Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
23/01/2024, 13:34
Static task
static1
Behavioral task
behavioral1
Sample
344c9c0f72c535e334a4b605212c69d9.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
344c9c0f72c535e334a4b605212c69d9.exe
Resource
win10v2004-20231215-en
General
-
Target
344c9c0f72c535e334a4b605212c69d9.exe
-
Size
1.7MB
-
MD5
344c9c0f72c535e334a4b605212c69d9
-
SHA1
952e1b506659a4113b2eb0857dbb86ee08e043a5
-
SHA256
5664820279aa20d408c82998bff07ab34c0986124b09e9ef2025c73686c77f4f
-
SHA512
a0e787755a38b2f3de72f17530b8ab6893db498c50a957df17ce16945b661e5daea648b3936267660a35478ac127a125a78c5f53099451e6950488198d204ba5
-
SSDEEP
24576:ABOzHk9lBOQdkm5UfwauFL3WlrpY7Gv1eeajEja3KgffHCx2GwVT6ltVIaH3+j:AwyBmm5VXL3WZ7vcVjEvGHaKV2FJ3+j
Malware Config
Extracted
asyncrat
0.5.8
Default
139.84.229.159:2017
jhT6lZT93vW5
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1 29 IoCs
resource yara_rule behavioral2/memory/4896-62-0x00000000285F0000-0x000000002864E000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-65-0x0000000028C40000-0x0000000028C9C000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-67-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-68-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-70-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-72-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-74-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-76-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-78-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-80-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-82-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-84-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-86-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-88-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-90-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-92-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-94-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-96-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-98-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-100-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-102-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-104-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-106-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-108-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-110-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-112-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-114-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-116-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 behavioral2/memory/4896-118-0x0000000028C40000-0x0000000028C97000-memory.dmp family_zgrat_v1 -
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Async RAT payload 29 IoCs
resource yara_rule behavioral2/memory/4896-62-0x00000000285F0000-0x000000002864E000-memory.dmp asyncrat behavioral2/memory/4896-65-0x0000000028C40000-0x0000000028C9C000-memory.dmp asyncrat behavioral2/memory/4896-67-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-68-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-70-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-72-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-74-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-76-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-78-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-80-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-82-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-84-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-86-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-88-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-90-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-92-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-94-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-96-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-98-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-100-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-102-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-104-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-106-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-108-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-110-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-112-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-114-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-116-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat behavioral2/memory/4896-118-0x0000000028C40000-0x0000000028C97000-memory.dmp asyncrat -
ModiLoader Second Stage 1 IoCs
resource yara_rule behavioral2/memory/4264-2-0x0000000003FF0000-0x0000000004FF0000-memory.dmp modiloader_stage2 -
Creates new service(s) 1 TTPs
-
Executes dropped EXE 3 IoCs
pid Process 1596 easinvoker.exe 1076 easinvoker.exe 4896 vokleakA.pif -
Loads dropped DLL 2 IoCs
pid Process 1596 easinvoker.exe 1076 easinvoker.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Akaelkov = "C:\\Users\\Public\\Akaelkov.url" 344c9c0f72c535e334a4b605212c69d9.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4264 set thread context of 4896 4264 344c9c0f72c535e334a4b605212c69d9.exe 119 -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3904 sc.exe 2460 sc.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 17 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 22 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe 1596 easinvoker.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 664 Process not Found -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2228 powershell.exe Token: SeDebugPrivilege 4896 vokleakA.pif -
Suspicious use of WriteProcessMemory 52 IoCs
