Analysis
max time kernel: 435s
max time network: 443s
platform: windows10-2004_x64
resource: win10v2004-20230915-es
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 12-10-2023 03:09
Static task: static1
Behavioral task: behavioral1
  Sample: united scientific equipent.exe
  Resource: win7-20230831-es
Behavioral task: behavioral2
  Sample: united scientific equipent.exe
  Resource: win10v2004-20230915-es
General
Target: united scientific equipent.exe
Size: 710KB
MD5: 71536be72d8cc9dc156f1ff70b7f69a5
SHA1: ff0bb0d7e4dfa01c187c80d2e42d85feb22d98b9
SHA256: 9909753bfb0ac8ab165bab3555233d03b01a9274a92e57c022f87ccbe51ca415
SHA512: 9a98d57116a638e4ec0df224c243a074de233bf1859ea6a5efbf0d4d36ef470a9421d535e2d35371c1191d72f09aa0352ba9d147dae62ef6e4fc5c0650df07c9
SSDEEP: 12288:v1XZi970Oz6hGy69oswvYeMW5+uCwpla6Mqbjvkgb3I9S0dbp5Ne:dXZ7DnY/WcuCd1qbjvkWI9S0Fp5Ne
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.cybernetics.co.za
Port: 587
Username: [email protected]
Password: P@ssw0rd
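The extracted config gives the one piece of this report that is directly huntable on the network: the SMTP server and port the stealer sends its loot to. The script below is an added example, not part of the sandbox report or of the sandbox's own tooling. It takes the host and port from the config above and runs two checks over Sysmon-style network-connection records: an exact match on the extracted server (high confidence) and a behavioural match for any SMTP-port connection made by a binary under a user profile that is not an allowed mail client (lower confidence, but it survives a config change). The log lines, workstation names and IP addresses are constructed for the demo, and the allow-list of mail clients is an assumption to tune per environment. The extracted username and password are deliberately not used; they belong in an abuse report to the mail provider, not in a detection.

```python
"""Match the SMTP exfiltration endpoint from an extracted AgentTesla config
against endpoint network-connection logs.

Added example for this report, not the sandbox's own code. EXFIL_CONFIG is the
report's extracted config; SAMPLE_LOG, the hostnames and the IP addresses are
constructed for the demo; ALLOWED_MAIL_CLIENTS is an assumption.
"""
from dataclasses import dataclass

# From the report's "Malware Config" section (credentials intentionally omitted).
EXFIL_CONFIG = {"protocol": "smtp", "host": "mail.cybernetics.co.za", "port": 587}

# Assumption: processes that may legitimately speak SMTP on the fleet.
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}

# Constructed Sysmon-style "network connection" records, pipe-delimited:
# timestamp|hostname|image|dest_host|dest_ip|dest_port
SAMPLE_LOG = """\
2023-10-12T03:10:01Z|WS-0412|C:\\Users\\Admin\\AppData\\Local\\Temp\\united scientific equipent.exe|mail.cybernetics.co.za|203.0.113.25|587
2023-10-12T03:10:05Z|WS-0412|C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE|smtp.office365.com|203.0.113.80|587
2023-10-12T03:11:44Z|WS-0207|C:\\Users\\Admin\\AppData\\Roaming\\svc.exe|-|203.0.113.25|587
2023-10-12T03:12:00Z|WS-0207|C:\\Windows\\System32\\svchost.exe|login.example.net|198.51.100.7|443
"""


@dataclass
class Hit:
    timestamp: str
    hostname: str
    image: str
    reason: str


def parse_record(line):
    """Return a dict for one log record, or None if the line is malformed."""
    fields = line.split("|")
    if len(fields) != 6:
        return None
    timestamp, hostname, image, dest_host, dest_ip, dest_port = fields
    return {
        "timestamp": timestamp,
        "hostname": hostname,
        "image": image,
        "dest_host": dest_host.lower(),
        "dest_ip": dest_ip,
        "dest_port": int(dest_port),
    }


def classify(rec, config=EXFIL_CONFIG, allowed=ALLOWED_MAIL_CLIENTS):
    """Return a reason string if the record looks like mail-based exfil, else None.

    Tier 1: exact match on the extracted server host and port.
    Tier 2: any SMTP-port connection from a binary living under a user profile
            that is not an allowed mail client. AgentTesla's SMTP mode produces
            this shape even after the operator rotates the server in the config.
    """
    exe = rec["image"].rsplit("\\", 1)[-1].lower()
    if rec["dest_host"] == config["host"] and rec["dest_port"] == config["port"]:
        return "known exfil server from extracted config"
    if (rec["dest_port"] in SMTP_PORTS and exe not in allowed
            and "\\users\\" in rec["image"].lower()):
        return "SMTP from a binary under a user profile directory"
    return None


def scan(log_text):
    """Run classify() over every record and collect the hits in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits.append(Hit(rec["timestamp"], rec["hostname"], rec["image"], reason))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.timestamp} {h.hostname} {h.reason}: {h.image}")
```

Tier 1 keys on the destination hostname, because the report gives a hostname and no IP; if your logs only carry IPs, resolve the host at hunt time and add the result to the match, remembering that the resolution can change after the sample was analysed.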
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) and infostealer written in .NET.
AgentTesla payload (1 IoC)
  resource: behavioral2/memory/4768-18-0x0000000000400000-0x000000000043C000-memory.dmp
  yara_rule: family_agenttesla
The family match is on the memory of PID 4768, the child that the parent writes into and redirects with SetThreadContext (see the signatures below), so it is the unpacked payload that matches, not the on-disk sample.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  process: united scientific equipent.exe
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation
Geo\Nation holds the GeoID of the user's Region setting. This run used an es-es image, so a sample that branches on that value may take a different path on a sandbox or victim with another locale.
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  process: united scientific equipent.exe
  description: Key opened
  iocs:
    \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
9375CFF0413111d3B88A00104B2A6676 is the fixed subkey under which Outlook keeps per-account settings, including stored mail credentials; the three paths cover Outlook 2013 (15.0), Outlook 2016/365 (16.0) and the older Windows Messaging Subsystem location, so the stealer reads whichever version is installed.
Suspicious use of SetThreadContext (1 IoC)
  PID 2680 (united scientific equipent.exe) set thread context of PID 4768 (united scientific equipent.exe)
Together with the self-spawn in the process tree and the WriteProcessMemory IoCs below, this is the process-hollowing pattern: the parent starts a copy of itself, overwrites its memory with the unpacked payload and repoints the thread at it.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. The registration here is the schtasks.exe child (PID 220) in the process tree.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 2680 united scientific equipent.exe (3 events)
  PID 4768 united scientific equipent.exe (2 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2680 united scientific equipent.exe
  Token: SeDebugPrivilege, PID 4768 united scientific equipent.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 4768 united scientific equipent.exe
Called from the unpacked payload, this is consistent with a keyboard hook for keylogging; the report does not record the hook type.
Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2680 (united scientific equipent.exe) wrote to memory of PID 220 (schtasks.exe): 3 events
  PID 2680 (united scientific equipent.exe) wrote to memory of PID 4236 (united scientific equipent.exe): 3 events
  PID 2680 (united scientific equipent.exe) wrote to memory of PID 4768 (united scientific equipent.exe): 8 events
The same three writes appear for schtasks.exe, which runs its own command line and is not hollowed, so three is the baseline a process creation produces here. PID 4768 is the only child that receives both the extra writes and SetThreadContext; PID 4236 gets the baseline writes and no further signatures.
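The SetThreadContext and WriteProcessMemory signatures above only become a hollowing verdict when they are joined with the process tree. The script below does that join; it is an added example and not the sandbox's own detection logic. The process tree and the event tuples are transcribed from this report's "Processes", "Suspicious use of WriteProcessMemory" and "Suspicious use of SetThreadContext" sections; the record format and the baseline write count are the example's own assumptions.

```python
"""Score process-hollowing candidates from the API events a sandbox reports.

Added example for this report, not the sandbox's own detection logic. PROCS and
EVENTS are transcribed from the report; the tuple format and
NORMAL_SPAWN_WRITES are this example's assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int]


# Process tree from the report (PID -> Proc).
PROCS = {
    2680: Proc(2680, r"C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe", None),
    220: Proc(220, r"C:\Windows\SysWOW64\schtasks.exe", 2680),
    4236: Proc(4236, r"C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe", 2680),
    4768: Proc(4768, r"C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe", 2680),
}

# (api, source_pid, target_pid): one tuple per IoC line in the report.
EVENTS = (
    [("WriteProcessMemory", 2680, 220)] * 3
    + [("WriteProcessMemory", 2680, 4236)] * 3
    + [("WriteProcessMemory", 2680, 4768)] * 8
    + [("SetThreadContext", 2680, 4768)]
)

# A few writes into a just-created child are normal; the report shows three
# for schtasks.exe, which is not hollowed. Write count alone is a weak signal;
# SetThreadContext on a child the parent also wrote into is the strong one.
NORMAL_SPAWN_WRITES = 3


def assess(procs=PROCS, events=EVENTS):
    """Return {pid: verdict} for every child process in the tree."""
    writes = Counter()
    ctx_set = set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx_set.add((src, dst))

    verdicts = {}
    for pid, proc in procs.items():
        if proc.parent is None or proc.parent not in procs:
            continue  # roots and orphans have no parent to compare against
        parent = procs[proc.parent]
        key = (parent.pid, pid)
        same_image = proc.image.lower() == parent.image.lower()
        n_writes = writes[key]

        if key in ctx_set and n_writes > 0:
            verdicts[pid] = "hollowed: parent wrote memory then set thread context"
        elif same_image and n_writes > 0:
            # Self-spawn that was written into but never redirected: report it
            # rather than guess why (the page records no more about PID 4236).
            verdicts[pid] = "self-spawn with memory writes but no SetThreadContext"
        elif n_writes > NORMAL_SPAWN_WRITES:
            verdicts[pid] = "unusual write volume into child"
        else:
            verdicts[pid] = "normal child"
    return verdicts


def hollowed_pids(procs=PROCS, events=EVENTS):
    """PIDs that received both memory writes and SetThreadContext from their parent."""
    return sorted(pid for pid, v in assess(procs, events).items() if v.startswith("hollowed"))


if __name__ == "__main__":
    for pid, verdict in sorted(assess().items()):
        name = PROCS[pid].image.rsplit("\\", 1)[-1]
        print(f"{pid:>5}  {name:<32} {verdict}")
```

The verdict keys on the parent/child pair, not on the image name, so the same logic catches hollowing of a legitimate host binary (a RegAsm.exe or MSBuild.exe child) as well as the self-spawn seen here; only the "self-spawn" tier is specific to the same-image case.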
outlook_office_path (1 IoC)
  process: united scientific equipent.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
  process: united scientific equipent.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
PID 2680  C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe"
          - Checks computer location settings
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
  PID 220   C:\Windows\SysWOW64\schtasks.exe
            command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyganvy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE932.tmp"
            - Creates scheduled task(s)
            (the command line names System32, but the 32-bit parent is redirected to SysWOW64 by WoW64 file system redirection, which is why the image path differs)
  PID 4236  C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe"
            (no signatures recorded)
  PID 4768  C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe"
            - Accesses Microsoft Outlook profiles
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - outlook_office_path
            - outlook_win_path
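The schtasks.exe line in the tree is the persistence mechanism, and its shape (task registered from an XML file in the user's Temp directory, task folder "Updates", registering process itself in Temp) is what a triage rule should key on. The script below parses that command line and lists those reasons; it is an added example and not code from the sandbox. The command line and parent image are copied from the process tree above. The task XML is not in the report, so the example makes no claim about what the task runs.

```python
"""Parse a schtasks.exe command line and flag persistence indicators.

Added example for this report, not the sandbox's own code. SCHTASKS_CMDLINE and
PARENT_IMAGE are copied from the report's process tree; the switch handling is
the example's own, simplified model of schtasks' syntax.
"""
import re

# Copied verbatim from the report's process tree.
SCHTASKS_CMDLINE = r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyganvy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE932.tmp"'
PARENT_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe"

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')
# .NET Path.GetTempFileName() and Win32 GetTempFileName() produce tmp<4 hex>.tmp.
_TMP_NAME_RE = re.compile(r"^tmp[0-9A-Fa-f]{4}\.tmp$")

ACTIONS = {"CREATE", "DELETE", "RUN", "QUERY", "CHANGE", "END", "SHOWSID"}
# Switches that take no value; everything else is treated as /SWITCH value.
FLAG_SWITCHES = {"F", "Z", "NP", "V1", "IT", "HRESULT", "V", "NH"}


def split_args(cmdline):
    """Minimal Windows-style splitter: double-quoted tokens keep their spaces."""
    args = []
    for m in _ARG_RE.finditer(cmdline):
        args.append(m.group(1) if m.group(1) is not None else m.group(2))
    return args


def parse_schtasks(cmdline):
    """Return {'image', 'action', 'switches'} or None if this is not schtasks."""
    args = split_args(cmdline)
    if not args or not args[0].lower().endswith("schtasks.exe"):
        return None
    result = {"image": args[0], "action": None, "switches": {}}
    i = 1
    while i < len(args):
        tok = args[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok[1:].upper()
        if key in ACTIONS:
            result["action"] = key
            i += 1
        elif key in FLAG_SWITCHES or i + 1 >= len(args) or args[i + 1].startswith("/"):
            result["switches"][key] = True
            i += 1
        else:
            result["switches"][key] = args[i + 1]
            i += 2
    return result


def persistence_flags(parsed, parent_image):
    """Return the reasons this registration deserves attention (empty if none)."""
    flags = []
    if parsed is None or parsed["action"] != "CREATE":
        return flags
    sw = parsed["switches"]
    xml = sw.get("XML")
    task_name = sw.get("TN", "") if isinstance(sw.get("TN"), str) else ""

    if isinstance(xml, str):
        xml_dir, _, xml_name = xml.rpartition("\\")
        if "\\appdata\\local\\temp" in xml_dir.lower():
            # The XML is consumed at registration time and can be deleted right
            # after, so the registered task is the only place the action survives.
            flags.append("task defined by an XML file in a user Temp directory")
        if _TMP_NAME_RE.match(xml_name):
            flags.append("XML file name matches the tmpXXXX.tmp pattern of GetTempFileName")
    if task_name.lower().startswith("updates\\"):
        flags.append('root-level "Updates" task folder (Windows\' own update tasks live under \\Microsoft\\Windows\\)')
    if "\\appdata\\local\\temp" in parent_image.lower():
        flags.append("registering process itself runs from a user Temp directory")
    return flags


if __name__ == "__main__":
    parsed = parse_schtasks(SCHTASKS_CMDLINE)
    print(parsed["action"], parsed["switches"])
    for reason in persistence_flags(parsed, PARENT_IMAGE):
        print(" -", reason)
```

On a live host the registered definition, including the action the report does not show, can be dumped with `schtasks /Query /TN "Updates\lyganvy" /XML`; compare it against the hash of whatever is left in Temp before cleaning up, since the tmpE932.tmp file is the one artefact that ties the task back to this sample.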
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 1KB
  MD5: 17573558c4e714f606f997e5157afaac
  SHA1: 13e16e9415ceef429aaf124139671ebeca09ed23
  SHA256: c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
  SHA512: f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
File 2
  Filesize: 1KB
  MD5: 7e4996d1cf7eba9e5f341b83089d46b8
  SHA1: d3a6ec04f4350f32a5e77a6a6cc816a0b9abdc33
  SHA256: f375585fc91ee7857f2cc4b528273f55fa09d2a4a139bf25eb738321ed8a6884
  SHA512: 1864463d63ddf4a91ad9157af34a1ced1454f5545daf8c21f6b16ca9b06cf15ff854c7bcdf7ddfcdd691201555e8b6d99c66678d55afcc62c8a1df48f752de29