Analysis
-
max time kernel
98s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags
arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted
13-12-2023 01:02
Static task
static1
Behavioral task
behavioral1
Sample
8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe
Resource
win10v2004-20231130-en
General
-
Target
8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe
-
Size
360KB
-
MD5
4760ccd52b3d0f486834938d0be51a78
-
SHA1
422f708a521f00066e71395f7199a79bd3e67545
-
SHA256
8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d
-
SHA512
ec16d3d9f853dc17af51fa43eade62bb4b049abaaf655469753a6154637f4444024bf4bfca5d1ddddf68b06dd95c786931a03f5431f1eba2e2fd01263a83718a
-
SSDEEP
6144:3BlL/Mno3TZ8nhgOQlxVlpM2Boq0zG/T0Gi0lfJ7YSdGPQeQipT3PSClvjRQr:xankEgtxVFBXgGi0VbdD0LPLlVW
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
3952  sjzdorqqtm.exe
3380  sjzdorqqtm.exe
2980  sjzdorqqtm.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FdnCz = "C:\\Users\\Admin\\AppData\\Roaming\\FdnCz\\FdnCz.exe"
process: sjzdorqqtm.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow: 4
ioc: api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 3952 set thread context of 2980
pid: 3952
process: sjzdorqqtm.exe
target process: sjzdorqqtm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
2980  sjzdorqqtm.exe
2980  sjzdorqqtm.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid   process
3952  sjzdorqqtm.exe
3952  sjzdorqqtm.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeDebugPrivilege
pid: 2980
process: sjzdorqqtm.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2980  sjzdorqqtm.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description                        pid   process                                                                  target process
PID 436 wrote to memory of 3952    436   8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe  sjzdorqqtm.exe
PID 436 wrote to memory of 3952    436   8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe  sjzdorqqtm.exe
PID 436 wrote to memory of 3952    436   8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe  sjzdorqqtm.exe
PID 3952 wrote to memory of 3380   3952  sjzdorqqtm.exe                                                           sjzdorqqtm.exe
PID 3952 wrote to memory of 3380   3952  sjzdorqqtm.exe                                                           sjzdorqqtm.exe
PID 3952 wrote to memory of 3380   3952  sjzdorqqtm.exe                                                           sjzdorqqtm.exe
PID 3952 wrote to memory of 2980   3952  sjzdorqqtm.exe                                                           sjzdorqqtm.exe
PID 3952 wrote to memory of 2980   3952  sjzdorqqtm.exe                                                           sjzdorqqtm.exe
PID 3952 wrote to memory of 2980   3952  sjzdorqqtm.exe                                                           sjzdorqqtm.exe
PID 3952 wrote to memory of 2980   3952  sjzdorqqtm.exe                                                           sjzdorqqtm.exe
Processes
-
level 1: C:\Users\Admin\AppData\Local\Temp\8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8060d4f5d5cea3fa91215f6c763b7d0aecc246c0e4a792deaf0a90aad904055d.exe"
  PID: 436
  - Suspicious use of WriteProcessMemory
  level 2: C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe"
    PID: 3952
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    level 3: C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe"
      PID: 3380
      - Executes dropped EXE
    level 3: C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\sjzdorqqtm.exe"
      PID: 2980
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
334KB
MD5
5132ab69217c06deff5c15ecfe0d7e57
SHA1
16ff0bdae572afd2a45d5494b556ffd7e94ac0b8
SHA256
0e3c985361412bd1fe339f855228548a7935d40faf0c545db19bf5fbd2495b77
SHA512
4abad45a36eec7671390df19fb2b2d6eb6c55eb3c3c678045032d6a105c09af5918806a9c0b42c5f792fd1bf0434e8e21306a26fbaf0c125dce6a678fb9bd02c
-
Filesize
166KB
MD5
18585444e82e3722075689622104abde
SHA1
1d245ca02e85d519a5e4313b5e8181c8f5efd0f7
SHA256
35e7d65232e9e71b84663082b4b509f710dc56f7c16c9a1c0a5168d43d8c83ab
SHA512
e0fb8d601d138a73f34bdff3d7a4cb598e24bc1f1f96aa3688df4adf5d4b82d2cc4b624e8d5b3df1e6b79e507ab3a6452bd6beb166cc1b1ccfa98f52fc44b139