Analysis
- max time kernel: 134s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2023 01:29
Static task: static1
Behavioral task: behavioral1
- Sample: 9cb79b17afa63f9f42d91be5d69f6fdb9f44277211f26cb765cdf95bfc595c0a.exe
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: 9cb79b17afa63f9f42d91be5d69f6fdb9f44277211f26cb765cdf95bfc595c0a.exe
- Resource: win10v2004-20231127-en
General
- Target: 9cb79b17afa63f9f42d91be5d69f6fdb9f44277211f26cb765cdf95bfc595c0a.exe
- Size: 364KB
- MD5: f48d374d35a179552f42893bc46ce802
- SHA1: be8fe7a96c876ca6f14e9f40cc0840e91955b452
- SHA256: 9cb79b17afa63f9f42d91be5d69f6fdb9f44277211f26cb765cdf95bfc595c0a
- SHA512: 5d7e44c266f0bcff7b504455d2a45dbe9d618a5ea55a9fcb457219ca024251694ab1d591268f9408d33e39c98954892a045ec944c4b9b7f463b650309e580644
- SSDEEP: 6144:XBlL/o1wRzFrBwq83dODx+Av8HRJoaKsaqJYNbpVFd3H72us:RG1EwEwAv8HTooHgpVT2d
Malware Config
Extracted
- Protocol: smtp
- Host: mail.activegroup.com.sg
- Port: 587
- Username: [email protected]
- Password: active7244
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    3452  enqzqflo.exe
    4992  enqzqflo.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FdnCz = "C:\\Users\\Admin\\AppData\\Roaming\\FdnCz\\FdnCz.exe"
    process: enqzqflo.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    37    api.ipify.org
    38    api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description: PID 3452 set thread context of 4992
    pid: 3452
    process: enqzqflo.exe
    target process: enqzqflo.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    4992  enqzqflo.exe
    4992  enqzqflo.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid   process
    3452  enqzqflo.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 4992
    process: enqzqflo.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    4992  enqzqflo.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
    PID 3044 wrote to memory of 3452 | 3044 | 9cb79b17afa63f9f42d91be5d69f6fdb9f44277211f26cb765cdf95bfc595c0a.exe | enqzqflo.exe
    PID 3044 wrote to memory of 3452 | 3044 | 9cb79b17afa63f9f42d91be5d69f6fdb9f44277211f26cb765cdf95bfc595c0a.exe | enqzqflo.exe
    PID 3044 wrote to memory of 3452 | 3044 | 9cb79b17afa63f9f42d91be5d69f6fdb9f44277211f26cb765cdf95bfc595c0a.exe | enqzqflo.exe
    PID 3452 wrote to memory of 4992 | 3452 | enqzqflo.exe | enqzqflo.exe
    PID 3452 wrote to memory of 4992 | 3452 | enqzqflo.exe | enqzqflo.exe
    PID 3452 wrote to memory of 4992 | 3452 | enqzqflo.exe | enqzqflo.exe
    PID 3452 wrote to memory of 4992 | 3452 | enqzqflo.exe | enqzqflo.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9cb79b17afa63f9f42d91be5d69f6fdb9f44277211f26cb765cdf95bfc595c0a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9cb79b17afa63f9f42d91be5d69f6fdb9f44277211f26cb765cdf95bfc595c0a.exe"
  PID: 3044
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\enqzqflo.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\enqzqflo.exe"
    PID: 3452
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\enqzqflo.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\enqzqflo.exe"
      PID: 4992
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 170KB
  MD5: 72f70218054153e552a39740a4947415
  SHA1: 9cd5f6d1a6e59dfad27cc513d1120018978a3f19
  SHA256: 674b937a7792d830a8b5283cd44f39caf15451e990cfc2bdd4bac99bab6a3fac
  SHA512: 76e9db31252916ca97a562de4a750e69ac05dba09ce6cb687626ddc362a83088bd6a68c2b7a57592423144fa500d7d2f0f04ffd304bd22ea2ad9f9b2fc6d7c78
- Filesize: 334KB
  MD5: 3fde99d6127607e81130b0ec06c93bf3
  SHA1: 63a53a267d98ac6dcf3e7deb5c6719ffc6babbe9
  SHA256: a222a2bccea94f34548ae351f12cd9b3d0929cd871b9bc42adef21ee8c2a6c9c
  SHA512: a20c7f31423d9a4a31f1f861f210ac46958a8e72bd08060b33124cf5eb1b8977b58b799f58639b7a32a884dbaad176fdfd52f8cd9deb6fefda129f12f610f875