Analysis

  • max time kernel
    126s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-08-2024 01:31

General

  • Target

    09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe

  • Size

    790KB

  • MD5

    c17695e30b4eca8c1ea15dfc6b4741f7

  • SHA1

    3aad8f4df2826bf777654a39af944011ead7cb1b

  • SHA256

    09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f

  • SHA512

    8e0f8b79a82792caa152542fda3d7a11ba7da341267ca84eab3935a8f96b6aa887703e1a4d43178196e93d70afb1b71a08fa299ed386e0b812d54fc2f387d206

  • SSDEEP

    24576:nMTsaArNuC1Un3ld9AYt75cAdwAnflsA2:ndPrW3l7PuAnflsA2

Malware Config

Extracted

Family

redline

Botnet

biss

C2

172.81.131.198:16383

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 3 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe
    "C:\Users\Admin\AppData\Local\Temp\09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3844
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C wmic path win32_ComputerSystem get model
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_ComputerSystem get model
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4340
    • C:\Users\Admin\AppData\Local\Temp\okyKYSzsLb\build.exe
      "C:\Users\Admin\AppData\Local\Temp\okyKYSzsLb\build.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1636
    • C:\Users\Admin\AppData\Local\Temp\VrKxVdcjIJha\F1zIEr8LymmYf1N.exe
      "C:\Users\Admin\AppData\Local\Temp\VrKxVdcjIJha\F1zIEr8LymmYf1N.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\VrKxVdcjIJha\F1zIEr8LymmYf1N.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3880
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gpGmOsnKqxu.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1364
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gpGmOsnKqxu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED5D.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2412
      • C:\Users\Admin\AppData\Local\Temp\VrKxVdcjIJha\F1zIEr8LymmYf1N.exe
        "C:\Users\Admin\AppData\Local\Temp\VrKxVdcjIJha\F1zIEr8LymmYf1N.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1660
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\09705f03e3cd697bab38eb3a5c1c551bf6269c77f82eabb9a94871939b59170f.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Windows\system32\timeout.exe
        TIMEOUT /T 3
        3⤵
        • Delays execution with timeout.exe
        PID:3888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    18KB

    MD5

    e2c4f8c08e871872dc0f9bee0a99b71f

    SHA1

    66cf7d25af4f33d3c1efe97873d793f10d7f3a4c

    SHA256

    120911a6fb35cf56cb20b69b0daaac0d9294ebce265524683a5333809ce15bf8

    SHA512

    410e59d3e552313ff5a5064df2c7971b324e32470fe9939960a8a74949bf733dd668f54c034474bba8c25755eeee0bfb9c2f1534b24dded5f6085a015de0af1c

  • C:\Users\Admin\AppData\Local\Temp\VrKxVdcjIJha\F1zIEr8LymmYf1N.exe

    Filesize

    682KB

    MD5

    699306ec02e3559349c05b65b0121d99

    SHA1

    1209add8d6c69c7f38390b9877317370ebb89590

    SHA256

    7a84173e1943cfb94e015aee5590b89d99814e9865c6f8602f88dbb28207eb99

    SHA512

    111a66d0ed10d68145012adf36f2e90fba109034336f3c108d3c24e3df99bdf56ca05f3d555694ca3dc834173b23c95759470c2b9df0ad2cf2bb46f54f7ac5df

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_swxj0jrv.tzm.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\okyKYSzsLb\build.exe

    Filesize

    95KB

    MD5

    e18aaa8463e5c50aa14900b782c86dfa

    SHA1

    1ae0219a277685e3122389a7f46df7d1289381d1

    SHA256

    51a0f360052dc819f3f27677e13e93684ff3089e34d1f9e42fa76e4471fcb245

    SHA512

    b9767adaf7273c8d1501e288d998af22493d30c066cce10de77d02bbd450f02501bc9581b87a14bd0ab081cc1a52c2371e3059b890e7e386d6f1e1e48329df92

  • C:\Users\Admin\AppData\Local\Temp\tmpED5D.tmp

    Filesize

    1KB

    MD5

    e952060200dcd4e5dfb03be067573834

    SHA1

    bbbae527f6860584887dd3bd56ff41ec2acf1626

    SHA256

    0a37ecf236e5b0e2d9fd3d05e9c9389c1bc08c2d54cb6a0e0f62f8dc7e488855

    SHA512

    f5e8a1448bc950510ea2ac8f924946080486a6eea1e6f7cc5e94e67e7abe83757fc07861ca45b0702ef478bce15c7e7ec0b2e9809d5de8078863ff381c0d39e5

