Analysis
- max time kernel: 126s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-02-2023 14:12
Static task: static1
Behavioral task: behavioral1
- Sample: 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
- Resource: win10v2004-20221111-en
General
- Target: 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
- Size: 1.4MB
- MD5: 65edcfa090755e408992785778955dce
- SHA1: 6eff23db579671e283798e729a9b57614612b6d9
- SHA256: 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0
- SHA512: f8325f5a27318da052d81a67f1b1f552dc1932577ef932e273c7ae61974e595881f305721fe92fedcaf32190ef28c7a90520303c4410e1f0d44701b6b861a837
- SSDEEP: 24576:eSUqKIqZHzOdysVKr+nXF1CutCtbDpKYxOBvwaWGAOpYyovkirp:cpHzOdysVKrG1KpKYxn60Mi
Malware Config
Extracted
- Protocol: smtp
- Host: mail.clipjoint.co.nz
- Port: 587
- Username: [email protected]
- Password: melandloz64
Extracted: agenttesla
- Protocol: smtp
- Host: mail.clipjoint.co.nz
- Port: 587
- Username: [email protected]
- Password: melandloz64
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect rhadamanthys stealer shellcode (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/4144-158-0x0000000000E60000-0x0000000000E7D000-memory.dmp: family_rhadamanthys
  - behavioral2/memory/4144-162-0x0000000000E60000-0x0000000000E7D000-memory.dmp: family_rhadamanthys
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (description / pid / process / target process):
  - PID 4576 created 2808: 4576 sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe -> taskhostw.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe)
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
  - 4576 sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  - 4576 sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ngentask.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ngentask.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ngentask.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - 21 api.ipify.org
  - 22 api.ipify.org
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes (pid / process):
  - 4144 fontview.exe (3 entries)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 4576 set thread context of 4016: 4576 sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe -> ngentask.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes (pid / pid_target / process / target process):
  - 4344 / 4576: WerFault.exe -> sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (fontview.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID (fontview.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (fontview.exe)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (fontview.exe)
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (fontview.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (56 IoCs)
  Processes (pid / process):
  - 2212 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe (10 entries)
  - 4576 sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe (46 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege: 4016 ngentask.exe
  - Token: SeShutdownPrivilege: 4144 fontview.exe
  - Token: SeCreatePagefilePrivilege: 4144 fontview.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description / pid / process / target process):
  - PID 2212 wrote to memory of 1748: 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe -> schtasks.exe (3 entries)
  - PID 2212 wrote to memory of 4576: 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe -> sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe (3 entries)
  - PID 2212 wrote to memory of 3388: 871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe -> cmd.exe (3 entries)
  - PID 3388 wrote to memory of 3348: cmd.exe -> chcp.com (3 entries)
  - PID 3388 wrote to memory of 268: cmd.exe -> PING.EXE (3 entries)
  - PID 4576 wrote to memory of 4016: sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe -> ngentask.exe (5 entries)
  - PID 4576 wrote to memory of 4144: sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe -> fontview.exe (4 entries)
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ngentask.exe)
