Analysis
- max time kernel: 90s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-02-2023 14:46
Static task: static1
Behavioral task: behavioral1
- Sample: URGENT REQUEST.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: URGENT REQUEST.exe
- Resource: win10v2004-20220812-en (the run reported below)
General
- Target: URGENT REQUEST.exe
- Size: 64KB
- MD5: 3031228682ee992a8c75b0b7e767b794
- SHA1: c0beabc62747ee62fbb05eb35284cc382a9a25fe
- SHA256: 2b7d52cff6d8153c70e007f4b88b38788b6205144cb65c60b76272dc838acc8b
- SHA512: 4fbadca7a43b04946afab52fd39e7de1ce34677d93316ff1f471105331af29e9787979fd6a6c3be2e1d6be0253fbd2b67c6f5963b618ebdeec030a77e49254aa
- SSDEEP: 768:EkOyF9AKzI19Nn7cx4vn+vEqMtpYYkhN40LO6dusn04eF:xOe9AA49Nn7cxgMEqMt8N40ymuL3F
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: focuzpartsmart.com
- Port: 587
- Username: johnsonpc@focuzpartsmart.com
- Password: FpmJhn@2023
- Email To: decenmomodou20@gmail.com
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET (Visual Basic .NET). In this run it is configured to exfiltrate over SMTP through the mailbox in the extracted config above, and the Outlook profile registry keys opened by jsc.exe (below) are where Outlook keeps stored mail-account settings and credentials.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Process: jsc.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Suspicious use of SetThreadContext (1 IoC)
- PID 4600 (URGENT REQUEST.exe) set thread context of PID 1048 (jsc.exe)
Suspicious behavior: EnumeratesProcesses (14 IoCs)
- PID 4600 (URGENT REQUEST.exe): all 14 process-enumeration events
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 4600 (URGENT REQUEST.exe)
- Token: SeDebugPrivilege, PID 1048 (jsc.exe)
Suspicious use of WriteProcessMemory (23 IoCs)
Source: PID 4600 (URGENT REQUEST.exe) wrote to the memory of:
- PID 4804 (RegAsm.exe): 2 writes
- PID 3276 (WsatConfig.exe): 2 writes
- PID 4756 (AddInProcess32.exe): 3 writes
- PID 3376 (aspnet_state.exe): 2 writes
- PID 4596 (AddInProcess.exe): 2 writes
- PID 4336 (SMSvcHost.exe): 2 writes
- PID 1044 (CasPol.exe): 2 writes
- PID 1048 (jsc.exe): 8 writes
Only jsc.exe (PID 1048) also received SetThreadContext and shows later activity of its own.
outlook_office_path (1 IoC)
Process: jsc.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
outlook_win_path (1 IoC)
Process: jsc.exe
- Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST.exe (PID 4600)
  Command line: "C:\Users\Admin\AppData\Local\Temp\URGENT REQUEST.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe (PID 4804)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe (PID 3276)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe (PID 4756)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (PID 3376)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe (PID 4596)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe (PID 4336)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe (PID 1044)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe (PID 1048)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
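The process tree and the WriteProcessMemory/SetThreadContext signatures together describe a process-hollowing loader: the dropper spawns eight signed .NET Framework binaries and writes into all of them, but only one (jsc.exe) gets its thread context replaced and then does the credential work. The script below is an added example, not code from the report or from the sandbox vendor; it correlates those events to pick the hollowed host and attribute the post-injection Outlook reads to it. The event data is transcribed from this report's signature tables, and the DOTNET_HOSTS set is an assumed list of commonly abused .NET Framework hosts rather than anything the report states.

```python
"""Correlate sandbox events to find the process-hollowing target.

Added example; not code from the report or from the sandbox vendor. The
event data below is transcribed from this report's "WriteProcessMemory",
"SetThreadContext" and "Accesses Microsoft Outlook profiles" signatures.
DOTNET_HOSTS is an assumption about commonly abused .NET Framework
binaries, not something the report states.
"""
from collections import Counter

PARENT_PID, PARENT_IMAGE = 4600, "URGENT REQUEST.exe"
HOLLOWED_PID, HOLLOWED_IMAGE = 1048, "jsc.exe"
OUTLOOK_PROFILE_GUID = "9375CFF0413111d3B88A00104B2A6676"

# Signed .NET Framework binaries that .NET loaders commonly hollow (assumed list).
DOTNET_HOSTS = {
    "RegAsm.exe", "RegSvcs.exe", "MSBuild.exe", "InstallUtil.exe", "AppLaunch.exe",
    "CasPol.exe", "jsc.exe", "vbc.exe", "csc.exe", "AddInProcess.exe",
    "AddInProcess32.exe", "aspnet_state.exe", "SMSvcHost.exe", "WsatConfig.exe",
}

# WriteProcessMemory events from the report: (target pid, target image) -> count.
WRITE_COUNTS = {
    (4804, "RegAsm.exe"): 2, (3276, "WsatConfig.exe"): 2, (4756, "AddInProcess32.exe"): 3,
    (3376, "aspnet_state.exe"): 2, (4596, "AddInProcess.exe"): 2, (4336, "SMSvcHost.exe"): 2,
    (1044, "CasPol.exe"): 2, (1048, "jsc.exe"): 8,
}

# Registry keys opened by jsc.exe, from the "Accesses Microsoft Outlook profiles" signature.
HKU = r"\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000"
OUTLOOK_KEYS = [
    HKU + r"\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook" + "\\" + OUTLOOK_PROFILE_GUID,
    HKU + r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"
    + "\\" + OUTLOOK_PROFILE_GUID,
    HKU + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook" + "\\" + OUTLOOK_PROFILE_GUID,
]


def build_events():
    """Flatten the report's signature tables into (event, src_pid, src_image, target_pid, arg)."""
    events = []
    for (pid, image), n in WRITE_COUNTS.items():
        events += [("WriteProcessMemory", PARENT_PID, PARENT_IMAGE, pid, image)] * n
    events.append(("SetThreadContext", PARENT_PID, PARENT_IMAGE, HOLLOWED_PID, HOLLOWED_IMAGE))
    for key in OUTLOOK_KEYS:
        events.append(("RegOpenKey", HOLLOWED_PID, HOLLOWED_IMAGE, None, key))
    return events


def find_hollowing(events):
    """Rank injection targets for one parent.

    A child that received both memory writes and SetThreadContext from the same
    parent is the hollowed host.  Children that were only written to had no
    thread resumed into the injected image and show no further activity, so they
    rank below it (sorted by write count so the analyst sees the busiest first).
    """
    writes, images, ctx, reg = Counter(), {}, set(), {}
    for ev, spid, _simg, tpid, arg in events:
        if ev == "WriteProcessMemory":
            writes[(spid, tpid)] += 1
            images[tpid] = arg
        elif ev == "SetThreadContext":
            ctx.add((spid, tpid))
        elif ev == "RegOpenKey":
            reg.setdefault(spid, []).append(arg)
    findings = []
    for (spid, tpid), n in writes.items():
        keys = reg.get(tpid, [])
        findings.append({
            "parent_pid": spid,
            "target_pid": tpid,
            "target_image": images[tpid],
            "writes": n,
            "thread_context_set": (spid, tpid) in ctx,
            "known_dotnet_host": images[tpid] in DOTNET_HOSTS,
            # Post-injection behaviour attributed to the child, not the dropper.
            "outlook_profile_reads": sum(OUTLOOK_PROFILE_GUID in k for k in keys),
        })
    findings.sort(key=lambda f: (not f["thread_context_set"], -f["writes"]))
    return findings


def hollowed_host(events):
    """Return the single best candidate, or None if no target got SetThreadContext."""
    for f in find_hollowing(events):
        if f["thread_context_set"]:
            return f
    return None


if __name__ == "__main__":
    for f in find_hollowing(build_events()):
        flag = "HOLLOWED" if f["thread_context_set"] else "written only"
        print(f"{f['target_pid']:>5} {f['target_image']:<20} writes={f['writes']:<2} "
              f"outlook_reads={f['outlook_profile_reads']} {flag}")
```

On an endpoint the same correlation runs over Sysmon ProcessAccess (Event ID 10) records rather than sandbox signatures, with the source and target PIDs taken from the event fields; the point that carries over is that a non-developer parent writing into several freshly spawned Framework64\v4.0.30319 binaries is the signal, and the one that continues to run afterwards is where the payload lives.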
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads (memory dumps)
PID 1048 (jsc.exe):
- memory/1048-134-0x0000000000400000-0x0000000000430000-memory.dmp (192KB)
- memory/1048-135-0x000000000042A62E-mapping.dmp
- memory/1048-137-0x0000000005F20000-0x00000000064C4000-memory.dmp (5.6MB)
- memory/1048-138-0x0000000005860000-0x00000000058C6000-memory.dmp (408KB)
- memory/1048-139-0x00000000069F0000-0x0000000006A82000-memory.dmp (584KB)
- memory/1048-140-0x00000000069B0000-0x00000000069BA000-memory.dmp (40KB)
- memory/1048-141-0x0000000006B30000-0x0000000006B80000-memory.dmp (320KB)
- memory/1048-142-0x0000000006E50000-0x0000000007012000-memory.dmp (1.8MB)
PID 4600 (URGENT REQUEST.exe):
- memory/4600-132-0x00000203B8FA0000-0x00000203B8FB4000-memory.dmp (80KB)
- memory/4600-133-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp (10.8MB)
- memory/4600-136-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp (10.8MB)