Analysis
- max time kernel: 86s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-03-2023 05:26
Static task: static1
Behavioral task: behavioral1
- Sample: p004575839574947.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: p004575839574947.exe
- Resource: win10v2004-20230220-en
General
- Target: p004575839574947.exe
- Size: 1.1MB
- MD5: f90d87222db82285ce87a988b372524a
- SHA1: b4a571be12134d9ff6c91fc8fc46b8f53ba3d176
- SHA256: 53873190e732fcbe931729aadb3d4f878d74bd17dc64c282b4efa1f87d021b43
- SHA512: 299c35d9c16ce2479b104787d04f50f644db735f540a148d07cef32a78f01343d15b9c7610ebd88482eec76e600c80f4b33152228d4af69cf43c29aa72a4e116
- SSDEEP: 12288:00ZeZOUnaKuQdJFUbDLYqid+3eo9geDCknIfblyi7uDvOI8fpXVNLhc5LiJMUZCp:9KgoYi3ImgiSs/1cNQz9oG
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.focuzpartsmart.com
- Port: 587
- Username: johnsonpc@focuzpartsmart.com
- Password: FpmJhn@2023
- Email To: jinhux31@gmail.com
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: jsc.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: p004575839574947.exe
description | pid | process | target process
PID 4924 set thread context of 4556 | 4924 | p004575839574947.exe | jsc.exe
-
Suspicious behavior: EnumeratesProcesses (52 IoCs)
Processes: p004575839574947.exe
pid | process
4924 | p004575839574947.exe (52 identical entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: p004575839574947.exe, jsc.exe
description | pid | process
Token: SeDebugPrivilege | 4924 | p004575839574947.exe
Token: SeDebugPrivilege | 4556 | jsc.exe
-
Suspicious use of WriteProcessMemory (61 IoCs)
Processes: p004575839574947.exe
All 61 entries have the form "PID 4924 wrote to memory of <target pid>", pid 4924, process p004575839574947.exe; the target pid, target process and number of repeated entries are:
target pid | target process | entries
1368 | EdmGen.exe | 2
1952 | aspnet_compiler.exe | 2
584 | csc.exe | 2
796 | MSBuild.exe | 2
3972 | CasPol.exe | 2
644 | aspnet_wp.exe | 2
4040 | aspnet_regiis.exe | 2
2836 | aspnet_regsql.exe | 2
1008 | AppLaunch.exe | 2
1620 | aspnet_regbrowsers.exe | 2
3204 | AddInUtil.exe | 2
2168 | ilasm.exe | 2
2228 | ngentask.exe | 2
2260 | mscorsvw.exe | 2
2340 | dfsvc.exe | 2
1412 | DataSvcUtil.exe | 2
2156 | cvtres.exe | 2
3944 | WsatConfig.exe | 2
1420 | RegSvcs.exe | 2
2972 | AddInProcess32.exe | 3
2976 | ComSvcConfig.exe | 2
444 | ngen.exe | 2
1436 | aspnet_state.exe | 2
2576 | AddInProcess.exe | 2
3216 | ServiceModelReg.exe | 2
3252 | RegAsm.exe | 2
4556 | jsc.exe | 8
-
outlook_office_path (1 IoCs)
Processes: jsc.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
-
outlook_win_path (1 IoCs)
Processes: jsc.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\p004575839574947.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\p004575839574947.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes [depth 2]:
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4556-135-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/4556-137-0x00000000056A0000-0x0000000005C44000-memory.dmp (Filesize: 5.6MB)
- memory/4556-138-0x00000000050F0000-0x0000000005156000-memory.dmp (Filesize: 408KB)
- memory/4556-139-0x0000000005050000-0x0000000005060000-memory.dmp (Filesize: 64KB)
- memory/4556-140-0x0000000006210000-0x00000000062A2000-memory.dmp (Filesize: 584KB)
- memory/4556-141-0x0000000006200000-0x000000000620A000-memory.dmp (Filesize: 40KB)
- memory/4556-142-0x00000000062D0000-0x0000000006320000-memory.dmp (Filesize: 320KB)
- memory/4556-143-0x00000000066D0000-0x0000000006892000-memory.dmp (Filesize: 1.8MB)
- memory/4556-144-0x0000000005050000-0x0000000005060000-memory.dmp (Filesize: 64KB)
- memory/4924-133-0x000001C5FBC70000-0x000001C5FBD96000-memory.dmp (Filesize: 1.1MB)
- memory/4924-134-0x000001C5FC0F0000-0x000001C5FC100000-memory.dmp (Filesize: 64KB)