Analysis
max time kernel: 108s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-02-2023 01:16
Static task: static1
Behavioral task: behavioral1
  Sample: edf2482324868bd3843ba4e73258493c.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: edf2482324868bd3843ba4e73258493c.exe
  Resource: win10v2004-20221111-en
General
Target: edf2482324868bd3843ba4e73258493c.exe
Size: 400KB
MD5: edf2482324868bd3843ba4e73258493c
SHA1: 63ea0ccb381e1e765ed550c7b39b577f64c5bc48
SHA256: c6eeabef48a629434a613caade883ec827de3e2061750bbd807df2a3e5c19809
SHA512: 6b95b11955a025df3dcb1997b206dfe096d9a54eb4a504724c60b932faba705f53c4e621b50438d2ff11594942018ebb356bdd79da0dbfc818cc8e598074cf26
SSDEEP: 12288:LYemnabRqoBtSHZp+sv+BW7jyPtdsPGZRae:LYemazSHBqP9
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2500 | xfzbh.exe
2688 | xfzbh.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | xfzbh.exe
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | xfzbh.exe
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | xfzbh.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\miirmmvfb = "C:\\Users\\Admin\\AppData\\Roaming\\vrrbwggplueea\\jffoxttd.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\xfzbh.exe\" C:\\Users\\Admin\\AppData\\Loc" | xfzbh.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
3 | api.ipify.org
4 | api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 2500 set thread context of 2688 | 2500 | xfzbh.exe | xfzbh.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
2500 | xfzbh.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2688 | xfzbh.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2688 | xfzbh.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description | pid | process | target process
PID 404 wrote to memory of 2500 | 404 | edf2482324868bd3843ba4e73258493c.exe | xfzbh.exe
PID 404 wrote to memory of 2500 | 404 | edf2482324868bd3843ba4e73258493c.exe | xfzbh.exe
PID 404 wrote to memory of 2500 | 404 | edf2482324868bd3843ba4e73258493c.exe | xfzbh.exe
PID 2500 wrote to memory of 2688 | 2500 | xfzbh.exe | xfzbh.exe
PID 2500 wrote to memory of 2688 | 2500 | xfzbh.exe | xfzbh.exe
PID 2500 wrote to memory of 2688 | 2500 | xfzbh.exe | xfzbh.exe
PID 2500 wrote to memory of 2688 | 2500 | xfzbh.exe | xfzbh.exe
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | xfzbh.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | xfzbh.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\edf2482324868bd3843ba4e73258493c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\edf2482324868bd3843ba4e73258493c.exe"
    - Suspicious use of WriteProcessMemory
    PID:404
    -
    [2] C:\Users\Admin\AppData\Local\Temp\xfzbh.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\xfzbh.exe" C:\Users\Admin\AppData\Local\Temp\jspemy.qt
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        PID:2500
        -
        [3] C:\Users\Admin\AppData\Local\Temp\xfzbh.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\xfzbh.exe"
            - Executes dropped EXE
            - Accesses Microsoft Outlook profiles
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - outlook_office_path
            - outlook_win_path
            PID:2688
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 7KB
MD5: 3926773019a3f2ab0834d45972870963
SHA1: 8ac86237a1bf4d5d37e1aa48a467a470ef714508
SHA256: 0c21aa1cda8ef133d18784c245f7fa318ce17b9dc68229a4f750a05ad891c802
SHA512: 1f66f246c65e02acc91252088487b383001e78e176eccd622c2d9ba944fe2835d1e0e094b9f51d216a37a5e076d162262e383e7b1899f7ed5d4790c8ad2041b0
-
Filesize: 266KB
MD5: 1800de52920159770f15dfa35893893e
SHA1: 8d3b7e82ceafdb0b3560e02033f24900194117e3
SHA256: 8bad231472ce99bbe48777d8c381b7563587e137bba62d88e08d218d849bbf92
SHA512: 962cd6697594644513332cff75258227b44d4f19b3d6453e9fd865130139eaf30170d1a9c7579be6f0db9abb0a24ce78598125f66363fa3628171ccfc5d9fc57
-
Filesize: 361KB
MD5: 2051a52d6c8e148e037dcf09d9df7015
SHA1: 04c5cd0d1cafed7af3474379d9b774e6953c416e
SHA256: 417c63ba2b158bafde49f36255b5a28456adfd11b7912178393a40eb3c248839
SHA512: d0bce8c2bed856a3454680adea072a9015fddc1053db6c34b2d3da517cfa0016bce7158a46edf22e16edd1f56eee0cba3ba5b263381e9fd7a79cfa1a484d25c4