Analysis

max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-03-2024 07:32

Static task: static1

Behavioral task: behavioral1
  Sample: rInquiry.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: rInquiry.exe
  Resource: win10v2004-20240226-en
General

Target: rInquiry.exe
Size: 602KB
MD5: cdef16a2a2116cd907aa817b11217cfd
SHA1: d23ba1f017c0e65ba65203c889a2bea963d63d3a
SHA256: da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6
SHA512: 9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae
SSDEEP: 12288:lYyGYZS6ESbpYa4i2BzmVNhsBQN/nRTOPihFr3iUR42q6N:IUDESbwylT/nRKWrPN
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: terminal4.veeblehosting.com
Port: 587
Username: [email protected]
Password: Ifeanyi1987@
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Executes dropped EXE (1 IoCs)
Processes:
  pid   process
  2104  svchost.exe

Loads dropped DLL (6 IoCs)
Processes:
  pid   process
  2860  cmd.exe
  2476  WerFault.exe
  2476  WerFault.exe
  2476  WerFault.exe
  2476  WerFault.exe
  2476  WerFault.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  process: rInquiry.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  4     ip-api.com

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          pid   process      target process
  PID 2104 set thread context of 2388  2104  svchost.exe  AddInProcess32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
Processes:
  pid   process
  2560  timeout.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid   process
  2648  rInquiry.exe
  2648  rInquiry.exe
  2648  rInquiry.exe
  2388  AddInProcess32.exe
  2388  AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2648  rInquiry.exe
  Token: SeDebugPrivilege  2104  svchost.exe
  Token: SeDebugPrivilege  2388  AddInProcess32.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Processes:
  description                       pid   process       target process
  PID 2648 wrote to memory of 2688  2648  rInquiry.exe  cmd.exe
  PID 2648 wrote to memory of 2688  2648  rInquiry.exe  cmd.exe
  PID 2648 wrote to memory of 2688  2648  rInquiry.exe  cmd.exe
  PID 2648 wrote to memory of 2860  2648  rInquiry.exe  cmd.exe
  PID 2648 wrote to memory of 2860  2648  rInquiry.exe  cmd.exe
  PID 2648 wrote to memory of 2860  2648  rInquiry.exe  cmd.exe
  PID 2688 wrote to memory of 2628  2688  cmd.exe       schtasks.exe
  PID 2688 wrote to memory of 2628  2688  cmd.exe       schtasks.exe
  PID 2688 wrote to memory of 2628  2688  cmd.exe       schtasks.exe
  PID 2860 wrote to memory of 2560  2860  cmd.exe       timeout.exe
  PID 2860 wrote to memory of 2560  2860  cmd.exe       timeout.exe
  PID 2860 wrote to memory of 2560  2860  cmd.exe       timeout.exe
  PID 2860 wrote to memory of 2104  2860  cmd.exe       svchost.exe
  PID 2860 wrote to memory of 2104  2860  cmd.exe       svchost.exe
  PID 2860 wrote to memory of 2104  2860  cmd.exe       svchost.exe
  PID 2104 wrote to memory of 2388  2104  svchost.exe   AddInProcess32.exe
  PID 2104 wrote to memory of 2388  2104  svchost.exe   AddInProcess32.exe
  PID 2104 wrote to memory of 2388  2104  svchost.exe   AddInProcess32.exe
  PID 2104 wrote to memory of 2388  2104  svchost.exe   AddInProcess32.exe
  PID 2104 wrote to memory of 2388  2104  svchost.exe   AddInProcess32.exe
  PID 2104 wrote to memory of 2388  2104  svchost.exe   AddInProcess32.exe
  PID 2104 wrote to memory of 2388  2104  svchost.exe   AddInProcess32.exe
  PID 2104 wrote to memory of 2388  2104  svchost.exe   AddInProcess32.exe
  PID 2104 wrote to memory of 2388  2104  svchost.exe   AddInProcess32.exe
  PID 2104 wrote to memory of 2476  2104  svchost.exe   WerFault.exe
  PID 2104 wrote to memory of 2476  2104  svchost.exe   WerFault.exe
  PID 2104 wrote to memory of 2476  2104  svchost.exe   WerFault.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\rInquiry.exe
  "C:\Users\Admin\AppData\Local\Temp\rInquiry.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA035.tmp.bat""
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2104 -s 716
        - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA035.tmp.bat
  Filesize: 151B
  MD5: b328cb1a708abd4e62460de0f2fe2a43
  SHA1: d8db2f72b13fea3ba3ee8a515752bb4342cab714
  SHA256: 80c44f5a07ddc916a886b653b0fd49d957235204a8b4921a2965fa3698d4b050
  SHA512: 7989747101a6f393e9fc4d139244180c3fe538a328cc8f0c855e5c8ed79212484c20f39bfc1a0c45d8440d12bba12626fdc5853c3b163d5eba08f84250554680

C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 166KB
  MD5: 243c38b5243444b13e12bf19105b0704
  SHA1: 5f5620901df29375a41b1109e3d051f03fee39ee
  SHA256: 85562d2e0699843de3ba0c059c8d5c97886484ac532bfea2f7b8da37e0a1a186
  SHA512: 0cc293c16594457319c7abb23469258714237a17d89d5e3d293dc2cfdad7f50d4c348d997421c97c2e8517cfea59c4c7c09d6fe998499aba2be002b61780f337

C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 129KB
  MD5: 8efc85ba9f1710d4956c76a472813a83
  SHA1: 571250d6779d10e870d3d4923f0b90c46467700d
  SHA256: aac242264a552500b02eba11ed880f99f843f976c7770fcfc773030cc25f5da0
  SHA512: d447a3c3ea53396427a7718e5ba736961f1203659e462a7643ecd1c4c0e31bd5515ce5cc904acdfde48d50fba062ae6241696c778d5d853d0fa4b851d120ca79

\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 210KB
  MD5: 1a829a898785d5b43ef12ffb74f2e8ab
  SHA1: 6743250ef50732806b8ee02bfcb47c659771af93
  SHA256: 116df9b93e8a0309cbf89fc1a3154daf6b69b3a7f63b665d2665996f883da4e4
  SHA512: 370d3392a0707e90793b8863dba615c893bc634a2ea4d620c3a9b465cc92f607258382c5a36272545d8363cb6c8679f9b935aad31eb1c7a54537686a3bb3b111

\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 43KB
  MD5: d80d59f3a4fba8ff131d18a862a8f53e
  SHA1: a5dba2d03cb61b70f099e74dec056f5eb5341032
  SHA256: 9aaa6e3ef7dce7c443d1d6ac938a8bd64687efff63bbda34c131881700a0c3cd
  SHA512: 09047dc97f53bf864de8868fea0adb2e4762d29e4bb5bc612ff7d979543e8251a587cd4a3571437a8656bff24131a8795e1a749dad91083658feb6c517cc5622

\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 24KB
  MD5: 6a2999d2bfcd05c08f4740ec549ea184
  SHA1: fa1f0bbca2d7b20b8300d1deb827d277addcae08
  SHA256: 3a412138af3e4c441bcf84b9f60fdaffe3e3ab0af1b1d1962113871cc1e882d3
  SHA512: d642dbd5c93daceb2b279b3670fea3cd6a8f61e5cdaddaf44242ec37042ba0ce3d3dddc62f18ba05c0b2499089e3cb4df3f3152b61ea74b5e644dee5f1627bdb

\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 21KB
  MD5: c00c4e39b1e48279fdf778a249975d5c
  SHA1: bad8c79d4a4323c6c9f8a6ac8a05ea3600846ddf
  SHA256: dd1f66698caef1bd6c457eea525a1420d011b3bf8e9e16d9a26a0a21fc1c5b02
  SHA512: 652dfae4d9aeeb678dbe847a98cf5d127fbe152f3c0283d7e59b409a97f4dbb96a8929839c716edb563b3854364da5bb7b9eb547c0c5fa5abb6ada1b19ce21f8

\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 58KB
  MD5: 1280ddb0a9e080c32c25a69905fddf03
  SHA1: 693273c5e7c0af9531627e2fce47fe7ac286fd54
  SHA256: 73e416856ab5d0fc18fddbbc249dd55b3557db6b67e33d85e789723997f845fd
  SHA512: 44a9b65181d580283329300953a6fe0c6d4ef88e692fb7b624e3545f50e03a2810291cc87e2d33ffe263a7d606ddab385a83679b3b1a2c50435260547b8ce71e

\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 287KB
  MD5: 62d13cc3cb768257f2f3ac94d9251701
  SHA1: f12b0f074c5ac15ecd1885793a2816603a4465e0
  SHA256: a05f7292d5b3a9521cdb618636ee48a0f7a3e377cad793c8aff400deafa92fa9
  SHA512: 7bf1d4635f8611a9b11e95b210c3b9476ed7b81b19685688f6704ae4ed4756bd28f4460e457b45e48431662f6b206fcb91a0aeae4eb0fd8770cefd684fb22948

memory/2104-18-0x0000000000AA0000-0x0000000000AA8000-memory.dmp
  Filesize: 32KB

memory/2104-19-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
  Filesize: 9.9MB

memory/2104-20-0x000000001B0A0000-0x000000001B120000-memory.dmp
  Filesize: 512KB

memory/2104-39-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
  Filesize: 9.9MB

memory/2104-40-0x000000001B0A0000-0x000000001B120000-memory.dmp
  Filesize: 512KB

memory/2388-29-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2388-21-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2388-31-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2388-24-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2388-42-0x0000000004BD0000-0x0000000004C10000-memory.dmp
  Filesize: 256KB

memory/2388-27-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2388-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB

memory/2388-23-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2388-22-0x0000000000400000-0x0000000000442000-memory.dmp
  Filesize: 264KB

memory/2388-41-0x0000000074610000-0x0000000074CFE000-memory.dmp
  Filesize: 6.9MB

memory/2388-36-0x0000000074610000-0x0000000074CFE000-memory.dmp
  Filesize: 6.9MB

memory/2388-38-0x0000000004BD0000-0x0000000004C10000-memory.dmp
  Filesize: 256KB

memory/2648-3-0x0000000000E70000-0x0000000000F06000-memory.dmp
  Filesize: 600KB

memory/2648-2-0x000000001B420000-0x000000001B4A0000-memory.dmp
  Filesize: 512KB

memory/2648-1-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
  Filesize: 9.9MB

memory/2648-0-0x0000000000F30000-0x0000000000F38000-memory.dmp
  Filesize: 32KB

memory/2648-13-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
  Filesize: 9.9MB