Analysis
-
Max time kernel: 141s
Max time network: 123s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 05-12-2023 16:50
Static task: static1
Behavioral task: behavioral1
  Sample: 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
  Resource: win10v2004-20231130-en
General
-
Target: 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
Size: 407KB
MD5: ac1bf5c38abb09be737d7b48ebc5d553
SHA1: 6bc0a3dde35d3be636cb2f9d783318956e0fcc4a
SHA256: 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5
SHA512: 5ef7998b0545b14e8a291339c312c756273896ee11d736252abefb2103facad2fcc53d98a8769645119e9d875a422a1df5ca54236a9e92c0a2fce6a757da31d9
SSDEEP: 12288:xE2N3AHQg6mTb5wm7kRSu3kI6SAx9Uj+antxFQ:xtNQHQgxbkRL7w1Kt3Q
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Executes dropped EXE (2 IoCs)
Processes:
  PID 3044  scgdttsl.exe
  PID 3068  scgdttsl.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  PID 2928  7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
  PID 3044  scgdttsl.exe
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\LHdEfz = "C:\\Users\\Admin\\AppData\\Roaming\\LHdEfz\\LHdEfz.exe"
  Process: scgdttsl.exe
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  Flow 4  IoC: api.ipify.org
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  Description: set thread context  PID 3044 scgdttsl.exe -> target PID 3068 scgdttsl.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 3068  scgdttsl.exe
  PID 3068  scgdttsl.exe
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  PID 3044  scgdttsl.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Description: Token: SeDebugPrivilege  PID 3068  scgdttsl.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 3068  scgdttsl.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  Description: wrote to memory of  PID 2928 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe -> target PID 3044 scgdttsl.exe
  Description: wrote to memory of  PID 2928 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe -> target PID 3044 scgdttsl.exe
  Description: wrote to memory of  PID 2928 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe -> target PID 3044 scgdttsl.exe
  Description: wrote to memory of  PID 2928 7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe -> target PID 3044 scgdttsl.exe
  Description: wrote to memory of  PID 3044 scgdttsl.exe -> target PID 3068 scgdttsl.exe
  Description: wrote to memory of  PID 3044 scgdttsl.exe -> target PID 3068 scgdttsl.exe
  Description: wrote to memory of  PID 3044 scgdttsl.exe -> target PID 3068 scgdttsl.exe
  Description: wrote to memory of  PID 3044 scgdttsl.exe -> target PID 3068 scgdttsl.exe
  Description: wrote to memory of  PID 3044 scgdttsl.exe -> target PID 3068 scgdttsl.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7b6926c5ba35844040af07756fa9159cdaa053ccab13249f7d1adc4da2b752b5.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2928
-
Level 2: C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 3044
-
Level 1: C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\scgdttsl.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID: 3068
Downloads
-
Filesize: 173KB
MD5: 6f8cb7bcb4ea8b900e00b3557231aed6
SHA1: ec424177535362f8e3d699b0875740a9272cd844
SHA256: 49917d5fb319af63f79dc95f188e00649047914d6ebdf4f141a7afb41c3ee5fd
SHA512: 63c132635673fbd27a17347cf0b8e582774204564304cbd47cb8318c82acc370e607cd72d440982012c724570e47518db6e95ecd37411bb60e8fecaf7a30727d
-
Filesize: 334KB
MD5: 7d3d03e5e9ce95b6a39a83fb2347e250
SHA1: 652f4c084a92cfca3292ada7653ea20283f849bd
SHA256: 420e91d0e3befadbb1e09faea8dab8e6502d3d3172b074512b61b64d812478cd
SHA512: 5ecd7043f16bd80b3933403e1d473032054e38c767efa09b47c822be4c90cd432d63036b78335f1c67b7d8243c0ac064ab0cc0bdaa70067e140ec62a0b602df9