Overview

overview

10

Static

static

1

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2023 05:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    851KB

  • MD5

    7ff571e8d43bdefd4fb9ca3177dfbc7e

  • SHA1

    1cee0c951d9b2841bf6ab2b86abd3cd6d1a4210f

  • SHA256

    d9136458c333f03b11beaaec3388aa1bd3afad5b5f6920fa992b8e5c05b8c62b

  • SHA512

    6a1295835c574970eb5c7ef23f1b179216436c03dd5482ec84e9d58674dfe22c2f558514b5ad3e08cf7cb737b730a8d8ad1f125cf73b316a5049ebcae28b4157

  • SSDEEP

    12288:CZUpZwdqiKnLWeFXwg71cAwV6rmo6f4oKcBsInfwDUXgZtEjHD/d92JTDAd:hpZG4XX33mo6fZKcBdNimnd92JTE

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1611551445:AAFDJ3yQMlB3zXJGib2_TFkq1jedBMj3GTw/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dyfYBBF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5100
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dyfYBBF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE96.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2196
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
        PID:1232
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        2⤵
          PID:4548
        • C:\Users\Admin\AppData\Local\Temp\tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
          2⤵
          • Drops file in Drivers directory
          • Accesses Microsoft Outlook profiles
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:4892
        • C:\Users\Admin\AppData\Local\Temp\tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
          2⤵
            PID:1436

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Registry Run Keys / Startup Folder

        1
        T1060

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Credentials in Files

        3
        T1081

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Data from Local System

        3
        T1005

        Email Collection

        1
        T1114

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp.exe.log
          Filesize

          1KB

          MD5

          8ec831f3e3a3f77e4a7b9cd32b48384c

          SHA1

          d83f09fd87c5bd86e045873c231c14836e76a05c

          SHA256

          7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

          SHA512

          26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hsvepdnk.ubg.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmpE96.tmp
          Filesize

          1KB

          MD5

          f3d1863f70fc2ec2701587b607dc131e

          SHA1

          4aea998fc51e9e9ace948032a45957f8f6a1f78a

          SHA256

          84da7171a9a3490589ddd942f1e06889d2171761e9dd12ddbc2181cfc29e9b5f

          SHA512

          8df99850d3102618fc28e9b3a8dc71c90e40e1a3070f58ec191889bbe2a732612f4b67f51cacb28eb946cd4c23c99d34514fbe685b6495b357273fc5f822a9d9

          Download Submit
        • memory/4604-134-0x0000000005C00000-0x00000000061A4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/4604-135-0x0000000005650000-0x00000000056E2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/4604-136-0x00000000058B0000-0x00000000058C0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4604-137-0x00000000058A0000-0x00000000058AA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/4604-138-0x00000000058B0000-0x00000000058C0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4604-139-0x00000000077E0000-0x000000000787C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/4604-133-0x0000000000BC0000-0x0000000000C9C000-memory.dmp
          Filesize

          880KB

          Download
        • memory/4892-162-0x0000000005120000-0x0000000005130000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4892-147-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/4892-191-0x0000000006670000-0x00000000066C0000-memory.dmp
          Filesize

          320KB

          Download
        • memory/4892-188-0x0000000005120000-0x0000000005130000-memory.dmp
          Filesize

          64KB

          Download
        • memory/5100-176-0x0000000006E00000-0x0000000006E1E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/5100-178-0x000000007F5F0000-0x000000007F600000-memory.dmp
          Filesize

          64KB

          Download
        • memory/5100-144-0x0000000002F50000-0x0000000002F86000-memory.dmp
          Filesize

          216KB

          Download
        • memory/5100-163-0x0000000005570000-0x0000000005580000-memory.dmp
          Filesize

          64KB

          Download
        • memory/5100-164-0x0000000006840000-0x000000000685E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/5100-165-0x0000000006E20000-0x0000000006E52000-memory.dmp
          Filesize

          200KB

          Download
        • memory/5100-166-0x0000000071750000-0x000000007179C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/5100-146-0x0000000005BB0000-0x00000000061D8000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/5100-177-0x0000000005570000-0x0000000005580000-memory.dmp
          Filesize

          64KB

          Download
        • memory/5100-157-0x00000000061E0000-0x0000000006246000-memory.dmp
          Filesize

          408KB

          Download
        • memory/5100-179-0x00000000081A0000-0x000000000881A000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/5100-180-0x0000000007B60000-0x0000000007B7A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/5100-181-0x0000000007BD0000-0x0000000007BDA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/5100-182-0x0000000007DE0000-0x0000000007E76000-memory.dmp
          Filesize

          600KB

          Download
        • memory/5100-183-0x0000000007D90000-0x0000000007D9E000-memory.dmp
          Filesize

          56KB

          Download
        • memory/5100-184-0x0000000007EA0000-0x0000000007EBA000-memory.dmp
          Filesize

          104KB

          Download
        • memory/5100-185-0x0000000007E80000-0x0000000007E88000-memory.dmp
          Filesize

          32KB

          Download
        • memory/5100-151-0x0000000005B40000-0x0000000005BA6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/5100-150-0x00000000058A0000-0x00000000058C2000-memory.dmp
          Filesize

          136KB

          Download