Analysis
max time kernel: 41s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 07-02-2023 01:10
Static task: static1
Behavioral task: behavioral1
  Sample: 5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe
  Resource: win10v2004-20221111-en
General
Target: 5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe
Size: 343KB
MD5: 383a66b236ca130567b944ded28acbb3
SHA1: 1f32c099f88de3de17411232b469720de80b9568
SHA256: 5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d
SHA512: 12aa8017a36beef09fd08da0c5175c311dff38f25edd7a6a79e5ed5179cf75a8ee237c62b229e9ae74b8c004d7b1f401db952844e4feed7c39b3be5ff55eac23
SSDEEP: 6144:gYa6Ydr4i+dYQy+/quTtshVOl9jqNmB0x+4/iew7ePphpRdCVXsy:gYqGi+36uTamvKmeNPphnkFV
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.mgcpakistan.com
Port: 21
Username: [email protected]
Password: boygirl123456
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  pid   Process
  1432  lhjlh.exe
  1172  lhjlh.exe
- Loads dropped DLL (2 IoCs)
  pid   Process
  1532  5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe
  1432  lhjlh.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  lhjlh.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  lhjlh.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  lhjlh.exe
- Suspicious use of SetThreadContext (1 IoC)
  description  pid  Process  procid_target
  PID 1432 set thread context of 1172  1432  lhjlh.exe  29
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1172  lhjlh.exe
  1172  lhjlh.exe
  1172  lhjlh.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1432  lhjlh.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description  pid  Process
  Token: SeDebugPrivilege  1172  lhjlh.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description  pid  Process  procid_target
  PID 1532 wrote to memory of 1432  1532  5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe  28
  PID 1532 wrote to memory of 1432  1532  5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe  28
  PID 1532 wrote to memory of 1432  1532  5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe  28
  PID 1532 wrote to memory of 1432  1532  5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe  28
  PID 1432 wrote to memory of 1172  1432  lhjlh.exe  29
  PID 1432 wrote to memory of 1172  1432  lhjlh.exe  29
  PID 1432 wrote to memory of 1172  1432  lhjlh.exe  29
  PID 1432 wrote to memory of 1172  1432  lhjlh.exe  29
  PID 1432 wrote to memory of 1172  1432  lhjlh.exe  29
- outlook_office_path (1 IoC)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  lhjlh.exe
- outlook_win_path (1 IoC)
  description  ioc  Process
  Key opened  \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  lhjlh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c33966947abe22733168a2405879c3260d8c01699ee0ad9462846f481d2ad8d.exe"
  PID: 1532
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\lhjlh.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\lhjlh.exe" C:\Users\Admin\AppData\Local\Temp\bpiaurtg.lxm
    PID: 1432
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\lhjlh.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\lhjlh.exe"
      PID: 1172
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 5KB
  MD5: e7c4dfe685330a359d7086353be044e3
  SHA1: d77e89fb8fed3f8d393ab1626b0f04f51b102241
  SHA256: 7a09ad825dda413368597b65a70620d7b2c0b7f4bc4f50951e08ef944ec32e81
  SHA512: 470ed5b264137e582bfdadad8b2c7a11ca2179c556176146f3b35b6ff408afc2784a308e0b75132900ae72cabb30d8536842ea4f23d077f92ed282e6fe916526
- Filesize: 50KB
  MD5: c20b75ad041c86940589f41878af7187
  SHA1: 2dfb0a1b7c680157c2ae7b7a60a6c4f83bfe7c2e
  SHA256: c017f5bbfdec5544845a48d05c445c5f3744ed60b60fa6b40c703a6477b8a1f7
  SHA512: df10c32fbedc23fa59a90d41afac6bc679c930a793d13897d6c8a786e5dd8f67b86d294c58c56eb4d72d86c74b497ebeb1fc5d0ef444fd2f83f03a484c1caff2
- Filesize: 315KB
  MD5: 7d6278c457fc5f516e3648533a28dfe9
  SHA1: ba68478cc1326b0958a4674e1d4dd0e7e5109dc8
  SHA256: 4d6fc082a341a6cf1809d577d35d452496e637e4e75346b7f1ff232b236eb47c
  SHA512: a5b84ae497ef8f45e5dac2ea2e6f2adfd8f4d2e5e9d382d71bed74951ba64d6c0f07a1a28903304736489577b825c99b55b1af6dd624372a2e71388e4482e1e7