Analysis
-
max time kernel
62s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
29-03-2023 02:46
Static task
static1
Behavioral task
behavioral1
Sample
p004575839574947.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
p004575839574947.exe
Resource
win10v2004-20230220-en
General
-
Target
p004575839574947.exe
-
Size
1.1MB
-
MD5
f90d87222db82285ce87a988b372524a
-
SHA1
b4a571be12134d9ff6c91fc8fc46b8f53ba3d176
-
SHA256
53873190e732fcbe931729aadb3d4f878d74bd17dc64c282b4efa1f87d021b43
-
SHA512
299c35d9c16ce2479b104787d04f50f644db735f540a148d07cef32a78f01343d15b9c7610ebd88482eec76e600c80f4b33152228d4af69cf43c29aa72a4e116
-
SSDEEP
12288:00ZeZOUnaKuQdJFUbDLYqid+3eo9geDCknIfblyi7uDvOI8fpXVNLhc5LiJMUZCp:9KgoYi3ImgiSs/1cNQz9oG
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.focuzpartsmart.com - Port:
587 - Username:
johnsonpc@focuzpartsmart.com - Password:
FpmJhn@2023 - Email To:
jinhux31@gmail.com
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
AddInProcess32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
p004575839574947.exedescription pid process target process PID 4632 set thread context of 1480 4632 p004575839574947.exe AddInProcess32.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
Processes:
p004575839574947.exepid process 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe 4632 p004575839574947.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
p004575839574947.exeAddInProcess32.exedescription pid process Token: SeDebugPrivilege 4632 p004575839574947.exe Token: SeDebugPrivilege 1480 AddInProcess32.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
p004575839574947.exedescription pid process target process PID 4632 wrote to memory of 2788 4632 p004575839574947.exe Microsoft.Workflow.Compiler.exe PID 4632 wrote to memory of 2788 4632 p004575839574947.exe Microsoft.Workflow.Compiler.exe PID 4632 wrote to memory of 4044 4632 p004575839574947.exe mscorsvw.exe PID 4632 wrote to memory of 4044 4632 p004575839574947.exe mscorsvw.exe PID 4632 wrote to memory of 4928 4632 p004575839574947.exe AppLaunch.exe PID 4632 wrote to memory of 4928 4632 p004575839574947.exe AppLaunch.exe PID 4632 wrote to memory of 4800 4632 p004575839574947.exe ServiceModelReg.exe PID 4632 wrote to memory of 4800 4632 p004575839574947.exe ServiceModelReg.exe PID 4632 wrote to memory of 4912 4632 p004575839574947.exe aspnet_regsql.exe PID 4632 wrote to memory of 4912 4632 p004575839574947.exe aspnet_regsql.exe PID 4632 wrote to memory of 4420 4632 p004575839574947.exe WsatConfig.exe PID 4632 wrote to memory of 4420 4632 p004575839574947.exe WsatConfig.exe PID 4632 wrote to memory of 1312 4632 p004575839574947.exe aspnet_compiler.exe PID 4632 wrote to memory of 1312 4632 p004575839574947.exe aspnet_compiler.exe PID 4632 wrote to memory of 4440 4632 p004575839574947.exe ilasm.exe PID 4632 wrote to memory of 4440 4632 p004575839574947.exe ilasm.exe PID 4632 wrote to memory of 3768 4632 p004575839574947.exe aspnet_regiis.exe PID 4632 wrote to memory of 3768 4632 p004575839574947.exe aspnet_regiis.exe PID 4632 wrote to memory of 1684 4632 p004575839574947.exe vbc.exe PID 4632 wrote to memory of 1684 4632 p004575839574947.exe vbc.exe PID 4632 wrote to memory of 1028 4632 p004575839574947.exe ngentask.exe PID 4632 wrote to memory of 1028 4632 p004575839574947.exe ngentask.exe PID 4632 wrote to memory of 3576 4632 p004575839574947.exe InstallUtil.exe PID 4632 wrote to memory of 3576 4632 p004575839574947.exe InstallUtil.exe PID 4632 wrote to memory of 2308 4632 p004575839574947.exe aspnet_state.exe PID 4632 wrote to memory of 2308 4632 p004575839574947.exe aspnet_state.exe PID 4632 wrote to memory of 4456 4632 p004575839574947.exe aspnet_regbrowsers.exe PID 4632 wrote to memory of 4456 4632 p004575839574947.exe aspnet_regbrowsers.exe PID 4632 wrote to memory of 1480 4632 p004575839574947.exe AddInProcess32.exe PID 4632 wrote to memory of 1480 4632 p004575839574947.exe AddInProcess32.exe PID 4632 wrote to memory of 1480 4632 p004575839574947.exe AddInProcess32.exe PID 4632 wrote to memory of 1480 4632 p004575839574947.exe AddInProcess32.exe PID 4632 wrote to memory of 1480 4632 p004575839574947.exe AddInProcess32.exe PID 4632 wrote to memory of 1480 4632 p004575839574947.exe AddInProcess32.exe PID 4632 wrote to memory of 1480 4632 p004575839574947.exe AddInProcess32.exe PID 4632 wrote to memory of 1480 4632 p004575839574947.exe AddInProcess32.exe -
outlook_office_path 1 IoCs
Processes:
AddInProcess32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe -
outlook_win_path 1 IoCs
Processes:
AddInProcess32.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AddInProcess32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\p004575839574947.exe"C:\Users\Admin\AppData\Local\Temp\p004575839574947.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1480-135-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1480-137-0x0000000005970000-0x0000000005F14000-memory.dmpFilesize
5.6MB
-
memory/1480-138-0x0000000005310000-0x0000000005320000-memory.dmpFilesize
64KB
-
memory/1480-139-0x0000000005320000-0x0000000005386000-memory.dmpFilesize
408KB
-
memory/1480-140-0x0000000006440000-0x00000000064D2000-memory.dmpFilesize
584KB
-
memory/1480-141-0x0000000006420000-0x000000000642A000-memory.dmpFilesize
40KB
-
memory/1480-142-0x0000000006640000-0x0000000006690000-memory.dmpFilesize
320KB
-
memory/1480-143-0x0000000006860000-0x0000000006A22000-memory.dmpFilesize
1.8MB
-
memory/1480-144-0x0000000005310000-0x0000000005320000-memory.dmpFilesize
64KB
-
memory/4632-133-0x0000018C913A0000-0x0000018C914C6000-memory.dmpFilesize
1.1MB
-
memory/4632-134-0x0000018C930A0000-0x0000018C930B0000-memory.dmpFilesize
64KB