  • memory/1364-130-0x00000000072B0000-0x0000000007346000-memory.dmp

    Filesize

    600KB

  • memory/1364-131-0x0000000007230000-0x0000000007241000-memory.dmp

    Filesize

    68KB

  • memory/1364-78-0x0000000005640000-0x00000000056A6000-memory.dmp

    Filesize

    408KB

  • memory/1364-134-0x0000000007370000-0x000000000738A000-memory.dmp

    Filesize

    104KB

  • memory/1364-77-0x0000000004E40000-0x0000000004E62000-memory.dmp

    Filesize

    136KB

  • memory/1364-116-0x00000000752F0000-0x000000007533C000-memory.dmp

    Filesize

    304KB

  • memory/1364-135-0x0000000007350000-0x0000000007358000-memory.dmp

    Filesize

    32KB

  • memory/1364-133-0x0000000007270000-0x0000000007284000-memory.dmp

    Filesize

    80KB

  • memory/1364-127-0x0000000007030000-0x000000000704A000-memory.dmp

    Filesize

    104KB

  • memory/1364-132-0x0000000007260000-0x000000000726E000-memory.dmp

    Filesize

    56KB

  • memory/1364-92-0x0000000005720000-0x0000000005A74000-memory.dmp

    Filesize

    3.3MB

  • memory/1636-34-0x0000000004940000-0x000000000498C000-memory.dmp

    Filesize

    304KB

  • memory/1636-40-0x0000000005E10000-0x0000000005E76000-memory.dmp

    Filesize

    408KB

  • memory/1636-41-0x0000000006460000-0x00000000064D6000-memory.dmp

    Filesize

    472KB

  • memory/1636-42-0x0000000006560000-0x000000000657E000-memory.dmp

    Filesize

    120KB

  • memory/1636-39-0x0000000006580000-0x0000000006AAC000-memory.dmp

    Filesize

    5.2MB

  • memory/1636-38-0x0000000005E80000-0x0000000006042000-memory.dmp

    Filesize

    1.8MB

  • memory/1636-36-0x0000000004BA0000-0x0000000004CAA000-memory.dmp

    Filesize

    1.0MB

  • memory/1636-33-0x0000000004900000-0x000000000493C000-memory.dmp

    Filesize

    240KB

  • memory/1636-32-0x00000000048A0000-0x00000000048B2000-memory.dmp

    Filesize

    72KB

  • memory/1636-31-0x0000000004E00000-0x0000000005418000-memory.dmp

    Filesize

    6.1MB

  • memory/1636-27-0x0000000000010000-0x000000000002E000-memory.dmp

    Filesize

    120KB

  • memory/1660-99-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

  • memory/1660-139-0x0000000006BD0000-0x0000000006C20000-memory.dmp

    Filesize

    320KB

  • memory/2876-35-0x00000000056F0000-0x00000000056FA000-memory.dmp

    Filesize

    40KB

  • memory/2876-69-0x000000000A790000-0x000000000A82C000-memory.dmp

    Filesize

    624KB

  • memory/2876-28-0x0000000000CE0000-0x0000000000D90000-memory.dmp

    Filesize

    704KB

  • memory/2876-29-0x0000000005CA0000-0x0000000006244000-memory.dmp

    Filesize

    5.6MB

  • memory/2876-30-0x0000000005620000-0x00000000056B2000-memory.dmp

    Filesize

    584KB

  • memory/2876-37-0x0000000008230000-0x0000000008246000-memory.dmp

    Filesize

    88KB

  • memory/2876-67-0x0000000006950000-0x000000000695E000-memory.dmp

    Filesize

    56KB

  • memory/2876-68-0x0000000006990000-0x0000000006A16000-memory.dmp

    Filesize

    536KB

  • memory/3844-1-0x00007FFF9EEC3000-0x00007FFF9EEC5000-memory.dmp

    Filesize

    8KB

  • memory/3844-0-0x0000000000820000-0x00000000008EC000-memory.dmp

    Filesize

    816KB

  • memory/3880-115-0x0000000006970000-0x000000000698E000-memory.dmp

    Filesize

    120KB

  • memory/3880-129-0x0000000006D90000-0x0000000006D9A000-memory.dmp

    Filesize

    40KB

  • memory/3880-128-0x0000000007370000-0x00000000079EA000-memory.dmp

    Filesize

    6.5MB

  • memory/3880-117-0x00000000069F0000-0x0000000006A93000-memory.dmp

    Filesize

    652KB

  • memory/3880-75-0x0000000002110000-0x0000000002146000-memory.dmp

    Filesize

    216KB

  • memory/3880-104-0x00000000069B0000-0x00000000069E2000-memory.dmp

    Filesize

    200KB

  • memory/3880-76-0x0000000004B20000-0x0000000005148000-memory.dmp

    Filesize

    6.2MB

  • memory/3880-105-0x00000000752F0000-0x000000007533C000-memory.dmp

    Filesize

    304KB

  • memory/3880-103-0x0000000005A90000-0x0000000005ADC000-memory.dmp

    Filesize

    304KB

  • memory/3880-102-0x0000000005A00000-0x0000000005A1E000-memory.dmp

    Filesize

    120KB