Analysis
-
max time kernel
63s -
max time network
52s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2023 17:49
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ErxziChanger.exe
Resource
win10v2004-20231130-en
windows10-2004-x64
6 signatures
120 seconds
General
-
Target
ErxziChanger.exe
-
Size
1.2MB
-
MD5
a091a0d7b0ee7f997438d68d93d2366e
-
SHA1
b720654bdc8e414cc5d5e05f9d9e4c2416af19c4
-
SHA256
de0b13129c4f3e3a7bfc973d4be6284514b3098776ea970fb3a09743ef247c97
-
SHA512
848a0e84f201c41a4ee0f7d1fa285c7e00452a9b77402993a2e399786f55eec32555ad53d5dce4d2b808f7272296108e3a8a5a179c4e813ec8762a33860e9577
-
SSDEEP
24576:ifWjg4xVGitOcfYmzwGXvlBeDWH89eosLliGnIuN1Kmk:ifWjgYEitVwmzwGXvlBNH89kLZnTamk
Score
10/10
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/3336-5-0x00000183D7DF0000-0x00000183D8004000-memory.dmp family_agenttesla -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
ErxziChanger.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS ErxziChanger.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer ErxziChanger.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion ErxziChanger.exe -
Processes:
ErxziChanger.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Internet Explorer\TypedURLs ErxziChanger.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
ErxziChanger.exepid process 3336 ErxziChanger.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ErxziChanger.exedescription pid process Token: SeDebugPrivilege 3336 ErxziChanger.exe