Analysis
-
max time kernel
143s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2023 01:55
Static task
static1
Behavioral task
behavioral1
Sample
a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe
Resource
win10v2004-20231127-en
General
-
Target
a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe
-
Size
587KB
-
MD5
1ec275d581b7efc115153bb6a8915ba5
-
SHA1
869acb34500897d1d9ebe06bf3f52eeaeb8c1eaa
-
SHA256
a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f
-
SHA512
001f23bea4fd2ae52fd88d01f1d9bf9539954ac3e02ae7b7dd0dcc9f57d1c9ac89f242a0128d2126313bd3099c40eb622516081298d98b2d05abdb805785d1c5
-
SSDEEP
6144:O8LxB3Qx8ayrbordY+VxuOveqXd0N+UMq1zSvEFWcbqX7TZPTvV3AWgbyG1aSmWD:GxPgUrdJE0Wx+YWc871PTWbHfmWPYMf
Malware Config
Extracted
Protocol: smtp- Host:
premium185.web-hosting.com - Port:
587 - Username:
[email protected] - Password:
cooldown2013
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 2 IoCs
pid Process 3380 aodoeww.exe 2788 aodoeww.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SzvWIzD = "C:\\Users\\Admin\\AppData\\Roaming\\SzvWIzD\\SzvWIzD.exe" aodoeww.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 36 api.ipify.org 37 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3380 set thread context of 2788 3380 aodoeww.exe 89 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2788 aodoeww.exe 2788 aodoeww.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3380 aodoeww.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2788 aodoeww.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2816 wrote to memory of 3380 2816 a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe 86 PID 2816 wrote to memory of 3380 2816 a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe 86 PID 2816 wrote to memory of 3380 2816 a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe 86 PID 3380 wrote to memory of 2788 3380 aodoeww.exe 89 PID 3380 wrote to memory of 2788 3380 aodoeww.exe 89 PID 3380 wrote to memory of 2788 3380 aodoeww.exe 89 PID 3380 wrote to memory of 2788 3380 aodoeww.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe"C:\Users\Admin\AppData\Local\Temp\a331d8169961a13fabdff8a264ff22687770e49794d63b9ac526055c8c929b1f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Users\Admin\AppData\Local\Temp\aodoeww.exe"C:\Users\Admin\AppData\Local\Temp\aodoeww.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Users\Admin\AppData\Local\Temp\aodoeww.exe"C:\Users\Admin\AppData\Local\Temp\aodoeww.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
165KB
MD561489aebd8bfdeec13ef3861873f9e45
SHA17cbb9b36b807b4b79b7f17d7494f6de0ff38edfb
SHA2567f782878abf2380b3fd7953a2eb73f52c7fb8f0ae80e83b4c613118e7d02d4f8
SHA5126897a33996afa73c5f843f9089acef9ed59b812fd149befe044e191ead3f834a0a90ce09b36e498c8dc33a73d14ac3522724ffdf922bacf8082c595429e172a5
-
Filesize
165KB
MD561489aebd8bfdeec13ef3861873f9e45
SHA17cbb9b36b807b4b79b7f17d7494f6de0ff38edfb
SHA2567f782878abf2380b3fd7953a2eb73f52c7fb8f0ae80e83b4c613118e7d02d4f8
SHA5126897a33996afa73c5f843f9089acef9ed59b812fd149befe044e191ead3f834a0a90ce09b36e498c8dc33a73d14ac3522724ffdf922bacf8082c595429e172a5
-
Filesize
165KB
MD561489aebd8bfdeec13ef3861873f9e45
SHA17cbb9b36b807b4b79b7f17d7494f6de0ff38edfb
SHA2567f782878abf2380b3fd7953a2eb73f52c7fb8f0ae80e83b4c613118e7d02d4f8
SHA5126897a33996afa73c5f843f9089acef9ed59b812fd149befe044e191ead3f834a0a90ce09b36e498c8dc33a73d14ac3522724ffdf922bacf8082c595429e172a5
-
Filesize
333KB
MD596b2d3902a0e83e8566903c45773664b
SHA158fa09c32f35cfd8b31d0a53230fdfa184d9eede
SHA256bf6daa91ecdf8ec351ab89424d323865fd8f5b2124a9f2b9954ffc4539a44033
SHA5122c9ec68e765a1c677b7e4493dbd9105f0edf93052b2c4612ff64c0954fc455123e6871a712ffec04f1a3d7c1be9f6406eb9046056fbbf1a50ca0324cc8679f73