Analysis

  • max time kernel
    43s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06-02-2023 14:05

General

  • Target

    f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd.exe

  • Size

    319KB

  • MD5

    0494a68d7135560a50c02f4c4b6ad18f

  • SHA1

    84338aa1637299d93358f0e1d842932358d07093

  • SHA256

    f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd

  • SHA512

    f5b5af135ee9b69a9e9ec740cd8d2cdac082b8dcc0a7cb81168076f849632c7423c845e998dd7c77b164bba2f08fadd434adae280aa8717f19baac359c7601bd

  • SSDEEP

    6144:vYa6nfiMr0Cxya0QuwyhA0AUZOE7Zj50ZUonaM4O2im59x+skSCR0/rEOh:vY9FyavQA4wE7Zj5dyaM4O2im59L/CRY

Malware Config

Extracted

Family

agenttesla

C2

https://discord.com/api/webhooks/1060497255888605185/YygDHRiwYqCp3BheuMa5Zliz-2yRI2G-aeR8nFUp8XCSIhCp4S0uU66B1TLkMA0rIykw

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd.exe
    "C:\Users\Admin\AppData\Local\Temp\f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Users\Admin\AppData\Local\Temp\hjjwqn.exe
      "C:\Users\Admin\AppData\Local\Temp\hjjwqn.exe" C:\Users\Admin\AppData\Local\Temp\waihmj.r
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Users\Admin\AppData\Local\Temp\hjjwqn.exe
        "C:\Users\Admin\AppData\Local\Temp\hjjwqn.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1464

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\doqfqwz.oh

    Filesize

    263KB

    MD5

    8fd572cbcc8e06be860c0121ee1fb117

    SHA1

    faac36076051a80cb149d2acb5648649f5fa8adf

    SHA256

    5b817d0432465d5d920b2f2f70b1875520b119e1c9e42ab5f8f8ad790ed4c97c

    SHA512

    dbc5decddc9bfb5bc4bc4fabb11b2065be760d0c365c1f6bfb9fa861c4b0e6df8bf31671680c9b2df2f5874a304c9905f6e2454ccf5f5792afa10c2ff01f1cec

  • C:\Users\Admin\AppData\Local\Temp\hjjwqn.exe

    Filesize

    113KB

    MD5

    a6371e1b2d2971c563f90f6c38f2520c

    SHA1

    4f0fee5d49724919b8d5b8b6d3e815294ee05376

    SHA256

    fc93722b90c2d7e5db10ba6ffbe0fbde8ab900e930506685dbc2783d4af174d3

    SHA512

    f7f4f2f2f0a925f0dd2179f7ad29e4131b6018a40eb345c1fd97f5730e82d7ff56ff691b100dc80152b0c73d96644cc58562056e18e4b5394a7bf83b7b7e78da

  • C:\Users\Admin\AppData\Local\Temp\hjjwqn.exe

    Filesize

    113KB

    MD5

    a6371e1b2d2971c563f90f6c38f2520c

    SHA1

    4f0fee5d49724919b8d5b8b6d3e815294ee05376

    SHA256

    fc93722b90c2d7e5db10ba6ffbe0fbde8ab900e930506685dbc2783d4af174d3

    SHA512

    f7f4f2f2f0a925f0dd2179f7ad29e4131b6018a40eb345c1fd97f5730e82d7ff56ff691b100dc80152b0c73d96644cc58562056e18e4b5394a7bf83b7b7e78da

  • C:\Users\Admin\AppData\Local\Temp\hjjwqn.exe

    Filesize

    113KB

    MD5

    a6371e1b2d2971c563f90f6c38f2520c

    SHA1

    4f0fee5d49724919b8d5b8b6d3e815294ee05376

    SHA256

    fc93722b90c2d7e5db10ba6ffbe0fbde8ab900e930506685dbc2783d4af174d3

    SHA512

    f7f4f2f2f0a925f0dd2179f7ad29e4131b6018a40eb345c1fd97f5730e82d7ff56ff691b100dc80152b0c73d96644cc58562056e18e4b5394a7bf83b7b7e78da

  • C:\Users\Admin\AppData\Local\Temp\waihmj.r

    Filesize

    5KB

    MD5

    4324d64f050398e45f3bfe6c2ec32e97

    SHA1

    2af7fd4d3e843163e28f9397f078e2f2380a0e16

    SHA256

    27e8b1e3c8b66ddeaee627e90f2754a86d4897a508d64e4bd752c7bcc5918f20

    SHA512

    e78eabaf61529010e5c52f19974eecf6d3b504fbaf26081119263cc0c48b8ae0fdb3f485a9ad13f8ea1f01e931ab10522d0c54ad9545afa9abd4db96ea69b101

  • \Users\Admin\AppData\Local\Temp\hjjwqn.exe

    Filesize

    113KB

    MD5

    a6371e1b2d2971c563f90f6c38f2520c

    SHA1

    4f0fee5d49724919b8d5b8b6d3e815294ee05376

    SHA256

    fc93722b90c2d7e5db10ba6ffbe0fbde8ab900e930506685dbc2783d4af174d3

    SHA512

    f7f4f2f2f0a925f0dd2179f7ad29e4131b6018a40eb345c1fd97f5730e82d7ff56ff691b100dc80152b0c73d96644cc58562056e18e4b5394a7bf83b7b7e78da

  • \Users\Admin\AppData\Local\Temp\hjjwqn.exe

    Filesize

    113KB

    MD5

    a6371e1b2d2971c563f90f6c38f2520c

    SHA1

    4f0fee5d49724919b8d5b8b6d3e815294ee05376

    SHA256

    fc93722b90c2d7e5db10ba6ffbe0fbde8ab900e930506685dbc2783d4af174d3

    SHA512

    f7f4f2f2f0a925f0dd2179f7ad29e4131b6018a40eb345c1fd97f5730e82d7ff56ff691b100dc80152b0c73d96644cc58562056e18e4b5394a7bf83b7b7e78da

  • memory/916-56-0x0000000000000000-mapping.dmp

  • memory/1108-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

    Filesize

    8KB

  • memory/1464-63-0x0000000000401896-mapping.dmp

  • memory/1464-66-0x0000000002060000-0x0000000002090000-memory.dmp

    Filesize

    192KB

  • memory/1464-67-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB