Analysis
-
max time kernel
122s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
16-02-2023 08:53
Static task
static1
Behavioral task
behavioral1
Sample
PHILIP.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
PHILIP.exe
Resource
win10v2004-20220812-en
General
-
Target
PHILIP.exe
-
Size
324KB
-
MD5
443750f08bb402c1cee9f7ed5641de40
-
SHA1
36e10876601d74747ade10db65ebba79fcdd7b72
-
SHA256
dec27cdadd52f7d2264eb50ecbae1d43313c917594d9c4b93ea936b556f05902
-
SHA512
d06a70a036d9602fcbdaf2157d6b98271f9877256f9cc6b7a3c7191f810b48bd0faf8e170f61800bad6e5fa50cdb29188a94d39d17463cfbde55755dccff090e
-
SSDEEP
6144:vYa6lInxv/GBwkvnZkaIkDkiUjBEFefnDyhIHUe7NBG5LB:vYP2Uw2nQjiceFSDUc7NG1
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 2 IoCs
pid Process 5092 digdconvf.exe 1488 digdconvf.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 digdconvf.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 digdconvf.exe Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 digdconvf.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\soxdmirrbvfo = "C:\\Users\\Admin\\AppData\\Roaming\\ktdyirnv\\rbkgpyuueaj.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\digdconvf.exe\" C:\\Users\\Admin\\AppData\\L" digdconvf.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XynDz = "C:\\Users\\Admin\\AppData\\Roaming\\XynDz\\XynDz.exe" digdconvf.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 15 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 5092 set thread context of 1488 5092 digdconvf.exe 84 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 5092 digdconvf.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1488 digdconvf.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 5040 wrote to memory of 5092 5040 PHILIP.exe 83 PID 5040 wrote to memory of 5092 5040 PHILIP.exe 83 PID 5040 wrote to memory of 5092 5040 PHILIP.exe 83 PID 5092 wrote to memory of 1488 5092 digdconvf.exe 84 PID 5092 wrote to memory of 1488 5092 digdconvf.exe 84 PID 5092 wrote to memory of 1488 5092 digdconvf.exe 84 PID 5092 wrote to memory of 1488 5092 digdconvf.exe 84 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 digdconvf.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 digdconvf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PHILIP.exe"C:\Users\Admin\AppData\Local\Temp\PHILIP.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Users\Admin\AppData\Local\Temp\digdconvf.exe"C:\Users\Admin\AppData\Local\Temp\digdconvf.exe" C:\Users\Admin\AppData\Local\Temp\ngivhuetle.mug2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:5092 -
C:\Users\Admin\AppData\Local\Temp\digdconvf.exe"C:\Users\Admin\AppData\Local\Temp\digdconvf.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1488
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
127KB
MD5548c32a92cd221f0b0a1e5ab389bf5af
SHA1ba4191ec1939c16ad6a700f5200c5ac84ab9efa7
SHA256ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166
SHA512d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82
-
Filesize
127KB
MD5548c32a92cd221f0b0a1e5ab389bf5af
SHA1ba4191ec1939c16ad6a700f5200c5ac84ab9efa7
SHA256ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166
SHA512d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82
-
Filesize
127KB
MD5548c32a92cd221f0b0a1e5ab389bf5af
SHA1ba4191ec1939c16ad6a700f5200c5ac84ab9efa7
SHA256ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166
SHA512d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82
-
Filesize
7KB
MD5fd2b5db4a3e41d39623fb54f73ea8f5e
SHA1fcce51cbb53a0e5d7aa694f3322a09854480fd02
SHA2560273b0a96847a19d6a9569c9ca02a9d95d196eebeaa666b58f74028451386475
SHA512a0af6a7e4b8411776b0007be01ddcfbd05560f168eb1554874fb9729f6adb6f82044c969bf0e598c2992844e19faa06536b80316a11ac4fb2e0800e24a66a885
-
Filesize
266KB
MD5e4e6989f4cb92813cb3415e839bac761
SHA1711a5250fef9cbeb2181725bf8d15ab0b7e0bd47
SHA2564042be4b86842251228cc7193b8ac462c02b5dd144bbad9556cef770176befcc
SHA512812627eb2bb60c18151c90afd10187420aa97c924eade61720b1002341f188d60ccdf6f62c0c37a2f5bc647ef60ebe02fd170b484a3c2654308e2ec64a9d54cd