Analysis
max time kernel: 28s
max time network: 32s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 31-03-2023 13:09
Static task: static1
Behavioral task: behavioral1
  Sample: Order Spec 122001400100.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: Order Spec 122001400100.exe
  Resource: win10v2004-20230220-en
General
Target: Order Spec 122001400100.exe
Size: 318KB
MD5: 4d9e63c46ed5f1fdfbbb41b2088f411c
SHA1: 65632c2913f5d25e518c1d4760b21fb4441aac86
SHA256: 87214f349c6c4a1dd838d005fd0a6bbac96d1cf77b954a9ce33c66006d090cf0
SHA512: 42d5fc250b0c0f004e747c42eee537e45d8b5d4cafde3c8acbf5617f223f90492e1132a23de86762fa273c82871b0f666c449b3f3eff9ebd5c1eb29adfd806b4
SSDEEP: 6144:vYa6CVvPsNEPYWv/6Z9baO31qC6vd94BJGt9SFjy/F/A3ukRN/:vYMN0xy6DbaOFqhyGfh/t/4R
Malware Config
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, written in Visual Basic (.NET). The browser, FTP-client and email-client reads and the Outlook profile key accesses recorded below are the credential-theft behaviour this family is known for.

Executes dropped EXE (2 IoCs)
  pid   process
  944   dnghzmauol.exe
  556   dnghzmauol.exe

Loads dropped DLL (2 IoCs)
  pid    process
  1424   Order Spec 122001400100.exe
  944    dnghzmauol.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description   ioc   process
  Key opened   \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   dnghzmauol.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   dnghzmauol.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   dnghzmauol.exe
The subkey 9375CFF0413111d3B88A00104B2A6676 is where Outlook keeps per-account profile settings, including stored mail credentials, so opening it under the Office 15.0, Office 16.0 and Windows Messaging Subsystem paths is a credential-access step, not incidental registry noise. The sample tries all three locations because the profile path depends on the installed Outlook version.

Suspicious use of SetThreadContext (1 IoCs)
  description                        pid   process          target process
  PID 944 set thread context of 556   944   dnghzmauol.exe   dnghzmauol.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The generic signature text describes this as likely ransomware behaviour; for a sample classified as Agent Tesla it is better read as drive and host reconnaissance by an infostealer, and nothing else in this report points to encryption activity.

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   process
  944   dnghzmauol.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   556   dnghzmauol.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                    pid    process                       target process
  wrote to memory of 944 (x4)    1424   Order Spec 122001400100.exe   dnghzmauol.exe
  wrote to memory of 556 (x5)    944    dnghzmauol.exe                dnghzmauol.exe
The 944 -> 556 writes, together with the MapViewOfSection and SetThreadContext entries for PID 944, are the sequence typical of process hollowing: the loader starts a second copy of itself, writes a replacement image into it and then redirects the child's thread context to the new code. PID 556 is therefore the instance that actually runs the payload, which matches it being the process that opens the Outlook profile keys and requests SeDebugPrivilege.

outlook_office_path (1 IoCs)
  description   ioc   process
  Key opened   \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   dnghzmauol.exe

outlook_win_path (1 IoCs)
  description   ioc   process
  Key opened   \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   dnghzmauol.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Order Spec 122001400100.exe (PID 1424)
  command line: "C:\Users\Admin\AppData\Local\Temp\Order Spec 122001400100.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\dnghzmauol.exe (PID 944, child of 1424)
    command line: "C:\Users\Admin\AppData\Local\Temp\dnghzmauol.exe" C:\Users\Admin\AppData\Local\Temp\sebcx.do
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\dnghzmauol.exe (PID 556, child of 944)
      command line: "C:\Users\Admin\AppData\Local\Temp\dnghzmauol.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

PIDs are taken from the signature tables above. The dropped loader is started with the 5KB dropped file sebcx.do as its only argument; the second instance, which carries the credential-access signatures, is started without arguments.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\cgqwlabnp.azn
  Filesize: 262KB
  MD5: f8a0f47588d8977a67454efba8cb4948
  SHA1: 6384db508ad910c891fac93d18e6401219e73ac7
  SHA256: 3f9c4243629119b02097a827a6198760bf6004a1eee2d0da8deaf3a2d465a60f
  SHA512: 2f8fb83eb88a7bd6d16a896504cff8afa0ce72edc6d6acd9aa3f852ee0dcc287401bc922087b7085c2f77f772ced233cdcbc1f4e7bb9543c7014994010ad876e

C:\Users\Admin\AppData\Local\Temp\dnghzmauol.exe
  Filesize: 108KB
  MD5: 1f4ac6a4a2fe279b1ab731afe0c7087e
  SHA1: c84769ff37ee558c7f37c5c40ef03f36cb7f8f52
  SHA256: 1ee50c13963ba8c141c9995af7a01089d5fc57315b09945c5aa3a984ef8a3ba0
  SHA512: 700d24caf59b288d1cdbb990d107b48c69fcb8b20a1b1f4d175031a04fa2222186494e85ba85be2b3895b12ba230e82fc043bf6ef87c9d921444341b8c7955f5

C:\Users\Admin\AppData\Local\Temp\sebcx.do
  Filesize: 5KB
  MD5: 4dd10a2acbd323f745a69f123fce1733
  SHA1: ce7cad4836b3a7325dfdbd15714e2e4025859d0f
  SHA256: 41f7bc5a9bdce68a49056f99bc23abf9289fb955bdeca5f5230e952c652e2ccd
  SHA512: 01e5faf28b37c36563036670b653192293d46b5c52e7e6007efd47609ca294ae5620bfaa641cfeaedefa8b1d0155faecf023963ce311fe0693cf82d1276e3fa0

\Users\Admin\AppData\Local\Temp\dnghzmauol.exe (the same file as the C:\Users\Admin\AppData\Local\Temp\dnghzmauol.exe entry above, recorded under a drive-relative path)
  Filesize: 108KB
  MD5: 1f4ac6a4a2fe279b1ab731afe0c7087e
  SHA1: c84769ff37ee558c7f37c5c40ef03f36cb7f8f52
  SHA256: 1ee50c13963ba8c141c9995af7a01089d5fc57315b09945c5aa3a984ef8a3ba0
  SHA512: 700d24caf59b288d1cdbb990d107b48c69fcb8b20a1b1f4d175031a04fa2222186494e85ba85be2b3895b12ba230e82fc043bf6ef87c9d921444341b8c7955f5

memory/556-66-0x0000000000400000-0x0000000000441000-memory.dmp   Filesize: 260KB
memory/556-70-0x0000000000400000-0x0000000000441000-memory.dmp   Filesize: 260KB
memory/556-71-0x0000000000390000-0x00000000003C0000-memory.dmp   Filesize: 192KB
memory/556-72-0x0000000000400000-0x0000000000441000-memory.dmp   Filesize: 260KB
memory/556-73-0x00000000049A0000-0x00000000049E0000-memory.dmp   Filesize: 256KB
memory/944-62-0x0000000000090000-0x0000000000092000-memory.dmp   Filesize: 8KB
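How to read the dump list. The region 0x400000-0x441000 in PID 556, the instance that PID 944 wrote into and redirected, is 0x41000 bytes (260KB) and starts at the default image base of a 32-bit PE, and the only dropped file of about that size is cgqwlabnp.azn (262KB); those dumps are therefore the first place to look for the unpacked payload. The script below is an added example (not Triage's code and not from the report) that automates that size correlation. The dump names and file sizes are copied from the report; the 2% size tolerance and the size-match heuristic itself are the example's own assumptions, and a match is only a hint to be confirmed by opening the dump and checking for a PE header.

```python
"""Match the report's memory-dump regions against its dropped-file sizes.

Added example, not part of the Triage report. Dump names and sizes are copied from the
Downloads list; the tolerance and the size-match idea are this script's own assumptions.
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# Dump file names exactly as the report lists them.
DUMPS = [
    "memory/556-66-0x0000000000400000-0x0000000000441000-memory.dmp",
    "memory/556-70-0x0000000000400000-0x0000000000441000-memory.dmp",
    "memory/556-71-0x0000000000390000-0x00000000003C0000-memory.dmp",
    "memory/556-72-0x0000000000400000-0x0000000000441000-memory.dmp",
    "memory/556-73-0x00000000049A0000-0x00000000049E0000-memory.dmp",
    "memory/944-62-0x0000000000090000-0x0000000000092000-memory.dmp",
]

# Dropped-file sizes as the report prints them (rounded to KB), converted to bytes.
DROPPED_FILES = {
    "cgqwlabnp.azn": 262 * 1024,
    "dnghzmauol.exe": 108 * 1024,
    "sebcx.do": 5 * 1024,
}

# Default ImageBase of a 32-bit PE; a replacement image in a hollowed process usually lands here.
PE32_DEFAULT_IMAGE_BASE = 0x400000


def parse_dump_name(name):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its fields plus region size."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def unique_regions(dumps):
    """Collapse repeated dumps of the same (pid, start, end) region, keeping the first one seen."""
    seen = {}
    for name in dumps:
        d = parse_dump_name(name)
        seen.setdefault((d["pid"], d["start"], d["end"]), d)
    return list(seen.values())


def best_size_match(region_size, files, tolerance=0.02):
    """Name of the dropped file whose size is within `tolerance` (a fraction of the region size)
    of the region, or None. The slack (an assumption of this example) absorbs the report's KB
    rounding and the gap between a PE's raw file size and its page-aligned in-memory size."""
    best = None
    for fname, fsize in files.items():
        delta = abs(region_size - fsize)
        if delta <= tolerance * region_size and (best is None or delta < best[1]):
            best = (fname, delta)
    return best[0] if best else None


def correlate(dumps, files):
    """One (pid, start, end, size, matched_file, at_default_base) row per unique region."""
    rows = []
    for d in unique_regions(dumps):
        rows.append((d["pid"], d["start"], d["end"], d["size"],
                     best_size_match(d["size"], files),
                     d["start"] == PE32_DEFAULT_IMAGE_BASE))
    return rows


if __name__ == "__main__":
    for pid, start, end, size, match, at_base in correlate(DUMPS, DROPPED_FILES):
        flag = " (at PE32 default image base)" if at_base else ""
        print(f"PID {pid} 0x{start:08X}-0x{end:08X} {size // 1024}KB -> {match}{flag}")
```

The relative tolerance matters: with a flat one-page allowance the 8KB region in PID 944 would be paired with the 5KB sebcx.do, which is far too loose a match to act on. Only the 0x400000 region in PID 556 pairs with cgqwlabnp.azn; the 192KB and 256KB regions and the 8KB region in PID 944 match nothing and are more likely heap or runtime data.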