Analysis

max time kernel: 122s
max time network: 126s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2023 17:34
Static task: static1
Behavioral task: behavioral1
  Sample: Blast E&I Supplies & Services, LLC Statement of Account PDF.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: Blast E&I Supplies & Services, LLC Statement of Account PDF.exe
  Resource: win10v2004-20231201-en
General

Target: Blast E&I Supplies & Services, LLC Statement of Account PDF.exe
Size: 476KB
MD5: 80c8442c33ad9f34b8c1fea06d0e3b97
SHA1: 29120925c1e77739043c967c28d8b527ceca89de
SHA256: 32e78542acc7b2bf144e1643c857b42f26275f78ac8411dea741159467d47573
SHA512: d362d2a1a57d30a8d7f8610256e448c187c56808da6411d7cd73d2925a16dadf75293ffae4abadec1da5ca8f0d180b4f0956809feb8cde6b7287f215a78550d8
SSDEEP: 12288:xeLlxymPaHjAIFF3/IW9bQ8XjwbICmhNKk/f:xe/ymPTIFqWTx/hNKkf
Malware Config
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer, typically written in Visual Basic .NET. Its credential harvesting from browsers, email clients and FTP clients is what the "Reads ..." signatures below record.
Executes dropped EXE (2 IoCs)
Processes:
  PID 1560  ceigouxy.exe
  PID 2700  ceigouxy.exe

Loads dropped DLL (3 IoCs)
Processes:
  PID 2968  Blast E&I Supplies & Services, LLC Statement of Account PDF.exe
  PID 2968  Blast E&I Supplies & Services, LLC Statement of Account PDF.exe
  PID 1560  ceigouxy.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  ceigouxy.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\FdnCz = "C:\\Users\\Admin\\AppData\\Roaming\\FdnCz\\FdnCz.exe"
Note: the value is written under the user's own hive (HKU\S-1-5-21-...-1000) and points into %APPDATA%\FdnCz\, so this persistence needs no elevation. The process tree attributes it to the second ceigouxy.exe instance (PID 2700).
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 4  api.ipify.org
  flow 5  api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1560 (ceigouxy.exe) set thread context of PID 2700 (ceigouxy.exe)
Note: together with the WriteProcessMemory writes from 1560 into 2700 and the MapViewOfSection signature on 1560 (both below), this is the sequence of a process-hollowing-style self-injection: the first ceigouxy.exe instance launches a second copy of itself, writes into it, then redirects its thread.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 2700  ceigouxy.exe
  PID 2700  ceigouxy.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  PID 1560  ceigouxy.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  PID 2700  ceigouxy.exe  Token: SeDebugPrivilege
Note: enabling SeDebugPrivilege only succeeds if the token already holds it (it is present but disabled in administrator tokens); once enabled it lets the process open handles to processes owned by other users.

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 2700  ceigouxy.exe
Note: SetWindowsHookEx is the API a user-mode keylogger uses to install a keyboard hook; the report records only that it was called, not the hook type.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 2968 (Blast E&I Supplies & Services, LLC Statement of Account PDF.exe) wrote to memory of PID 1560 (ceigouxy.exe)  (4 times)
  PID 1560 (ceigouxy.exe) wrote to memory of PID 2700 (ceigouxy.exe)  (5 times)
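As an added example (not part of the sandbox report or any vendor's tooling), the Python below turns three of the behaviours above into detection logic and runs it over constructed Sysmon-style events that mirror the report's process tree, Run key and api.ipify.org lookup. The event field names follow Sysmon's (EventID, Image, ParentImage, TargetObject, Details, QueryName), the events themselves are invented here with the report's PIDs and paths, and the IP-lookup hosts other than api.ipify.org are an assumption. The hash set is copied from this page so the same script can be pointed at a digest from an endpoint.

```python
import re

# IoCs copied from the report (submitted sample and the two files under
# Downloads), lower-case SHA256.
KNOWN_SHA256 = {
    "32e78542acc7b2bf144e1643c857b42f26275f78ac8411dea741159467d47573",  # sample, 476KB
    "418badf9bf9751c14139c966d1447ff28d82938bc52dbbb299cbccb299717862",  # 287KB file
    "922450b2e7adcca958aaff7677f1ff821ed6b99ce707a37c34c6e3b682614385",  # 334KB file
}

# api.ipify.org is the host in the report; the others are common
# alternatives added as an assumption, not taken from the page.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipify.org", "checkip.amazonaws.com", "icanhazip.com"}

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)


def is_known_hash(sha256: str) -> bool:
    """True if a SHA256 digest (any case) matches a file from the report."""
    return sha256.strip().lower() in KNOWN_SHA256


def check_run_key(ev):
    # Sysmon EventID 13 (registry value set): Run key whose target lives in a
    # user-writable profile directory, as with FdnCz.exe under AppData\Roaming.
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    target = ev.get("Details", "")
    if USER_WRITABLE_RE.search(target):
        return f"run-key persistence to user-writable path: {target} (by {ev.get('Image')})"
    return None


def check_self_spawn(ev):
    # Sysmon EventID 1 (process create): parent and child share one image path
    # in %TEMP%, the ceigouxy.exe -> ceigouxy.exe pattern that precedes the
    # SetThreadContext / WriteProcessMemory injection in the report.
    if ev.get("EventID") != 1:
        return None
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    if image and image.lower() == parent.lower() and TEMP_DIR_RE.search(image):
        return f"temp-dir binary spawned itself (injection target): {image}"
    return None


def check_ip_lookup(ev):
    # Sysmon EventID 22 (DNS query): external-IP lookup from a %TEMP% binary.
    if ev.get("EventID") != 22:
        return None
    host = ev.get("QueryName", "").lower().rstrip(".")
    if host in IP_LOOKUP_HOSTS and TEMP_DIR_RE.search(ev.get("Image", "")):
        return f"external IP lookup ({host}) from temp-dir binary {ev.get('Image')}"
    return None


CHECKS = (check_run_key, check_self_spawn, check_ip_lookup)


def triage(events):
    """Run every check over every event and return the list of findings."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed events mirroring the report's process tree (PIDs and paths from
# the page; the benign installer event is invented as a control).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1560, "Image": TEMP + r"\ceigouxy.exe",
     "ParentImage": TEMP + r"\Blast E&I Supplies & Services, LLC Statement of Account PDF.exe"},
    {"EventID": 1, "ProcessId": 2700, "Image": TEMP + r"\ceigouxy.exe",
     "ParentImage": TEMP + r"\ceigouxy.exe"},
    {"EventID": 13, "ProcessId": 2700, "Image": TEMP + r"\ceigouxy.exe",
     "TargetObject": r"HKU\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\FdnCz",
     "Details": r"C:\Users\Admin\AppData\Roaming\FdnCz\FdnCz.exe"},
    {"EventID": 22, "ProcessId": 2700, "Image": TEMP + r"\ceigouxy.exe",
     "QueryName": "api.ipify.org"},
    {"EventID": 13, "ProcessId": 4242, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The first process-create event (sample → ceigouxy.exe) is deliberately not flagged: a dropper launching a differently named child is too common to alert on by itself, whereas a Temp-resident binary re-launching its own image is the specific precursor to the hollowing seen here. The benign Run key written to Program Files by an installer is also left alone, which is the check that keeps the persistence rule from paging on every software install.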
Processes

C:\Users\Admin\AppData\Local\Temp\Blast E&I Supplies & Services, LLC Statement of Account PDF.exe  (PID 2968, level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\Blast E&I Supplies & Services, LLC Statement of Account PDF.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\ceigouxy.exe  (PID 1560, level 2, child of 2968)
    command line: "C:\Users\Admin\AppData\Local\Temp\ceigouxy.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\ceigouxy.exe  (PID 2700, level 3, child of 1560)
        command line: "C:\Users\Admin\AppData\Local\Temp\ceigouxy.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 287KB (this file is listed 7 times in the report)
MD5: 82e1425ae5e9c114a07a30ac26cc0ed7
SHA1: e12b591d529346ea748b235f207d405682c3a8b0
SHA256: 418badf9bf9751c14139c966d1447ff28d82938bc52dbbb299cbccb299717862
SHA512: 5ce89b30a07d5927d885621743c7526bc9af1bd10a964b273a9091e79e30dbbc36fb719048dc6e6005fc3d4e6ea60a74dbae4610518bb212fd29020c51be833a

Filesize: 334KB
MD5: 91ff50eb9fcdce2f5012d7600e74812a
SHA1: 5d382db6089dcf0770ad140bc45ef4ca249a1f5d
SHA256: 922450b2e7adcca958aaff7677f1ff821ed6b99ce707a37c34c6e3b682614385
SHA512: c7b8e018268dc24d7e7e4ee9ab9d90f478c1c2f660e18b97d2577cb4fbc8d7b593b63ba6977e96f50bb2fad65bb24abceac83e83804d26f74eed1ae4de00caaa