Analysis
max time kernel: 142s
max time network: 124s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2023 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: fd1e71506e6acef86142f01c0f8550f6c8908b7337b86b627ace2af6cbda1453.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: fd1e71506e6acef86142f01c0f8550f6c8908b7337b86b627ace2af6cbda1453.exe
  Resource: win10v2004-20231127-en
General
Target: fd1e71506e6acef86142f01c0f8550f6c8908b7337b86b627ace2af6cbda1453.exe
Size: 429KB
MD5: bdf2b3b191432b2beb2d9280bc15cfc5
SHA1: 490bdef6de2ea69eb1363e4dc790e132e4b73a3b
SHA256: fd1e71506e6acef86142f01c0f8550f6c8908b7337b86b627ace2af6cbda1453
SHA512: c37b9994381c17a9a3e3576b0ddfd4a77d56deeb6529c19033138a2cfe7d016c4e9a1ee1cbfd8723bac1121a42d8bef9941212262c27f3dd74d780eea72bad2c
SSDEEP: 6144:Z8LxB9Z0Q7EjnhEXc0ZBnVHlN4T6XoFy8RiwjiI0CAi2FCnfSDRWXHSAu:eZ17ghr0rnLN4T6Gy8905FCnqAXfu
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Executes dropped EXE (2 IoCs)
Processes:
  PID 2120  jukgiw.exe
  PID 1624  jukgiw.exe
Loads dropped DLL (3 IoCs)
Processes:
  PID 1080  fd1e71506e6acef86142f01c0f8550f6c8908b7337b86b627ace2af6cbda1453.exe
  PID 1080  fd1e71506e6acef86142f01c0f8550f6c8908b7337b86b627ace2af6cbda1453.exe
  PID 2120  jukgiw.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  jukgiw.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  jukgiw.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  jukgiw.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes (description, pid, process, target process):
  PID 2120 set thread context of 1624  2120  jukgiw.exe  jukgiw.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 1624  jukgiw.exe
  PID 1624  jukgiw.exe
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  PID 2120  jukgiw.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege  1624  jukgiw.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process):
  PID 1080 wrote to memory of 2120  1080  fd1e71506e6acef86142f01c0f8550f6c8908b7337b86b627ace2af6cbda1453.exe  jukgiw.exe  (4 identical entries)
  PID 2120 wrote to memory of 1624  2120  jukgiw.exe  jukgiw.exe  (5 identical entries)
outlook_office_path (1 IoCs)
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  jukgiw.exe

outlook_win_path (1 IoCs)
Processes (description, ioc, process):
  Key opened  \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  jukgiw.exe
Processes
C:\Users\Admin\AppData\Local\Temp\fd1e71506e6acef86142f01c0f8550f6c8908b7337b86b627ace2af6cbda1453.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd1e71506e6acef86142f01c0f8550f6c8908b7337b86b627ace2af6cbda1453.exe"
  PID: 1080
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\jukgiw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jukgiw.exe"
    PID: 2120
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\jukgiw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\jukgiw.exe"
      PID: 1624
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 164KB
  MD5: 9f6a2873c23844f5bb87f61f8bcb85da
  SHA1: 9f09ef10b302eaca69c09ebf0cbf02d71a30a539
  SHA256: 7e8fb52391815c523f44a3312f90cf3e651520b9cd84eee473519eb51cba1421
  SHA512: 7e9536dceca743c32ce16156aacc2283f25df78872fd0215839860fd8defbf4a5e76dd08c55aa92b2525036bbfa9f334642e7a99e586fc03b3d8102dfed48fce
Filesize: 335KB
  MD5: e5f99a0ba62a85ac626ef91ec8d5a63f
  SHA1: e9fef4dfe6bfc2470dc9e0a53ff2e6798cfe49f9
  SHA256: de0b61bbeeefc52d9f2360aec938e7b1f7349d917b47dcc96b9f144fa36dcf3d
  SHA512: ad766be6570ca39b3254f5c3eb54c3a89e712ba1b65974749e303470ce33877ce9dad86a3dbbd07068682cfb4a2bc5b5f0bf750ce7011c9da29ff636c25718f2