Analysis
max time kernel: 108s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-04-2023 05:56
Static task: static1
Behavioral task: behavioral1
  Sample: PO 0051-23.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: PO 0051-23.exe
  Resource: win10v2004-20230220-en
General
Target: PO 0051-23.exe
Size: 318KB
MD5: 76d08c9a795cb286eb92d8ab41d1bff5
SHA1: b00f94fc957f25fcb4fdccb8aad1d679247cde04
SHA256: 0e4ea6322dba2d469a0e405188c76f6cd9332e193071048192621abf85bf7cdc
SHA512: 2fb51728fcaca60b38094278e9e9571bc6e4ddd33226614dd9eedd066d7a551fc714a2f8d336ccadf8f8ca690b56339e85b089efdfe315b26f7728e84da23002
SSDEEP: 6144:PYa63sAnyhbptQUF310y/LGcCn75IDouSHwoX1TzseW6:PYlFn2tFFF0y/LS7ohSHwoX1/seW6
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Executes dropped EXE (2 IoCs)
Processes:
  pid 3520  omhrw.exe
  pid 1644  omhrw.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  omhrw.exe
  Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  omhrw.exe
  Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  omhrw.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 15  api.ipify.org
  flow 16  api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 3520 (omhrw.exe) set thread context of 1644 (omhrw.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid 3520  omhrw.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege  pid 1644  omhrw.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid 1644  omhrw.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  PID 1668 (PO 0051-23.exe) wrote to memory of 3520 (omhrw.exe)  (3 events)
  PID 3520 (omhrw.exe) wrote to memory of 1644 (omhrw.exe)  (4 events)

outlook_office_path (1 IoC)
Processes:
  Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  omhrw.exe

outlook_win_path (1 IoC)
Processes:
  Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  omhrw.exe
Processes
C:\Users\Admin\AppData\Local\Temp\PO 0051-23.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO 0051-23.exe"
  PID: 1668
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\omhrw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\omhrw.exe" C:\Users\Admin\AppData\Local\Temp\uceqap.bxh
    PID: 3520
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\omhrw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\omhrw.exe"
      PID: 1644
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 108KB
MD5: 7c1528ff96a4e33fba3f401186a9c885
SHA1: 83fd43831c6afa49adb54793e8ea440d66d30250
SHA256: b36388b29d54b1aa24fd414820edac458b28bcabc4036d10064c6754cb94560e
SHA512: d54d2ddf479eedaeca856df99d0c111bc06a69a467c5aff5bda951904566d2203d0cddcb69fbb7a49f2c24e1f82f85b80c1831492922c4cc8366e797866c8394
Filesize: 262KB
MD5: 02d0659ec77eca2c92bd1294d93c1eed
SHA1: cfb7e814e9f18879aa77809f43a15120a681e9cb
SHA256: 9f425158aadce203ae04418efbe68a611fb0ec2aa0c937b3f2cdc6d3ae051ada
SHA512: 3bd84272baefcceec80218cbfe3321d13c7f276c2af7391e0cd457deb61bf76b4bf465f97726b195f4d9d44293e71f78206242937faa15ac2b4a921f49388803

Filesize: 5KB
MD5: 5385be9904edda97bbb87728125289a7
SHA1: 0132c31f501081c8a45c044b91d2915bee538f15
SHA256: d1f81293d981c41ef85c9ab029a914435e57c6d7fb3bea89f01e924b3595182f
SHA512: b1494090a3e102c45825d3ce194027eeaae066ba0031313b12282e9a5ba8035b915a8ee82be2e4c573f7f302dda7e95463edbafa9ff730e41683ffd75f9638a1