Analysis
-
max time kernel
98s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
-
submitted
13-12-2023 01:02
General
-
Target
8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe
-
Size
360KB
-
MD5
4760ccd52b3d0f486834938d0be51a78
-
SHA1
422f708a521f00066e71395f7199a79bd3e67545
-
SHA256
8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d
-
SHA512
ec16d3d9f853dc17af51fa43eade62bb4b049abaaf655469753a6154637f4444024bf4bfca5d1ddddf68b06dd95c786931a03f5431f1eba2e2fd01263a83718a
-
SSDEEP
6144:3BlL/Mno3TZ8nhgOQlxVlpM2Boq0zG/T0Gi0lfJ7YSdGPQeQipT3PSClvjRQr:xankEgtxVFBXgGi0VbdD0LPLlVW
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 3 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe"C:\Users\Admin\AppData\Local\Temp\8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe"C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe"C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe"C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
334KB
MD55132ab69217c06deff5c15ecfe0d7e57
SHA116ff0bdae572afd2a45d5494b556ffd7e94ac0b8
SHA2560e3c985361412bd1fe339f855228548a7935d40faf0c545db19bf5fbd2495b77
SHA5124abad45a36eec7671390df19fb2b2d6eb6c55eb3c3c678045032d6a105c09af5918806a9c0b42c5f792fd1bf0434e8e21306a26fbaf0c125dce6a678fb9bd02c
-
Filesize
166KB
MD518585444e82e3722075689622104abde
SHA11d245ca02e85d519a5e4313b5e8181c8f5efd0f7
SHA25635e7d65232e9e71b84663082b4b509f710dc56f7c16c9a1c0a5168d43d8c83ab
SHA512e0fb8d601d138a73f34bdff3d7a4cb598e24bc1f1f96aa3688df4adf5d4b82d2cc4b624e8d5b3df1e6b79e507ab3a6452bd6beb166cc1b1ccfa98f52fc44b139
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
332KB
-
Filesize
264KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
332KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
8KB