Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20231201-en
resource tags: arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2023 01:19
Static task: static1
Behavioral task: behavioral1
  Sample: 0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe
  Resource: win7-20231201-en
Behavioral task: behavioral2
  Sample: 0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe
  Resource: win10v2004-20231130-en
General
Target: 0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe
Size: 330KB
MD5: 9defa32ab3c74af8e29aea03a454934e
SHA1: 04dac45bb456d502638ac199f8a4bb9285167658
SHA256: 0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364
SHA512: b43c24dcf817b310c94743efd49e803d3c48a24192bed6ab99cfa813af5df20e69ac67f052ba613a185519ef5f0b1e9aaeacf7d77a40d0a32e4aa03747ca282f
SSDEEP: 6144:wBlL/Di/CcLN+BiYHbAabwWZKhl/fnT6vWKupX4ZWK2j1Mu9nBE:CZiFN4rbRbtYZnTsW7U22mE
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes:
    PID   Process
    1956  dkudxis.exe
    2752  dkudxis.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    PID   Process
    1908  0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe
    1908  0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe
    1956  dkudxis.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description, IoC, process):
    Key opened: \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (dkudxis.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (dkudxis.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (dkudxis.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID   Process      Target PID  Target process
    1956  dkudxis.exe  2752        dkudxis.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    PID   Process
    1956  dkudxis.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Description              PID   Process
    Token: SeDebugPrivilege  2752  dkudxis.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (PID, process, target PID, target process):
    PID 1908 (0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe) wrote to memory of PID 1956 (dkudxis.exe)
    PID 1908 (0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe) wrote to memory of PID 1956 (dkudxis.exe)
    PID 1908 (0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe) wrote to memory of PID 1956 (dkudxis.exe)
    PID 1908 (0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe) wrote to memory of PID 1956 (dkudxis.exe)
    PID 1956 (dkudxis.exe) wrote to memory of PID 2752 (dkudxis.exe)
    PID 1956 (dkudxis.exe) wrote to memory of PID 2752 (dkudxis.exe)
    PID 1956 (dkudxis.exe) wrote to memory of PID 2752 (dkudxis.exe)
    PID 1956 (dkudxis.exe) wrote to memory of PID 2752 (dkudxis.exe)
    PID 1956 (dkudxis.exe) wrote to memory of PID 2752 (dkudxis.exe)
- outlook_office_path (1 IoC)
  Processes (description, IoC, process):
    Key opened: \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (dkudxis.exe)
- outlook_win_path (1 IoC)
  Processes (description, IoC, process):
    Key opened: \REGISTRY\USER\S-1-5-21-1514849007-2165033493-4114354048-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (dkudxis.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0523f7cfc131c52445b00d8c354b91658bc0b5f970d5c5ffc01b8480a84b9364.exe"
   PID: 1908
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\dkudxis.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dkudxis.exe"
      PID: 1956
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\dkudxis.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\dkudxis.exe"
         PID: 2752
         - Executes dropped EXE
         - Accesses Microsoft Outlook profiles
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 165KB
  MD5: 265d03e2362687fa11bd38903296c90a
  SHA1: 95ec7500a11ff8bf5809bbdd2e86ebafc2ce9765
  SHA256: 437cd124c76c0f79962fea99694cbd9bed574a2428c6e174ef7391ed52fe277c
  SHA512: cf21e66e5f21ad43ad4e2ad5e7cdde8ca7530309afea2d7a5df047ae0bf8d9bf5c4dc8b6de7a9f2d24b9524a5ae2ff16c3af0cb3493942646016a67bc8c91c59
- Filesize: 262KB
  MD5: 2df4d71b568e778685d268ca305207bb
  SHA1: 703aff435d69a6a57801cdb394b5563bb9053eee
  SHA256: 6d9fa06d84ba86dc703b7f5704112cef0aa877c47b8bf8f51282d5f017f881bc
  SHA512: e37a8fd2802334cc45fcb988e9c3a22ebd6cfe15d292f5bff12275abcc1d15648556bf3850a56c8705a8b3c77dddd9a4c6e4688fa71569fdf073d381713564bd