Analysis
-
max time kernel
24s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
05-12-2023 17:33
Static task
static1
Behavioral task
behavioral1
Sample
LBDXZOJZ.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
LBDXZOJZ.exe
Resource
win10v2004-20231201-en
General
-
Target
LBDXZOJZ.exe
-
Size
679KB
-
MD5
143bcd7eedd7bba4d27a270b7e3710f0
-
SHA1
0ca36b8a46dbaa099d75e2a9ff5aadffd7924f07
-
SHA256
7f2bd5ae74aa8c987865c6e8e2ba9f92b6cd157cf285c6f545755bc7158b2cef
-
SHA512
b6ab3b6105b9d35d8b12dcb7a392b7b8334f66535fa288faaec16ccf772f0d68da1ffb9bd69eec36d6c4ef3176eadc03529e5072a4263e779a20ef0fcfc80458
-
SSDEEP
12288:+645+po2MHuPxYXmY7yAkwzY4B7haW2z7WEKGxtja9I:+Z+pJHRoB7haWJxUkI
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.babynation.store - Port:
587 - Username:
[email protected] - Password:
Jesus@12 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
LBDXZOJZ.exepid process 1392 LBDXZOJZ.exe 1392 LBDXZOJZ.exe 1392 LBDXZOJZ.exe 1392 LBDXZOJZ.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
LBDXZOJZ.exedescription pid process Token: SeDebugPrivilege 1392 LBDXZOJZ.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
LBDXZOJZ.exedescription pid process target process PID 1392 wrote to memory of 1868 1392 LBDXZOJZ.exe powershell.exe PID 1392 wrote to memory of 1868 1392 LBDXZOJZ.exe powershell.exe PID 1392 wrote to memory of 1868 1392 LBDXZOJZ.exe powershell.exe PID 1392 wrote to memory of 1868 1392 LBDXZOJZ.exe powershell.exe PID 1392 wrote to memory of 2204 1392 LBDXZOJZ.exe schtasks.exe PID 1392 wrote to memory of 2204 1392 LBDXZOJZ.exe schtasks.exe PID 1392 wrote to memory of 2204 1392 LBDXZOJZ.exe schtasks.exe PID 1392 wrote to memory of 2204 1392 LBDXZOJZ.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\LBDXZOJZ.exe"C:\Users\Admin\AppData\Local\Temp\LBDXZOJZ.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\LBDXZOJZ.exe"C:\Users\Admin\AppData\Local\Temp\LBDXZOJZ.exe"2⤵PID:2712
-
C:\Users\Admin\AppData\Local\Temp\LBDXZOJZ.exe"C:\Users\Admin\AppData\Local\Temp\LBDXZOJZ.exe"2⤵PID:2564
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zxuvCjJtE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6B41.tmp"2⤵
- Creates scheduled task(s)
PID:2204 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zxuvCjJtE.exe"2⤵PID:1868
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ad14c1d9a0e8c9db7f5ef3f68acd9cd2
SHA1e012cdd9de38c3a7be0f456bb5a3e69eaf9390c0
SHA2560d1b98b331136aa3646a4fb01de48cc65b9163f11cc5c6a336b56ea50fcce4d6
SHA512eae2c50996a8d19774bb2fe6a5fa281d854d491cbc130a359f7c7111c088f615aa748520a262b74143d3fe137dd453abdb5959c1f77823d41cbd627953d0cf1f