Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
29-05-2024 05:34
General
-
Target
img3181-2020-876567.scr
-
Size
1.3MB
-
MD5
76aabc4357230893d7c0171d7a088831
-
SHA1
097b4609dcd3537bd89351d6a90604cf7da4b65d
-
SHA256
dcc39ce58dfbb4a76b2cc553cd796cb23f0c6b18ec44a3eeef7303d470002139
-
SHA512
78dcc95267f04be2ad5860aad49b4f64c2fd9157cfed6ca66b672593bc7f35eeedb866b53e607d5cc57258e202af1a0468425ab9c8d5b8cf06a2acd764c89b28
-
SSDEEP
24576:DgKKsmIaznKHfsIBDI2COHHTacrLpFQF1D2+IvnP1eL:DSKH0Iy2COne2Lo1D2+inUL
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.nirvana-voyage.com - Port:
587 - Username:
[email protected] - Password:
intermoB$1
Extracted
nanocore
1.2.2.0
95.217.140.37:1104
e5408f25-998f-4f80-8f75-173c98ecf237
-
activate_away_mode
true
-
backup_connection_host
95.217.140.37
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-02-27T20:20:36.627695536Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1104
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
e5408f25-998f-4f80-8f75-173c98ecf237
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
95.217.140.37
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
true
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
AgentTesla payload 3 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 42 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\img3181-2020-876567.scr"C:\Users\Admin\AppData\Local\Temp\img3181-2020-876567.scr" /S1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"2⤵
- Drops startup file
- Loads dropped DLL
- NTFS ADS
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\startup\web.exe"C:\Users\Admin\AppData\Roaming\startup\web.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\iSjc3t29EfjInqO.exe"C:\Users\Admin\AppData\Local\Temp\iSjc3t29EfjInqO.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GSECCr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2E9F.tmp"5⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"{path}"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\startup\web.exe"C:\Users\Admin\AppData\Roaming\startup\web.exe"4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile5⤵
-
C:\Users\Admin\AppData\Roaming\startup\web.exe"C:\Users\Admin\AppData\Roaming\startup\web.exe" 2 2808 2594012864⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp2E9F.tmpFilesize
1KB
MD5a6354c0d0c188603ca7ca1ec2621de10
SHA1979307559a354a4c6b63303c529cb251cad85fad
SHA25640cb63c492e06f5994e66c74323d5109add262d122ea4e4aee4fb29f83cf1bfd
SHA512e411b076538d2cbc58b17113544c9ffb4fec1d8916dd8a64f8d743d3f09a3140f33ab35c51e836d5a2349b38036c456fbd61c492247e4dce92ac5f6285a7f126
-
\Users\Admin\AppData\Local\Temp\iSjc3t29EfjInqO.exeFilesize
391KB
MD5ee085d20d05b3485e7e422f2c6194a8c
SHA10790dd30549fc3d8161ffc59eac642b1c436a117
SHA256b0f584b01ced1030686cd251ce83152669b8372a64d67378c0757bfe3ad80c1d
SHA51229b757a4dc42a1dbd88bb61f96e189a4f5a2da0620706bdf8431f23ca59accc5252fa7bbd36b8836ff3564aa66c1a0a7b19fad7df63fcde50f794e59d89b25bb
-
\Users\Admin\AppData\Roaming\startup\web.exeFilesize
1.3MB
MD576aabc4357230893d7c0171d7a088831
SHA1097b4609dcd3537bd89351d6a90604cf7da4b65d
SHA256dcc39ce58dfbb4a76b2cc553cd796cb23f0c6b18ec44a3eeef7303d470002139
SHA51278dcc95267f04be2ad5860aad49b4f64c2fd9157cfed6ca66b672593bc7f35eeedb866b53e607d5cc57258e202af1a0468425ab9c8d5b8cf06a2acd764c89b28
-
memory/112-63-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/112-60-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/112-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/112-58-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/112-56-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/112-64-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/112-65-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/112-54-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1208-6-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/1208-3-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/2312-48-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/2620-17-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/2620-18-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/2808-33-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2808-35-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2808-36-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/2808-37-0x0000000000340000-0x0000000000392000-memory.dmpFilesize
328KB
-
memory/2808-67-0x0000000000400000-0x00000000004B1000-memory.dmpFilesize
708KB
-
memory/3004-0-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/3004-2-0x0000000000400000-0x0000000000554000-memory.dmpFilesize
1.3MB
-
memory/3004-1-0x0000000000460000-0x0000000000467000-memory.dmpFilesize
28KB