Analysis
max time kernel: 47s
max time network: 51s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 06-02-2023 14:06
Static task: static1
Behavioral task: behavioral1
  Sample: f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd.exe
  Resource: win10v2004-20220812-en
General
Target: f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd.exe
Size: 319KB
MD5: 0494a68d7135560a50c02f4c4b6ad18f
SHA1: 84338aa1637299d93358f0e1d842932358d07093
SHA256: f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd
SHA512: f5b5af135ee9b69a9e9ec740cd8d2cdac082b8dcc0a7cb81168076f849632c7423c845e998dd7c77b164bba2f08fadd434adae280aa8717f19baac359c7601bd
SSDEEP: 6144:vYa6nfiMr0Cxya0QuwyhA0AUZOE7Zj50ZUonaM4O2im59x+skSCR0/rEOh:vY9FyavQA4wE7Zj5dyaM4O2im59L/CRY
Malware Config
Extracted (family: agenttesla)
C2 / exfiltration endpoint: https://discord.com/api/webhooks/1060497255888605185/YygDHRiwYqCp3BheuMa5Zliz-2yRI2G-aeR8nFUp8XCSIhCp4S0uU66B1TLkMA0rIykw
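Added example, not part of the sandbox report: a small Python helper that turns the extracted Discord webhook URL into indicators a defender can block or hunt on, and matches them against proxy log lines. The log line format, the hostname list, and all function names are my assumptions; the sample log lines are constructed, not taken from this run's network capture.

```python
import re
from urllib.parse import urlsplit

# Webhook URL exactly as extracted from the sample's configuration in the report above.
WEBHOOK_URL = ("https://discord.com/api/webhooks/1060497255888605185/"
               "YygDHRiwYqCp3BheuMa5Zliz-2yRI2G-aeR8nFUp8XCSIhCp4S0uU66B1TLkMA0rIykw")

# Discord webhook path shape: /api/webhooks/<snowflake id>/<token>
WEBHOOK_RE = re.compile(r"^/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]+)/?$")
# Assumed list of hostnames that serve the webhook API.
WEBHOOK_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}


def parse_webhook(url):
    """Return (host, webhook_id, token), or None if the URL is not a Discord webhook."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if parts.scheme != "https" or host not in WEBHOOK_HOSTS:
        return None
    m = WEBHOOK_RE.match(parts.path)
    if not m:
        return None
    return host, m.group(1), m.group(2)


def indicators(url):
    """Derive the indicators worth sharing: host plus the id-only path prefix.
    The token is a credential for the webhook, so it is deliberately left out."""
    parsed = parse_webhook(url)
    if parsed is None:
        return None
    host, webhook_id, _token = parsed
    return {"host": host, "webhook_id": webhook_id,
            "path_prefix": f"/api/webhooks/{webhook_id}/"}


def find_exfil(log_lines, url):
    """Return indices of log lines that POST to this sample's webhook.
    Assumed line format: <timestamp> <client_ip> <method> <host> <path> <status>."""
    ind = indicators(url)
    if ind is None:
        return []
    hits = []
    for i, line in enumerate(log_lines):
        fields = line.split()
        if len(fields) < 6:
            continue
        _ts, _client, method, host, path, _status = fields[:6]
        if (method == "POST" and host.lower() == ind["host"]
                and path.startswith(ind["path_prefix"])):
            hits.append(i)
    return hits


# Constructed proxy log lines (not from the report): only the second line hits this webhook.
SAMPLE_LOG = [
    "2023-02-06T14:07:01Z 10.0.0.15 GET discord.com /api/v9/gateway 200",
    "2023-02-06T14:07:05Z 10.0.0.15 POST discord.com " + urlsplit(WEBHOOK_URL).path + " 204",
    "2023-02-06T14:07:09Z 10.0.0.22 POST discord.com /api/webhooks/111111111111111111/sometoken 204",
]

if __name__ == "__main__":
    print(indicators(WEBHOOK_URL))
    print(find_exfil(SAMPLE_LOG, WEBHOOK_URL))
```

Keying on the webhook id rather than on discord.com keeps the rule usable on networks where Discord itself is allowed; the token half of the URL is what lets anyone post to (or delete) that webhook, so treat it as a credential when circulating the indicator.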
Signatures
AgentTesla
Agent Tesla is a .NET-based infostealer with remote access tool (RAT) features (the sandbox's signature text describes it as written in Visual Basic). In this run it reads Outlook profile data and reports to the Discord webhook listed under Malware Config.
Executes dropped EXE 2 IoCs
Processes:
  hjjwqn.exe (PID 1788)
  hjjwqn.exe (PID 112)
Loads dropped DLL 2 IoCs
Processes:
  f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd.exe (PID 1224)
  hjjwqn.exe (PID 1788)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: hjjwqn.exe
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Suspicious use of SetThreadContext 1 IoCs
Processes: hjjwqn.exe
  PID 1788 (hjjwqn.exe) set thread context of PID 112 (hjjwqn.exe)
Together with the MapViewOfSection and repeated WriteProcessMemory events from the same PID listed below, this is the process-hollowing sequence: the first hjjwqn.exe writes a payload into a second copy of itself and redirects that copy's thread to it.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for an Agent Tesla sample it is more consistent with an infostealer surveying drives for data to collect.
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: hjjwqn.exe (PID 1788)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: hjjwqn.exe
  Token: SeDebugPrivilege, PID 112 (hjjwqn.exe)
Suspicious use of WriteProcessMemory 9 IoCs
Processes: f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd.exe, hjjwqn.exe
  PID 1224 (f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd.exe) wrote to memory of PID 1788 (hjjwqn.exe), 4 events
  PID 1788 (hjjwqn.exe) wrote to memory of PID 112 (hjjwqn.exe), 5 events
outlook_office_path 1 IoCs
Processes: hjjwqn.exe
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
outlook_win_path 1 IoCs
Processes: hjjwqn.exe
  Key opened: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
C:\Users\Admin\AppData\Local\Temp\f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd.exe (PID 1224)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\hjjwqn.exe (PID 1788)
    Command line: "C:\Users\Admin\AppData\Local\Temp\hjjwqn.exe" C:\Users\Admin\AppData\Local\Temp\waihmj.r
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\hjjwqn.exe (PID 112)
      Command line: "C:\Users\Admin\AppData\Local\Temp\hjjwqn.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
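Added example, not part of the sandbox report: a Python detector that reads injection events in the same shape as the report's WriteProcessMemory and SetThreadContext IoC lines, flags a source/target pair as process hollowing only when both a memory write and a thread-context reset are seen, and walks the write edges to recover the loader-to-payload chain. The event strings below are transcribed from the tables above; the regex, the function names and the decision rule are my assumptions.

```python
import re
from collections import defaultdict

# Injection events in the shape the report's IoC tables print them:
# "PID <src> <action> <dst> <src> <src image> <dst image>" (transcribed from the report above).
LOADER = "f1c0ce5d37364862798e7e11817f3544d72847e1bffd46723f51df8504796afd.exe"
REPORT_EVENTS = (
    [f"PID 1224 wrote to memory of 1788 1224 {LOADER} hjjwqn.exe"] * 4
    + ["PID 1788 wrote to memory of 112 1788 hjjwqn.exe hjjwqn.exe"] * 5
    + ["PID 1788 set thread context of 112 1788 hjjwqn.exe hjjwqn.exe"]
)

EVENT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\S+)$")


def parse_events(lines):
    """Yield (src_pid, action, dst_pid, src_image, dst_image); lines that don't parse are skipped."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3)), m.group(4), m.group(5)


def detect_hollowing(lines):
    """Flag (src, dst) pairs where the source both wrote into the target and reset one of
    its thread contexts. Writing an image into a (typically suspended) child and then pointing
    its main thread at it with SetThreadContext is the classic process-hollowing sequence;
    when both images share a name the sample is hollowing a copy of itself."""
    stats = defaultdict(lambda: {"writes": 0, "ctx": 0, "src_image": "", "dst_image": ""})
    for src, action, dst, src_img, dst_img in parse_events(lines):
        rec = stats[(src, dst)]
        rec["src_image"], rec["dst_image"] = src_img, dst_img
        rec["writes" if action.startswith("wrote") else "ctx"] += 1
    findings = []
    for (src, dst), rec in sorted(stats.items()):
        if rec["writes"] and rec["ctx"]:
            findings.append({"src_pid": src, "dst_pid": dst, "image": rec["dst_image"],
                             "writes": rec["writes"],
                             "self_hollowing": rec["src_image"] == rec["dst_image"]})
    return findings


def injection_chain(lines, root_pid):
    """Follow WriteProcessMemory edges from root_pid to recover the injection chain."""
    edges = defaultdict(set)
    for src, action, dst, _, _ in parse_events(lines):
        if action.startswith("wrote"):
            edges[src].add(dst)
    chain, seen = [root_pid], {root_pid}
    while edges[chain[-1]] - seen:
        nxt = min(edges[chain[-1]] - seen)
        seen.add(nxt)
        chain.append(nxt)
    return chain


if __name__ == "__main__":
    for finding in detect_hollowing(REPORT_EVENTS):
        print(finding)
    print(" -> ".join(map(str, injection_chain(REPORT_EVENTS, 1224))))
```

On the report's events only the 1788 -> 112 pair is flagged: the loader (1224) writes into the first hjjwqn.exe but never touches its thread context, which matches the signature list, where SetThreadContext and MapViewOfSection are attributed to PID 1788 alone. Requiring both API families keeps ordinary parent writes (environment blocks, debugger-style writes) from firing the rule.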
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 263KB
  MD5: 8fd572cbcc8e06be860c0121ee1fb117
  SHA1: faac36076051a80cb149d2acb5648649f5fa8adf
  SHA256: 5b817d0432465d5d920b2f2f70b1875520b119e1c9e42ab5f8f8ad790ed4c97c
  SHA512: dbc5decddc9bfb5bc4bc4fabb11b2065be760d0c365c1f6bfb9fa861c4b0e6df8bf31671680c9b2df2f5874a304c9905f6e2454ccf5f5792afa10c2ff01f1cec
Filesize: 113KB (this entry appears five times in the report with identical hashes)
  MD5: a6371e1b2d2971c563f90f6c38f2520c
  SHA1: 4f0fee5d49724919b8d5b8b6d3e815294ee05376
  SHA256: fc93722b90c2d7e5db10ba6ffbe0fbde8ab900e930506685dbc2783d4af174d3
  SHA512: f7f4f2f2f0a925f0dd2179f7ad29e4131b6018a40eb345c1fd97f5730e82d7ff56ff691b100dc80152b0c73d96644cc58562056e18e4b5394a7bf83b7b7e78da
Filesize: 5KB
  MD5: 4324d64f050398e45f3bfe6c2ec32e97
  SHA1: 2af7fd4d3e843163e28f9397f078e2f2380a0e16
  SHA256: 27e8b1e3c8b66ddeaee627e90f2754a86d4897a508d64e4bd752c7bcc5918f20
  SHA512: e78eabaf61529010e5c52f19974eecf6d3b504fbaf26081119263cc0c48b8ae0fdb3f485a9ad13f8ea1f01e931ab10522d0c54ad9545afa9abd4db96ea69b101