Analysis
-
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20231201-en
resource tags: arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2023 02:27
Static task: static1
Behavioral task: behavioral1
  Sample: 71b3391b6e2ec091dc7d56960d3b8f543b6011b5c3d68fe7e86f33a02605e21d.exe
  Resource: win7-20231201-en
Behavioral task: behavioral2
  Sample: 71b3391b6e2ec091dc7d56960d3b8f543b6011b5c3d68fe7e86f33a02605e21d.exe
  Resource: win10v2004-20231130-en
General
-
Target: 71b3391b6e2ec091dc7d56960d3b8f543b6011b5c3d68fe7e86f33a02605e21d.exe
Size: 350KB
MD5: f8072b8740d7ec0f694d3628e78d5a5a
SHA1: a6620334c67dddcc6dfef55f202a4848416b4f5c
SHA256: 71b3391b6e2ec091dc7d56960d3b8f543b6011b5c3d68fe7e86f33a02605e21d
SHA512: 7bf3d20ae87139fef75524211e21cd6a28b1f6f0dc3d10dd36fe2bf90574f3ccbbc3b4bb1d05b7bf7997a16ecede9506be4111fe98a513f3c4d5efda2ae8b47d
SSDEEP: 6144:2BlL/DWicNIlgOw0nueLkxVtEM9AjhtADy6aia4Htw0vdlRSvdWpC6nmd6:UBWNIlgOw4uZTtPGhtKyz4Nw01lo+fmI
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Executes dropped EXE (2 IoCs)
Processes (pid | process):
  2228 | ldzbtntv.exe
  2408 | ldzbtntv.exe
-
Loads dropped DLL (3 IoCs)
Processes (pid | process):
  2980 | 71b3391b6e2ec091dc7d56960d3b8f543b6011b5c3d68fe7e86f33a02605e21d.exe
  2980 | 71b3391b6e2ec091dc7d56960d3b8f543b6011b5c3d68fe7e86f33a02605e21d.exe
  2228 | ldzbtntv.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1502336823-1680518048-858510903-1000\Software\Microsoft\Windows\CurrentVersion\Run\xbUuw = "C:\\Users\\Admin\\AppData\\Roaming\\xbUuw\\xbUuw.exe" | ldzbtntv.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes (description | pid | process | target process):
  PID 2228 set thread context of 2408 | 2228 | ldzbtntv.exe | ldzbtntv.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
  2408 | ldzbtntv.exe
  2408 | ldzbtntv.exe
-
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes (pid | process):
  2228 | ldzbtntv.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 2408 | ldzbtntv.exe
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid | process):
  2408 | ldzbtntv.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description | pid | process | target process):
  PID 2980 wrote to memory of 2228 | 2980 | 71b3391b6e2ec091dc7d56960d3b8f543b6011b5c3d68fe7e86f33a02605e21d.exe | ldzbtntv.exe
  PID 2980 wrote to memory of 2228 | 2980 | 71b3391b6e2ec091dc7d56960d3b8f543b6011b5c3d68fe7e86f33a02605e21d.exe | ldzbtntv.exe
  PID 2980 wrote to memory of 2228 | 2980 | 71b3391b6e2ec091dc7d56960d3b8f543b6011b5c3d68fe7e86f33a02605e21d.exe | ldzbtntv.exe
  PID 2980 wrote to memory of 2228 | 2980 | 71b3391b6e2ec091dc7d56960d3b8f543b6011b5c3d68fe7e86f33a02605e21d.exe | ldzbtntv.exe
  PID 2228 wrote to memory of 2408 | 2228 | ldzbtntv.exe | ldzbtntv.exe
  PID 2228 wrote to memory of 2408 | 2228 | ldzbtntv.exe | ldzbtntv.exe
  PID 2228 wrote to memory of 2408 | 2228 | ldzbtntv.exe | ldzbtntv.exe
  PID 2228 wrote to memory of 2408 | 2228 | ldzbtntv.exe | ldzbtntv.exe
  PID 2228 wrote to memory of 2408 | 2228 | ldzbtntv.exe | ldzbtntv.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\71b3391b6e2ec091dc7d56960d3b8f543b6011b5c3d68fe7e86f33a02605e21d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\71b3391b6e2ec091dc7d56960d3b8f543b6011b5c3d68fe7e86f33a02605e21d.exe"
Tree level: 1
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2980
-
  C:\Users\Admin\AppData\Local\Temp\ldzbtntv.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ldzbtntv.exe"
  Tree level: 2 (child of PID 2980)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 2228
-
    C:\Users\Admin\AppData\Local\Temp\ldzbtntv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ldzbtntv.exe"
    Tree level: 3 (child of PID 2228)
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2408
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 333KB
MD5: bd9a4b98da605f85eab05cf49cb91b05
SHA1: af956d58f683e8c9c3ece1c4bffe3a980d627151
SHA256: 2ae7ffc957ce2115eb58a5a0a3dee7aea2e76f4d770a705f348a04ca844b173f
SHA512: da2bfb043a1205f91da80abbedfd1700e736000c4a08deb3386bb92018f72c90aab51d9950a6ffa1cac571df12d743019fc383489f44554e08a878f9d02d8fe9
-
Filesize: 178KB
MD5: fa0fbedc16c6871bf81f17269e61eb10
SHA1: f69519160e26e01b32b7dc12e785360e0cb56e5a
SHA256: 0aa0abf2dcacbf6d05529e1987cd340775f04c63571eb0d41843eec4bf32cf9f
SHA512: 135d544c577f8a0e84946151eb75ac39a10177ec26d7fbd8bdfd7249aaa44a33603f4f00018aea8e69e96b6cb9d542eb96b55fa701593483a2bbc7c387e99e1d