Analysis
- max time kernel: 148s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2023 03:10
Static task: static1
Behavioral task: behavioral1
- Sample: b353f9892d8169f4e0ee5046d64ad301386ada46356f2e66e18c28ae8d17679d.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: b353f9892d8169f4e0ee5046d64ad301386ada46356f2e66e18c28ae8d17679d.exe
- Resource: win10v2004-20231127-en
General
- Target: b353f9892d8169f4e0ee5046d64ad301386ada46356f2e66e18c28ae8d17679d.exe
- Size: 364KB
- MD5: 0c4bb2454ce93e6c26ced4785805455f
- SHA1: 597867955dfab7a5e3a30cbad3912f2a25b360f2
- SHA256: b353f9892d8169f4e0ee5046d64ad301386ada46356f2e66e18c28ae8d17679d
- SHA512: f824237372a82f2c07d1c65bc88667f091b138bb984b3b31289d2aff4e05509b01e136b78f596377c443086b0805e1d2e58e105d82ed8f1c50018e856a012363
- SSDEEP: 6144:P8LxB0Pi+VX4gGvnaMvFs1l5BQLUmYmcMTAPDIYsqUU6SlE4t7n6Sh0VcyqkXLTw:xwHZvGv7QL1RcEAbUc6oEOOVVnqk7Tw
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    3460 | pgqnmj.exe
    5028 | pgqnmj.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | pgqnmj.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | pgqnmj.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | pgqnmj.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 3460 set thread context of 5028 | 3460 | pgqnmj.exe | pgqnmj.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid | process):
    3460 | pgqnmj.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 5028 | pgqnmj.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
    PID 4076 wrote to memory of 3460 | 4076 | b353f9892d8169f4e0ee5046d64ad301386ada46356f2e66e18c28ae8d17679d.exe | pgqnmj.exe
    PID 4076 wrote to memory of 3460 | 4076 | b353f9892d8169f4e0ee5046d64ad301386ada46356f2e66e18c28ae8d17679d.exe | pgqnmj.exe
    PID 4076 wrote to memory of 3460 | 4076 | b353f9892d8169f4e0ee5046d64ad301386ada46356f2e66e18c28ae8d17679d.exe | pgqnmj.exe
    PID 3460 wrote to memory of 5028 | 3460 | pgqnmj.exe | pgqnmj.exe
    PID 3460 wrote to memory of 5028 | 3460 | pgqnmj.exe | pgqnmj.exe
    PID 3460 wrote to memory of 5028 | 3460 | pgqnmj.exe | pgqnmj.exe
    PID 3460 wrote to memory of 5028 | 3460 | pgqnmj.exe | pgqnmj.exe
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | pgqnmj.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | pgqnmj.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b353f9892d8169f4e0ee5046d64ad301386ada46356f2e66e18c28ae8d17679d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b353f9892d8169f4e0ee5046d64ad301386ada46356f2e66e18c28ae8d17679d.exe"
  PID: 4076
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pgqnmj.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pgqnmj.exe"
    PID: 3460
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\pgqnmj.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\pgqnmj.exe"
      PID: 5028
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 174KB
  MD5: fdd06e963e6883d1f02e1e2caeabccf7
  SHA1: b18a6c4a004f4c50052b10872a388ca3612b1a25
  SHA256: c6cb8ecdce5278f041c56e7e5d7181087107b4c476a35e851669b2831658625e
  SHA512: 810a2cd90bb506ff50ba1effa833cc72a7fe9f5b9e7f8d8d8562225c200d7fc6214b5133d0d74b3b97446c8c121ca2f3b69a7b90242240dc44187336d91f2e38
- Filesize: 262KB
  MD5: 409c870e86d7faec1b379fbbd2df418b
  SHA1: 94cab11508a786836a20d62e772d50d99bbd5332
  SHA256: b216038ab54c08cdf8cd09f241d2ec9ac4f8596351e75d2c1e6b97dbd6662f1d
  SHA512: c43ee1b4419581f619dc70e601cfb1aa16b04aceeca56f3c4ce54bac2378440ba46786e2ce155bc58bb6f49ea907f230b1e51bbdf420662cb68d247c86dd395b