Analysis
- max time kernel: 125s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2023 01:02
Static task: static1
Behavioral task: behavioral1
  Sample: 326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe
  Resource: win7-20231201-en
Behavioral task: behavioral2
  Sample: 326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe
  Resource: win10v2004-20231130-en
General
- Target: 326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe
- Size: 532KB
- MD5: 2c334fd4c8aca0cb889f3fb764b55c5b
- SHA1: 205d9c7f0da4488123ba70432454ee77f58a7a88
- SHA256: 326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb
- SHA512: c58528f5dd0c33477c69719803757054edb70844ce68c0c4df184ce63d8fb5b6ee807a087f0592ad6c1b7c1b221c5144ce9dcc38c0cedac6a65c99dedfe590f3
- SSDEEP: 12288:vcxPgUrbekrZzSuYf63NjHTC9mXyGRqiMgQ/qf:095tz463x2mXynilQyf
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET (VB.NET).
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    3516  btcmxkv.exe
    1000  btcmxkv.exe
    4396  btcmxkv.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SzvWIzD = "C:\\Users\\Admin\\AppData\\Roaming\\SzvWIzD\\SzvWIzD.exe"  btcmxkv.exe
  The key sits under the logged-on user's hive (\REGISTRY\USER\<SID>, i.e. HKCU), so the persistence needs no administrator rights. The value name, the folder and the file name are all the same generated string (SzvWIzD) under %APPDATA%, which is where to look for the copied payload on an infected host.
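A small triage script for the persistence pattern in the Run key IoC above. This is an added example, not part of the sandbox report and not Agent Tesla code: the heuristics in `assess_run_entry` are my own, and the sample entry is constructed from the report's IoC. `scan_hkcu_run` only does anything on a Windows host; elsewhere the script falls back to the constructed entry.

```python
"""Triage HKCU Run entries for the persistence pattern recorded above.

Added example, not part of the sandbox report and not Agent Tesla code.
The heuristics (assess_run_entry) are my own; the sample entry is
constructed from the report's 'Adds Run key to start application' IoC.
"""
import ntpath
import sys

# Constructed from the report: value name -> command data, as Triage renders
# it (quoted path; the report shows the backslashes doubled).
REPORT_RUN_ENTRY = {
    "SzvWIzD": '"C:\\Users\\Admin\\AppData\\Roaming\\SzvWIzD\\SzvWIzD.exe"',
}

# Directories a standard user can write to; legitimate autostarts rarely live here.
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def exe_path(command):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def assess_run_entry(name, command):
    """List the reasons a Run value looks like malware persistence.

    An empty list means nothing matched these heuristics, not that the entry
    is benign. ntpath is used so the check also runs on a non-Windows analysis host.
    """
    reasons = []
    path = exe_path(command)
    low = path.lower()
    if any(d in low for d in USER_WRITABLE_DIRS):
        reasons.append("executable lives in a user-writable profile directory")
    stem = ntpath.splitext(ntpath.basename(path))[0]
    parent_dir = ntpath.basename(ntpath.dirname(path))
    if stem == parent_dir == name:
        reasons.append("value name, folder name and exe name are identical "
                       "(typical of a generated persistence name)")
    return reasons


def scan_hkcu_run():
    """Enumerate the live HKCU Run key on a Windows host (returns {} elsewhere).

    The report lists the key under \\REGISTRY\\USER\\<SID>; that is the hive
    HKCU maps to for the logged-on user.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only stdlib module
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values under this key
                break
            entries[name] = str(data)
            index += 1
    return entries


def triage(entries):
    """Return {name: reasons} for every entry that triggered at least one heuristic."""
    hits = {}
    for name, command in entries.items():
        reasons = assess_run_entry(name, command)
        if reasons:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    live = scan_hkcu_run() or REPORT_RUN_ENTRY
    for entry_name, why in triage(live).items():
        print(entry_name, "->", "; ".join(why))
```

On a suspected host, run it as the affected user; a hit is a starting point for pulling the file under %APPDATA% for hashing, not a verdict on its own.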
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network (flow, ioc):
    3  api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 3516 set thread context of 4396  3516  btcmxkv.exe  btcmxkv.exe
  Together with the WriteProcessMemory calls from 3516 into 4396 and the MapViewOfSection activity in 3516 (both listed below), this matches the process-hollowing (RunPE) sequence: the dropped loader writes its unpacked payload into a second copy of itself and redirects that copy's thread. PID 4396 is then the process that shows the Agent Tesla behaviour (Run key, SeDebugPrivilege, process enumeration).
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    4396  btcmxkv.exe
    4396  btcmxkv.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
    3516  btcmxkv.exe
    3516  btcmxkv.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  4396  btcmxkv.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description, pid, process, target process):
    PID 3340 wrote to memory of 3516  3340  326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe  btcmxkv.exe  (3 events)
    PID 3516 wrote to memory of 1000  3516  btcmxkv.exe  btcmxkv.exe  (3 events)
    PID 3516 wrote to memory of 4396  3516  btcmxkv.exe  btcmxkv.exe  (4 events)
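The WriteProcessMemory and SetThreadContext signatures above are listed as separate IoCs; the hollowing call only becomes clear when the two are correlated per parent/child pair. The script below does that correlation. It is an added example, not part of the sandbox report and not Triage's detection logic: the event lines are constructed from the signature tables above, and the parser and rule are my own.

```python
"""Correlate the report's injection IoCs into process-hollowing candidates.

Added example, not part of the sandbox report. The event lines are
constructed from the 'Suspicious use of WriteProcessMemory' and
'Suspicious use of SetThreadContext' signatures; the parser and the
correlation rule are my own, not Triage's detection logic.
"""
import re
from collections import defaultdict

# Constructed from the report, one API event per line:
# "PID <src> <op> <dst> <src pid> <src image> <dst image>".
REPORT_EVENTS = """\
PID 3340 wrote to memory of 3516 3340 326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe btcmxkv.exe
PID 3340 wrote to memory of 3516 3340 326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe btcmxkv.exe
PID 3340 wrote to memory of 3516 3340 326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe btcmxkv.exe
PID 3516 wrote to memory of 1000 3516 btcmxkv.exe btcmxkv.exe
PID 3516 wrote to memory of 1000 3516 btcmxkv.exe btcmxkv.exe
PID 3516 wrote to memory of 1000 3516 btcmxkv.exe btcmxkv.exe
PID 3516 wrote to memory of 4396 3516 btcmxkv.exe btcmxkv.exe
PID 3516 wrote to memory of 4396 3516 btcmxkv.exe btcmxkv.exe
PID 3516 wrote to memory of 4396 3516 btcmxkv.exe btcmxkv.exe
PID 3516 wrote to memory of 4396 3516 btcmxkv.exe btcmxkv.exe
PID 3516 set thread context of 4396 3516 btcmxkv.exe btcmxkv.exe
"""

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

OP_NAMES = {"wrote to memory of": "WriteProcessMemory",
            "set thread context of": "SetThreadContext"}


def parse_events(text):
    """Parse report lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({
                "src": int(m["src"]), "dst": int(m["dst"]),
                "op": OP_NAMES[m["op"]],
                "src_img": m["src_img"], "dst_img": m["dst_img"],
            })
    return events


def find_hollowing_candidates(events):
    """Return {(src, dst): info} for pairs where src both wrote into dst's
    memory and replaced a thread context in dst.

    A write on its own is common (the loader also writes to 1000, and is
    itself written to by 3340); it is the write plus SetThreadContext on the
    same target, the RunPE / hollowing sequence, that gets flagged.
    """
    writes = defaultdict(int)
    context_set = set()
    images = {}
    for e in events:
        pair = (e["src"], e["dst"])
        images[pair] = (e["src_img"], e["dst_img"])
        if e["op"] == "WriteProcessMemory":
            writes[pair] += 1
        elif e["op"] == "SetThreadContext":
            context_set.add(pair)
    return {
        pair: {
            "writes": writes[pair],
            "images": images[pair],
            # Same image on both sides: the loader hollowed a copy of itself.
            "self_image": images[pair][0] == images[pair][1],
        }
        for pair in context_set if writes[pair] > 0
    }


if __name__ == "__main__":
    for (src, dst), info in find_hollowing_candidates(parse_events(REPORT_EVENTS)).items():
        print(f"hollowing candidate: {src} -> {dst} "
              f"({info['writes']} writes, images {info['images']}, "
              f"self-image={info['self_image']})")
```

The same rule ports to EDR telemetry: key on (source pid, target pid), count memory writes, and alert when a thread-context change lands on a target that already received writes. Note it is the combination that is flagged, so the pairs 3340 to 3516 and 3516 to 1000 come out clean even though both involve cross-process writes.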
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe (PID 3340)
      Command line: "C:\Users\Admin\AppData\Local\Temp\326ca233e9e93b07a4ce7232bf7191a95cfa11e2d69c1b1a79fc69f1980722fb.exe"
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\btcmxkv.exe (PID 3516)
        Command line: "C:\Users\Admin\AppData\Local\Temp\btcmxkv.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\btcmxkv.exe (PID 1000)
          Command line: "C:\Users\Admin\AppData\Local\Temp\btcmxkv.exe"
          - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\btcmxkv.exe (PID 4396)
          Command line: "C:\Users\Admin\AppData\Local\Temp\btcmxkv.exe"
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 170KB (listed four times in the report, identical hashes each time)
  MD5: cb957d078b13b564ec68e02c89d517f1
  SHA1: db71f04bf2db0fd65661a5444255565417490fbc
  SHA256: d6a31960fa7479d31ff0fdd549a4d8fdd136cd7be1d7f1c8ead0c4bbe4fd45ab
  SHA512: 7b371a0c0cd6e5b3a9edd11257197c489230bd64f6d37558467958b88b4acf09a46e66ebb36cfe16cef09124c55bfdaba362988e8465dc866cdd92d82b894f91
- Filesize: 333KB
  MD5: 437feb27bf47e822e20fe5c616c36e13
  SHA1: c8b99bf51dc6baa96f3dcc21789962f4a0b3de55
  SHA256: 0df8f1ce24bac50ec8419b5cbd912d90ff69778be78249b67480b2eab2bf1ca3
  SHA512: d65c9283d2a48704e0b469088bb2a362a457bfaf74866350d6d26ff4e86f8961b3cf8ad56323e9e7efa0e1231a7d6e3ab496f0ee2c7543f22617c78bbe511431