Analysis
- max time kernel: 31s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
- submitted: 10-06-2023 01:41
Static task: static1

Behavioral task: behavioral1
- Sample: 8cf5cff3205cf674ee41d3f7b7fe10ff2aaaf578cbf0da49c9f8be27054f84e7.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: 8cf5cff3205cf674ee41d3f7b7fe10ff2aaaf578cbf0da49c9f8be27054f84e7.exe
- Resource: win10v2004-20230220-en
General
- Target: 8cf5cff3205cf674ee41d3f7b7fe10ff2aaaf578cbf0da49c9f8be27054f84e7.exe
- Size: 223KB
- MD5: 87c8443a664240d005a686eb2e10506f
- SHA1: 8e6b12aa9c0a245b9a025ed37161a7bd4a7c675b
- SHA256: 8cf5cff3205cf674ee41d3f7b7fe10ff2aaaf578cbf0da49c9f8be27054f84e7
- SHA512: 2f53f5cad7adc76c9ad5308598356b6dade3647a20897fb21f79c058eaffacb8beaa2749edad35a8e08248419c98d04b9190bc98619f7dc11901c4d1b5e2d33c
- SSDEEP: 6144:OmpbEf1ei2XTQTMGoW0orTO1r0JTbav6+fSvj5:OdZ2XMTMQdvY0Tbav6+fS
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.ocp.mx
- Port: 21
- Username: useme@ocp.mx
- Password: lasco4000
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: aspnet_compiler.exe
  Description | IoC | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 8cf5cff3205cf674ee41d3f7b7fe10ff2aaaf578cbf0da49c9f8be27054f84e7.exe
  Description | PID | Process | Target process
  PID 820 set thread context of 1084 | 820 | 8cf5cff3205cf674ee41d3f7b7fe10ff2aaaf578cbf0da49c9f8be27054f84e7.exe | aspnet_compiler.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: aspnet_compiler.exe
  Description | PID | Process
  Token: SeDebugPrivilege | 1084 | aspnet_compiler.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 8cf5cff3205cf674ee41d3f7b7fe10ff2aaaf578cbf0da49c9f8be27054f84e7.exe
  Description | PID | Process | Target process
  PID 820 wrote to memory of 1084 | 820 | 8cf5cff3205cf674ee41d3f7b7fe10ff2aaaf578cbf0da49c9f8be27054f84e7.exe | aspnet_compiler.exe
  (the same row is reported 9 times)
- outlook_office_path (1 IoC)
  Processes: aspnet_compiler.exe
  Description | IoC | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
- outlook_win_path (1 IoC)
  Processes: aspnet_compiler.exe
  Description | IoC | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8cf5cff3205cf674ee41d3f7b7fe10ff2aaaf578cbf0da49c9f8be27054f84e7.exe (PID 820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cf5cff3205cf674ee41d3f7b7fe10ff2aaaf578cbf0da49c9f8be27054f84e7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 1084)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/820-54-0x0000000000C30000-0x0000000000C68000-memory.dmp (Filesize: 224KB)
- memory/820-55-0x0000000000630000-0x000000000065A000-memory.dmp (Filesize: 168KB)
- memory/820-56-0x0000000000660000-0x000000000066C000-memory.dmp (Filesize: 48KB)
- memory/1084-57-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/1084-58-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/1084-59-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/1084-60-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/1084-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/1084-62-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/1084-64-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/1084-66-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/1084-67-0x0000000002010000-0x0000000002050000-memory.dmp (Filesize: 256KB)