Analysis
- max time kernel: 112s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-04-2023 10:07
Static task: static1
Behavioral task: behavioral1
- Sample: ÖnderGrup-2023,jpg.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: ÖnderGrup-2023,jpg.exe
- Resource: win10v2004-20230220-en
General
- Target: ÖnderGrup-2023,jpg.exe (the name ends in ",jpg.exe": an image-file lure placed in front of the real .exe extension)
- Size: 647KB
- MD5: b042d473798b5f1075e53e178ad7e0da
- SHA1: 422377a595c6559d0e0878bc0edc04c0d19a87e7
- SHA256: 706dcbef87d17593d63504485cca84f2ba9ceea75873d08eea041c7b5c1291ae
- SHA512: fc1914704bd0748f1ec306b54e5e837afadc7b415ce2038191f34c452ea29ac2bbc5acbe5fa5f47117d59385f6ca9ee76a1c9ab054fca7b867e6aa6a67a2851e
- SSDEEP: 12288:3Yx/BJIdm3xOZHUrb4j9uTEAmHedQUrAto1:3Yx8d7erJuedsto1
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.greenvalleycharity.org
- Port: 21
- Username: [email protected]
- Password: mike63976460
The extracted exfiltration channel is plain FTP on port 21; no TLS is indicated in the config, so the login (USER/PASS) and every STOR upload of stolen data are visible on the wire, which makes the host name and the control-channel commands the easiest network detections for this sample.
Signatures
- AgentTesla
  Agent Tesla is a .NET-based information stealer and remote access tool (RAT); its early versions were written in Visual Basic .NET. It harvests saved credentials from browsers, mail and FTP clients and sends them out over a configured channel, here FTP (see Malware Config above).
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 4164: jwdwqngy.exe
  - PID 5060: jwdwqngy.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process jwdwqngy.exe opened the following keys:
  - \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  These are the Outlook 2013 (Office 15.0), Outlook 2010-and-earlier (Windows Messaging Subsystem) and Outlook 2016+ (Office 16.0) profile locations; probing all three is how the stealer covers every installed Outlook version.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process jwdwqngy.exe set value (str):
  - \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Newapp = "C:\\Users\\Admin\\AppData\\Roaming\\Newapp\\Newapp.exe"
  Persistence is per-user (HKCU Run key) and points into AppData\Roaming, so it needs no elevation; the value name "Newapp" and the copy at that path are the artifacts to remove on cleanup.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 13: api.ipify.org
  - flow 14: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  - PID 4164 (jwdwqngy.exe) set thread context of PID 5060 (jwdwqngy.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's template text calls this "likely ransomware behaviour", but on its own it is a weak signal; in this report it sits alongside infostealer behaviour, not file encryption.
- Suspicious behavior: MapViewOfSection (1 IoC)
  - PID 4164 jwdwqngy.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - PID 5060 jwdwqngy.exe adjusted token privilege: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 5060 jwdwqngy.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  - PID 1080 (ÖnderGrup-2023,jpg.exe) wrote to memory of PID 4164 (jwdwqngy.exe), 3 times
  - PID 4164 (jwdwqngy.exe) wrote to memory of PID 5060 (jwdwqngy.exe), 4 times
- outlook_office_path (1 IoC)
  - Key opened by jwdwqngy.exe: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  - Key opened by jwdwqngy.exe: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- PID 1080: C:\Users\Admin\AppData\Local\Temp\ÖnderGrup-2023,jpg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ÖnderGrup-2023,jpg.exe"
  - Suspicious use of WriteProcessMemory
  - PID 4164: C:\Users\Admin\AppData\Local\Temp\jwdwqngy.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jwdwqngy.exe" C:\Users\Admin\AppData\Local\Temp\ibppwaz.pz
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - PID 5060: C:\Users\Admin\AppData\Local\Temp\jwdwqngy.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\jwdwqngy.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path

Read together with the signatures above, the chain is: the submitted sample (PID 1080) drops jwdwqngy.exe and runs it with the 5KB ibppwaz.pz as its only argument; that loader (PID 4164) starts a second copy of itself (PID 5060), writes into it four times and redirects its thread with SetThreadContext; and it is this second copy that performs the credential collection, the Outlook profile reads and the Run-key persistence. A same-image child plus WriteProcessMemory plus SetThreadContext from its parent is the process-hollowing pattern, so the 480KB region at 0x400000 in PID 5060 listed under Downloads is the first dump to pull for the unpacked payload.
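The behaviours in this report (self-injection into a same-image child, a Run key pointing into AppData\Roaming, Outlook profile key reads, an api.ipify.org lookup followed by the FTP connection from the extracted config) are each detectable from ordinary endpoint telemetry. The following is an added example, not part of the sandbox report: rule functions run over a constructed, Sysmon-style event list that mirrors the report's signatures. The event schema (field names, event types), the helper names and the list of IP-lookup hosts are assumptions chosen for the example.

```python
import re

# Constructed Sysmon-style events that mirror the report's signatures (process
# tree, WriteProcessMemory/SetThreadContext, Run key, Outlook key, IP lookup,
# FTP exfil). Illustrative records in chronological order, not a real log.
HKU_USER = r"HKU\S-1-5-21-4238149048-355649189-894321705-1000"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    {"type": "process_create", "pid": 4164, "ppid": 1080,
     "image": TEMP + r"\jwdwqngy.exe", "parent_image": TEMP + r"\ÖnderGrup-2023,jpg.exe"},
    {"type": "process_create", "pid": 5060, "ppid": 4164,
     "image": TEMP + r"\jwdwqngy.exe", "parent_image": TEMP + r"\jwdwqngy.exe"},
    {"type": "write_process_memory", "pid": 1080, "target_pid": 4164},
    {"type": "write_process_memory", "pid": 4164, "target_pid": 5060},
    {"type": "set_thread_context", "pid": 4164, "target_pid": 5060},
    {"type": "registry_set", "pid": 5060,
     "key": HKU_USER + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Newapp",
     "value": r"C:\Users\Admin\AppData\Roaming\Newapp\Newapp.exe"},
    {"type": "registry_open", "pid": 5060,
     "key": HKU_USER + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "dns_query", "pid": 5060, "query": "api.ipify.org"},
    {"type": "network_connect", "pid": 5060,
     "dst_host": "ftp.greenvalleycharity.org", "dst_port": 21},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\", re.IGNORECASE)
OUTLOOK_PROFILE = re.compile(r"\\Outlook\\Profiles\\", re.IGNORECASE)
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}  # assumed list
EXFIL_PORTS = {21, 25, 587}   # FTP control and SMTP ports Agent Tesla builds use for exfil


def self_injection(events):
    """Parent starts a child with its own image, writes into it and then calls
    SetThreadContext on it: the process-hollowing pattern seen for 4164 -> 5060."""
    writes = {(e["pid"], e["target_pid"]) for e in events if e["type"] == "write_process_memory"}
    ctx = {(e["pid"], e["target_pid"]) for e in events if e["type"] == "set_thread_context"}
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        pair = (e["ppid"], e["pid"])
        if e["image"].lower() == e["parent_image"].lower() and pair in writes and pair in ctx:
            hits.append(("self_injection", e["pid"], f"parent {e['ppid']} hollowed same-image child"))
    return hits


def run_key_persistence(events):
    """Run/RunOnce value whose target lives in a user-writable directory."""
    return [("run_key_persistence", e["pid"], e["value"]) for e in events
            if e["type"] == "registry_set" and RUN_KEY.search(e["key"])
            and USER_WRITABLE.search(e["value"])]


def outlook_profile_access(events):
    """Any read of an Outlook profile key; in production exclude Outlook's own image."""
    return [("outlook_profile_access", e["pid"], e["key"]) for e in events
            if e["type"] == "registry_open" and OUTLOOK_PROFILE.search(e["key"])]


def ip_lookup_then_exfil(events):
    """A process that first resolves a public IP-lookup service and later opens
    an FTP/SMTP connection; relies on the events being in time order."""
    looked_up, hits = set(), []
    for e in events:
        if e["type"] == "dns_query" and e["query"].lower() in IP_LOOKUP_HOSTS:
            looked_up.add(e["pid"])
        elif (e["type"] == "network_connect" and e["pid"] in looked_up
              and e["dst_port"] in EXFIL_PORTS):
            hits.append(("ip_lookup_then_exfil", e["pid"], f"{e['dst_host']}:{e['dst_port']}"))
    return hits


RULES = (self_injection, run_key_persistence, outlook_profile_access, ip_lookup_then_exfil)


def run_rules(events):
    """Return {rule_name: [(pid, detail), ...]} for every rule that fired."""
    findings = {}
    for rule in RULES:
        for name, pid, detail in rule(events):
            findings.setdefault(name, []).append((pid, detail))
    return findings


if __name__ == "__main__":
    for name, hits in run_rules(EVENTS).items():
        for pid, detail in hits:
            print(f"[{name}] pid={pid} {detail}")
```

The self-injection rule deliberately requires all three signals (same image, a write, a context change) so that ordinary parent/child launches and debuggers do not fire it; the parent-to-loader writes from PID 1080 to 4164 in this report do not trigger it because no SetThreadContext follows and the images differ.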
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\cqfmuven.o
  Filesize: 484KB
  MD5: 31c938ef24d29328daa90623419d755e
  SHA1: 551db4b18a75c35d36fe2a5f147271a3c573eaa3
  SHA256: 332b49c1a7ac90781f8e9caa30e32160cf292cf9ba0ee82dbe9c42080552126c
  SHA512: 349588db681b60104984d31a95be4ced0c429c192606987c56f68d1ba4fe83cf13b89be9867b647dec1f146c45e1b2c0a5cea3e4d65c94c8624cd94661652df1
- C:\Users\Admin\AppData\Local\Temp\ibppwaz.pz
  Filesize: 5KB
  MD5: ee268f13d66ab09f0b273e9ec0a6ab46
  SHA1: 946799e5d61864e14843114d3b82f07d3d21bd96
  SHA256: 8081b7af19cabcf99c3bd5fb8c171ddcdfa6c373666b529513c6b1876e995e9b
  SHA512: 0bb1b22b454690f781d432c95f2425efe292a01751f0c68d21df31fe196c9389bacfc299fea25a184ae536921fdaf4551cf289822c879c22c96fc5d380da36a5
- C:\Users\Admin\AppData\Local\Temp\jwdwqngy.exe (listed three times in the report with identical hashes)
  Filesize: 108KB
  MD5: 630cbcb500563f7d4594be641b20f4c4
  SHA1: 3345c1a4aed091312820e02791d2de8389da576b
  SHA256: 1ee1e6bb891d87b93d53bea44d50e3978eb58b0555c37574a84c9c4a50bb60d3
  SHA512: 048c610d229e00f5dd4c590ccb905af50dad3fcf7d08d9cb90be4589a1f2ce97cc9270bbc4c243d7fc43dd4753ca08e5dc50a815f469a30d666319f24a772c5a
The three dropped files in Temp are the 108KB loader jwdwqngy.exe, the 5KB ibppwaz.pz it is launched with and the 484KB cqfmuven.o; the report does not describe the contents of the two non-executable files.

Memory dumps (name format memory/<pid>-<tag>-0x<start>-0x<end>-memory.dmp):
- memory/4164-141-0x0000000000E30000-0x0000000000E32000-memory.dmp: 8KB
- memory/5060-147-0x0000000000400000-0x0000000000478000-memory.dmp: 480KB
- memory/5060-152-0x0000000003320000-0x0000000003330000-memory.dmp: 64KB
- memory/5060-145-0x0000000000400000-0x0000000000478000-memory.dmp: 480KB
- memory/5060-149-0x0000000003320000-0x0000000003330000-memory.dmp: 64KB
- memory/5060-150-0x0000000003320000-0x0000000003330000-memory.dmp: 64KB
- memory/5060-148-0x0000000003320000-0x0000000003330000-memory.dmp: 64KB
- memory/5060-142-0x0000000000400000-0x0000000000478000-memory.dmp: 480KB
- memory/5060-151-0x0000000005E70000-0x0000000006414000-memory.dmp: 5.6MB
- memory/5060-153-0x0000000005970000-0x00000000059D6000-memory.dmp: 408KB
- memory/5060-144-0x0000000000400000-0x0000000000478000-memory.dmp: 480KB
- memory/5060-154-0x0000000007130000-0x00000000071C2000-memory.dmp: 584KB
- memory/5060-155-0x0000000007100000-0x000000000710A000-memory.dmp: 40KB
- memory/5060-156-0x0000000007360000-0x00000000073B0000-memory.dmp: 320KB
- memory/5060-157-0x0000000007620000-0x00000000077E2000-memory.dmp: 1.8MB
- memory/5060-164-0x0000000003320000-0x0000000003330000-memory.dmp: 64KB
- memory/5060-165-0x0000000003320000-0x0000000003330000-memory.dmp: 64KB
- memory/5060-166-0x0000000003320000-0x0000000003330000-memory.dmp: 64KB
- memory/5060-167-0x0000000003320000-0x0000000003330000-memory.dmp: 64KB
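The dump list is where the unpacked payload is recovered from: the range 0x400000-0x478000 in PID 5060 (the default image base of a 32-bit PE) is dumped four times (tags 142, 144, 145, 147), while the 64KB region at 0x3320000 is snapshotted repeatedly. The following is an added example, not sandbox tooling: it parses the dump names into PID, tag and address range and checks each region for an in-memory PE header, reporting whether the header's SizeOfImage matches the mapped range. Because the report lists only names and sizes, the dump contents used below are constructed stand-ins (a minimal PE32 header built by `build_fake_pe32`, plus zero-filled and MZ-only regions); the function names are assumptions chosen for the example.

```python
import re
import struct
from dataclasses import dataclass

# Dump names in this report look like memory/<pid>-<tag>-0x<base>-0x<end>-memory.dmp
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<tag>\d+)-0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class Region:
    pid: int
    tag: int
    base: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.base


def parse_dump_name(name: str) -> Region:
    """Split a dump file name into PID, sequence tag and the mapped address range."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    return Region(int(m["pid"]), int(m["tag"]), int(m["base"], 16), int(m["end"], 16))


def pe_image_info(data: bytes):
    """Return (SizeOfImage, ImageBase) if `data` starts with an in-memory PE
    image (MZ header, e_lfanew, PE\\0\\0 signature, PE32 or PE32+ optional
    header); otherwise None. Only the fields needed for triage are read."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte file header
    if opt + 0x3C > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: ImageBase is a DWORD at +0x1C
        image_base = struct.unpack_from("<I", data, opt + 0x1C)[0]
    elif magic == 0x20B:                     # PE32+: ImageBase is a QWORD at +0x18
        image_base = struct.unpack_from("<Q", data, opt + 0x18)[0]
    else:
        return None
    size_of_image = struct.unpack_from("<I", data, opt + 0x38)[0]   # same offset in both
    return size_of_image, image_base


def triage(dumps: dict):
    """dumps: {dump_name: bytes}. Returns (name, pid, region_size, verdict) per dump.
    A region that carries a PE header and whose size equals the header's
    SizeOfImage is the first candidate for the unpacked payload."""
    rows = []
    for name, data in dumps.items():
        region = parse_dump_name(name)
        info = pe_image_info(data)
        if info is None:
            verdict = "no PE header"
        else:
            size_of_image, image_base = info
            fit = "size matches region" if size_of_image == region.size else "size differs from region"
            verdict = f"PE image, SizeOfImage=0x{size_of_image:X}, ImageBase=0x{image_base:X}, {fit}"
        rows.append((name, region.pid, region.size, verdict))
    return rows


def build_fake_pe32(image_base: int, size_of_image: int, total: int) -> bytes:
    """Constructed stand-in for dump contents (the report lists only names and
    sizes): a minimal PE32 header with the given fields, zero-padded to `total`."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> right after DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section, 0xE0 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 0x1C, image_base)
    struct.pack_into("<I", opt, 0x38, size_of_image)
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)).ljust(total, b"\0")


# Constructed dump contents keyed by three of the names listed above.
SAMPLE_DUMPS = {
    "memory/5060-147-0x0000000000400000-0x0000000000478000-memory.dmp": build_fake_pe32(0x400000, 0x78000, 0x78000),
    "memory/5060-152-0x0000000003320000-0x0000000003330000-memory.dmp": bytes(0x10000),
    "memory/4164-141-0x0000000000E30000-0x0000000000E32000-memory.dmp": b"MZ" + bytes(0x1FFE),  # MZ bytes, no PE signature
}

if __name__ == "__main__":
    for name, pid, size, verdict in triage(SAMPLE_DUMPS):
        print(f"{name}: pid={pid} size=0x{size:X} {verdict}")
```

On real dumps the same check is run over the actual bytes; a region whose header reports a SizeOfImage larger than the dump means the sandbox captured only part of the image and the neighbouring dumps for that PID need to be stitched, and a PE32 ImageBase that differs from the region base is normal for a hollowed process that was relocated.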