Resubmissions
13-02-2024 12:04
240213-n8wg3ahc2z 1004-12-2023 18:50
231204-xg8gzsec21 1004-12-2023 18:47
231204-xe7gxaec2v 10Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
13-02-2024 12:04
Static task
static1
Behavioral task
behavioral1
Sample
Kviitung_04-12-2023.rar
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
Kviitung_04-12-2023.rar
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
Kviitung_04-12-2023.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
Kviitung_04-12-2023.exe
Resource
win10v2004-20231215-en
General
-
Target
Kviitung_04-12-2023.exe
-
Size
626KB
-
MD5
a98f880aefb9f770cf0f280b6aabfc63
-
SHA1
9aa8fbe199f4f7386e418076438f72a958147f0c
-
SHA256
f4c0c2490f385084d7673926acb7c950c30dfba656a77c85493cfc04889d002a
-
SHA512
f2fc8169d950b39e1387a44613418196f70fb719e2c8ee055fd5f7cb18e73803dffe548f38a1653e22af8174ddaedf193b46ae30f8f8c84dcc3d1155e8076e8e
-
SSDEEP
12288:FI45+po2V1kWEOIVim9yY7gRMpMCuaA9NV+wuSyW4hIcKvSwkPAg:FL+pJQnJyY7gepOaA9NV+gyW4hIpKP
Malware Config
Extracted
Protocol: smtp- Host:
sg3plcpnl0195.prod.sin3.secureserver.net - Port:
587 - Username:
[email protected] - Password:
V#[email protected]&Qo!
Extracted
agenttesla
Protocol: smtp- Host:
sg3plcpnl0195.prod.sin3.secureserver.net - Port:
587 - Username:
[email protected] - Password:
V#[email protected]&Qo! - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 26 api.ipify.org 27 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Kviitung_04-12-2023.exedescription pid process target process PID 2320 set thread context of 3032 2320 Kviitung_04-12-2023.exe Kviitung_04-12-2023.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 3364 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Kviitung_04-12-2023.exepid process 3032 Kviitung_04-12-2023.exe 3032 Kviitung_04-12-2023.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Kviitung_04-12-2023.exedescription pid process Token: SeDebugPrivilege 3032 Kviitung_04-12-2023.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
EXCEL.EXEpid process 3364 EXCEL.EXE 3364 EXCEL.EXE 3364 EXCEL.EXE 3364 EXCEL.EXE 3364 EXCEL.EXE 3364 EXCEL.EXE 3364 EXCEL.EXE 3364 EXCEL.EXE 3364 EXCEL.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Kviitung_04-12-2023.exedescription pid process target process PID 2320 wrote to memory of 3032 2320 Kviitung_04-12-2023.exe Kviitung_04-12-2023.exe PID 2320 wrote to memory of 3032 2320 Kviitung_04-12-2023.exe Kviitung_04-12-2023.exe PID 2320 wrote to memory of 3032 2320 Kviitung_04-12-2023.exe Kviitung_04-12-2023.exe PID 2320 wrote to memory of 3032 2320 Kviitung_04-12-2023.exe Kviitung_04-12-2023.exe PID 2320 wrote to memory of 3032 2320 Kviitung_04-12-2023.exe Kviitung_04-12-2023.exe PID 2320 wrote to memory of 3032 2320 Kviitung_04-12-2023.exe Kviitung_04-12-2023.exe PID 2320 wrote to memory of 3032 2320 Kviitung_04-12-2023.exe Kviitung_04-12-2023.exe PID 2320 wrote to memory of 3032 2320 Kviitung_04-12-2023.exe Kviitung_04-12-2023.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Kviitung_04-12-2023.exe"C:\Users\Admin\AppData\Local\Temp\Kviitung_04-12-2023.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Users\Admin\AppData\Local\Temp\Kviitung_04-12-2023.exe"C:\Users\Admin\AppData\Local\Temp\Kviitung_04-12-2023.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3716
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\CheckpointWatch.ods"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3364
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD593d52c1bc7c38d958583ebbd3dc09cd4
SHA14c5ee6f9c9ae190c9a0cccb91fa2257ddcb8b0d5
SHA2562905f3a06dd8907ddbcbe64389cffcc8a5273d1822e25f8bea385bdd01653c76
SHA512dfc55c3247d7734c5a531fb5a3de689e8bb823e82c14ad6cab16923d50d51e03e5e86165a7d65b3059a66b67968b611368b010a6d9f755916b01ef7b67c5228e