Analysis
max time kernel: 268s
max time network: 271s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2023 15:28
Static task: static1
Behavioral task: behavioral1
  Sample: Statement of Account.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: Statement of Account.exe
  Resource: win10v2004-20231127-en
General
Target: Statement of Account.exe
Size: 665KB
MD5: 8cde3c38aba1d12314914ef9f392f249
SHA1: 41bf1c60d192446b192bf8de0906af8e4e35c38f
SHA256: 662d11eea0dab34f36fa8f01e49c9ddea9d111e71d0509fa25993525e486d837
SHA512: 7e2f1256a404438566da00fbecb33ce6e186a363b8043d7f9a9f7cda39cc2e2afcc05b35d25ac10c6415c576824e5c6ab7ca4132dcb282eca7b87721cf3eccf7
SSDEEP: 12288:QjHbc+4WpAEAy7sE3vSQq32CqHUjEWl4kFx2T9DcLEOyylTQK+p3c+z+:6pAEoAtqmCYkFx25aFuK+G+
Malware Config
Extracted
  Protocol: smtp
  Host: mail.asiaparadisehotel.com
  Port: 587
  Username: [email protected]
  Password: KTNL)LqQaA(8
Extracted (agenttesla)
  Protocol: smtp
  Host: mail.asiaparadisehotel.com
  Port: 587
  Username: [email protected]
  Password: KTNL)LqQaA(8
  Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1 (1 IoC)
  Processes:
    resource: behavioral1/memory/2056-3-0x00000000004B0000-0x00000000004C8000-memory.dmp
    yara_rule: family_zgrat_v1
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegSvcs.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZVOHvI = "C:\\Users\\Admin\\AppData\\Roaming\\ZVOHvI\\ZVOHvI.exe"
    process: RegSvcs.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 4: api.ipify.org
    flow 5: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Statement of Account.exe
    description: PID 2056 set thread context of 2568
    pid: 2056, process: Statement of Account.exe, target process: RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes: Statement of Account.exe, RegSvcs.exe, powershell.exe
    pid 2056 Statement of Account.exe (6 events)
    pid 2568 RegSvcs.exe (2 events)
    pid 2836 powershell.exe (1 event)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: Statement of Account.exe, RegSvcs.exe, powershell.exe
    Token: SeDebugPrivilege, pid 2056, Statement of Account.exe
    Token: SeDebugPrivilege, pid 2568, RegSvcs.exe
    Token: SeDebugPrivilege, pid 2836, powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: RegSvcs.exe
    pid 2568 RegSvcs.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes: Statement of Account.exe
  All 34 events have pid 2056 (Statement of Account.exe) as the writing process; grouped by target:
    PID 2056 wrote to memory of 2836, target process powershell.exe (4 events)
    PID 2056 wrote to memory of 2764, target process schtasks.exe (4 events)
    PID 2056 wrote to memory of 2428, target process RegSvcs.exe (7 events)
    PID 2056 wrote to memory of 2844, target process RegSvcs.exe (7 events)
    PID 2056 wrote to memory of 2568, target process RegSvcs.exe (12 events)
Processes
- Statement of Account.exe (PID 2056)
  path: C:\Users\Admin\AppData\Local\Temp\Statement of Account.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Statement of Account.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - powershell.exe (PID 2836)
    path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\leKTJR.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - schtasks.exe (PID 2764)
    path: C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\leKTJR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB442.tmp"
    - Creates scheduled task(s)
  - RegSvcs.exe (PID 2428)
    path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  - RegSvcs.exe (PID 2844)
    path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  - RegSvcs.exe (PID 2568)
    path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 0097d2124d7a0c37f2b87fbfd44aeab0
  SHA1: 88da3a1cfda92729be46f4ed5298c913d305fb2b
  SHA256: 3b06c9e9389c77b0eb2a863df3f1cf743b643fcc3471131ccfe9f05582a65968
  SHA512: f5e439a150551b7aad2f8fa5d500cf25a047ac9212feed7e8b65e84c661309f7691b9fdd2a880a803198903c0752aca9bba934b2a0e1deabf3bd72190ae7cc38