Analysis
  max time kernel:  149s
  max time network: 150s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240508-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        28-06-2024 10:00
Tasks
  Static task      static1
  Behavioral task  behavioral1  Sample: 4.exe                    Resource: win7-20240508-en
  Behavioral task  behavioral2  Sample: 4.exe                    Resource: win10v2004-20240508-en
  Behavioral task  behavioral3  Sample: $PLUGINSDIR/System.dll   Resource: win7-20240508-en
  Behavioral task  behavioral4  Sample: $PLUGINSDIR/System.dll   Resource: win10v2004-20240611-en
  Behavioral task  behavioral5  Sample: keelhauls.scr            Resource: win7-20240221-en
  Behavioral task  behavioral6  Sample: keelhauls.scr            Resource: win10v2004-20240508-en
General
  Target:  4.exe
  Size:    849KB
  MD5:     1e6cb04df9502e8cb007a482c663bc9d
  SHA1:    f53cf395db96bca467de325491ac09cfb8d388fc
  SHA256:  a7afb33b403ad33bf2421901d5ed9aad4e7ee362f343a86f313897713f595625
  SHA512:  8c962d165a951644c0c5bf52b95159185a49657facd1f6b3c443fe3dc2af11ab6af8c3e511a37e2581e2cf3e27b7671b0bc5b7762a3fb38b3a273afee6790e57
  SSDEEP:  12288:hcIjd3nQIQsk3na+QidVt1+DXuY4Dc25c2YDX8Y/RN4Yx6m:hcIjUna3imz4DTg5vl
Malware Config
  Extracted: agenttesla
    Protocol:  ftp
    Host:      ftp://mail.hearing-vision.com
    Port:      21
    Username:  [email protected]
    Password:  LILKOOLL14!
Signatures
  - AgentTesla
    Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  - Guloader, Cloudeye
    A shellcode-based downloader first seen in 2020.
  - Loads dropped DLL (1 IoCs)
    Processes:
      pid   process
      5060  4.exe
  - Reads data files stored by FTP clients (2 TTPs)
    Tries to access configuration files associated with programs like FileZilla.
  - Reads user/profile data of local email clients (2 TTPs)
    Email clients store some user data on disk where infostealers will often target it.
  - Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  - Looks up external IP address via web service (1 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
    Processes:
      flow  ioc
      21    ip-api.com
  - Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
    Processes:
      pid   process
      4892  4.exe
  - Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
    Processes:
      pid   process
      5060  4.exe
      4892  4.exe
  - Suspicious use of SetThreadContext (1 IoCs)
    Processes:
      description                          pid   process  target process
      PID 5060 set thread context of 4892  5060  4.exe    4.exe
  - Drops file in Windows directory (1 IoCs)
    Processes:
      description                   ioc                              process
      File opened for modification  C:\Windows\reassigned\sandi.ini  4.exe
  - Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  - Suspicious behavior: EnumeratesProcesses (2 IoCs)
    Processes:
      pid   process
      4892  4.exe
      4892  4.exe
  - Suspicious behavior: MapViewOfSection (1 IoCs)
    Processes:
      pid   process
      5060  4.exe
  - Suspicious use of AdjustPrivilegeToken (1 IoCs)
    Processes:
      description              pid   process
      Token: SeDebugPrivilege  4892  4.exe
  - Suspicious use of WriteProcessMemory (5 IoCs)
    Processes:
      description                       pid   process  target process
      PID 5060 wrote to memory of 4892  5060  4.exe    4.exe
      PID 5060 wrote to memory of 4892  5060  4.exe    4.exe
      PID 5060 wrote to memory of 4892  5060  4.exe    4.exe
      PID 5060 wrote to memory of 4892  5060  4.exe    4.exe
      PID 5060 wrote to memory of 4892  5060  4.exe    4.exe
Processes
  [1] C:\Users\Admin\AppData\Local\Temp\4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4.exe"
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\4.exe  (child of [1])
        Command line: "C:\Users\Admin\AppData\Local\Temp\4.exe"
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  C:\Users\Admin\AppData\Local\Temp\nsm7234.tmp\System.dll
    Filesize:  11KB
    MD5:       55a26d7800446f1373056064c64c3ce8
    SHA1:      80256857e9a0a9c8897923b717f3435295a76002
    SHA256:    904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
    SHA512:    04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b

  Memory dumps (pid-index-start-end)                                         Filesize
  memory/4892-32-0x0000000077941000-0x0000000077A61000-memory.dmp           1.1MB
  memory/4892-37-0x0000000035F30000-0x0000000035F80000-memory.dmp           320KB
  memory/4892-31-0x00000000004A0000-0x00000000016F4000-memory.dmp           18.3MB
  memory/4892-27-0x0000000001700000-0x000000000270D000-memory.dmp           16.1MB
  memory/4892-41-0x0000000001700000-0x000000000270D000-memory.dmp           16.1MB
  memory/4892-39-0x0000000036050000-0x000000003605A000-memory.dmp           40KB
  memory/4892-30-0x00000000779E5000-0x00000000779E6000-memory.dmp           4KB
  memory/4892-34-0x00000000004A0000-0x00000000004E2000-memory.dmp           264KB
  memory/4892-38-0x0000000035F80000-0x0000000036012000-memory.dmp           584KB
  memory/4892-28-0x00000000779C8000-0x00000000779C9000-memory.dmp           4KB
  memory/4892-36-0x0000000035620000-0x0000000035686000-memory.dmp           408KB
  memory/4892-35-0x0000000035070000-0x0000000035614000-memory.dmp           5.6MB
  memory/5060-24-0x0000000004B70000-0x0000000005B7D000-memory.dmp           16.1MB
  memory/5060-25-0x0000000077941000-0x0000000077A61000-memory.dmp           1.1MB
  memory/5060-26-0x0000000010004000-0x0000000010005000-memory.dmp           4KB
  memory/5060-29-0x0000000004B70000-0x0000000005B7D000-memory.dmp           16.1MB
  memory/5060-33-0x0000000004B70000-0x0000000005B7D000-memory.dmp           16.1MB