Analysis
-
max time kernel
147s -
max time network
52s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system -
submitted
02-12-2023 07:32
Static task
static1
Behavioral task
behavioral1
Sample
c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe
Resource
win10v2004-20231130-en
General
-
Target
c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe
-
Size
351KB
-
MD5
ebdf9dcf04da8f500480fd73171e6b7d
-
SHA1
e30c81881d0933f4a03a692345cc4c7cce6d571f
-
SHA256
c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488
-
SHA512
e714241ccefb2f854b7f21274bc7af00bf63b751fc1edf361fd810a83deacf9d98cea2e1f6836f05f6c73eebb0f62cbfcbacdd08c498dc0fc581312242856205
-
SSDEEP
6144:wBlL/COT4k6135ecz+IyDJy6Fc/bFQ0odCih1TTZT732b58Oqa8OYRVjogSryENs:CE461JX+IyDJysc/9odCETT5y58OFgKe
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 2 IoCs
Processes:
oweoyjcg.exeoweoyjcg.exepid process 2916 oweoyjcg.exe 4896 oweoyjcg.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
oweoyjcg.exedescription pid process target process PID 2916 set thread context of 4896 2916 oweoyjcg.exe oweoyjcg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
oweoyjcg.exepid process 4896 oweoyjcg.exe 4896 oweoyjcg.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
oweoyjcg.exepid process 2916 oweoyjcg.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
oweoyjcg.exedescription pid process Token: SeDebugPrivilege 4896 oweoyjcg.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
oweoyjcg.exepid process 4896 oweoyjcg.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exeoweoyjcg.exedescription pid process target process PID 3756 wrote to memory of 2916 3756 c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe oweoyjcg.exe PID 3756 wrote to memory of 2916 3756 c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe oweoyjcg.exe PID 3756 wrote to memory of 2916 3756 c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe oweoyjcg.exe PID 2916 wrote to memory of 4896 2916 oweoyjcg.exe oweoyjcg.exe PID 2916 wrote to memory of 4896 2916 oweoyjcg.exe oweoyjcg.exe PID 2916 wrote to memory of 4896 2916 oweoyjcg.exe oweoyjcg.exe PID 2916 wrote to memory of 4896 2916 oweoyjcg.exe oweoyjcg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe"C:\Users\Admin\AppData\Local\Temp\c590f753b04774ae8e45fdece3d31ceafc9df7445a1473e63fc281cad03b5488.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Users\Admin\AppData\Local\Temp\oweoyjcg.exe"C:\Users\Admin\AppData\Local\Temp\oweoyjcg.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Users\Admin\AppData\Local\Temp\oweoyjcg.exe"C:\Users\Admin\AppData\Local\Temp\oweoyjcg.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4896
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
339KB
MD5a28c928f1a34038cccf03fcecba4c758
SHA1cc6b0abe6bb26323ea48c68829446dfc91a6e340
SHA256587562c17c3a27d9f722893b9c73ec7e2dbbb015c3618ee2cdf45414663c83c3
SHA512c3268557e55068eaafaa7301afcb199af74f67d04b7cd512cb52daf04b2154efc950e5ec92f58993de2c417f390776c81ae2993d03e5c24f312fa2ade3664e62
-
Filesize
165KB
MD5436e291267ad544e575b6eb53e4336e1
SHA1cb8acd02eda4a509c050d388c7e3ca323d5ae253
SHA256c64f01d9a0430d0c42a41931e16d383fd8d84bc2ebb8aa07e600ae6cd7ee37cb
SHA5123c52151057ebea8e67201cd2f01dd7e121b004eb7032e551154c1e753b561c51cd30c5b86f51a05fa0cf66acc5e2fcbb381809c6138fa6a70cf292b266bdb6da
-
Filesize
165KB
MD5436e291267ad544e575b6eb53e4336e1
SHA1cb8acd02eda4a509c050d388c7e3ca323d5ae253
SHA256c64f01d9a0430d0c42a41931e16d383fd8d84bc2ebb8aa07e600ae6cd7ee37cb
SHA5123c52151057ebea8e67201cd2f01dd7e121b004eb7032e551154c1e753b561c51cd30c5b86f51a05fa0cf66acc5e2fcbb381809c6138fa6a70cf292b266bdb6da
-
Filesize
165KB
MD5436e291267ad544e575b6eb53e4336e1
SHA1cb8acd02eda4a509c050d388c7e3ca323d5ae253
SHA256c64f01d9a0430d0c42a41931e16d383fd8d84bc2ebb8aa07e600ae6cd7ee37cb
SHA5123c52151057ebea8e67201cd2f01dd7e121b004eb7032e551154c1e753b561c51cd30c5b86f51a05fa0cf66acc5e2fcbb381809c6138fa6a70cf292b266bdb6da