Analysis
max time kernel: 126s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-08-2024 01:31
Behavioral task behavioral1
Sample: 09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: 09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe
Resource: win10v2004-20240802-en
General
Target: 09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe
Size: 790KB
MD5: c17695e30b4eca8c1ea15dfc6b4741f7
SHA1: 3aad8f4df2826bf777654a39af944011ead7cb1b
SHA256: 09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f
SHA512: 8e0f8b79a82792caa152542fda3d7a11ba7da341267ca84eab3935a8f96b6aa887703e1a4d43178196e93d70afb1b71a08fa299ed386e0b812d54fc2f387d206
SSDEEP: 24576:nMTsaArNuC1Un3ld9AYt75cAdwAnflsA2:ndPrW3l7PuAnflsA2
Malware Config
Extracted
redline
biss
172.81.131.198:16383
Extracted
agenttesla
https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (3 IoCs)
  yara_rule family_redline: behavioral2/memory/3844-0-0x0000000000820000-0x00000000008EC000-memory.dmp
  yara_rule family_redline: C:\Users\Admin\AppData\Local\Temp\okyKYSzsLb\build.exe
  yara_rule family_redline: behavioral2/memory/1636-27-0x0000000000010000-0x000000000002E000-memory.dmp
- SectopRAT payload (3 IoCs)
  yara_rule family_sectoprat: behavioral2/memory/3844-0-0x0000000000820000-0x00000000008EC000-memory.dmp
  yara_rule family_sectoprat: C:\Users\Admin\AppData\Local\Temp\okyKYSzsLb\build.exe
  yara_rule family_sectoprat: behavioral2/memory/1636-27-0x0000000000010000-0x000000000002E000-memory.dmp
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to or copying of the web browser credential store.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid 3880 powershell.exe
  pid 1364 powershell.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (process 09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation (process F1zIEr8LymmYf1N.exe)
- Executes dropped EXE (3 IoCs)
  pid 1636 build.exe
  pid 2876 F1zIEr8LymmYf1N.exe
  pid 1660 F1zIEr8LymmYf1N.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 12: ip-api.com
- Suspicious use of SetThreadContext (1 IoCs)
  PID 2876 (F1zIEr8LymmYf1N.exe) set thread context of PID 1660 (F1zIEr8LymmYf1N.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process powershell.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process schtasks.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process F1zIEr8LymmYf1N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process F1zIEr8LymmYf1N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process build.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process powershell.exe)
- Delays execution with timeout.exe (1 IoCs)
  pid 3888 timeout.exe
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 3844 09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe
  pid 1636 build.exe
  pid 1636 build.exe
  pid 2876 F1zIEr8LymmYf1N.exe
  pid 2876 F1zIEr8LymmYf1N.exe
  pid 2876 F1zIEr8LymmYf1N.exe
  pid 1364 powershell.exe
  pid 3880 powershell.exe
  pid 2876 F1zIEr8LymmYf1N.exe
  pid 2876 F1zIEr8LymmYf1N.exe
  pid 3880 powershell.exe
  pid 1364 powershell.exe
  pid 1660 F1zIEr8LymmYf1N.exe
  pid 1660 F1zIEr8LymmYf1N.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Token: SeDebugPrivilege, pid 3844 09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe
  Token: SeIncreaseQuotaPrivilege, pid 4340 WMIC.exe
  Token: SeSecurityPrivilege, pid 4340 WMIC.exe
  Token: SeTakeOwnershipPrivilege, pid 4340 WMIC.exe
  Token: SeLoadDriverPrivilege, pid 4340 WMIC.exe
  Token: SeSystemProfilePrivilege, pid 4340 WMIC.exe
  Token: SeSystemtimePrivilege, pid 4340 WMIC.exe
  Token: SeProfSingleProcessPrivilege, pid 4340 WMIC.exe
  Token: SeIncBasePriorityPrivilege, pid 4340 WMIC.exe
  Token: SeCreatePagefilePrivilege, pid 4340 WMIC.exe
  Token: SeBackupPrivilege, pid 4340 WMIC.exe
  Token: SeRestorePrivilege, pid 4340 WMIC.exe
  Token: SeShutdownPrivilege, pid 4340 WMIC.exe
  Token: SeDebugPrivilege, pid 4340 WMIC.exe
  Token: SeSystemEnvironmentPrivilege, pid 4340 WMIC.exe
  Token: SeRemoteShutdownPrivilege, pid 4340 WMIC.exe
  Token: SeUndockPrivilege, pid 4340 WMIC.exe
  Token: SeManageVolumePrivilege, pid 4340 WMIC.exe
  Token: 33, pid 4340 WMIC.exe
  Token: 34, pid 4340 WMIC.exe
  Token: 35, pid 4340 WMIC.exe
  Token: 36, pid 4340 WMIC.exe
  (the 21 WMIC.exe token entries above are recorded twice in the report, 42 IoCs in total)
  Token: SeDebugPrivilege, pid 1636 build.exe
