Analysis
-
max time kernel
211s -
max time network
213s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
28-03-2023 06:33
Errors
General
-
Target
02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe
-
Size
541KB
-
MD5
841df4aadcf2ba0ef0a1bfe3a421c7bc
-
SHA1
5b3d870d348f52908b8871f16ad8f6edfbac08c3
-
SHA256
02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8
-
SHA512
41ac5cc1ec3599f8d2921b7e2a48636b66c661631bc5c920aff3c5e0dc7915ca79d29814d3c293e84c522417f2dd0d4171c3cf4b1b8ef537a8a6d6b07b65f531
-
SSDEEP
6144:WYa6Bv7p3QTwn5M11k+zsndP21nktxtlfzw/5kb1wmO4zhOVJeUsK73b1KYr0hgP:WYfzFQTwM16+sdenmS5kbiiUsKLb13F
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 50 IoCs
-
Suspicious use of SendNotifyMessage 50 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe"C:\Users\Admin\AppData\Local\Temp\02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kofssc.exe"C:\Users\Admin\AppData\Local\Temp\kofssc.exe" C:\Users\Admin\AppData\Local\Temp\okzwmmqrv.z2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kofssc.exe"C:\Users\Admin\AppData\Local\Temp\kofssc.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa394c855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\kofssc.exeFilesize
130KB
MD5c14478f2d0cdca05383387b081354cfc
SHA1672f1d9a6e0ae1866f4185d510c13c782a734058
SHA2562b0a6eabb4f31964cd38970d3c3851a142e9dd2d0a99ce4804c640c9b7a928ee
SHA5124443700de4b23c4a5bbd9b87c8879f6b6267fbde3fbd7832b395766dfcde263aec5898bd4a4c519771c99ac1d6ffdcd6e07489928bf8aa7eaed77c5f36060a8a
-
C:\Users\Admin\AppData\Local\Temp\kofssc.exeFilesize
130KB
MD5c14478f2d0cdca05383387b081354cfc
SHA1672f1d9a6e0ae1866f4185d510c13c782a734058
SHA2562b0a6eabb4f31964cd38970d3c3851a142e9dd2d0a99ce4804c640c9b7a928ee
SHA5124443700de4b23c4a5bbd9b87c8879f6b6267fbde3fbd7832b395766dfcde263aec5898bd4a4c519771c99ac1d6ffdcd6e07489928bf8aa7eaed77c5f36060a8a
-
C:\Users\Admin\AppData\Local\Temp\kofssc.exeFilesize
130KB
MD5c14478f2d0cdca05383387b081354cfc
SHA1672f1d9a6e0ae1866f4185d510c13c782a734058
SHA2562b0a6eabb4f31964cd38970d3c3851a142e9dd2d0a99ce4804c640c9b7a928ee
SHA5124443700de4b23c4a5bbd9b87c8879f6b6267fbde3fbd7832b395766dfcde263aec5898bd4a4c519771c99ac1d6ffdcd6e07489928bf8aa7eaed77c5f36060a8a
-
C:\Users\Admin\AppData\Local\Temp\okzwmmqrv.zFilesize
7KB
MD50736cfb1c372bc1cdecd835b36ea47b2
SHA1226a90103e5393a46c9dc618599900fae3228352
SHA256480343f765c169bb1b61700dac434324ef497ae34970c0dc4b2ab86ed3610839
SHA512edcf2e9a020c766195fef46a5ec2c18272daac1755ffefc1843af7b1529efa3ffbddae2cf76ec3f8016fc0370e7fa4bb8554d1b2fe29c78adea6783e72686662
-
C:\Users\Admin\AppData\Local\Temp\zblcf.kFilesize
263KB
MD542c612dfebd3cdb18c31b6690f432bde
SHA110f2ed2156ed0993d09488eda8dbf91cea1de909
SHA256dc47d65610d5296cc84b94d4a5372f2fca4de071ccead4312cf11899aaede691
SHA512768468b06aa70fb55821a42b1fbf6362af836c71c0908ccc51cf55828bf600c890de0803d815cd5ff270e67db6de1447d40525d33a23cd930ba60cbb4231c8c0
-
C:\Users\Admin\AppData\Roaming\xdyirnwgclhqae\njsoxhdmvr.exeFilesize
130KB
MD5c14478f2d0cdca05383387b081354cfc
SHA1672f1d9a6e0ae1866f4185d510c13c782a734058
SHA2562b0a6eabb4f31964cd38970d3c3851a142e9dd2d0a99ce4804c640c9b7a928ee
SHA5124443700de4b23c4a5bbd9b87c8879f6b6267fbde3fbd7832b395766dfcde263aec5898bd4a4c519771c99ac1d6ffdcd6e07489928bf8aa7eaed77c5f36060a8a
-
memory/3560-156-0x0000000006240000-0x000000000624A000-memory.dmpFilesize
40KB
-
memory/3560-160-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/3560-148-0x0000000004980000-0x0000000004F24000-memory.dmpFilesize
5.6MB
-
memory/3560-149-0x0000000004FB0000-0x0000000005016000-memory.dmpFilesize
408KB
-
memory/3560-150-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3560-152-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/3560-151-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/3560-153-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/3560-154-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/3560-155-0x0000000006190000-0x0000000006222000-memory.dmpFilesize
584KB
-
memory/3560-145-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3560-157-0x0000000006330000-0x0000000006380000-memory.dmpFilesize
320KB
-
memory/3560-158-0x00000000064B0000-0x0000000006672000-memory.dmpFilesize
1.8MB
-
memory/3560-146-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3560-161-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/3560-162-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/3560-163-0x0000000004940000-0x0000000004950000-memory.dmpFilesize
64KB
-
memory/3560-143-0x0000000000400000-0x0000000000441000-memory.dmpFilesize
260KB
-
memory/3648-168-0x0000014170850000-0x0000014170851000-memory.dmpFilesize
4KB
-
memory/3648-169-0x0000014170850000-0x0000014170851000-memory.dmpFilesize
4KB
-
memory/3648-173-0x0000014170850000-0x0000014170851000-memory.dmpFilesize
4KB
-
memory/3648-174-0x0000014170850000-0x0000014170851000-memory.dmpFilesize
4KB
-
memory/3648-175-0x0000014170850000-0x0000014170851000-memory.dmpFilesize
4KB
-
memory/3648-176-0x0000014170850000-0x0000014170851000-memory.dmpFilesize
4KB
-
memory/3648-177-0x0000014170850000-0x0000014170851000-memory.dmpFilesize
4KB
-
memory/3648-178-0x0000014170850000-0x0000014170851000-memory.dmpFilesize
4KB
-
memory/3648-179-0x0000014170850000-0x0000014170851000-memory.dmpFilesize
4KB
-
memory/3648-167-0x0000014170850000-0x0000014170851000-memory.dmpFilesize
4KB