Analysis
Max time kernel: 122s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20231023-en
Resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
Submitted: 02-12-2023 01:32
Static task: static1
Behavioral task: behavioral1
  Sample: f2827994224ee4c40151c42c38044dadb2e6111966028afd127fefa8636edb79.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: f2827994224ee4c40151c42c38044dadb2e6111966028afd127fefa8636edb79.exe
  Resource: win10v2004-20231130-en
General
Target: f2827994224ee4c40151c42c38044dadb2e6111966028afd127fefa8636edb79.exe
Size: 406KB
MD5: da3e7fb79e5432ba9a9ec8dcb7e06cde
SHA1: 3f156007d8bce03b4ce8aab2ce955bb7367027ba
SHA256: f2827994224ee4c40151c42c38044dadb2e6111966028afd127fefa8636edb79
SHA512: cac7cbbb737342b53daca5d1c9c9192ea2c9e88e39ae49b7b7a3c77fcd538e92264c834b8698a4a245f1dc95dc8b5a4f6c0a4abc3f20959b6b4abc249bbbdfd5
SSDEEP: 12288:wy4uGuYFIhy2jT842ridRj0wDU+GXXLhE:wy4uGumIE2jw42iNJH+XC
Malware Config
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. The browser and e-mail client data access, Run-key persistence and self-injection flagged in the signatures below are consistent with that family.
Executes dropped EXE (2 IoCs)
Processes:
  PID 2440  kqytz.exe
  PID 1772  kqytz.exe

Loads dropped DLL (3 IoCs)
Processes:
  PID 1764  f2827994224ee4c40151c42c38044dadb2e6111966028afd127fefa8636edb79.exe
  PID 1764  f2827994224ee4c40151c42c38044dadb2e6111966028afd127fefa8636edb79.exe
  PID 2440  kqytz.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  kqytz.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\xbUuw = "C:\\Users\\Admin\\AppData\\Roaming\\xbUuw\\xbUuw.exe"

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 2440 (kqytz.exe) set thread context of PID 1772 (kqytz.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 1772  kqytz.exe
  PID 1772  kqytz.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  PID 2440  kqytz.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  PID 1772  kqytz.exe  Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 1772  kqytz.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 1764 (f2827994224ee4c40151c42c38044dadb2e6111966028afd127fefa8636edb79.exe) wrote to memory of PID 2440 (kqytz.exe)  (4 events)
  PID 2440 (kqytz.exe) wrote to memory of PID 1772 (kqytz.exe)  (5 events)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\f2827994224ee4c40151c42c38044dadb2e6111966028afd127fefa8636edb79.exe (PID 1764)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f2827994224ee4c40151c42c38044dadb2e6111966028afd127fefa8636edb79.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\kqytz.exe (PID 2440, child of PID 1764)
      Command line: "C:\Users\Admin\AppData\Local\Temp\kqytz.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\kqytz.exe (PID 1772, child of PID 2440)
        Command line: "C:\Users\Admin\AppData\Local\Temp\kqytz.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
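The chain the signatures and process tree above describe (the sample running from %TEMP%, dropping and executing kqytz.exe, kqytz.exe spawning and writing into a second copy of itself via WriteProcessMemory/SetThreadContext, and that copy setting a HKCU Run key that points into AppData\Roaming) can be turned into host-log hunting logic. The Python below is an added example and is not part of the Triage report or the sample's code. It runs three rules over constructed Sysmon-style events that reuse the report's PIDs, image paths and SID; the explorer.exe parent of PID 1764, the event field layout, the Sysmon `HKU\<SID>` rendering of the report's `\REGISTRY\USER\<SID>` path, and the benign control event are assumptions made for the example.

```python
r"""Hunting logic for the behaviour chain in this report, run over constructed
Sysmon-style events (added example; not part of the sandbox output).

The constructed events reproduce what the report's signatures and process tree
show: the sample runs from %TEMP%, drops and executes kqytz.exe, kqytz.exe spawns
a second copy of itself and writes into it (process hollowing), and that copy
sets a HKCU Run key pointing at %APPDATA%\xbUuw\xbUuw.exe. PIDs, paths and the
SID come from the report; the explorer.exe parent, the event layout and the
benign control event are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # Sysmon EID: 1 = process create, 13 = registry value set
    pid: int
    image: str
    parent_pid: int = 0
    parent_image: str = ""
    target_object: str = ""  # EID 13: registry value path
    details: str = ""        # EID 13: value data


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\f2827994224ee4c40151c42c38044dadb2e6111966028afd127fefa8636edb79.exe"
DROPPED = TEMP + r"\kqytz.exe"
SID = "S-1-5-21-2085049433-1067986815-1244098655-1000"
RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed events mirroring the report's chain 1764 -> 2440 -> 1772.
EVENTS = [
    Event(1, 1764, SAMPLE, 1200, r"C:\Windows\explorer.exe"),  # parent PID/image assumed
    Event(1, 2440, DROPPED, 1764, SAMPLE),
    Event(1, 1772, DROPPED, 2440, DROPPED),
    # Sysmon renders the report's \REGISTRY\USER\<SID> prefix as HKU\<SID>
    Event(13, 1772, DROPPED, target_object="HKU\\" + SID + RUN + r"\xbUuw",
          details=r"C:\Users\Admin\AppData\Roaming\xbUuw\xbUuw.exe"),
]

# Constructed benign control: a Run value pointing into Program Files must not fire.
BENIGN_EVENTS = [
    Event(13, 3000, r"C:\Program Files\Vendor\Updater.exe",
          target_object="HKU\\" + SID + RUN + r"\VendorUpdater",
          details=r'"C:\Program Files\Vendor\Updater.exe" /background'),
]

USER_WRITABLE = re.compile(r"(?i)^C:\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\")
RUN_KEY = re.compile(
    r"(?i)^(\\REGISTRY\\USER|HKU|HKEY_USERS|HKCU|HKEY_CURRENT_USER)\\"
    r"(S-1-5-21-[0-9-]+\\)?Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
)


def image_from_details(details: str) -> str:
    """Pull the executable path out of Run-key data, quoted or bare, with optional arguments."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", details)
    return m.group(1) if m else details


def detect(events: list[Event]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, evidence) for every event that matches one of three rules:
    self_spawn        - process whose parent is the same image (the hollowing launcher)
    temp_drop_exec    - executable under a user-writable dir started by another one there
    run_key_user_path - Run value whose target lives under AppData
    """
    hits = []
    for e in events:
        if e.event_id == 1:
            if e.parent_image and e.image.lower() == e.parent_image.lower():
                hits.append(("self_spawn", e.pid, e.image))
            if USER_WRITABLE.search(e.image) and USER_WRITABLE.search(e.parent_image):
                hits.append(("temp_drop_exec", e.pid, e.image))
        elif e.event_id == 13 and RUN_KEY.search(e.target_object):
            if USER_WRITABLE.search(image_from_details(e.details)):
                hits.append(("run_key_user_path", e.pid, e.target_object))
    return hits


def process_chain(events: list[Event], pid: int) -> list[int]:
    """Walk EID 1 parent links from pid back to the first process we hold a record for."""
    by_pid = {e.pid: e for e in events if e.event_id == 1}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].parent_pid
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid, evidence in detect(EVENTS):
        print(f"{rule:18} pid={pid} {evidence}")
    print("chain:", " -> ".join(map(str, process_chain(EVENTS, 1772))))
```

Sysmon has no event for SetThreadContext and the suspended child is created rather than opened, so the hollowing step is not observable directly; the same-image parent/child pair (kqytz.exe spawning kqytz.exe) is the proxy used here. On its own that rule also fires on legitimate self-spawning programs such as browsers, which is why it is paired with the user-writable-path rule: a same-image spawn from %TEMP% that is followed by a Run value pointing into AppData is the combination worth alerting on, and the benign control event shows the Run-key rule staying quiet for a Program Files target.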
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 333KB
  MD5: 47cc6f48191eb6a9be84fdf5446826e4
  SHA1: 2e3ca7823cc49aa445c37e9808cb1a7ce38295ea
  SHA256: a1810d95e3ce91fb6a5eb153fe055604c436808e9394a3435cb681efa3bd8895
  SHA512: 3bbff66a0a087da687d0fffe32b59a8bc6e8a7e3099086e7612920a3339c7f4c9ecef80c4e851635ee14b8bf833bada3848785b1df18b8fd12f9b722acbfbfaf

File 2 (the report lists this same file seven times)
  Filesize: 191KB
  MD5: afe66b2e3f1dc414b17661629280925b
  SHA1: 8ce75f5f8343dc6e856db9863b51a68748e24eac
  SHA256: 9aa07b9c396860611cd24d4a2f55fa5dcd6b4bbfc49e1ff9660431d678f8f4e5
  SHA512: 38663afef027477443dc62e17d15ba1115391f495bc9c7a2031b7cb6278166754c8a5cbe21e8421b5072611353797b60775d6063cb0e97e7cec4fd77a0602335