  Token: SeDebugPrivilege, pid 2876 F1zIEr8LymmYf1N.exe
  Token: SeDebugPrivilege, pid 1364 powershell.exe
  Token: SeDebugPrivilege, pid 3880 powershell.exe
  Token: SeDebugPrivilege, pid 1660 F1zIEr8LymmYf1N.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid 1660 F1zIEr8LymmYf1N.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  PID 3844 (09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe) wrote to memory of PID 4688 (cmd.exe), 2 entries
  PID 4688 (cmd.exe) wrote to memory of PID 4340 (WMIC.exe), 2 entries
  PID 3844 (09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe) wrote to memory of PID 1636 (build.exe), 3 entries
  PID 3844 (09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe) wrote to memory of PID 2876 (F1zIEr8LymmYf1N.exe), 3 entries
  PID 3844 (09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe) wrote to memory of PID 3052 (cmd.exe), 2 entries
  PID 3052 (cmd.exe) wrote to memory of PID 3888 (timeout.exe), 2 entries
  PID 2876 (F1zIEr8LymmYf1N.exe) wrote to memory of PID 3880 (powershell.exe), 3 entries
  PID 2876 (F1zIEr8LymmYf1N.exe) wrote to memory of PID 1364 (powershell.exe), 3 entries
  PID 2876 (F1zIEr8LymmYf1N.exe) wrote to memory of PID 2412 (schtasks.exe), 3 entries
  PID 2876 (F1zIEr8LymmYf1N.exe) wrote to memory of PID 1660 (F1zIEr8LymmYf1N.exe), 8 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3844
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: "cmd" /C wmic path win32_ComputerSystem get model
    - Suspicious use of WriteProcessMemory
    PID: 4688
    - C:\Windows\System32\Wbem\WMIC.exe
      Command line: wmic path win32_ComputerSystem get model
      - Suspicious use of AdjustPrivilegeToken
      PID: 4340
  - C:\Users\Admin\AppData\Local\Temp\okyKYSzsLb\build.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\okyKYSzsLb\build.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1636
  - C:\Users\Admin\AppData\Local\Temp\VrKxVdcjIJha\F1zIEr8LymmYf1N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\VrKxVdcjIJha\F1zIEr8LymmYf1N.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2876
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\VrKxVdcjIJha\F1zIEr8LymmYf1N.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3880
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gpGmOsnKqxu.exe"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1364
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gpGmOsnKqxu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED5D.tmp"
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
      PID: 2412
    - C:\Users\Admin\AppData\Local\Temp\VrKxVdcjIJha\F1zIEr8LymmYf1N.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\VrKxVdcjIJha\F1zIEr8LymmYf1N.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 1660
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3052
    - C:\Windows\system32\timeout.exe
      Command line: TIMEOUT /T 3
      - Delays execution with timeout.exe
      PID: 3888
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (5)
    Credentials In Files (4)
    Credentials in Registry (1)
Downloads
- Filesize: 18KB
  MD5: e2c4f8c08e871872dc0f9bee0a99b71f
  SHA1: 66cf7d25af4f33d3c1efe97873d793f10d7f3a4c
  SHA256: 120911a6fb35cf56cb20b69b0daaac0d9294ebce265524683a5333809ce15bf8
  SHA512: 410e59d3e552313ff5a5064df2c7971b324e32470fe9939960a8a74949bf733dd668f54c034474bba8c25755eeee0bfb9c2f1534b24dded5f6085a015de0af1c
- Filesize: 682KB
  MD5: 699306ec02e3559349c05b65b0121d99
  SHA1: 1209add8d6c69c7f38390b9877317370ebb89590
  SHA256: 7a84173e1943cfb94e015aee5590b89d99814e9865c6f8602f88dbb28207eb99
  SHA512: 111a66d0ed10d68145012adf36f2e90fba109034336f3c108d3c24e3df99bdf56ca05f3d555694ca3dc834173b23c95759470c2b9df0ad2cf2bb46f54f7ac5df
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 95KB
  MD5: e18aaa8463e5c50aa14900b782c86dfa
  SHA1: 1ae0219a277685e3122389a7f46df7d1289381d1
  SHA256: 51a0f360052dc819f3f27677e13e93684ff3089e34d1f9e42fa76e4471fcb245
  SHA512: b9767adaf7273c8d1501e288d998af22493d30c066cce10de77d02bbd450f02501bc9581b87a14bd0ab081cc1a52c2371e3059b890e7e386d6f1e1e48329df92
- Filesize: 1KB
  MD5: e952060200dcd4e5dfb03be067573834
  SHA1: bbbae527f6860584887dd3bd56ff41ec2acf1626
  SHA256: 0a37ecf236e5b0e2d9fd3d05e9c9389c1bc08c2d54cb6a0e0f62f8dc7e488855
  SHA512: f5e8a1448bc950510ea2ac8f924946080486a6eea1e6f7cc5e94e67e7abe83757fc07861ca45b0702ef478bce15c7e7ec0b2e9809d5de8078863ff381c0d39e5