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ngentask.exe)
Processes
- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - C:\Windows\SysWOW64\fontview.exe
    Command line: "C:\Windows\SYSWOW64\fontview.exe"
    Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe"
    Signatures: Creates scheduled task(s)
  - C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
    Command line: "C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe"
    Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      Signatures: Accesses Microsoft Outlook profiles; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1272
      Signatures: Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\871aba5cef884e6cb532f1023c47f2e6fdf894bffb7d171e13781ce7957b8ab0.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1
      Signatures: Runs ping.exe
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4576 -ip 4576
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\240558031.dll
  Filesize: 335KB
  MD5: f8d36091acfdc104254d90a91588d569
  SHA1: 3ac92b58e3378a6d88349cf8549ba8334a90b608
  SHA256: 7765a84991c1fc872740ffbcb1bc0563e4edc31fcf02ce9341fa1f316c6efdc4
  SHA512: fc2f2bac554997593468cef0fcbd6c0b24e00852ba199b9cedb4c5c4af52eb6874e15e346953d2f47c31b05f18eec1f0865495187be943cd1fcf27ed4fb8a5f1
- C:\Users\Admin\Lica sasebi pab vegoxoke gorida\sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe
  Filesize: 775.4MB
  MD5: 18e73fdac527c624908e1cfa1fc6a6a5
  SHA1: de33ed698b2e30a43085bee3c0f3f67d67b39247
  SHA256: 9cf8f0d549c5c2dd31591d3ee1bfd5c0997e571a53cfdd67df820228c4c47fb1
  SHA512: 220e44f529f43f75b03b546e72f3d5812b2130ae4af6164a5e0d52e84e6ebcbe9d850176269d1aaefeb0640fea5101c9b829d9475db37d1832638e1a5b71c2ea
- memory/268-140-0x0000000000000000-mapping.dmp
- memory/1748-133-0x0000000000000000-mapping.dmp
- memory/2212-132-0x0000000000260000-0x00000000003C7000-memory.dmp (Filesize: 1.4MB)
- memory/2212-138-0x0000000000260000-0x00000000003C7000-memory.dmp (Filesize: 1.4MB)
- memory/3348-139-0x0000000000000000-mapping.dmp
- memory/3388-137-0x0000000000000000-mapping.dmp
- memory/4016-155-0x00000000064A0000-0x0000000006532000-memory.dmp (Filesize: 584KB)
- memory/4016-153-0x0000000004FC0000-0x0000000005026000-memory.dmp (Filesize: 408KB)
- memory/4016-165-0x00000000068D0000-0x000000000696C000-memory.dmp (Filesize: 624KB)
- memory/4016-144-0x0000000000000000-mapping.dmp
- memory/4016-145-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/4016-147-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/4016-164-0x0000000006A00000-0x0000000006BC2000-memory.dmp (Filesize: 1.8MB)
- memory/4016-163-0x00000000067E0000-0x0000000006830000-memory.dmp (Filesize: 320KB)
- memory/4016-159-0x0000000006660000-0x000000000666A000-memory.dmp (Filesize: 40KB)
- memory/4016-151-0x0000000005570000-0x0000000005B14000-memory.dmp (Filesize: 5.6MB)
- memory/4144-161-0x0000000000C10000-0x0000000000C45000-memory.dmp (Filesize: 212KB)
- memory/4144-150-0x0000000000000000-mapping.dmp
- memory/4144-154-0x0000000000EE5000-0x0000000000EE7000-memory.dmp (Filesize: 8KB)
- memory/4144-149-0x0000000000C10000-0x0000000000C45000-memory.dmp (Filesize: 212KB)
- memory/4144-157-0x0000000000EE5000-0x0000000000EE7000-memory.dmp (Filesize: 8KB)
- memory/4144-162-0x0000000000E60000-0x0000000000E7D000-memory.dmp (Filesize: 116KB)
- memory/4144-158-0x0000000000E60000-0x0000000000E7D000-memory.dmp (Filesize: 116KB)
- memory/4144-152-0x0000000000C10000-0x0000000000C45000-memory.dmp (Filesize: 212KB)
- memory/4144-160-0x0000000002D80000-0x0000000003D80000-memory.dmp (Filesize: 16.0MB)
- memory/4576-142-0x000000000F6A0000-0x000000000F875000-memory.dmp (Filesize: 1.8MB)
- memory/4576-134-0x0000000000000000-mapping.dmp
- memory/4576-156-0x000000000F6A0000-0x000000000F875000-memory.dmp (Filesize: 1.8MB)
- memory/4576-141-0x0000000000AD0000-0x0000000000C37000-memory.dmp (Filesize: 1.4MB)
- memory/4576-143-0x000000000F6A0000-0x000000000F875000-memory.dmp (Filesize: 1.8MB)
- memory/4576-166-0x0000000000AD0000-0x0000000000C37000-memory.dmp (Filesize: 1.4MB)