Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 12-12-2023 14:39
Static task: static1
Behavioral task: behavioral1
- Sample: Balance payment.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: Balance payment.exe
- Resource: win10v2004-20231130-en
General
- Target: Balance payment.exe
- Size: 614KB
- MD5: c76751eb111c227d587f5aff012df2fc
- SHA1: 89069a18e42fc15da8d221893dbadef9715ce5c8
- SHA256: 3f479de77fd65ff82d89c44b941aedd81d9afe93093699e40ba82b02e058719a
- SHA512: 39b7642c99bace5f1a1577a58cdb702fb384dbabeff28e9044a373b4f1e4c8a05e672c52e4ac21d16503afec5ec2f6656506a73901d8233c620f3110be6d827e
- SSDEEP: 12288:z3IU8S6eUdSTThn7IDPAbXopeOBA2TiE20XpMaqzIH+YOL:DItSAduhI0bXoVwEIamDH
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.vrlogistic.com
- Port: 587
- Username: [email protected]
- Password: @dmin@123
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access trojan and information stealer (keylogging, browser and mail-client credential theft). The extracted config above shows this build exfiltrating over SMTP with hard-coded mailbox credentials.
- Detect ZGRat V1 (1 IoC)
  resource: behavioral1/memory/2104-3-0x0000000000530000-0x0000000000548000-memory.dmp
  yara_rule: family_zgrat_v1
- Adds Run key to start application (2 TTPs, 1 IoC)
  RegSvcs.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"
- Suspicious use of SetThreadContext (1 IoC)
  PID 2104 (Balance payment.exe) set thread context of PID 2576 (RegSvcs.exe).
  Together with the 12 WriteProcessMemory calls into the same PID (below) and RegSvcs.exe being started with no assembly argument, this is the process-hollowing pattern: the payload runs inside the legitimate .NET utility, which is why the Run key is written by RegSvcs.exe rather than by the dropper.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  2104 Balance payment.exe (x8), 1576 powershell.exe, 2592 powershell.exe, 2576 RegSvcs.exe (x2)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege enabled by 2104 Balance payment.exe, 1576 powershell.exe, 2592 powershell.exe, 2576 RegSvcs.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  PID 2104 (Balance payment.exe) wrote to memory of: 1576 powershell.exe (x4), 2592 powershell.exe (x4), 2680 schtasks.exe (x4), 2576 RegSvcs.exe (x12)
Processes
- C:\Users\Admin\AppData\Local\Temp\Balance payment.exe (PID 2104, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1576, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2592, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uCxRFk.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2680, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uCxRFk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B1F.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2576, level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Note: the command lines name System32, but the images actually executed live in SysWOW64, and the hollowed host is the 32-bit Framework (not Framework64) RegSvcs.exe. The dropper is a 32-bit process, so its child launches go through WOW64 file-system redirection; a detection that keys on the System32 path string alone will miss these children.
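The behaviours in this tree (Defender exclusions added via Add-MpPreference, a scheduled task created from an XML file in the user's Temp directory, a .NET utility started with no arguments and then written to and SetThreadContext'ed by its parent, and a Run key pointing into AppData\Roaming) are each individually noisy but together are a high-confidence loader pattern. The following Python script is an added example, not part of the sandbox report: it turns those behaviours into detection rules and runs them over records transcribed from the process tree and signatures above (same PIDs and command lines). The rule names, the ATT&CK technique mapping, the list of commonly abused .NET hosts, and the benign control record (PIDs 9001/9002) are my own assumptions, not the report's.

```python
"""Behavioural triage over the sandbox process tree above.

Added example, not part of the sandbox report. PROCS, REG_SETS and CTX_EVENTS
are transcribed from the report (same PIDs and command lines); rule names, the
ATT&CK mapping, DOTNET_HOSTS and the benign control records are my own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # image actually executed (after WOW64 redirection)
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    technique: str  # ATT&CK Enterprise ID (my mapping, not the report's)
    detail: str


# Transcribed from the Processes section (parent PID 2104).
PROCS = [
    Proc(2104, 0, r"C:\Users\Admin\AppData\Local\Temp\Balance payment.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"'),
    Proc(1576, 2104, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
         r'-ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Balance payment.exe"'),
    Proc(2592, 2104, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
         r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\uCxRFk.exe"'),
    Proc(2680, 2104, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uCxRFk" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp1B1F.tmp"'),
    Proc(2576, 2104, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    # Constructed benign control (not in the report): RegSvcs run from an admin
    # shell with an assembly argument must not trip the hollowing rule.
    Proc(9001, 0, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    Proc(9002, 9001, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\Program Files\Vendor\Comp.dll'),
]

# From the "Adds Run key" signature: (pid, value path, data).
REG_SETS = [
    (2576,
     r"\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000"
     r"\Software\Microsoft\Windows\CurrentVersion\Run\boqXv",
     r"C:\Users\Admin\AppData\Roaming\boqXv\boqXv.exe"),
]

# From the "Suspicious use of SetThreadContext" signature: (source pid, target pid).
CTX_EVENTS = [(2104, 2576)]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# .NET utilities commonly used as hollowing hosts (my list, not exhaustive).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_args(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) image token."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return bool(m and m.group(1).strip())


def triage(procs, reg_sets, ctx_events):
    by_pid = {p.pid: p for p in procs}
    found = []
    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        # Impair Defenses: Defender exclusion added from PowerShell.
        if name == "powershell.exe" and re.search(r"\bAdd-MpPreference\b", p.cmdline, re.I):
            m = re.search(r'-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)"?', p.cmdline, re.I)
            if m:
                found.append(Finding(p.pid, "defender_exclusion_added", "T1562.001", m.group(1)))
        # Scheduled task created from an XML definition in the user profile.
        if name == "schtasks.exe" and re.search(r"/create\b", p.cmdline, re.I):
            m = re.search(r'/xml\s+"?([^"]+)"?', p.cmdline, re.I)
            if m and USER_WRITABLE.search(m.group(1)):
                found.append(Finding(p.pid, "schtasks_xml_from_user_profile", "T1053.005", m.group(1)))
        # .NET host started with no assembly to run, by a parent in a user-writable path.
        if (name in DOTNET_HOSTS and not has_args(p.cmdline)
                and parent is not None and USER_WRITABLE.search(parent.image)):
            found.append(Finding(p.pid, "dotnet_host_no_args_from_user_profile", "T1055.012",
                                 f"parent {parent.pid} {basename(parent.image)}"))
    # Thread context rewritten in a .NET host by another process: hollowing.
    for src, dst in ctx_events:
        tgt = by_pid.get(dst)
        if tgt and src != dst and basename(tgt.image) in DOTNET_HOSTS:
            found.append(Finding(dst, "thread_context_set_by_other_process", "T1055.012", f"by pid {src}"))
    # Run key whose target lives under AppData.
    for pid, key, data in reg_sets:
        if re.search(r"\\CurrentVersion\\Run\\", key, re.I) and USER_WRITABLE.search(data):
            found.append(Finding(pid, "run_key_points_into_appdata", "T1547.001", data))
    return found


def summarize(findings):
    """Technique -> sorted PIDs, the shape an alert or ticket would carry."""
    out = defaultdict(set)
    for f in findings:
        out[f.technique].add(f.pid)
    return {t: sorted(p) for t, p in sorted(out.items())}


if __name__ == "__main__":
    hits = triage(PROCS, REG_SETS, CTX_EVENTS)
    for f in hits:
        print(f"pid {f.pid:<5} {f.technique:<10} {f.rule}: {f.detail}")
    print(summarize(hits))
```

In a real pipeline the same records come from Sysmon process-creation and registry events (or the EDR equivalent); the hollowing rule deliberately keys on the parent's image path rather than on "System32" in the command line, because, as the note above shows, a 32-bit dropper's children are redirected to SysWOW64. The benign control (PID 9002) shows that RegSvcs.exe invoked with an assembly argument from a non-profile parent produces no finding.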
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: df1114081ebe12877d8588dea945b9f6
  SHA1: 41f958f951302844ab5ef0283b6cd70b3ae4580a
  SHA256: a8abb96920b7eae14ffb772848cb6c3a441755523b05f30f45da620b197289d3
  SHA512: 04b07cbc8d1fe8ed6041017af9e7b67a212ebb1bdfa5c947a7b4537ad68ca4d546b805fa4395be8195dcd9075bfcad326e0827fc6f53d74071dc8b906c6f0450
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: ddd334698cc82acc135378a72df30393
  SHA1: e704c12a687f995f871627bb06111d2e28d410bb
  SHA256: 46e99373cd892b2af70ee2ed7f1a7d4a32adb9adc42178b3ae5f91e5248ceb29
  SHA512: 4b8f1c2daaad079db54c4a2bea3d59e95c9b442fc08b1f7210555527860ab9741dc536e46bc7f43ce7b199a8920b842b389313f02f414fbd14d051f2b7b23aaa