Analysis

- max time kernel: 561s
- max time network: 398s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2023 06:33

Static task: static1

Behavioral task: behavioral1
- Sample: 02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: 02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe
- Resource: win10v2004-20230220-en

General

- Target: 02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe
- Size: 541KB
- MD5: 841df4aadcf2ba0ef0a1bfe3a421c7bc
- SHA1: 5b3d870d348f52908b8871f16ad8f6edfbac08c3
- SHA256: 02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8
- SHA512: 41ac5cc1ec3599f8d2921b7e2a48636b66c661631bc5c920aff3c5e0dc7915ca79d29814d3c293e84c522417f2dd0d4171c3cf4b1b8ef537a8a6d6b07b65f531
- SSDEEP: 6144:WYa6Bv7p3QTwn5M11k+zsndP21nktxtlfzw/5kb1wmO4zhOVJeUsK73b1KYr0hgP:WYfzFQTwM16+sdenmS5kbiiUsKLb13F
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    268 | kofssc.exe
    616 | kofssc.exe

- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    1948 | 02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe
    268 | kofssc.exe

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | kofssc.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | kofssc.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | kofssc.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\bwgp = "C:\\Users\\Admin\\AppData\\Roaming\\xdyirnwgclhqae\\njsoxhdmvr.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kofssc.exe\" C:\\Users\\Admin\\AppData" | kofssc.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\VvcPRR = "C:\\Users\\Admin\\AppData\\Roaming\\VvcPRR\\VvcPRR.exe" | kofssc.exe

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    3 | api.ipify.org
    4 | api.ipify.org

- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 268 set thread context of 616 | 268 | kofssc.exe | kofssc.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid | process):
    268 | kofssc.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 616 | kofssc.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 1948 wrote to memory of 268 | 1948 | 02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe | kofssc.exe (4 identical entries)
    PID 268 wrote to memory of 616 | 268 | kofssc.exe | kofssc.exe (5 identical entries)

- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | kofssc.exe

- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | kofssc.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\kofssc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kofssc.exe" C:\Users\Admin\AppData\Local\Temp\okzwmmqrv.z
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\kofssc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\kofssc.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Local\Temp\kofssc.exe
  Filesize: 130KB
  MD5: c14478f2d0cdca05383387b081354cfc
  SHA1: 672f1d9a6e0ae1866f4185d510c13c782a734058
  SHA256: 2b0a6eabb4f31964cd38970d3c3851a142e9dd2d0a99ce4804c640c9b7a928ee
  SHA512: 4443700de4b23c4a5bbd9b87c8879f6b6267fbde3fbd7832b395766dfcde263aec5898bd4a4c519771c99ac1d6ffdcd6e07489928bf8aa7eaed77c5f36060a8a
- C:\Users\Admin\AppData\Local\Temp\okzwmmqrv.z
  Filesize: 7KB
  MD5: 0736cfb1c372bc1cdecd835b36ea47b2
  SHA1: 226a90103e5393a46c9dc618599900fae3228352
  SHA256: 480343f765c169bb1b61700dac434324ef497ae34970c0dc4b2ab86ed3610839
  SHA512: edcf2e9a020c766195fef46a5ec2c18272daac1755ffefc1843af7b1529efa3ffbddae2cf76ec3f8016fc0370e7fa4bb8554d1b2fe29c78adea6783e72686662

- C:\Users\Admin\AppData\Local\Temp\zblcf.k
  Filesize: 263KB
  MD5: 42c612dfebd3cdb18c31b6690f432bde
  SHA1: 10f2ed2156ed0993d09488eda8dbf91cea1de909
  SHA256: dc47d65610d5296cc84b94d4a5372f2fca4de071ccead4312cf11899aaede691
  SHA512: 768468b06aa70fb55821a42b1fbf6362af836c71c0908ccc51cf55828bf600c890de0803d815cd5ff270e67db6de1447d40525d33a23cd930ba60cbb4231c8c0
- \Users\Admin\AppData\Local\Temp\kofssc.exe
  Filesize: 130KB
  MD5: c14478f2d0cdca05383387b081354cfc
  SHA1: 672f1d9a6e0ae1866f4185d510c13c782a734058
  SHA256: 2b0a6eabb4f31964cd38970d3c3851a142e9dd2d0a99ce4804c640c9b7a928ee
  SHA512: 4443700de4b23c4a5bbd9b87c8879f6b6267fbde3fbd7832b395766dfcde263aec5898bd4a4c519771c99ac1d6ffdcd6e07489928bf8aa7eaed77c5f36060a8a
- memory/616-67-0x0000000000400000-0x0000000000441000-memory.dmp
  Filesize: 260KB

- memory/616-71-0x0000000000400000-0x0000000000441000-memory.dmp
  Filesize: 260KB

- memory/616-72-0x0000000000400000-0x0000000000441000-memory.dmp
  Filesize: 260KB

- memory/616-73-0x0000000000760000-0x0000000000790000-memory.dmp
  Filesize: 192KB

- memory/616-75-0x0000000004640000-0x0000000004680000-memory.dmp
  Filesize: 256KB

- memory/616-76-0x0000000004640000-0x0000000004680000-memory.dmp
  Filesize: 256KB

- memory/616-74-0x0000000004640000-0x0000000004680000-memory.dmp
  Filesize: 256KB

- memory/616-95-0x0000000004640000-0x0000000004680000-memory.dmp
  Filesize: 256KB