Analysis
max time kernel: 114s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 25-11-2023 02:37
Static task
static1
Behavioral task
behavioral1
Sample
946efedd1031acb02565b20f7457ba5e9ddfb660f4e8b008285bfc0b758109c7.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
946efedd1031acb02565b20f7457ba5e9ddfb660f4e8b008285bfc0b758109c7.exe
Resource
win10v2004-20231023-en
General
Target: 946efedd1031acb02565b20f7457ba5e9ddfb660f4e8b008285bfc0b758109c7.exe
Size: 657KB
MD5: 44b3f77611eb5683fd24afe8dbd7b51e
SHA1: 0676080c4436fcd309e8dbef2446c4e24d2944e5
SHA256: 946efedd1031acb02565b20f7457ba5e9ddfb660f4e8b008285bfc0b758109c7
SHA512: 302c50f5c2be68a170d62bbd426184d5a7a5327b72292cae2f2ca63a37cc10c3a0531c2f6d8e0aee992b2416f05742f3679ab49aef6cc5b8e996681784931cc8
SSDEEP: 12288:vwxPgUrwBabekPXpxSHIjxrpLFm7OoOWf0h5KkrNGg7fqq/5pv:wKBabdPvS4Lp3m0hIkrN9LR
Malware Config
Extracted
Protocol: smtp
Host: premium185.web-hosting.com
Port: 587
Username: [email protected]
Password: cooldown2013
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Executes dropped EXE 2 IoCs
pid   Process
2756  gkspqgbsg.exe
3380  gkspqgbsg.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                                          Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SzvWIzD = "C:\\Users\\Admin\\AppData\\Roaming\\SzvWIzD\\SzvWIzD.exe"  gkspqgbsg.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
15    api.ipify.org
16    api.ipify.org
Suspicious use of SetThreadContext 1 IoCs
description                           pid   Process        procid_target
PID 2756 set thread context of 3380   2756  gkspqgbsg.exe  88
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
3380  gkspqgbsg.exe
3380  gkspqgbsg.exe
Suspicious behavior: MapViewOfSection 1 IoCs
pid   Process
2756  gkspqgbsg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  3380  gkspqgbsg.exe
Suspicious use of WriteProcessMemory 7 IoCs
description                      pid   Process                                                                 procid_target
PID 4428 wrote to memory of 2756 4428  946efedd1031acb02565b20f7457ba5e9ddfb660f4e8b008285bfc0b758109c7.exe  86
PID 4428 wrote to memory of 2756 4428  946efedd1031acb02565b20f7457ba5e9ddfb660f4e8b008285bfc0b758109c7.exe  86
PID 4428 wrote to memory of 2756 4428  946efedd1031acb02565b20f7457ba5e9ddfb660f4e8b008285bfc0b758109c7.exe  86
PID 2756 wrote to memory of 3380 2756  gkspqgbsg.exe                                                           88
PID 2756 wrote to memory of 3380 2756  gkspqgbsg.exe                                                           88
PID 2756 wrote to memory of 3380 2756  gkspqgbsg.exe                                                           88
PID 2756 wrote to memory of 3380 2756  gkspqgbsg.exe                                                           88
Processes
C:\Users\Admin\AppData\Local\Temp\946efedd1031acb02565b20f7457ba5e9ddfb660f4e8b008285bfc0b758109c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\946efedd1031acb02565b20f7457ba5e9ddfb660f4e8b008285bfc0b758109c7.exe"
  PID: 4428
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe"
    PID: 2756
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\gkspqgbsg.exe"
      PID: 3380
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 523KB
MD5: da25a3a223aab46ac3989923028ead8d
SHA1: 53053eb02e5acba55297024b08419afe4bd33b37
SHA256: 32f6a05579898840b3d49e60bde1270221e90f31b8f6c67e64ec307c5fd6dc78
SHA512: 0a598476684ca10d0b1b40bdc02e3c0ebaf3039f0a7ac51ed1b9c558685824334240cba19522f8a2270a9c18ff508115c9e047bd93b71c1dd49c59637b8242ac
-
Filesize: 333KB
MD5: 72f0328b8d9c87ab8df933e0b2263b56
SHA1: 58dddc7412282e05cb3c85b8f7565633cf3f6159
SHA256: 653d5667465616ac704fc2622d2e65cbe79ba2433792715c86c11a900c3ff6f6
SHA512: e151dd66104a61bffb37880e6a08f54c9972f274151748609861b9d83c24d938d3e6fbf26863edb251dce616dd19570b69a6e437c1c9645189100c3aebd66a8e