description pid Process procid_target PID 4264 wrote to memory of 5108 4264 344c9c0f72c535e334a4b605212c69d9.exe 96 PID 4264 wrote to memory of 5108 4264 344c9c0f72c535e334a4b605212c69d9.exe 96 PID 4264 wrote to memory of 5108 4264 344c9c0f72c535e334a4b605212c69d9.exe 96 PID 5108 wrote to memory of 3272 5108 cmd.exe 98 PID 5108 wrote to memory of 3272 5108 cmd.exe 98 PID 5108 wrote to memory of 3272 5108 cmd.exe 98 PID 5108 wrote to memory of 1032 5108 cmd.exe 99 PID 5108 wrote to memory of 1032 5108 cmd.exe 99 PID 5108 wrote to memory of 1032 5108 cmd.exe 99 PID 5108 wrote to memory of 5024 5108 cmd.exe 101 PID 5108 wrote to memory of 5024 5108 cmd.exe 101 PID 5108 wrote to memory of 5024 5108 cmd.exe 101 PID 5108 wrote to memory of 3316 5108 cmd.exe 102 PID 5108 wrote to memory of 3316 5108 cmd.exe 102 PID 5108 wrote to memory of 3316 5108 cmd.exe 102 PID 5108 wrote to memory of 4500 5108 cmd.exe 103 PID 5108 wrote to memory of 4500 5108 cmd.exe 103 PID 5108 wrote to memory of 4500 5108 cmd.exe 103 PID 5108 wrote to memory of 1764 5108 cmd.exe 104 PID 5108 wrote to memory of 1764 5108 cmd.exe 104 PID 5108 wrote to memory of 1764 5108 cmd.exe 104 PID 5108 wrote to memory of 4064 5108 cmd.exe 105 PID 5108 wrote to memory of 4064 5108 cmd.exe 105 PID 5108 wrote to memory of 4064 5108 cmd.exe 105 PID 5108 wrote to memory of 3112 5108 cmd.exe 106 PID 5108 wrote to memory of 3112 5108 cmd.exe 106 PID 5108 wrote to memory of 3112 5108 cmd.exe 106 PID 5108 wrote to memory of 4180 5108 cmd.exe 107 PID 5108 wrote to memory of 4180 5108 cmd.exe 107 PID 5108 wrote to memory of 4180 5108 cmd.exe 107 PID 5108 wrote to memory of 1596 5108 cmd.exe 108 PID 5108 wrote to memory of 1596 5108 cmd.exe 108 PID 1596 wrote to memory of 2496 1596 easinvoker.exe 109 PID 1596 wrote to memory of 2496 1596 easinvoker.exe 109 PID 2496 wrote to memory of 1256 2496 cmd.exe 111 PID 2496 wrote to memory of 1256 2496 cmd.exe 111 PID 2496 wrote to memory of 3904 2496 cmd.exe 113 PID 2496 wrote to memory of 3904 2496 cmd.exe 113 PID 2496 wrote to memory of 2460 2496 cmd.exe 114 PID 2496 wrote to memory of 2460 2496 cmd.exe 114 PID 1256 wrote to memory of 2228 1256 cmd.exe 115 PID 1256 wrote to memory of 2228 1256 cmd.exe 115 PID 4264 wrote to memory of 2524 4264 344c9c0f72c535e334a4b605212c69d9.exe 117 PID 4264 wrote to memory of 2524 4264 344c9c0f72c535e334a4b605212c69d9.exe 117 PID 4264 wrote to memory of 2524 4264 344c9c0f72c535e334a4b605212c69d9.exe 117 PID 4264 wrote to memory of 4896 4264 344c9c0f72c535e334a4b605212c69d9.exe 119 PID 4264 wrote to memory of 4896 4264 344c9c0f72c535e334a4b605212c69d9.exe 119 PID 4264 wrote to memory of 4896 4264 344c9c0f72c535e334a4b605212c69d9.exe 119 PID 2524 wrote to memory of 1076 2524 cmd.exe 120 PID 2524 wrote to memory of 1076 2524 cmd.exe 120 PID 4264 wrote to memory of 4896 4264 344c9c0f72c535e334a4b605212c69d9.exe 119 PID 4264 wrote to memory of 4896 4264 344c9c0f72c535e334a4b605212c69d9.exe 119
Processes
-
C:\Users\Admin\AppData\Local\Temp\344c9c0f72c535e334a4b605212c69d9.exe"C:\Users\Admin\AppData\Local\Temp\344c9c0f72c535e334a4b605212c69d9.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\AkaelkovO.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows "3⤵PID:3272
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"3⤵PID:1032
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y3⤵
- Enumerates system info in registry
PID:5024
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"3⤵PID:3316
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y3⤵
- Enumerates system info in registry
PID:4500
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"3⤵PID:1764
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y3⤵
- Enumerates system info in registry
PID:4064
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"3⤵PID:3112
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y3⤵
- Enumerates system info in registry
PID:4180
-
-
C:\Windows \System32\easinvoker.exe"C:\\Windows \\System32\\easinvoker.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""4⤵
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\system32\cmd.execmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"5⤵
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228
-
-
-
C:\Windows\system32\sc.exesc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel5⤵
- Launches sc.exe
PID:3904
-
-
C:\Windows\system32\sc.exesc.exe start truesight5⤵
- Launches sc.exe
PID:2460
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\\Windows \\System32\\easinvoker.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows \System32\easinvoker.exe"C:\\Windows \\System32\\easinvoker.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076
-
-
-
C:\Users\Public\Libraries\vokleakA.pifC:\Users\Public\Libraries\vokleakA.pif2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
404B
MD56880148d6cd8fabdce94b7e91dbd8d17
SHA1870e9ad13355a8452746e0904d004ee8c8ec66e5
SHA2560bfe311ffb1de96cbb2616c2a59c2a1a4942ec03073cc2ddfdfc43f79c74d18a
SHA512810ee2896597cbcf813b9285bb2d7f9127360a4d8a872c47460d32710fe114c27ed58f840dc8bcfdaf7b826e7e46c78c0e814e4fa3d380d10737673a1febf38e
-
Filesize
271B
MD5d62b11dc4dc821ef23260e5b0e74a835
SHA1cdff2004cb9ef149f75fae296f50f4fbfefb2e84
SHA256d1b19b878a3ae98f650843314cc3ef8d681013f6e18e0201cb47a0afa45fc349
SHA51227b8292eb318413b965e1c7552165e65f9003d03b15ddc0c5c142420a1a174303f983c268942d7b60c74ac4e8e79e01f83510807fc0c492cabdf4948bc69c625
-
Filesize
128KB
MD5231ce1e1d7d98b44371ffff407d68b59
SHA125510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA25630951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
-
Filesize
114KB
MD596b99e2a886d816c1b98b018adfe6311
SHA141f2f29bd8f366781ed1387068150eb2789dbbf8
SHA256c300a049564eef6d8baa136858f1f6f0779003bd1b566d95689883c6935e2ba6
SHA5126768632b586123b4b7c452c05b871a2474214a5d7db4a048f7b67bc2cda9dbf87c2efaf18bed86666dc145f948a2edbe3b01949fb75e6a68d813cd18a62ba45a
-
Filesize
171KB
MD522331abcc9472cc9dc6f37faf333aa2c
SHA12a001c30ba79a19ceaf6a09c3567c70311760aa4
SHA256bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c
SHA512c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c