Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-05-2024 05:34

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: img3181-2020-876567.scr; Resource: win7-20240508-en)
- Behavioral task: behavioral2 (Sample: img3181-2020-876567.scr; Resource: win10v2004-20240226-en)
General

| Field | Value |
| --- | --- |
| Target | img3181-2020-876567.scr |
| Size | 1.3MB |
| MD5 | 76aabc4357230893d7c0171d7a088831 |
| SHA1 | 097b4609dcd3537bd89351d6a90604cf7da4b65d |
| SHA256 | dcc39ce58dfbb4a76b2cc553cd796cb23f0c6b18ec44a3eeef7303d470002139 |
| SHA512 | 78dcc95267f04be2ad5860aad49b4f64c2fd9157cfed6ca66b672593bc7f35eeedb866b53e607d5cc57258e202af1a0468425ab9c8d5b8cf06a2acd764c89b28 |
| SSDEEP | 24576:DgKKsmIaznKHfsIBDI2COHHTacrLpFQF1D2+IvnP1eL:DSKH0Iy2COne2Lo1D2+inUL |
Malware Config

Extracted

| Field | Value |
| --- | --- |
| Family | nanocore |
| Version | 1.2.2.0 |
| C2 | 95.217.140.37:1104 |
| Mutex | e5408f25-998f-4f80-8f75-173c98ecf237 |

Attributes:
- activate_away_mode: true
- backup_connection_host: 95.217.140.37
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2020-02-27T20:20:36.627695536Z
- bypass_user_account_control: true
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1104
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: e5408f25-998f-4f80-8f75-173c98ecf237
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 95.217.140.37
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: true
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload (7 IoCs)
Processes:

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/1252-35-0x0000000000400000-0x00000000004B1000-memory.dmp | family_agenttesla |
| behavioral2/memory/1252-33-0x00000000008B0000-0x0000000000902000-memory.dmp | family_agenttesla |
| behavioral2/memory/1252-32-0x00000000008B0000-0x0000000000902000-memory.dmp | family_agenttesla |
| behavioral2/memory/1252-31-0x0000000000400000-0x00000000004B1000-memory.dmp | family_agenttesla |
| behavioral2/memory/1252-30-0x0000000000400000-0x00000000004B1000-memory.dmp | family_agenttesla |
| behavioral2/memory/1252-29-0x0000000000400000-0x00000000004B1000-memory.dmp | family_agenttesla |
| behavioral2/memory/1252-60-0x0000000000400000-0x00000000004B1000-memory.dmp | family_agenttesla |
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | web.exe |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | iSjc3t29EfjInqO.exe |
Drops startup file (1 IoCs)
Processes:

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\web.exe.vbs | notepad.exe |
Executes dropped EXE (4 IoCs)
Processes:

| pid | process |
| --- | --- |
| 4236 | web.exe |
| 4280 | iSjc3t29EfjInqO.exe |
| 1252 | web.exe |
| 4016 | web.exe |
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/1252-25-0x0000000000400000-0x00000000004B1000-memory.dmp | upx |
| behavioral2/memory/1252-28-0x0000000000400000-0x00000000004B1000-memory.dmp | upx |
| behavioral2/memory/1252-35-0x0000000000400000-0x00000000004B1000-memory.dmp | upx |
| behavioral2/memory/1252-31-0x0000000000400000-0x00000000004B1000-memory.dmp | upx |
| behavioral2/memory/1252-30-0x0000000000400000-0x00000000004B1000-memory.dmp | upx |
| behavioral2/memory/1252-29-0x0000000000400000-0x00000000004B1000-memory.dmp | upx |
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | web.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | web.exe |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | web.exe |
Suspicious use of SetThreadContext (2 IoCs)
Processes:

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 4236 set thread context of 1252 | 4236 | web.exe | web.exe |
| PID 4280 set thread context of 3224 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

NTFS ADS (1 IoCs)
Processes:

| description | ioc | process |
| --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\startup\web.exe:ZoneIdentifier | notepad.exe |
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:

| pid | process |
| --- | --- |
| 4848 | img3181-2020-876567.scr |
| 4848 | img3181-2020-876567.scr |
| 4236 | web.exe |
| 4236 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 1252 | web.exe |
| 1252 | web.exe |
| 4016 | web.exe |
| 4016 | web.exe |
| 4280 | iSjc3t29EfjInqO.exe |
| 4280 | iSjc3t29EfjInqO.exe |
| 4280 | iSjc3t29EfjInqO.exe |
| 4280 | iSjc3t29EfjInqO.exe |
| 4280 | iSjc3t29EfjInqO.exe |
| 3224 | RegSvcs.exe |
| 3224 | RegSvcs.exe |
| 3224 | RegSvcs.exe |
| 3224 | RegSvcs.exe |
| 4280 | iSjc3t29EfjInqO.exe |
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:

| pid | process |
| --- | --- |
| 3224 | RegSvcs.exe |

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:

| pid | process |
| --- | --- |
| 4236 | web.exe |

Suspicious behavior: SetClipboardViewer (1 IoCs)
Processes:

| pid | process |
| --- | --- |
| 1252 | web.exe |

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 4280 | iSjc3t29EfjInqO.exe |
| Token: SeDebugPrivilege | 1252 | web.exe |
| Token: SeDebugPrivilege | 3224 | RegSvcs.exe |
Suspicious use of WriteProcessMemory (37 IoCs)
Processes:

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 4848 wrote to memory of 3980 | 4848 | img3181-2020-876567.scr | notepad.exe |
| PID 4848 wrote to memory of 3980 | 4848 | img3181-2020-876567.scr | notepad.exe |
| PID 4848 wrote to memory of 3980 | 4848 | img3181-2020-876567.scr | notepad.exe |
| PID 4848 wrote to memory of 3980 | 4848 | img3181-2020-876567.scr | notepad.exe |
| PID 4848 wrote to memory of 3980 | 4848 | img3181-2020-876567.scr | notepad.exe |
| PID 3980 wrote to memory of 4236 | 3980 | notepad.exe | web.exe |
| PID 3980 wrote to memory of 4236 | 3980 | notepad.exe | web.exe |
| PID 3980 wrote to memory of 4236 | 3980 | notepad.exe | web.exe |
| PID 4236 wrote to memory of 4280 | 4236 | web.exe | iSjc3t29EfjInqO.exe |
| PID 4236 wrote to memory of 4280 | 4236 | web.exe | iSjc3t29EfjInqO.exe |
| PID 4236 wrote to memory of 4280 | 4236 | web.exe | iSjc3t29EfjInqO.exe |
| PID 4236 wrote to memory of 1252 | 4236 | web.exe | web.exe |
| PID 4236 wrote to memory of 1252 | 4236 | web.exe | web.exe |
| PID 4236 wrote to memory of 1252 | 4236 | web.exe | web.exe |
| PID 4236 wrote to memory of 4016 | 4236 | web.exe | web.exe |
| PID 4236 wrote to memory of 4016 | 4236 | web.exe | web.exe |
| PID 4236 wrote to memory of 4016 | 4236 | web.exe | web.exe |
| PID 4280 wrote to memory of 4636 | 4280 | iSjc3t29EfjInqO.exe | schtasks.exe |
| PID 4280 wrote to memory of 4636 | 4280 | iSjc3t29EfjInqO.exe | schtasks.exe |
| PID 4280 wrote to memory of 4636 | 4280 | iSjc3t29EfjInqO.exe | schtasks.exe |
| PID 4280 wrote to memory of 3656 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 4280 wrote to memory of 3656 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 4280 wrote to memory of 3656 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 4280 wrote to memory of 3628 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 4280 wrote to memory of 3628 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 4280 wrote to memory of 3628 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 4280 wrote to memory of 3224 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 4280 wrote to memory of 3224 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 4280 wrote to memory of 3224 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 4280 wrote to memory of 3224 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 4280 wrote to memory of 3224 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 4280 wrote to memory of 3224 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 4280 wrote to memory of 3224 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 4280 wrote to memory of 3224 | 4280 | iSjc3t29EfjInqO.exe | RegSvcs.exe |
| PID 1252 wrote to memory of 1668 | 1252 | web.exe | netsh.exe |
| PID 1252 wrote to memory of 1668 | 1252 | web.exe | netsh.exe |
| PID 1252 wrote to memory of 1668 | 1252 | web.exe | netsh.exe |
outlook_office_path (1 IoCs)
Processes:

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | web.exe |

outlook_win_path (1 IoCs)
Processes:

| description | ioc | process |
| --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | web.exe |
Processes

Process tree (indentation shows parent/child depth):

- C:\Users\Admin\AppData\Local\Temp\img3181-2020-876567.scr (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\img3181-2020-876567.scr" /S
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\notepad.exe (depth 2)
    Command line: "C:\Windows\system32\notepad.exe"
    - Drops startup file
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\startup\web.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\startup\web.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\iSjc3t29EfjInqO.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\iSjc3t29EfjInqO.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe (depth 5)
          Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GSECCr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2BCE.tmp"
          - Creates scheduled task(s)
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 5)
          Command line: "{path}"
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 5)
          Command line: "{path}"
        - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (depth 5)
          Command line: "{path}"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Roaming\startup\web.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\startup\web.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: SetClipboardViewer
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - outlook_office_path
        - outlook_win_path
        - C:\Windows\SysWOW64\netsh.exe (depth 5)
          Command line: "netsh" wlan show profile
      - C:\Users\Admin\AppData\Roaming\startup\web.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Roaming\startup\web.exe" 2 1252 240654265
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\iSjc3t29EfjInqO.exe

| Field | Value |
| --- | --- |
| Filesize | 391KB |
| MD5 | ee085d20d05b3485e7e422f2c6194a8c |
| SHA1 | 0790dd30549fc3d8161ffc59eac642b1c436a117 |
| SHA256 | b0f584b01ced1030686cd251ce83152669b8372a64d67378c0757bfe3ad80c1d |
| SHA512 | 29b757a4dc42a1dbd88bb61f96e189a4f5a2da0620706bdf8431f23ca59accc5252fa7bbd36b8836ff3564aa66c1a0a7b19fad7df63fcde50f794e59d89b25bb |

C:\Users\Admin\AppData\Local\Temp\tmp2BCE.tmp

| Field | Value |
| --- | --- |
| Filesize | 1KB |
| MD5 | 4a7622986b47becf8ea2d46a27a752af |
| SHA1 | 156f73c86017a8ecff7e5fae675269c2c185804e |
| SHA256 | 2c9166a32d9573457bf3613a3d777fb4b85e503a74728a6addbf0049b93ec561 |
| SHA512 | 4ef1dbc6d773d0d2beed7a01397964e1754c160f2650b2a4f6662a3aa190e5b962694ae54f6a457e7892d774825d642d6db771454e34eb3423100feaa149a792 |

C:\Users\Admin\AppData\Roaming\startup\web.exe

| Field | Value |
| --- | --- |
| Filesize | 1.3MB |
| MD5 | 76aabc4357230893d7c0171d7a088831 |
| SHA1 | 097b4609dcd3537bd89351d6a90604cf7da4b65d |
| SHA256 | dcc39ce58dfbb4a76b2cc553cd796cb23f0c6b18ec44a3eeef7303d470002139 |
| SHA512 | 78dcc95267f04be2ad5860aad49b4f64c2fd9157cfed6ca66b672593bc7f35eeedb866b53e607d5cc57258e202af1a0468425ab9c8d5b8cf06a2acd764c89b28 |
Memory dumps

| Memory dump | Filesize |
| --- | --- |
| memory/1252-49-0x0000000004B60000-0x0000000004BFC000-memory.dmp | 624KB |
| memory/1252-30-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB |
| memory/1252-73-0x00000000007C0000-0x00000000007CA000-memory.dmp | 40KB |
| memory/1252-64-0x0000000005F00000-0x0000000005F50000-memory.dmp | 320KB |
| memory/1252-60-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB |
| memory/1252-25-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB |
| memory/1252-28-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB |
| memory/1252-35-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB |
| memory/1252-33-0x00000000008B0000-0x0000000000902000-memory.dmp | 328KB |
| memory/1252-32-0x00000000008B0000-0x0000000000902000-memory.dmp | 328KB |
| memory/1252-31-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB |
| memory/1252-52-0x0000000005960000-0x00000000059C6000-memory.dmp | 408KB |
| memory/1252-29-0x0000000000400000-0x00000000004B1000-memory.dmp | 708KB |
| memory/1252-47-0x0000000004D80000-0x0000000005324000-memory.dmp | 5.6MB |
| memory/1252-48-0x0000000004A80000-0x0000000004B12000-memory.dmp | 584KB |
| memory/1252-51-0x0000000005930000-0x0000000005948000-memory.dmp | 96KB |
| memory/3224-58-0x0000000000400000-0x0000000000438000-memory.dmp | 224KB |
| memory/3980-3-0x00000000007D0000-0x00000000007D1000-memory.dmp | 4KB |
| memory/4016-50-0x0000000000400000-0x0000000000554000-memory.dmp | 1.3MB |
| memory/4236-12-0x0000000000400000-0x0000000000554000-memory.dmp | 1.3MB |
| memory/4236-11-0x0000000000910000-0x0000000000911000-memory.dmp | 4KB |
| memory/4848-0-0x0000000002400000-0x0000000002401000-memory.dmp | 4KB |
| memory/4848-1-0x0000000000460000-0x0000000000467000-memory.dmp | 28KB |
| memory/4848-2-0x0000000000400000-0x0000000000554000-memory.dmp | 1.3MB |