Analysis
- max time kernel: 141s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 16:49
Static task: static1
Behavioral task: behavioral1
  Sample: 4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe
  Resource: win10v2004-20231130-en
General
- Target: 4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe
- Size: 590KB
- MD5: 9a46443adb0790a183a57bbbb4364319
- SHA1: 7b0fec8e74a85227590b8db215bda895c7df081e
- SHA256: 4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7
- SHA512: c6ff22639f8c5b43c3798f14c22b32da1441829434b18a4f7755c14ec35c3a186a89314e94dfac6ed714abc8221673bf2614c74c7949e93006e13ac92291debd
- SSDEEP: 6144:e8LxBDQx8ayrbor7Bh/YbFE+jawvkqEMtTXw/4fBvBcY6pZB6liIvMXhi7LlnbDE:qxPgUr7B2hiZqXjcY6gvMXhE5bZw1Hh
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE 2 IoCs
  Processes:
    pid: 3012; process: kqwfsmdy.exe
    pid: 2012; process: kqwfsmdy.exe
- Loads dropped DLL 2 IoCs
  Processes:
    pid: 880; process: 4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe
    pid: 3012; process: kqwfsmdy.exe
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SzvWIzD = "C:\\Users\\Admin\\AppData\\Roaming\\SzvWIzD\\SzvWIzD.exe"
    process: kqwfsmdy.exe
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow: 4; ioc: api.ipify.org
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
    description: PID 3012 set thread context of 2012; pid: 3012; process: kqwfsmdy.exe; target process: kqwfsmdy.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes:
    pid: 2012; process: kqwfsmdy.exe
    pid: 2012; process: kqwfsmdy.exe
- Suspicious behavior: MapViewOfSection 1 IoCs
  Processes:
    pid: 3012; process: kqwfsmdy.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
    description: Token: SeDebugPrivilege; pid: 2012; process: kqwfsmdy.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
    description: PID 880 wrote to memory of 3012; pid: 880; process: 4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe; target process: kqwfsmdy.exe
    description: PID 880 wrote to memory of 3012; pid: 880; process: 4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe; target process: kqwfsmdy.exe
    description: PID 880 wrote to memory of 3012; pid: 880; process: 4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe; target process: kqwfsmdy.exe
    description: PID 880 wrote to memory of 3012; pid: 880; process: 4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe; target process: kqwfsmdy.exe
    description: PID 3012 wrote to memory of 2012; pid: 3012; process: kqwfsmdy.exe; target process: kqwfsmdy.exe
    description: PID 3012 wrote to memory of 2012; pid: 3012; process: kqwfsmdy.exe; target process: kqwfsmdy.exe
    description: PID 3012 wrote to memory of 2012; pid: 3012; process: kqwfsmdy.exe; target process: kqwfsmdy.exe
    description: PID 3012 wrote to memory of 2012; pid: 3012; process: kqwfsmdy.exe; target process: kqwfsmdy.exe
    description: PID 3012 wrote to memory of 2012; pid: 3012; process: kqwfsmdy.exe; target process: kqwfsmdy.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe"
   PID: 880
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe (child of PID 880)
      Command line: "C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe"
      PID: 3012
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe (child of PID 3012)
         Command line: "C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe"
         PID: 2012
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 174KB
  MD5: 2c5cdbdd5085c791f3b81e08c79de059
  SHA1: 73ff7c5c15bac1311fb9f471af1c875cda9b237f
  SHA256: ac6175b0a244705e107944c4838c2344be1c7f91ba6777d667a9df487014d90b
  SHA512: a3905e334d9d0b47e5ee399abf3b1c2211a68fb6971ec6144b1fec8bc0542c23289d2a390fe1f192d585dd5fdd43573eb45820d0ef5a50621d224f9d679ec650
- Filesize: 333KB
  MD5: 2e445696a8ae2ff850c0fdbe917937cb
  SHA1: ce4e54cb29fd04a20efb19b5607d6aa3b2a81a9b
  SHA256: 10773af14402f5ec0c538bb6816afac711b2be71b356cb66ea625113261dd88b
  SHA512: a4142c10b0854506fee49533198b9a7a5a90bc52e26acc3d5c3cb16d848397d53097c9cc1b415a05a4269248daf571473f1566eab92c6f41a85ad48e4b6f9dc7