Analysis
max time kernel: 145s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-03-2024 07:31
Static task: static1
Behavioral task: behavioral1 (Sample: rInquiry.exe, Resource: win7-20240215-en)
Behavioral task: behavioral2 (Sample: rInquiry.exe, Resource: win10v2004-20240226-en)
General
Target: rInquiry.exe
Size: 602KB
MD5: cdef16a2a2116cd907aa817b11217cfd
SHA1: d23ba1f017c0e65ba65203c889a2bea963d63d3a
SHA256: da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6
SHA512: 9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae
SSDEEP: 12288:lYyGYZS6ESbpYa4i2BzmVNhsBQN/nRTOPihFr3iUR42q6N:IUDESbwylT/nRKWrPN
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: terminal4.veeblehosting.com
Port: 587
Username: [email protected]
Password: Ifeanyi1987@
Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: rInquiry.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation (rInquiry.exe)
- Executes dropped EXE (1 IoC)
  Processes: svchost.exe
    PID 3680 svchost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: rInquiry.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" (rInquiry.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 35: ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes: svchost.exe
    PID 3680 svchost.exe set thread context of PID 4916 regsvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe
    PID 3764 timeout.exe
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes: rInquiry.exe, regsvcs.exe
    PID 2328 rInquiry.exe (23 events)
    PID 4916 regsvcs.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: rInquiry.exe, svchost.exe, regsvcs.exe
    Token: SeDebugPrivilege, PID 2328 rInquiry.exe
    Token: SeDebugPrivilege, PID 3680 svchost.exe
    Token: SeDebugPrivilege, PID 4916 regsvcs.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: rInquiry.exe, cmd.exe, cmd.exe, svchost.exe
    PID 2328 rInquiry.exe wrote to memory of PID 740 cmd.exe (2 events)
    PID 2328 rInquiry.exe wrote to memory of PID 1780 cmd.exe (2 events)
    PID 740 cmd.exe wrote to memory of PID 4252 schtasks.exe (2 events)
    PID 1780 cmd.exe wrote to memory of PID 3764 timeout.exe (2 events)
    PID 1780 cmd.exe wrote to memory of PID 3680 svchost.exe (2 events)
    PID 3680 svchost.exe wrote to memory of PID 4916 regsvcs.exe (8 events)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\rInquiry.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\rInquiry.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)
  - (depth 2) C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3D09.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - (depth 3) C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3D09.tmp.bat
  Filesize: 151B
  MD5: eb65ee0566126b25b9be85ca785dcbaf
  SHA1: 23fafa84d2dae602963735830604eae353e1f3e6
  SHA256: b0fdb545e35d95d4f5e8fcdda37db9ee6c8057d3f3c264df17eb68b5162f2290
  SHA512: 54a9bf9eefba0a925f79aaf6860168594b3b87955f9567ff4e849c30120e12d657655e2eb3e49b697b938cc84043891f245a943e85e45b301c8eabca064f1f17
- C:\Users\Admin\AppData\Roaming\svchost.exe (same size and hashes as the submitted sample rInquiry.exe, i.e. a self-copy)
  Filesize: 602KB
  MD5: cdef16a2a2116cd907aa817b11217cfd
  SHA1: d23ba1f017c0e65ba65203c889a2bea963d63d3a
  SHA256: da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6
  SHA512: 9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae
- memory/2328-1-0x00007FFF27130000-0x00007FFF27BF1000-memory.dmp (Filesize: 10.8MB)
- memory/2328-2-0x000002C877580000-0x000002C877590000-memory.dmp (Filesize: 64KB)
- memory/2328-3-0x000002C8773A0000-0x000002C877436000-memory.dmp (Filesize: 600KB)
- memory/2328-8-0x00007FFF27130000-0x00007FFF27BF1000-memory.dmp (Filesize: 10.8MB)
- memory/2328-0-0x000002C874D70000-0x000002C874D78000-memory.dmp (Filesize: 32KB)
- memory/3680-19-0x00007FFF25B10000-0x00007FFF265D1000-memory.dmp (Filesize: 10.8MB)
- memory/3680-13-0x00007FFF25B10000-0x00007FFF265D1000-memory.dmp (Filesize: 10.8MB)
- memory/4916-14-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/4916-16-0x0000000005D10000-0x00000000062B4000-memory.dmp (Filesize: 5.6MB)
- memory/4916-17-0x00000000055C0000-0x00000000055D0000-memory.dmp (Filesize: 64KB)
- memory/4916-18-0x00000000057D0000-0x0000000005836000-memory.dmp (Filesize: 408KB)
- memory/4916-15-0x0000000075310000-0x0000000075AC0000-memory.dmp (Filesize: 7.7MB)
- memory/4916-20-0x0000000006AB0000-0x0000000006B00000-memory.dmp (Filesize: 320KB)
- memory/4916-21-0x0000000006BA0000-0x0000000006C32000-memory.dmp (Filesize: 584KB)
- memory/4916-22-0x0000000006B40000-0x0000000006B4A000-memory.dmp (Filesize: 40KB)
- memory/4916-23-0x0000000075310000-0x0000000075AC0000-memory.dmp (Filesize: 7.7MB)
- memory/4916-24-0x00000000055C0000-0x00000000055D0000-memory.dmp (Filesize: 64KB)