Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2024 07:31
Static task: static1
Behavioral task: behavioral1
- Sample: rInquiry.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: rInquiry.exe
- Resource: win10v2004-20240226-en
General
- Target: rInquiry.exe
- Size: 602KB
- MD5: cdef16a2a2116cd907aa817b11217cfd
- SHA1: d23ba1f017c0e65ba65203c889a2bea963d63d3a
- SHA256: da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6
- SHA512: 9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae
- SSDEEP: 12288:lYyGYZS6ESbpYa4i2BzmVNhsBQN/nRTOPihFr3iUR42q6N:IUDESbwylT/nRKWrPN
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: terminal4.veeblehosting.com
- Port: 587
- Username: [email protected]
- Password: Ifeanyi1987@
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
    2604 | svchost.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid | process):
    2496 | cmd.exe
    2352 | WerFault.exe (listed 5 times)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | rInquiry.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    4 | ip-api.com
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
    PID 2604 set thread context of 2856 | 2604 | svchost.exe | installutil.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid | process):
    2508 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    1764 | rInquiry.exe (listed 2 times)
    2856 | installutil.exe (listed 2 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1764 | rInquiry.exe
    Token: SeDebugPrivilege | 2604 | svchost.exe
    Token: SeDebugPrivilege | 2856 | installutil.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description | pid | process | target process):
    PID 1764 wrote to memory of 2688 | 1764 | rInquiry.exe | cmd.exe (listed 3 times)
    PID 1764 wrote to memory of 2496 | 1764 | rInquiry.exe | cmd.exe (listed 3 times)
    PID 2496 wrote to memory of 2508 | 2496 | cmd.exe | timeout.exe (listed 3 times)
    PID 2688 wrote to memory of 2476 | 2688 | cmd.exe | schtasks.exe (listed 3 times)
    PID 2496 wrote to memory of 2604 | 2496 | cmd.exe | svchost.exe (listed 3 times)
    PID 2604 wrote to memory of 2856 | 2604 | svchost.exe | installutil.exe (listed 12 times)
    PID 2604 wrote to memory of 2352 | 2604 | svchost.exe | WerFault.exe (listed 3 times)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\rInquiry.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rInquiry.exe"
  Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      Signatures: Creates scheduled task(s)
  - [2] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1F82.tmp.bat""
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\timeout.exe
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - [3] C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\system32\WerFault.exe
        Command line: C:\Windows\system32\WerFault.exe -u -p 2604 -s 712
        Signatures: Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1F82.tmp.bat
  Filesize: 151B
  MD5: 92f308274d1dc168324d3753c721d50a
  SHA1: 6c36f0b5d34ccf40fceab8a8184c6316612ed9ba
  SHA256: 0d2caf6be19f89f2e64efe03a0aa639c7fcc783913eed3569c5614287e7253f9
  SHA512: f384b83835c09c507a237c3dd633d718ed76f4c65b7e614aecd2143edd294da955ce7a600268c68ad35630d95e6975acc589659597f0fe1f477db155942bd113
- \Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 602KB
  MD5: cdef16a2a2116cd907aa817b11217cfd
  SHA1: d23ba1f017c0e65ba65203c889a2bea963d63d3a
  SHA256: da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6
  SHA512: 9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae