Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-03-2024 19:13
Static task
- static1
Behavioral tasks
- behavioral1: sample "49136 E2K 610622871149136 E2K 6106228711.exe", resource win7-20240221-en
- behavioral2: sample "49136 E2K 610622871149136 E2K 6106228711.exe", resource win10v2004-20240226-en
- behavioral3: sample kigtiqm.exe, resource win7-20240221-en
- behavioral4: sample kigtiqm.exe, resource win10v2004-20240226-en
- behavioral5: sample xmnxoix.vbs, resource win7-20240221-en
- behavioral6: sample xmnxoix.vbs, resource win10v2004-20240226-en
General
- Target: 49136 E2K 610622871149136 E2K 6106228711.exe
- Size: 804KB
- MD5: e8b61b099af93918a7d59477334471e0
- SHA1: a2ce7a730e96bf6c8f9cd512993fd67cf0c10767
- SHA256: e7456c57dba442a7e63f2bd45ff5be6c8168f2fcfd15c5e405536fb3bb212dcb
- SHA512: 30b93418d244b71718a7fbf6683c27ac4bc799338f67d915367cb7cb5b93dab661b5b9071f49e055e9701d721ef3e788a0632adc062ecd32d1ffe225712bd855
- SSDEEP: 12288:IYgBDMwdNEb40oLhLr1+vuYdCllN9cnUstwbvhz58lZNKXGLfR:IYgB7mINL/vbDci1p2d
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1516  kigtiqm.exe
    4708  kigtiqm.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description, ioc, process):
    Key opened: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (kigtiqm.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (kigtiqm.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (kigtiqm.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str): \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dvuibsk = "C:\\Users\\Admin\\AppData\\Roaming\\rhal\\heuy.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\kigtiqm.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xm" (kigtiqm.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\APP = "C:\\Users\\Admin\\AppData\\Roaming\\APP\\APP.exe" (kigtiqm.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    9     api.ipify.org
    14    api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 1516 set thread context of 4708: 1516, kigtiqm.exe, kigtiqm.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    1516  kigtiqm.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege: 4708, kigtiqm.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid   process
    1516  kigtiqm.exe
    1516  kigtiqm.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid   process
    1516  kigtiqm.exe
    1516  kigtiqm.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
    PID 4124 wrote to memory of 1516: 4124, 49136 E2K 610622871149136 E2K 6106228711.exe, kigtiqm.exe
    PID 4124 wrote to memory of 1516: 4124, 49136 E2K 610622871149136 E2K 6106228711.exe, kigtiqm.exe
    PID 4124 wrote to memory of 1516: 4124, 49136 E2K 610622871149136 E2K 6106228711.exe, kigtiqm.exe
    PID 1516 wrote to memory of 4708: 1516, kigtiqm.exe, kigtiqm.exe
    PID 1516 wrote to memory of 4708: 1516, kigtiqm.exe, kigtiqm.exe
    PID 1516 wrote to memory of 4708: 1516, kigtiqm.exe, kigtiqm.exe
    PID 1516 wrote to memory of 4708: 1516, kigtiqm.exe, kigtiqm.exe
- outlook_office_path (1 IoC)
  Processes (description, ioc, process):
    Key opened: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (kigtiqm.exe)
- outlook_win_path (1 IoC)
  Processes (description, ioc, process):
    Key opened: \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (kigtiqm.exe)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\49136 E2K 610622871149136 E2K 6106228711.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\49136 E2K 610622871149136 E2K 6106228711.exe"
  PID: 4124
  Signatures:
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\kigtiqm.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kigtiqm.exe" "C:\Users\Admin\AppData\Local\Temp\xmnxoix.au3"
    PID: 1516
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\kigtiqm.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\kigtiqm.exe"
      PID: 4708
      Signatures:
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
- Filesize: 68KB
- Filesize: 263KB
- Filesize: 328KB
- Filesize: 872KB
- Filesize: 4KB