Analysis
- max time kernel: 157s
- max time network: 193s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 11:43
Static task: static1
Behavioral task: behavioral1
- Sample: 2211.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 2211.exe
- Resource: win10v2004-20221111-en
General
- Target: 2211.exe
- Size: 653KB
- MD5: aeb1becc0f251e643e27c95d2fa1d91b
- SHA1: f14bbc296f1da0a6e11993286871f2e9bacff72c
- SHA256: 8cdd2376c22a3f37faafe3a39f3730b7c03c9e641b729607ca2b083abbc3f05e
- SHA512: 0f2f2d370b257796b73f227adb055bfdd57621f34198cfabf66eef1dee43c5904263f32a7ce699ef716709dd3119b46639726e571e495533f15a2e8c403c9dec
- SSDEEP: 12288:ggF5Mgmsq8We1+CGGpKw65AHm9RCBT3g5AnttzyrMNkaM8:ggF5asqb+BFV2RKT/ntMMKaM8
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (4 IoCs)
  Processes (PID, process):
  - 1620 bzbvzlhl.exe
  - 1556 bzbvzlhl.exe
  - 1548 bzbvzlhl.exe
  - 4392 bzbvzlhl.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, which infostealers often target.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description, IoC, process):
  - Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (bzbvzlhl.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (bzbvzlhl.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (bzbvzlhl.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, IoC, process):
  - Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbhhsudlkg = "C:\\Users\\Admin\\AppData\\Roaming\\aqpvijntejq\\thpai.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\bzbvzlhl.exe\" \"C:\\Users\\Admin\\AppData\\Loca" (bzbvzlhl.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MYAPP = "C:\\Users\\Admin\\AppData\\Roaming\\MYAPP\\MYAPP.exe" (bzbvzlhl.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, IoC):
  - 37 api.ipify.org
  - 38 api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, PID, process, target process):
  - PID 1620 set thread context of 4392 (1620 bzbvzlhl.exe -> bzbvzlhl.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (PID, process): 4392 bzbvzlhl.exe (3 entries)
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes (PID, process): 1620 bzbvzlhl.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, PID, process): Token: SeDebugPrivilege, 4392 bzbvzlhl.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (PID, process): 1620 bzbvzlhl.exe (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (PID, process): 1620 bzbvzlhl.exe (2 entries)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description, PID, process, target process):
  - PID 4956 (2211.exe) wrote to memory of 1620 (bzbvzlhl.exe), 3 entries
  - PID 1620 (bzbvzlhl.exe) wrote to memory of 1556 (bzbvzlhl.exe), 3 entries
  - PID 1620 (bzbvzlhl.exe) wrote to memory of 1548 (bzbvzlhl.exe), 3 entries
  - PID 1620 (bzbvzlhl.exe) wrote to memory of 4392 (bzbvzlhl.exe), 4 entries
- outlook_office_path (1 IoC)
  Processes (description, IoC, process):
  - Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (bzbvzlhl.exe)
- outlook_win_path (1 IoC)
  Processes (description, IoC, process):
  - Key opened \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (bzbvzlhl.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\2211.exe (PID 4956)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2211.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe (PID 1620)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe" "C:\Users\Admin\AppData\Local\Temp\ooumeqge.au3"
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe (PID 1556)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe" "C:\Users\Admin\AppData\Local\Temp\ooumeqge.au3"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe (PID 1548)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe" "C:\Users\Admin\AppData\Local\Temp\ooumeqge.au3"
      Signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe (PID 4392)
      Command line: "C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe" "C:\Users\Admin\AppData\Local\Temp\ooumeqge.au3"
      Signatures: Executes dropped EXE; Accesses Microsoft Outlook profiles; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\avqvqsomdl.xb
  Filesize: 296KB
  MD5: 51b916511c0aea57ca2897190bb3e539
  SHA1: d39eaa300d71355228bcc21a0ec46c4d3f7f0016
  SHA256: b15acc30ffbeb3cfb395eb9431b851d1a290351f33fa949d32764766aa970aa9
  SHA512: 9e6baf8b61509b79e069090eba870df4d8149fd57ac8cd1e57283613f1f0964827e7c80f2a0619edcd3cfeb9db5476f96346c3257b84ccb50b759936894980e3
- C:\Users\Admin\AppData\Local\Temp\bzbvzlhl.exe
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\ooumeqge.au3
  Filesize: 5KB
  MD5: 3269fd188633739100bdb419077af27b
  SHA1: 3002dc219e2ad8962925a9c5d2eee1f65b013b34
  SHA256: f43d648a96bf10e8f16ee249ed7720cb397b5b3ace8984b89394cc3c89d9bd2b
  SHA512: 036c8a02f6bd7e4b7acc0c5eab35791b7c971c63c9baae228fbdcab535486f4ad93ce4516d77b34c4990a98a90fe3215d1a830989bd08a5c08dc7b5d17a06b73
- C:\Users\Admin\AppData\Local\Temp\wbdoha.zm
  Filesize: 53KB
  MD5: 4d0605d5d6f7c6d6ab3aa83ec69864b1
  SHA1: fb135fb2f48eb124a0483780a937f06ce9e2facf
  SHA256: 91c90ec3f95d41d190a54c7e27637cebae0749c0db1b805a28729e077e0df0c5
  SHA512: abd50e6877e9c9e592afe661b28957b4640e0a0084135e5a35fb955378f9f995693c000d85aff972d4e987ac262400f8e5c7cd40ab8e04a9ed1b8c7d8ac33a40
- memory/1548-139-0x0000000000000000-mapping.dmp
- memory/1556-138-0x0000000000000000-mapping.dmp
- memory/1620-132-0x0000000000000000-mapping.dmp
- memory/4392-142-0x0000000000000000-mapping.dmp
- memory/4392-144-0x0000000006080000-0x0000000006624000-memory.dmp (Filesize: 5.6MB)
- memory/4392-145-0x0000000000400000-0x000000000044E000-memory.dmp (Filesize: 312KB)
- memory/4392-146-0x00000000059D0000-0x0000000005A6C000-memory.dmp (Filesize: 624KB)
- memory/4392-147-0x0000000006CC0000-0x0000000006D26000-memory.dmp (Filesize: 408KB)
- memory/4392-148-0x0000000007FC0000-0x0000000008010000-memory.dmp (Filesize: 320KB)
- memory/4392-149-0x00000000080B0000-0x0000000008142000-memory.dmp (Filesize: 584KB)
- memory/4392-150-0x0000000006050000-0x000000000605A000-memory.dmp (Filesize: 40KB)