Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231201-en
- resource tags: arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2023 01:02
Static task
- static1

Behavioral task
- behavioral1
  - Sample: 326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe
  - Resource: win7-20231201-en

Behavioral task
- behavioral2
  - Sample: 326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe
  - Resource: win10v2004-20231130-en
General
- Target: 326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe
- Size: 532KB
- MD5: 2c334fd4c8aca0cb889f3fb764b55c5b
- SHA1: 205d9c7f0da4488123ba70432454ee77f58a7a88
- SHA256: 326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb
- SHA512: c58528f5dd0c33477c69719803757054edb70844ce68c0c4df184ce63d8fb5b6ee807a087f0592ad6c1b7c1b221c5144ce9dcc38c0cedac6a65c99dedfe590f3
- SSDEEP: 12288:vcxPgUrbekrZzSuYf63NjHTC9mXyGRqiMgQ/qf:095tz463x2mXynilQyf
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2652  btcmxkv.exe
    2708  btcmxkv.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid   process
    2784  326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe
    2784  326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe
    2652  btcmxkv.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Windows\CurrentVersion\Run\SzvWIzD = "C:\\Users\\Admin\\AppData\\Roaming\\SzvWIzD\\SzvWIzD.exe"
    process: btcmxkv.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow: 2
    ioc: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 2652 set thread context of 2708
    pid: 2652
    process: btcmxkv.exe
    target process: btcmxkv.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2708  btcmxkv.exe
    2708  btcmxkv.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid: 2652
    process: btcmxkv.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 2708
    process: btcmxkv.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                            pid   process                                                                  target process
    PID 2784 wrote to memory of 2652 (x4)  2784  326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe  btcmxkv.exe
    PID 2652 wrote to memory of 2708 (x5)  2652  btcmxkv.exe                                                              btcmxkv.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe"
  PID: 2784
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\btcmxkv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\btcmxkv.exe"
    PID: 2652
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Users\Admin\AppData\Local\Temp\btcmxkv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\btcmxkv.exe"
      PID: 2708
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 170KB
  MD5: cb957d078b13b564ec68e02c89d517f1
  SHA1: db71f04bf2db0fd65661a5444255565417490fbc
  SHA256: d6a31960fa7479d31ff0fdd549a4d8fdd136cd7be1d7f1c8ead0c4bbe4fd45ab
  SHA512: 7b371a0c0cd6e5b3a9edd11257197c489230bd64f6d37558467958b88b4acf09a46e66ebb36cfe16cef09124c55bfdaba362988e8465dc866cdd92d82b894f91
- Filesize: 333KB
  MD5: 437feb27bf47e822e20fe5c616c36e13
  SHA1: c8b99bf51dc6baa96f3dcc21789962f4a0b3de55
  SHA256: 0df8f1ce24bac50ec8419b5cbd912d90ff69778be78249b67480b2eab2bf1ca3
  SHA512: d65c9283d2a48704e0b469088bb2a362a457bfaf74866350d6d26ff4e86f8961b3cf8ad56323e9e7efa0e1231a7d6e3ab496f0ee2c7543f22617c78bbe511431