Analysis
max time kernel: 142s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2023 03:44
Static task: static1
Behavioral task: behavioral1
  Sample: 8bfd7886121330aca3002b5b1e768740.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 8bfd7886121330aca3002b5b1e768740.exe
  Resource: win10v2004-20231127-en
General
Target: 8bfd7886121330aca3002b5b1e768740.exe
Size: 405KB
MD5: 8bfd7886121330aca3002b5b1e768740
SHA1: 1dae238a6f5c6fb2074f8f7e9dccdaa625ccc71e
SHA256: 03b950d316f2e66e637a9cfdd2f769d5a53296b0459df9cb6ed0fc0d25282958
SHA512: 48354e5f6af35bce559d1476752cea9ebc4637e7792f8531b452b076c9949dca2892948c85e5b42ceebdc45cc3c21d03ce039c22983451c7c38b939a08528ee1
SSDEEP: 6144:P8LxBsXwwT1Y0cFlY/gryMLsow0D4XWGUugY2zh6haFpT5JQajkcnu0tbhQKYh:xXlT1Ys4uMLsL0DXGhIz+YO4HtyKG
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  1080  doubbdi.exe
  4752  doubbdi.exe
  2012  doubbdi.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
  description  ioc                                                                                                                                                                                     process
  Key opened   \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                        doubbdi.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676    doubbdi.exe
  Key opened   \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                        doubbdi.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                           pid   process      target process
  PID 1080 set thread context of 2012   1080  doubbdi.exe  doubbdi.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  2012  doubbdi.exe
  2012  doubbdi.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid   process
  1080  doubbdi.exe
  1080  doubbdi.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2012  doubbdi.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                          pid   process                                target process
  PID 2060 wrote to memory of 1080     2060  8bfd7886121330aca3002b5b1e768740.exe   doubbdi.exe
  PID 2060 wrote to memory of 1080     2060  8bfd7886121330aca3002b5b1e768740.exe   doubbdi.exe
  PID 2060 wrote to memory of 1080     2060  8bfd7886121330aca3002b5b1e768740.exe   doubbdi.exe
  PID 1080 wrote to memory of 4752     1080  doubbdi.exe                            doubbdi.exe
  PID 1080 wrote to memory of 4752     1080  doubbdi.exe                            doubbdi.exe
  PID 1080 wrote to memory of 4752     1080  doubbdi.exe                            doubbdi.exe
  PID 1080 wrote to memory of 2012     1080  doubbdi.exe                            doubbdi.exe
  PID 1080 wrote to memory of 2012     1080  doubbdi.exe                            doubbdi.exe
  PID 1080 wrote to memory of 2012     1080  doubbdi.exe                            doubbdi.exe
  PID 1080 wrote to memory of 2012     1080  doubbdi.exe                            doubbdi.exe
outlook_office_path (1 IoCs)
Processes:
  description  ioc                                                                                                                                                  process
  Key opened   \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676     doubbdi.exe

outlook_win_path (1 IoCs)
Processes:
  description  ioc                                                                                                                                                                                     process
  Key opened   \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676    doubbdi.exe
Processes (indented by parent/child depth)
C:\Users\Admin\AppData\Local\Temp\8bfd7886121330aca3002b5b1e768740.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8bfd7886121330aca3002b5b1e768740.exe"
  PID: 2060
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\doubbdi.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\doubbdi.exe"
    PID: 1080
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\doubbdi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\doubbdi.exe"
      PID: 4752
      - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\doubbdi.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\doubbdi.exe"
      PID: 2012
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 191KB
MD5: 5a1232108d4d199c99de71a08c45f068
SHA1: 817bb4b675853d2b36c99f0d6d9bf4d162c6000e
SHA256: 1eaf29f23168f7506f681545f3355eafefa715d574d7f5e68a5523b6b4d92f55
SHA512: 572facb4bf5e8415b37cb73992e843fffd9188b6929da139433f4ccc5a950a61dfbd8031f73667f1a4d976dbe06da7e0e747e168d5f23ac261608f72f8f62b5b

Filesize: 334KB
MD5: 043bdf6ecd9749b3947423bc584f7af9
SHA1: 7705ddeb913cb220c29a79859d6a76d64f3f7c46
SHA256: e53e05f266ca0f1e7e5f7c5fc91df1c9801cc708be3ae080f994aef1c2ef011c
SHA512: 3e47886d7704bdcaa50e1484650e9ec01bc9c86ce3ee3d58bb74d09326e3d94ab83fe90009c75a4acdaa0a1fa7cd5e377f8f059040ef019737218b3f14fce065