Analysis

max time kernel: 211s
max time network: 213s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2023 06:33

Static task: static1
Behavioral task: behavioral1
  Sample: 02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe
  Resource: win10v2004-20230220-en

The results on this page are from the win10v2004-20230220-en run (behavioral2).
Errors
(none listed)

General
Target: 02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe
Size: 541KB
MD5: 841df4aadcf2ba0ef0a1bfe3a421c7bc
SHA1: 5b3d870d348f52908b8871f16ad8f6edfbac08c3
SHA256: 02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8
SHA512: 41ac5cc1ec3599f8d2921b7e2a48636b66c661631bc5c920aff3c5e0dc7915ca79d29814d3c293e84c522417f2dd0d4171c3cf4b1b8ef537a8a6d6b07b65f531
SSDEEP: 6144:WYa6Bv7p3QTwn5M11k+zsndP21nktxtlfzw/5kb1wmO4zhOVJeUsK73b1KYr0hgP:WYfzFQTwM16+sdenmS5kbiiUsKLb13F
Malware Config
(none shown on this page)

Signatures

- AgentTesla
  Agent Tesla is an information stealer and remote access tool (RAT) written in .NET (VB.NET/C# builds are both common). The file, registry and network signatures below are its credential-harvesting footprint rather than anything specific to this build.

- Executes dropped EXE (2 IoCs)
  Processes:
  - kofssc.exe (PID 4456)
  - kofssc.exe (PID 3560)

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (all kofssc.exe):
  - Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  These are the Windows Messaging Subsystem profile store and the Office 15.0/16.0 Outlook profile stores; reading them is how the stealer locates stored mail account configuration, including saved passwords.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (kofssc.exe, two instances):
  - Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bwgp = "C:\\Users\\Admin\\AppData\\Roaming\\xdyirnwgclhqae\\njsoxhdmvr.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kofssc.exe\" C:\\Users\\Admin\\AppData"
  - Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VvcPRR = "C:\\Users\\Admin\\AppData\\Roaming\\VvcPRR\\VvcPRR.exe"
  The bwgp entry relaunches njsoxhdmvr.exe, which the Downloads section shows is a byte-identical copy of kofssc.exe (same MD5/SHA256), passing the original dropper path as an argument. Both entries point into the user-writable AppData\Roaming tree. VvcPRR.exe does not appear among the dropped files listed under Downloads on this page.
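The Outlook-profile and Run-key signatures above are the kind of registry IoCs an analyst wants to turn into checks rather than read by eye. The following Python script is an added example, not part of the sandbox report or of any vendor tooling: it parses the report's own registry IoC lines (copied inline as constructed sample input), resolves the escaped REG_SZ data, and applies two rules, one flagging Run values whose launched executable lives under a user-writable directory (AppData, Temp, ProgramData, an assumed heuristic) and one flagging reads of Outlook profile stores.

```python
"""Turn registry IoC lines into persistence / credential-access findings (added example)."""
import re
from dataclasses import dataclass

# Constructed input: the five registry IoC lines the report attributes to kofssc.exe, kept in
# the sandbox's "<operation> <key path> [= "<data>"] <process>" layout. Raw string, so the
# report's escaping of the REG_SZ data (backslash-backslash, backslash-quote) stays as written.
REGISTRY_IOCS = r'''
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kofssc.exe
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kofssc.exe
Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 kofssc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bwgp = "C:\\Users\\Admin\\AppData\\Roaming\\xdyirnwgclhqae\\njsoxhdmvr.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kofssc.exe\" C:\\Users\\Admin\\AppData" kofssc.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VvcPRR = "C:\\Users\\Admin\\AppData\\Roaming\\VvcPRR\\VvcPRR.exe" kofssc.exe
'''

KEY_OPENED = re.compile(r"^Key opened (.+) (\S+)$")
SET_VALUE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
MAIL_PROFILE = re.compile(r"\\(?:Outlook\\Profiles|Windows Messaging Subsystem\\Profiles)\\", re.I)
# Assumed heuristic: launch targets under these user-writable trees are worth flagging.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData)\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str      # "persistence" or "credential-access"
    process: str   # process that performed the registry operation
    key: str       # Run value name, or the profile key path that was opened
    target: str    # executable the Run value launches ("" for credential-access)


def unescape(data: str) -> str:
    """Undo the report's escaping of the REG_SZ data: a backslash followed by any character becomes that character."""
    return re.sub(r"\\(.)", r"\1", data)


def first_executable(cmdline: str) -> str:
    """Image path a Run value launches: the quoted token, else the first whitespace-delimited one."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0]


def parse(text: str) -> list:
    """Each IoC line as a dict with op, path, data and process."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if m := SET_VALUE.match(line):
            records.append({"op": "set", "path": m[2], "data": unescape(m[3]), "process": m[4]})
        elif m := KEY_OPENED.match(line):
            records.append({"op": "open", "path": m[1], "data": "", "process": m[2]})
    return records


def triage(text: str) -> list:
    """Apply the two rules and return Finding records in report order."""
    findings = []
    for r in parse(text):
        if r["op"] == "set" and (m := RUN_VALUE.search(r["path"])):
            exe = first_executable(r["data"])
            if USER_WRITABLE.search(exe):
                findings.append(Finding("persistence", r["process"], m[1], exe))
        elif r["op"] == "open" and MAIL_PROFILE.search(r["path"]):
            findings.append(Finding("credential-access", r["process"], r["path"], ""))
    return findings


if __name__ == "__main__":
    for f in triage(REGISTRY_IOCS):
        print(f.rule, f.process, f.key, f.target)
```

Run against the five lines it yields two persistence findings (bwgp launching njsoxhdmvr.exe, VvcPRR launching VvcPRR.exe, both under AppData\Roaming) and three credential-access findings, all from kofssc.exe. The unescape step matters: the report displays the value with doubled backslashes and escaped inner quotes, and matching the path heuristics against the raw display string would miss the nested quoted kofssc.exe argument.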
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows: 20 api.ipify.org, 21 api.ipify.org

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 4456 (kofssc.exe) set thread context of PID 3560 (kofssc.exe)

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this "likely ransomware behaviour"; the signature carries no IoCs in this report, and for an Agent Tesla sample it is better read as generic drive enumeration than as encryption activity.

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (all taskmgr.exe):
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  - Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
  These reads come from taskmgr.exe, which appears as a separate top-level process in the tree below rather than as a descendant of the sample, so they are not evidence of sandbox evasion by the sample.

- Modifies data under HKEY_USERS (15 IoCs)
  Processes (all LogonUI.exe):
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "173"
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
  All fifteen writes are Explorer accent and DWM colorization values under HKU\.DEFAULT made by LogonUI.exe; this is lock-screen theming, not sample activity.

- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes: taskmgr.exe (PID 3648), 25 occurrences

- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: kofssc.exe (PID 4456)

- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 3560 kofssc.exe
  - Token: SeDebugPrivilege, PID 3648 taskmgr.exe
  - Token: SeSystemProfilePrivilege, PID 3648 taskmgr.exe
  - Token: SeCreateGlobalPrivilege, PID 3648 taskmgr.exe
  - Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege), PID 3648 taskmgr.exe
  - Token: SeIncBasePriorityPrivilege, PID 3648 taskmgr.exe
  Only the SeDebugPrivilege request by PID 3560 belongs to the sample; the other five are the privileges Task Manager normally enables for itself.

- Suspicious use of FindShellTrayWindow (50 IoCs)
  Processes: taskmgr.exe (PID 3648), 50 occurrences

- Suspicious use of SendNotifyMessage (50 IoCs)
  Processes: taskmgr.exe (PID 3648), 50 occurrences

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: LogonUI.exe (PID 2552)

- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  - PID 2796 (02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe) wrote to memory of PID 4456 (kofssc.exe), 3 times
  - PID 4456 (kofssc.exe) wrote to memory of PID 3560 (kofssc.exe), 4 times
  Read together with the SetThreadContext and MapViewOfSection hits above, the 4456 -> 3560 writes form the process-hollowing chain: kofssc.exe spawns a second copy of itself, writes into it and redirects its thread. That is why the Outlook profile access, the SeDebugPrivilege request and the memory dumps at the end of the page are attributed to PID 3560 rather than to 4456.
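The SetThreadContext, MapViewOfSection and WriteProcessMemory signatures above only become meaningful when correlated per process pair. This Python script is an added example, not sandbox code: it groups the report's API IoC lines (copied inline as constructed input) by source and target PID and separates the dropper's writes into its freshly created child, which carry no thread-context change and are consistent with ordinary process start-up, from the kofssc.exe -> kofssc.exe pair where writes, a SetThreadContext call and a section mapping coincide on a same-image child. The verdict labels and the threshold (any writes plus SetThreadContext) are the example's own heuristic.

```python
"""Correlate sandbox API IoC lines into per-process-pair injection verdicts (added example)."""
import re
from dataclasses import dataclass

# Constructed input: the seven WriteProcessMemory lines and the one SetThreadContext line from
# the report, in the sandbox's "PID <src> <action> <dst> <src> <src image> <dst image>" layout.
API_EVENTS = """
PID 2796 wrote to memory of 4456 2796 02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe kofssc.exe
PID 2796 wrote to memory of 4456 2796 02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe kofssc.exe
PID 2796 wrote to memory of 4456 2796 02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe kofssc.exe
PID 4456 wrote to memory of 3560 4456 kofssc.exe kofssc.exe
PID 4456 wrote to memory of 3560 4456 kofssc.exe kofssc.exe
PID 4456 wrote to memory of 3560 4456 kofssc.exe kofssc.exe
PID 4456 wrote to memory of 3560 4456 kofssc.exe kofssc.exe
PID 4456 set thread context of 3560 4456 kofssc.exe kofssc.exe
"""
# PIDs the report flags under "Suspicious behavior: MapViewOfSection" (constructed from the page).
MAPVIEW_PIDS = {4456}

EVENT = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$")


@dataclass
class PairActivity:
    src: int
    dst: int
    src_image: str
    dst_image: str
    writes: int = 0            # WriteProcessMemory calls src -> dst
    set_context: bool = False  # SetThreadContext src -> dst seen
    map_view: bool = False     # src also flagged for MapViewOfSection

    def verdict(self) -> str:
        """Heuristic label for the pair; thresholds are this example's own."""
        if self.set_context and self.writes:
            if self.src_image.lower() == self.dst_image.lower():
                # A process spawned a copy of its own image, wrote into it and redirected
                # its thread: the process-hollowing / self-injection pattern.
                return "hollowing"
            return "injection"
        if self.writes:
            # Writes alone also occur when a parent sets up a freshly created child's
            # process parameters, so on their own they are weak evidence.
            return "child-setup"
        return "none"


def correlate(text: str, mapview_pids=frozenset()) -> dict:
    """Group API events by (src, dst) and return PairActivity records keyed by that pair."""
    pairs = {}
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        src, action, dst, src_image, dst_image = int(m[1]), m[2], int(m[3]), m[4], m[5]
        pair = pairs.setdefault((src, dst), PairActivity(src, dst, src_image, dst_image))
        if action == "wrote to memory of":
            pair.writes += 1
        else:
            pair.set_context = True
        pair.map_view = src in mapview_pids
    return pairs


def report(text: str, mapview_pids=frozenset()) -> list:
    """One (src, dst, verdict) tuple per pair, most suspicious first."""
    order = {"hollowing": 0, "injection": 1, "child-setup": 2, "none": 3}
    rows = [(p.src, p.dst, p.verdict()) for p in correlate(text, mapview_pids).values()]
    return sorted(rows, key=lambda r: order[r[2]])


if __name__ == "__main__":
    for src, dst, verdict in report(API_EVENTS, MAPVIEW_PIDS):
        print(f"{src} -> {dst}: {verdict}")
```

On this report the 2796 -> 4456 pair scores "child-setup" (three writes, no SetThreadContext) and the 4456 -> 3560 pair scores "hollowing" (four writes, SetThreadContext, and the source also flagged for MapViewOfSection). The same-image check is what distinguishes self-hollowing from injection into an unrelated process; for a real pipeline the image comparison should use full paths, which the sandbox's IoC lines do not carry.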
- outlook_office_path (1 IoC)
  Processes: kofssc.exe
  - Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

- outlook_win_path (1 IoC)
  Processes: kofssc.exe
  - Key opened \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes

Depth in the tree is shown by indentation; PIDs are taken from the signature IoCs above where the page provides them.

- C:\Users\Admin\AppData\Local\Temp\02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe (PID 2796)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02d64b9cbd5268cec49399d35962acaac4e4548b96b0775b315811bc0c23c7e8.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\kofssc.exe (PID 4456)
    Command line: "C:\Users\Admin\AppData\Local\Temp\kofssc.exe" C:\Users\Admin\AppData\Local\Temp\okzwmmqrv.z
    (the argument is one of the dropped files listed under Downloads, okzwmmqrv.z, 7KB)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\kofssc.exe (PID 3560)
      Command line: "C:\Users\Admin\AppData\Local\Temp\kofssc.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

- C:\Windows\system32\taskmgr.exe (PID 3648)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  (no signatures)

- C:\Windows\system32\LogonUI.exe (PID 2552)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa394c855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

taskmgr.exe, rundll32.exe and LogonUI.exe are top-level entries, not descendants of the sample; the signatures they trigger are desktop and sandbox activity and should not be counted against the sample.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\kofssc.exe (listed three times on the original page with identical hashes)
  Filesize: 130KB
  MD5: c14478f2d0cdca05383387b081354cfc
  SHA1: 672f1d9a6e0ae1866f4185d510c13c782a734058
  SHA256: 2b0a6eabb4f31964cd38970d3c3851a142e9dd2d0a99ce4804c640c9b7a928ee
  SHA512: 4443700de4b23c4a5bbd9b87c8879f6b6267fbde3fbd7832b395766dfcde263aec5898bd4a4c519771c99ac1d6ffdcd6e07489928bf8aa7eaed77c5f36060a8a

- C:\Users\Admin\AppData\Local\Temp\okzwmmqrv.z
  Filesize: 7KB
  MD5: 0736cfb1c372bc1cdecd835b36ea47b2
  SHA1: 226a90103e5393a46c9dc618599900fae3228352
  SHA256: 480343f765c169bb1b61700dac434324ef497ae34970c0dc4b2ab86ed3610839
  SHA512: edcf2e9a020c766195fef46a5ec2c18272daac1755ffefc1843af7b1529efa3ffbddae2cf76ec3f8016fc0370e7fa4bb8554d1b2fe29c78adea6783e72686662

- C:\Users\Admin\AppData\Local\Temp\zblcf.k
  Filesize: 263KB
  MD5: 42c612dfebd3cdb18c31b6690f432bde
  SHA1: 10f2ed2156ed0993d09488eda8dbf91cea1de909
  SHA256: dc47d65610d5296cc84b94d4a5372f2fca4de071ccead4312cf11899aaede691
  SHA512: 768468b06aa70fb55821a42b1fbf6362af836c71c0908ccc51cf55828bf600c890de0803d815cd5ff270e67db6de1447d40525d33a23cd930ba60cbb4231c8c0

- C:\Users\Admin\AppData\Roaming\xdyirnwgclhqae\njsoxhdmvr.exe
  Filesize: 130KB
  MD5: c14478f2d0cdca05383387b081354cfc
  SHA1: 672f1d9a6e0ae1866f4185d510c13c782a734058
  SHA256: 2b0a6eabb4f31964cd38970d3c3851a142e9dd2d0a99ce4804c640c9b7a928ee
  SHA512: 4443700de4b23c4a5bbd9b87c8879f6b6267fbde3fbd7832b395766dfcde263aec5898bd4a4c519771c99ac1d6ffdcd6e07489928bf8aa7eaed77c5f36060a8a
  Same hashes as kofssc.exe: this is the persisted copy referenced by the bwgp Run value.
Memory dumps

Dump names on the original page follow memory/<pid>-<index>-<start>-<end>-memory.dmp; the columns below are index, region and size.

PID 3560 (kofssc.exe, hollowed child):
- 143  0x0000000000400000-0x0000000000441000  260KB
- 145  0x0000000000400000-0x0000000000441000  260KB
- 146  0x0000000000400000-0x0000000000441000  260KB
- 148  0x0000000004980000-0x0000000004F24000  5.6MB
- 149  0x0000000004FB0000-0x0000000005016000  408KB
- 150  0x0000000000400000-0x0000000000441000  260KB
- 151  0x0000000004940000-0x0000000004950000  64KB
- 152  0x0000000004940000-0x0000000004950000  64KB
- 153  0x0000000004940000-0x0000000004950000  64KB
- 154  0x0000000004940000-0x0000000004950000  64KB
- 155  0x0000000006190000-0x0000000006222000  584KB
- 156  0x0000000006240000-0x000000000624A000  40KB
- 157  0x0000000006330000-0x0000000006380000  320KB
- 158  0x00000000064B0000-0x0000000006672000  1.8MB
- 160  0x0000000004940000-0x0000000004950000  64KB
- 161  0x0000000004940000-0x0000000004950000  64KB
- 162  0x0000000004940000-0x0000000004950000  64KB
- 163  0x0000000004940000-0x0000000004950000  64KB

PID 3648 (taskmgr.exe):
- 167, 168, 169, 173, 174, 175, 176, 177, 178, 179  0x0000014170850000-0x0000014170851000  4KB (ten snapshots of the same page)

0x00400000 is the conventional default image base of a 32-bit PE, so the four 260KB dumps of 0x00400000-0x00441000 in PID 3560 are snapshots of the main module mapped into the hollowed child, which is where the unpacked payload would be expected; they are the first dumps to pull for static analysis. The taskmgr.exe dumps belong to a process outside the sample's tree and can be ignored.