Analysis

  Max time kernel:   120s
  Max time network:  121s
  Platform:          windows7_x64
  Resource:          win7-20231129-en
  Resource tags:     arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  Submitted:         13-12-2023 01:02
Static task: static1

Behavioral task: behavioral1
  Sample:   8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample:   8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe
  Resource: win10v2004-20231130-en
General

  Target:  8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe
  Size:    360KB
  MD5:     4760ccd52b3d0f486834938d0be51a78
  SHA1:    422f708a521f00066e71395f7199a79bd3e67545
  SHA256:  8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d
  SHA512:  ec16d3d9f853dc17af51fa43eade62bb4b049abaaf655469753a6154637f4444024bf4bfca5d1ddddf68b06dd95c786931a03f5431f1eba2e2fd01263a83718a
  SSDEEP:  6144:3BlL/Mno3TZ8nhgOQlxVlpM2Boq0zG/T0Gi0lfJ7YSdGPQeQipT3PSClvjRQr:xankEgtxVFBXgGi0VbdD0LPLlVW
Malware Config
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Executes dropped EXE (3 IoCs)
  PID   Process
  2176  sjzdorqqtm.exe
  2932  sjzdorqqtm.exe
  960   sjzdorqqtm.exe
Loads dropped DLL (4 IoCs)
  PID   Process
  2900  8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe
  2900  8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe
  2176  sjzdorqqtm.exe
  2176  sjzdorqqtm.exe
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
  Description      Process         IoC
  Set value (str)  sjzdorqqtm.exe  \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\FdnCz = "C:\\Users\\Admin\\AppData\\Roaming\\FdnCz\\FdnCz.exe"
Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow  IoC
  4     api.ipify.org
Suspicious use of SetThreadContext (1 IoCs)
  Description                         PID   Process         Target process
  PID 2176 set thread context of 960  2176  sjzdorqqtm.exe  sjzdorqqtm.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID  Process
  960  sjzdorqqtm.exe
  960  sjzdorqqtm.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
  PID   Process
  2176  sjzdorqqtm.exe
  2176  sjzdorqqtm.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Description              PID  Process
  Token: SeDebugPrivilege  960  sjzdorqqtm.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  PID  Process
  960  sjzdorqqtm.exe
Suspicious use of WriteProcessMemory (13 IoCs)
  Description                       PID   Process                                                                               Target process
  PID 2900 wrote to memory of 2176  2900  8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe  sjzdorqqtm.exe
  PID 2900 wrote to memory of 2176  2900  8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe  sjzdorqqtm.exe
  PID 2900 wrote to memory of 2176  2900  8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe  sjzdorqqtm.exe
  PID 2900 wrote to memory of 2176  2900  8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe  sjzdorqqtm.exe
  PID 2176 wrote to memory of 2932  2176  sjzdorqqtm.exe                                                                        sjzdorqqtm.exe
  PID 2176 wrote to memory of 2932  2176  sjzdorqqtm.exe                                                                        sjzdorqqtm.exe
  PID 2176 wrote to memory of 2932  2176  sjzdorqqtm.exe                                                                        sjzdorqqtm.exe
  PID 2176 wrote to memory of 2932  2176  sjzdorqqtm.exe                                                                        sjzdorqqtm.exe
  PID 2176 wrote to memory of 960   2176  sjzdorqqtm.exe                                                                        sjzdorqqtm.exe
  PID 2176 wrote to memory of 960   2176  sjzdorqqtm.exe                                                                        sjzdorqqtm.exe
  PID 2176 wrote to memory of 960   2176  sjzdorqqtm.exe                                                                        sjzdorqqtm.exe
  PID 2176 wrote to memory of 960   2176  sjzdorqqtm.exe                                                                        sjzdorqqtm.exe
  PID 2176 wrote to memory of 960   2176  sjzdorqqtm.exe                                                                        sjzdorqqtm.exe
Processes

  C:\Users\Admin\AppData\Local\Temp\8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe  (PID 2900)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe  (PID 2176)
      Command line: "C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe  (PID 2932)
        Command line: "C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe"
        - Executes dropped EXE

      C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe  (PID 960)
        Command line: "C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

  File 1
    Filesize: 334KB
    MD5:      5132ab69217c06deff5c15ecfe0d7e57
    SHA1:     16ff0bdae572afd2a45d5494b556ffd7e94ac0b8
    SHA256:   0e3c985361412bd1fe339f855228548a7935d40faf0c545db19bf5fbd2495b77
    SHA512:   4abad45a36eec7671390df19fb2b2d6eb6c55eb3c3c678045032d6a105c09af5918806a9c0b42c5f792fd1bf0434e8e21306a26fbaf0c125dce6a678fb9bd02c

  File 2
    Filesize: 166KB
    MD5:      18585444e82e3722075689622104abde
    SHA1:     1d245ca02e85d519a5e4313b5e8181c8f5efd0f7
    SHA256:   35e7d65232e9e71b84663082b4b509f710dc56f7c16c9a1c0a5168d43d8c83ab
    SHA512:   e0fb8d601d138a73f34bdff3d7a4cb598e24bc1f1f96aa3688df4adf5d4b82d2cc4b624e8d5b3df1e6b79e507ab3a6452bd6beb166cc1b1ccfa98f52fc44b139