Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-12-2023 09:13
Static task: static1
Behavioral task: behavioral1
  Sample: 5041673918XXXXX.BAT.exe
  Resource: win7-20231201-en
Behavioral task: behavioral2
  Sample: 5041673918XXXXX.BAT.exe
  Resource: win10v2004-20231130-en
General
- Target: 5041673918XXXXX.BAT.exe
- Size: 330KB
- MD5: 936f0aaff53261396d764a5429c6a05e
- SHA1: c9b23f881ef506918a8b90a6789878e130fc2d55
- SHA256: 6c7a86fab40be3fa9a95bbeb52f9c790d239646d0ff8504cfa5629f4fd9a1f42
- SHA512: 84fa483869c5307f31496cc66847f777e8ddfe677b2694ec83385dddd34a0a571f36aa50edb39d4da5961346a62e161097c5e62e710795fd8569cfc2f76af967
- SSDEEP: 6144:P8LxBs9bI62/EJuzNsHyAOhJsiBQqu7mycVtXBpve5CzmTc/bfq6PfqpctSbT9k7:B1Ip85yAKJsienHqtuCzJTfPSYSbY
Malware Config
Extracted
- Protocol: smtp
- Host: mail.asiaparadisehotel.com
- Port: 587
- Username: [email protected]
- Password: ^b2ycDldex$@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   | process
    1696  | hffhzbqjsu.exe
    316   | hffhzbqjsu.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
  Processes:
    resource                                                                     | yara_rule
    behavioral2/memory/316-13-0x0000000000400000-0x0000000000456000-memory.dmp   | upx
    behavioral2/memory/316-12-0x0000000000400000-0x0000000000456000-memory.dmp   | upx
    behavioral2/memory/316-11-0x0000000000400000-0x0000000000456000-memory.dmp   | upx
    behavioral2/memory/316-8-0x0000000000400000-0x0000000000456000-memory.dmp    | upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description     | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wgcktpyienjsc = "C:\\Users\\Admin\\AppData\\Roaming\\ejsoxt\\dmirb.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\hffhzbqjsu.exe\" " | hffhzbqjsu.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\M yApp = "C:\\Users\\Admin\\AppData\\Roaming\\M yApp\\M yApp.exe" | hffhzbqjsu.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    26   | api.ipify.org
    27   | api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                         | pid  | process        | target process
    PID 1696 set thread context of 316  | 1696 | hffhzbqjsu.exe | hffhzbqjsu.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  | process
    316  | hffhzbqjsu.exe
    316  | hffhzbqjsu.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid   | process
    1696  | hffhzbqjsu.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              | pid | process
    Token: SeDebugPrivilege  | 316 | hffhzbqjsu.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                    | pid  | process                 | target process
    PID 3672 wrote to memory of 1696 | 3672 | 5041673918XXXXX.BAT.exe | hffhzbqjsu.exe
    PID 3672 wrote to memory of 1696 | 3672 | 5041673918XXXXX.BAT.exe | hffhzbqjsu.exe
    PID 3672 wrote to memory of 1696 | 3672 | 5041673918XXXXX.BAT.exe | hffhzbqjsu.exe
    PID 1696 wrote to memory of 316  | 1696 | hffhzbqjsu.exe          | hffhzbqjsu.exe
    PID 1696 wrote to memory of 316  | 1696 | hffhzbqjsu.exe          | hffhzbqjsu.exe
    PID 1696 wrote to memory of 316  | 1696 | hffhzbqjsu.exe          | hffhzbqjsu.exe
    PID 1696 wrote to memory of 316  | 1696 | hffhzbqjsu.exe          | hffhzbqjsu.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\5041673918XXXXX.BAT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5041673918XXXXX.BAT.exe"
  PID: 3672
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe"
    PID: 1696
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe"
      PID: 316
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 193KB
  MD5: 329714258936d5d850f267ed14ddf624
  SHA1: 198a7e8e17e199444ffdec075c87481d20e8c68c
  SHA256: f91316f363cd9853faa36dccdec6f409ca659491a06fa43fe4a779262688cae2
  SHA512: deae281d7021bfa270c6ff7a7abbdf8d8816d2b84fa9761bf69535e938f6cfa3344014042eb39b4cbcc4c87a8bcf40322dec94b9b8a4f1923fbb28761754a410
- Filesize: 143KB
  MD5: cb822fa06cf740a06a434779546e4e28
  SHA1: 81fb89ad3d832e371940c507892ab8834e5d358f
  SHA256: 465445d9028073e7cb9d58c3ae8973912b1793c1372797a01d275395cd2275e0
  SHA512: 4e61ba0239694fd83601348764173d1591d888119b346993b6decd6761b0de55d8e57d1d8073bb71e115a5b942fd7cea612b489ebe3de74fee152c1fd1746084
- Filesize: 64KB
  MD5: 0598dc77b5f3166e26e1455f11fc34ae
  SHA1: 141d075d76d86c01da9a0cf5ba51ad5890d7dd85
  SHA256: 58f44ecdc157251a33c21ed998612310eb1ae4253191a78e3e1f1dec44bed6d4
  SHA512: a83d7dd187745ff7f34fcbe3e825e7f514047781287882c0f74e52a61c52c7810b86cff411239ed458b1404cedf39a91f8c46874dcec9ad577999850ed3c5c38
- Filesize: 43KB
  MD5: b0588fa5a68051fbfb11761b2274a796
  SHA1: 5d2e20bc9ebce93025555cb1d9283ca0a47d5a40
  SHA256: 4b5abb4e919e96985afa633b2f207a940165f68e156173c081db97a7d6492753
  SHA512: aa62bf43463641ce62f6db37c65afb145ed88c2f4944776b2e142b03254cc007d894ee4e11ef719aa769e00269f8a370142d137718a51cbb36af30e675150ff1