Analysis

  • max time kernel
    122s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-02-2023 08:53

General

  • Target

    PHILIP.exe

  • Size

    324KB

  • MD5

    443750f08bb402c1cee9f7ed5641de40

  • SHA1

    36e10876601d74747ade10db65ebba79fcdd7b72

  • SHA256

    dec27cdadd52f7d2264eb50ecbae1d43313c917594d9c4b93ea936b556f05902

  • SHA512

    d06a70a036d9602fcbdaf2157d6b98271f9877256f9cc6b7a3c7191f810b48bd0faf8e170f61800bad6e5fa50cdb29188a94d39d17463cfbde55755dccff090e

  • SSDEEP

    6144:vYa6lInxv/GBwkvnZkaIkDkiUjBEFefnDyhIHUe7NBG5LB:vYP2Uw2nQjiceFSDUc7NG1

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PHILIP.exe
    "C:\Users\Admin\AppData\Local\Temp\PHILIP.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Users\Admin\AppData\Local\Temp\digdconvf.exe
      "C:\Users\Admin\AppData\Local\Temp\digdconvf.exe" C:\Users\Admin\AppData\Local\Temp\ngivhuetle.mug
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:5092
      • C:\Users\Admin\AppData\Local\Temp\digdconvf.exe
        "C:\Users\Admin\AppData\Local\Temp\digdconvf.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1488

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\digdconvf.exe

    Filesize

    127KB

    MD5

    548c32a92cd221f0b0a1e5ab389bf5af

    SHA1

    ba4191ec1939c16ad6a700f5200c5ac84ab9efa7

    SHA256

    ce1c120571a06830f12a0a82741d00806cf18817be88c9458cf8349737c77166

    SHA512

    d6a09567b49075fd45bd2e52b40387570ced13d00fd28f474b15cf72a7c177a09c0573a61e9639d83859f01eb80f297d3c67ec883cf7997d453554c824f4fa82

  • C:\Users\Admin\AppData\Local\Temp\ngivhuetle.mug

    Filesize

    7KB

    MD5

    fd2b5db4a3e41d39623fb54f73ea8f5e

    SHA1

    fcce51cbb53a0e5d7aa694f3322a09854480fd02

    SHA256

    0273b0a96847a19d6a9569c9ca02a9d95d196eebeaa666b58f74028451386475

    SHA512

    a0af6a7e4b8411776b0007be01ddcfbd05560f168eb1554874fb9729f6adb6f82044c969bf0e598c2992844e19faa06536b80316a11ac4fb2e0800e24a66a885

  • C:\Users\Admin\AppData\Local\Temp\svnwdctuh.ir

    Filesize

    266KB

    MD5

    e4e6989f4cb92813cb3415e839bac761

    SHA1

    711a5250fef9cbeb2181725bf8d15ab0b7e0bd47

    SHA256

    4042be4b86842251228cc7193b8ac462c02b5dd144bbad9556cef770176befcc

    SHA512

    812627eb2bb60c18151c90afd10187420aa97c924eade61720b1002341f188d60ccdf6f62c0c37a2f5bc647ef60ebe02fd170b484a3c2654308e2ec64a9d54cd

  • memory/1488-137-0x0000000000000000-mapping.dmp

  • memory/1488-139-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/1488-140-0x00000000056E0000-0x0000000005C84000-memory.dmp

    Filesize

    5.6MB

  • memory/1488-141-0x0000000005090000-0x00000000050F6000-memory.dmp

    Filesize

    408KB

  • memory/1488-142-0x0000000006770000-0x0000000006802000-memory.dmp

    Filesize

    584KB

  • memory/1488-143-0x0000000006740000-0x000000000674A000-memory.dmp

    Filesize

    40KB

  • memory/1488-144-0x00000000069F0000-0x0000000006A40000-memory.dmp

    Filesize

    320KB

  • memory/1488-145-0x0000000006C80000-0x0000000006E42000-memory.dmp

    Filesize

    1.8MB

  • memory/1488-146-0x0000000006B50000-0x0000000006BEC000-memory.dmp

    Filesize

    624KB

  • memory/5092-132-0x0000000000000000-mapping.dmp