Analysis

Max time kernel: 117s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20231020-en
Resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
Submitted: 01-12-2023 16:08

Static task: static1
Behavioral task: behavioral1 (sample tmp.exe, resource win7-20231020-en)
Behavioral task: behavioral2 (sample tmp.exe, resource win10v2004-20231127-en)

The signatures, process tree and dropped files below are from the windows7_x64 run (behavioral1); the Windows 10 run is not shown on this page.
General

Target: tmp.exe
Size: 406KB
MD5: 87eadc10467ceef110fad5e3a24bd624
SHA1: c5aefcdab3a35395896fd386f5bd8fdebb9f6e5c
SHA256: 8f299dbb55f0eca6fbb067425149e6664b6ebb4a4974d87fed4a412a2a2116d8
SHA512: 046b70292a36cdc76b44ebe307401eb07511d29cb86e5cfb9c82dd482a918e64e16cc7ff087ac3e737059a15b2982d9853819b5cf37cde9e62f54fa701f749c4
SSDEEP: 12288:xscKqDGarphL8/kiJ2e6ju44V7mlkErfCs:x1VVLOkfe64yO4fD
Malware Config
Signatures

AgentTesla
Agent Tesla is a .NET-based information stealer with remote access tool (RAT) features; the sandbox's family description calls it "written in visual basic" (VB.NET). The behaviour in this run matches the family: the final-stage process reads stored credential data from web browsers and local email clients.
Executes dropped EXE (2 IoCs)
  PID 2748  gxlcmvruxg.exe
  PID 2704  gxlcmvruxg.exe

Loads dropped DLL (3 IoCs)
  PID 1196  tmp.exe
  PID 1196  tmp.exe
  PID 2748  gxlcmvruxg.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store user data on disk and in the registry (profiles, account settings, saved passwords), which infostealers commonly target.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Process: gxlcmvruxg.exe (PID 2704, per the process tree below)
  Key opened: \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The GUID-named key 9375CFF0413111d3B88A00104B2A6676 is where Outlook keeps per-account settings, including the DPAPI-protected passwords of POP3/IMAP/SMTP accounts. The three paths cover Office 2013 (15.0), Office 2016 and later (16.0) and the legacy Windows Messaging Subsystem location, so the stealer probes every Outlook version rather than the one installed.
Suspicious use of SetThreadContext (1 IoC)
  PID 2748 gxlcmvruxg.exe set thread context of PID 2704 gxlcmvruxg.exe
Together with the WriteProcessMemory and MapViewOfSection events from the same parent into a child launched from its own image, this is the process hollowing sequence (ATT&CK T1055.012, editor's mapping): start a second copy of itself, replace its memory with the payload, then redirect its thread with SetThreadContext. The second gxlcmvruxg.exe (PID 2704) is therefore the one that carries the Agent Tesla payload and performs the credential access below.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2704  gxlcmvruxg.exe
  PID 2704  gxlcmvruxg.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  PID 2748  gxlcmvruxg.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2704  gxlcmvruxg.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1196 tmp.exe wrote to memory of PID 2748 gxlcmvruxg.exe (4 events)
  PID 2748 gxlcmvruxg.exe wrote to memory of PID 2704 gxlcmvruxg.exe (5 events)
outlook_office_path (1 IoC)
  gxlcmvruxg.exe  Key opened: \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
  gxlcmvruxg.exe  Key opened: \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"  (PID 1196)
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\gxlcmvruxg.exe  "C:\Users\Admin\AppData\Local\Temp\gxlcmvruxg.exe"  (PID 2748)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\gxlcmvruxg.exe  "C:\Users\Admin\AppData\Local\Temp\gxlcmvruxg.exe"  (PID 2704)
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
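An added triage example (editor's code, not part of the sandbox report or the sandbox's API): it rebuilds the process tree from the behavioural events listed in the signature tables, flags the parent/child pair that matches the hollowing sequence (child launched from the parent's own image, parent both wrote into it and called SetThreadContext on it), and classifies the Outlook profile registry keys the hollowed child opened. The EVENTS and PROCESS_TREE records are constructed from this report's own tables; the event tuple layout, the store labels and the function names are assumptions of this example, and the same logic applies to any report where a process writes into and re-contexts a copy of itself.

```python
"""Triage helper: rebuild the sandbox process tree, flag the process-hollowing
chain and classify Outlook profile registry reads. Added example; EVENTS and
PROCESS_TREE are constructed from this report's tables, not fetched anywhere."""
import re
from collections import defaultdict

# (api, source pid, source image, target pid, target image or IoC),
# constructed from the 'Suspicious use of ...' and Outlook signature tables.
EVENTS = [
    ("WriteProcessMemory", 1196, "tmp.exe", 2748, "gxlcmvruxg.exe"),
    ("WriteProcessMemory", 2748, "gxlcmvruxg.exe", 2704, "gxlcmvruxg.exe"),
    ("MapViewOfSection", 2748, "gxlcmvruxg.exe", None, None),
    ("SetThreadContext", 2748, "gxlcmvruxg.exe", 2704, "gxlcmvruxg.exe"),
    ("AdjustPrivilegeToken", 2704, "gxlcmvruxg.exe", None, "SeDebugPrivilege"),
    ("RegOpenKey", 2704, "gxlcmvruxg.exe", None,
     r"\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000"
     r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
     r"\9375CFF0413111d3B88A00104B2A6676"),
    ("RegOpenKey", 2704, "gxlcmvruxg.exe", None,
     r"\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000"
     r"\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem"
     r"\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
]

# pid -> (image, parent pid), constructed from the report's Processes tree.
PROCESS_TREE = {
    1196: ("tmp.exe", None),
    2748: ("gxlcmvruxg.exe", 1196),
    2704: ("gxlcmvruxg.exe", 2748),
}

# Outlook keeps per-account settings (and DPAPI-protected POP3/IMAP/SMTP
# passwords) under this fixed GUID-named key, either in the Office 15.0/16.0
# hive or in the legacy Windows Messaging Subsystem location.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\(?P<ver>\d+\.\d+)\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)"
    r"\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676$",
    re.IGNORECASE,
)


def detect_hollowing(events, tree):
    """Return (parent, child) pairs where the child runs the parent's own image
    and the parent both wrote into it and called SetThreadContext on it."""
    wrote, set_ctx = defaultdict(set), defaultdict(set)
    for api, src, _src_img, tgt, _ioc in events:
        if api == "WriteProcessMemory":
            wrote[src].add(tgt)
        elif api == "SetThreadContext":
            set_ctx[src].add(tgt)
    hits = []
    for pid, (image, parent) in tree.items():
        if parent is None or parent not in tree:
            continue
        same_image = image.lower() == tree[parent][0].lower()
        if same_image and pid in wrote[parent] and pid in set_ctx[parent]:
            hits.append((parent, pid))
    return hits


def outlook_credential_keys(events):
    """Classify RegOpenKey IoCs that hit the Outlook profile account key."""
    hits = []
    for api, src, src_img, _tgt, ioc in events:
        if api != "RegOpenKey" or not ioc:
            continue
        m = OUTLOOK_PROFILE_RE.search(ioc)
        if not m:
            continue
        store = (f"Office {m.group('ver')} Outlook profile" if m.group("ver")
                 else "Windows Messaging Subsystem Outlook profile")
        hits.append({"pid": src, "image": src_img, "store": store, "key": ioc})
    return hits


def render_tree(tree, hollowed):
    """Indented process tree; children returned by detect_hollowing are marked."""
    children, roots = defaultdict(list), []
    for pid, (_image, parent) in tree.items():
        (roots if parent is None else children[parent]).append(pid)
    flagged = {child for _parent, child in hollowed}
    lines = []

    def walk(pid, depth):
        tag = "  <-- hollowed" if pid in flagged else ""
        lines.append(f"{'  ' * depth}{tree[pid][0]} (PID {pid}){tag}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    hollowed = detect_hollowing(EVENTS, PROCESS_TREE)
    print("\n".join(render_tree(PROCESS_TREE, hollowed)))
    for hit in outlook_credential_keys(EVENTS):
        print(f"PID {hit['pid']} ({hit['image']}) opened {hit['store']}: {hit['key']}")
```

The tmp.exe to gxlcmvruxg.exe writes are deliberately not flagged: the images differ and no SetThreadContext follows, which is consistent with a dropper unpacking a second-stage executable rather than hollowing it. Only the gxlcmvruxg.exe pair (2748 into 2704) satisfies all three conditions, and it is that child, not the dropper, that opens the Outlook profile keys.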
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 191KB
MD5: f9e285fb3622eaf93d2955acff722b8a
SHA1: f3264751e652d1e98469b85cfe84f2bdf0cbfb21
SHA256: b04355e18932c2e5b1ed5b6cf6fa8872ba05cb2b2374a0379409c3182e9a01ea
SHA512: 8f7147c75397523495afe541becb37d99f97beb35e066fe769d1b014a50cbf0e99791e3838b8600874b4cc8042218c4d4bb4a4a12e44ea49ffa0f8d1fd03987a
(the report lists this artifact seven times with identical hashes; it is shown once here)

Filesize: 335KB
MD5: 4efb5c722c472c001cc845b442c4d1aa
SHA1: e1b9665597b7a8a4a12c56d21db13a3f43dc77e4
SHA256: 6dab7765c1722e03dd643d2c1d16a1c5f896d4a450ba46f3ff9789f8950ef7e4
SHA512: 8ca85e54fc5b3fa5affe8326cc378f78567a49dd3ad32a8d79c040cc90ff94d58f91c9629a57fb158561f96b0908af2c369af9b8d5e76c57bfe196b1322ecf32