Analysis
- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-12-2022 09:23
Static task: static1
Behavioral task: behavioral1
  Sample: nhhhhnn.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: nhhhhnn.exe
  Resource: win10v2004-20220901-en
General
- Target: nhhhhnn.exe
- Size: 611KB
- MD5: 75e55b619b34973c98df9425fcda82a7
- SHA1: c56718c5d03aa9d7bd3ce9f46afbf7efb4c421db
- SHA256: d584f5c481acd2b638b4196021c6326b590c2b64aa0a8b3953e69ad232d651fe
- SHA512: fac6cc1acb9d7a0b783cb0be2e6855e0bffdc62cec9e9e0756e5e51ff7b77f6a6bb66dca42c63d6ae055f893c54c514d28f50d23a40a631a185060a36c50acb6
- SSDEEP: 12288:vc7FkSAEj5yn7i2IY9UG5JGsRw5kfCqqcrhIREsXx8mFmH:v91Ejyi1Y9/5JGsC5k6LIpsB8lH
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Executes dropped EXE 4 IoCs
Processes: atskme.exe
  pid   process
  1296  atskme.exe
  4532  atskme.exe
  1384  atskme.exe
  1512  atskme.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: atskme.exe
  description  ioc  process
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   atskme.exe
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   atskme.exe
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   atskme.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: atskme.exe
  description                            pid   process     target process
  PID 1296 set thread context of 1512    1296  atskme.exe  atskme.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: atskme.exe
  pid   process
  1512  atskme.exe
  1512  atskme.exe
Suspicious behavior: MapViewOfSection 3 IoCs
Processes: atskme.exe
  pid   process
  1296  atskme.exe
  1296  atskme.exe
  1296  atskme.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: atskme.exe
  description              pid   process
  Token: SeDebugPrivilege  1512  atskme.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: atskme.exe
  pid   process
  1296  atskme.exe
  1296  atskme.exe
Suspicious use of SendNotifyMessage 2 IoCs
Processes: atskme.exe
  pid   process
  1296  atskme.exe
  1296  atskme.exe
Suspicious use of WriteProcessMemory 13 IoCs
Processes: nhhhhnn.exe, atskme.exe
  description                         pid   process      target process
  PID 1712 wrote to memory of 1296    1712  nhhhhnn.exe  atskme.exe
  PID 1712 wrote to memory of 1296    1712  nhhhhnn.exe  atskme.exe
  PID 1712 wrote to memory of 1296    1712  nhhhhnn.exe  atskme.exe
  PID 1296 wrote to memory of 4532    1296  atskme.exe   atskme.exe
  PID 1296 wrote to memory of 4532    1296  atskme.exe   atskme.exe
  PID 1296 wrote to memory of 4532    1296  atskme.exe   atskme.exe
  PID 1296 wrote to memory of 1384    1296  atskme.exe   atskme.exe
  PID 1296 wrote to memory of 1384    1296  atskme.exe   atskme.exe
  PID 1296 wrote to memory of 1384    1296  atskme.exe   atskme.exe
  PID 1296 wrote to memory of 1512    1296  atskme.exe   atskme.exe
  PID 1296 wrote to memory of 1512    1296  atskme.exe   atskme.exe
  PID 1296 wrote to memory of 1512    1296  atskme.exe   atskme.exe
  PID 1296 wrote to memory of 1512    1296  atskme.exe   atskme.exe
-
outlook_office_path 1 IoCs
Processes: atskme.exe
  description  ioc  process
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   atskme.exe
outlook_win_path 1 IoCs
Processes: atskme.exe
  description  ioc  process
  Key opened   \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   atskme.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\nhhhhnn.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nhhhhnn.exe"
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\atskme.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\atskme.exe" "C:\Users\Admin\AppData\Local\Temp\gbtnllb.au3"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\atskme.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\atskme.exe"
          - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\atskme.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\atskme.exe"
          - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\atskme.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\atskme.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - outlook_office_path
          - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\atskme.exe
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\ehteadmu.ia
  Filesize: 64KB
  MD5: 6db4c0fc61def99eaed28f769f0ce1b3
  SHA1: 92af4f7dc2c0563f27c239f52007483dd122060d
  SHA256: 322ccbfb364a2496de585b6b0ca0d699736e55ad83244a01c0f625ab73bc7f4f
  SHA512: bc09f1f92219f81572e469f3001b804438933a253f28b8409ff675a06aeb09a8883149c0d9a456910eceb2a8e372e36b58c429d309aa09741f52d5f79687dc9e
-
C:\Users\Admin\AppData\Local\Temp\gbtnllb.au3
  Filesize: 6KB
  MD5: 1d9ac95cf8856d639dad940e24dc9b7b
  SHA1: 66f15e7002310e81570d43eb32b1bb3a0eda93bc
  SHA256: 507fafc4e1709e13a0f9cab8cd490fbc56a28bb65570ffeae6eb6ce8a575852f
  SHA512: 1680da6168380e77a5066a44f47929bbed8ac23314db85499c9136c94c6ef64869a87d7b948d4c0f859bebce39b1eeb1da494d344ad1f462fe4513b20a0ff140
-
C:\Users\Admin\AppData\Local\Temp\ssfaozp.ova
  Filesize: 236KB
  MD5: d58951f7048adc79392195b909b4387c
  SHA1: 85398d546ff5b389849d87b9123fc63531f99cfa
  SHA256: 9d095c1562fd08d3491f7ea0671d17e0e542212125d79235f989df204d556202
  SHA512: e78784db5c263f8a77ef952b499bb176e38c77ec9afa32079c8dfb8503e1637b2a8deb16633a9ed488258184284dc7c10cb7786f5bf45c5c304da63d645876b3
-
memory/1296-132-0x0000000000000000-mapping.dmp
-
memory/1384-139-0x0000000000000000-mapping.dmp
-
memory/1512-141-0x0000000000000000-mapping.dmp
-
memory/1512-143-0x0000000000400000-0x000000000043F000-memory.dmp
  Filesize: 252KB
-
memory/1512-144-0x00000000068B0000-0x0000000006E54000-memory.dmp
  Filesize: 5.6MB
-
memory/1512-145-0x0000000006300000-0x000000000639C000-memory.dmp
  Filesize: 624KB
-
memory/1512-146-0x0000000007B30000-0x0000000007B96000-memory.dmp
  Filesize: 408KB
-
memory/1512-147-0x00000000081D0000-0x0000000008262000-memory.dmp
  Filesize: 584KB
-
memory/1512-148-0x0000000008710000-0x000000000871A000-memory.dmp
  Filesize: 40KB
-
memory/4532-137-0x0000000000000000-mapping.dmp