Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2023 01:52
Static task: static1
Behavioral task: behavioral1
  Sample: PO 5326976.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: PO 5326976.exe
  Resource: win10v2004-20230220-en
General
- Target: PO 5326976.exe
- Size: 320KB
- MD5: 3e156414a3514dc7228eb4ff71f0c730
- SHA1: 8f5929d4b6dac662c5044b9ae372bd1e3b13fd1d
- SHA256: af9516862a7fd0fc54b7979064e75a5a8d1aa908ece62eec5900581ca90bd339
- SHA512: 7eedb72e9a90840de075028904b250852f33e13388cb97e283dbe8ae6f69d01db1fc9526a46c67f2610263a88ebd1f89b3d6cef86902419d8ff8913df8ce39f0
- SSDEEP: 6144:/Ya6dCELRWDCnUWTrucf1Kwkb3v04WSIEwi8tgFC:/Y/CAB3FFkb37WSAjes
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 412: fwilxo.exe
    pid 4568: fwilxo.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (registry keys opened by fwilxo.exe):
    \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 412 (fwilxo.exe) set thread context of PID 4568 (fwilxo.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid 412: fwilxo.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    pid 4568 (fwilxo.exe): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    PID 5076 (PO 5326976.exe) wrote to memory of PID 412 (fwilxo.exe)
    PID 5076 (PO 5326976.exe) wrote to memory of PID 412 (fwilxo.exe)
    PID 5076 (PO 5326976.exe) wrote to memory of PID 412 (fwilxo.exe)
    PID 412 (fwilxo.exe) wrote to memory of PID 4568 (fwilxo.exe)
    PID 412 (fwilxo.exe) wrote to memory of PID 4568 (fwilxo.exe)
    PID 412 (fwilxo.exe) wrote to memory of PID 4568 (fwilxo.exe)
    PID 412 (fwilxo.exe) wrote to memory of PID 4568 (fwilxo.exe)
- outlook_office_path (1 IoCs)
  Processes (registry key opened by fwilxo.exe):
    \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoCs)
  Processes (registry key opened by fwilxo.exe):
    \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\PO 5326976.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO 5326976.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\fwilxo.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fwilxo.exe" C:\Users\Admin\AppData\Local\Temp\brmoge.cp
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\fwilxo.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fwilxo.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\brmoge.cp
  Filesize: 5KB
  MD5: 56b427842ea05c9bc80931c2c59d2e2a
  SHA1: 08903f5f89c411e68e308a256e216ab825482ebe
  SHA256: 4bb24da31e192daefe242e75a44e2d27301f1f54e4082fdebfcd9b6ba3bec078
  SHA512: 5ee654413b77f1f750f7836d576506cf1144a39020b30b15162d2be58a2dc6bcba3753cd8eb6a5e164c539f20407b6d90f7edc419aca197ffb0370beffcb6520
- C:\Users\Admin\AppData\Local\Temp\fwilxo.exe
  Filesize: 138KB
  MD5: b75e2f82e6dc7ab9a3189f4c3bf530dd
  SHA1: d5246fb14139a7775e2cba16913dc87ae13f0017
  SHA256: db27e48dbd9880d2ce0ceb5473145faf608640b41bb1e457335d838271745ce9
  SHA512: 156cc67d1abed85d4a4a22affd9f6dd8d4a15a765eef4c27bd9e0f3e2dd96a4a24a13dc752b22239d3208ecdf67c66a5c98be51245f1ff12d45df61f4a35e1f9
- C:\Users\Admin\AppData\Local\Temp\xqdah.nfb
  Filesize: 262KB
  MD5: 3f7f9e53341a865fda910b162997c814
  SHA1: 2a14d2ce5bdb32367fa5775fbf9e48912f463d0b
  SHA256: 501b8ebddaa29b6c2c012a9bb1f4a3038a56fc8cedb71f05f4d8cc7ccbc6785c
  SHA512: 903906ba3abf80e2da0b88100149a4616dde7ab5bdaaa82bbca8a318da878495b69aa854367c9f08a32af43f8b9ab6b8d8a3fdaf7882709d3f9c55dc0938dee5
- memory/4568-149-0x0000000002220000-0x0000000002230000-memory.dmp (Filesize: 64KB)
- memory/4568-152-0x0000000002220000-0x0000000002230000-memory.dmp (Filesize: 64KB)
- memory/4568-144-0x0000000000400000-0x0000000000441000-memory.dmp (Filesize: 260KB)
- memory/4568-146-0x00000000049A0000-0x0000000004F44000-memory.dmp (Filesize: 5.6MB)
- memory/4568-147-0x0000000000400000-0x0000000000441000-memory.dmp (Filesize: 260KB)
- memory/4568-141-0x0000000000400000-0x0000000000441000-memory.dmp (Filesize: 260KB)
- memory/4568-148-0x0000000002220000-0x0000000002230000-memory.dmp (Filesize: 64KB)
- memory/4568-150-0x0000000002220000-0x0000000002230000-memory.dmp (Filesize: 64KB)
- memory/4568-151-0x0000000004FA0000-0x0000000005006000-memory.dmp (Filesize: 408KB)
- memory/4568-143-0x0000000000400000-0x0000000000441000-memory.dmp (Filesize: 260KB)
- memory/4568-153-0x0000000005880000-0x0000000005912000-memory.dmp (Filesize: 584KB)
- memory/4568-154-0x0000000005AB0000-0x0000000005ABA000-memory.dmp (Filesize: 40KB)
- memory/4568-155-0x0000000005B00000-0x0000000005B50000-memory.dmp (Filesize: 320KB)
- memory/4568-156-0x0000000005B50000-0x0000000005D12000-memory.dmp (Filesize: 1.8MB)
- memory/4568-158-0x0000000002220000-0x0000000002230000-memory.dmp (Filesize: 64KB)
- memory/4568-159-0x0000000002220000-0x0000000002230000-memory.dmp (Filesize: 64KB)
- memory/4568-160-0x0000000002220000-0x0000000002230000-memory.dmp (Filesize: 64KB)
- memory/4568-161-0x0000000002220000-0x0000000002230000-memory.dmp (Filesize: 64KB)