Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2024 02:33
Static task: static1
Behavioral task: behavioral1
- Sample: Inquiry.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Inquiry.exe
- Resource: win10v2004-20240226-en
General
- Target: Inquiry.exe
- Size: 602KB
- MD5: cdef16a2a2116cd907aa817b11217cfd
- SHA1: d23ba1f017c0e65ba65203c889a2bea963d63d3a
- SHA256: da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6
- SHA512: 9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae
- SSDEEP: 12288:lYyGYZS6ESbpYa4i2BzmVNhsBQN/nRTOPihFr3iUR42q6N:IUDESbwylT/nRKWrPN
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: terminal4.veeblehosting.com
- Port: 587
- Username: [email protected]
- Password: Ifeanyi1987@
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4. (5 IoCs)
  yara_rule INDICATOR_EXE_Packed_GEN01 matched resources:
    behavioral1/memory/2468-24-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2468-23-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-30-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-33-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-35-0x0000000000400000-0x0000000000442000-memory.dmp
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (5 IoCs)
  yara_rule INDICATOR_SUSPICIOUS_Binary_References_Browsers matched resources:
    behavioral1/memory/2468-24-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2468-23-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-30-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-33-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-35-0x0000000000400000-0x0000000000442000-memory.dmp
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion. (5 IoCs)
  yara_rule INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL matched resources:
    behavioral1/memory/2468-24-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2468-23-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-30-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-33-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-35-0x0000000000400000-0x0000000000442000-memory.dmp
- Detects executables packed with or using KoiVM. (1 IoC)
  yara_rule INDICATOR_EXE_Packed_KoiVM matched resources:
    behavioral1/memory/1932-3-0x000000001B3F0000-0x000000001B486000-memory.dmp
- Detects executables referencing Windows vault credential objects. Observed in infostealers. (5 IoCs)
  yara_rule INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID matched resources:
    behavioral1/memory/2468-24-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2468-23-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-30-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-33-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-35-0x0000000000400000-0x0000000000442000-memory.dmp
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. (5 IoCs)
  yara_rule INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store matched resources:
    behavioral1/memory/2468-24-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2468-23-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-30-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-33-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-35-0x0000000000400000-0x0000000000442000-memory.dmp
- Detects executables referencing many email and collaboration clients. Observed in information stealers. (5 IoCs)
  yara_rule INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients matched resources:
    behavioral1/memory/2468-24-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2468-23-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-30-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-33-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-35-0x0000000000400000-0x0000000000442000-memory.dmp
- Detects executables referencing many file transfer clients. Observed in information stealers. (5 IoCs)
  yara_rule INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients matched resources:
    behavioral1/memory/2468-24-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2468-23-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-30-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-33-0x0000000000400000-0x0000000000442000-memory.dmp
    behavioral1/memory/2424-35-0x0000000000400000-0x0000000000442000-memory.dmp
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    2708  svchost.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    2660  cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""  Inquiry.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
    4  ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 2708 set thread context of 2424  2708  svchost.exe  jsc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes (pid / process):
    2548  timeout.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
    1932  Inquiry.exe
    1932  Inquiry.exe
    2424  jsc.exe
    2424  jsc.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1932  Inquiry.exe
    Token: SeDebugPrivilege  2708  svchost.exe
    Token: SeDebugPrivilege  2424  jsc.exe
- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes (description / pid / process / target process); identical repeated events are collapsed with a count:
    PID 1932 wrote to memory of 3044  1932  Inquiry.exe  cmd.exe       (x3)
    PID 1932 wrote to memory of 2660  1932  Inquiry.exe  cmd.exe       (x3)
    PID 3044 wrote to memory of 2700  3044  cmd.exe      schtasks.exe  (x3)
    PID 2660 wrote to memory of 2548  2660  cmd.exe      timeout.exe   (x3)
    PID 2660 wrote to memory of 2708  2660  cmd.exe      svchost.exe   (x3)
    PID 2708 wrote to memory of 2468  2708  svchost.exe  msbuild.exe   (x8)
    PID 2708 wrote to memory of 2424  2708  svchost.exe  jsc.exe       (x9)
    PID 2708 wrote to memory of 2488  2708  svchost.exe  jsc.exe       (x4)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows the parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\Inquiry.exe
  command: "C:\Users\Admin\AppData\Local\Temp\Inquiry.exe"
  signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\schtasks.exe
      command: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      signatures: Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    command: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp54D4.tmp.bat""
    signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      command: timeout 3
      signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\svchost.exe
      command: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp54D4.tmp.bat
  Filesize: 151B
  MD5: 9f88b38e03886641a432f95be1b0c7ac
  SHA1: 79ed46073d9d3a16bb4083facfc95f74fc1d6017
  SHA256: cf4b2940a6920fe940ef1cd25c0c47460477918b200f79a643794d57b493fc73
  SHA512: 000317761dbf88a42fd462b5173267ffd8ebdd4ee007e0df1763a2cc55d08b41726dc21b2a1d0596844b7a10b0ba5f12b02200f0cefdfc7464da8088327bf308
- \Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 602KB
  MD5: cdef16a2a2116cd907aa817b11217cfd
  SHA1: d23ba1f017c0e65ba65203c889a2bea963d63d3a
  SHA256: da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6
  SHA512: 9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae