Analysis
max time kernel: 120s
max time network: 117s
platform: windows10_x64
resource: win10
submitted: 07-07-2020 08:23

Static task: static1
Behavioral task: behavioral1
  Sample: gunzipped.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: gunzipped.exe
  Resource: win10
General
Target: gunzipped.exe
Size: 556KB
MD5: 605bf3ac2dc392025ee5ad634175c532
SHA1: 0b59ca04e25f42f814fa0ec20ceee0ee75b3044c
SHA256: 522611d9bc8c8a566e73a6c1126e01da0814748e422fce48805949c152408868
SHA512: c555a860cb99d6ef283bec328b59f43ada20037395479329f61e8efcaec2fb406f719b9db69f45c9fbd8282d7783ee2bcf77db7b5f9566ee148afaf299f4d1f5
Malware Config
Extracted
Protocol: smtp
Host: smtp.elittacop.com
Port: 587
Username: [email protected]
Password: @eaSYuc8
Signatures

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                      pid  process        target process
  PID 344 wrote to memory of 3496  344  gunzipped.exe  gunzipped.exe
  PID 344 wrote to memory of 3496  344  gunzipped.exe  gunzipped.exe
  PID 344 wrote to memory of 3496  344  gunzipped.exe  gunzipped.exe
  PID 344 wrote to memory of 3496  344  gunzipped.exe  gunzipped.exe
  PID 344 wrote to memory of 3496  344  gunzipped.exe  gunzipped.exe
  PID 344 wrote to memory of 3496  344  gunzipped.exe  gunzipped.exe
  PID 344 wrote to memory of 3496  344  gunzipped.exe  gunzipped.exe
  PID 344 wrote to memory of 3496  344  gunzipped.exe  gunzipped.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3496  gunzipped.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                  process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion      gunzipped.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion       gunzipped.exe
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes:
  description  ioc                                                                       process
  Key opened   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions  gunzipped.exe
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes:
  description  ioc                                                              process
  Key opened   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools  gunzipped.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid  process        target process
  PID 344 set thread context of 3496  344  gunzipped.exe  gunzipped.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  3496  gunzipped.exe
  3496  gunzipped.exe
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                          process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     gunzipped.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0   gunzipped.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Processes

C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
  PID: 344
  - Suspicious use of WriteProcessMemory
  - Checks BIOS information in registry
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Suspicious use of SetThreadContext
  - Maps connected drives based on registry

  C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
    Command line: "{path}"
    PID: 3496
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses