Overview

overview

10

Static

static

3

doc01002372.exe

windows7-x64

10

doc01002372.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/06/2023, 09:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    doc01002372.exe

  • Size

    331KB

  • MD5

    91697062207628ac69072dfa42c0b59d

  • SHA1

    3900d82634526d2701f6febe4975f8ac84b56a4b

  • SHA256

    6631aace38dd7550a1a18350a43606bc2eb26380cc99fd6acafdf75f226498bb

  • SHA512

    4bb68522386ca17a580f2667fcfcdf823d0a3b44ad069034208c77966d4dccfc84c30735a3940649eb5a9e1a91894f1aad1b26943f7cf4cf20e45036de1785c9

  • SSDEEP

    6144:wYa6R3QL/klDalb8eNatTpTemlJtu1lXLS7wAW6MhEt1LC:wYH3No8/TpT5xuu3W6zt1LC

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\doc01002372.exe
    "C:\Users\Admin\AppData\Local\Temp\doc01002372.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Users\Admin\AppData\Local\Temp\doc01002372.exe
      "C:\Users\Admin\AppData\Local\Temp\doc01002372.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nse6C3E.tmp\wiuiz.dll
    Filesize

    80KB

    MD5

    aa10117686c34ab60bc5dab1af3a8ec0

    SHA1

    a20b8f5cc7eff0fb32767c29d36cd5994b86cfc7

    SHA256

    eedf97e49ffd43fe6a1e1fd312a96bd1d1b6efe3bc19ce52e96aa8300315f443

    SHA512

    6ed1f7b36d738b09fa193b286181331731d2d0360485ed6c023ab06ee8e6426550112a289ebfce033d2d30f222efa703ea351026e3f879fa41f4bc559e30df4b

    Download Submit

  • memory/4900-139-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4900-140-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4900-141-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4900-142-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4900-143-0x0000000004AA0000-0x0000000005044000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4900-144-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4900-145-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4900-146-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4900-147-0x00000000049F0000-0x0000000004A56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4900-148-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4900-149-0x00000000055A0000-0x00000000055F0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4900-150-0x00000000055F0000-0x00000000057B2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4900-151-0x00000000057C0000-0x0000000005852000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4900-152-0x00000000058C0000-0x00000000058CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4900-154-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4900-155-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4900-156-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4900-157-0x0000000004A90000-0x0000000004AA0000-memory.dmp

    Filesize

    64KB

    Download