Analysis
- max time kernel: 33s
- max time network: 34s
- platform: windows10-2004_x64
- resource: win10v2004-20240730-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-08-2024 21:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: Vize.exe
- Resource: win7-20240704-en
General
- Target: Vize.exe
- Size: 2.4MB
- MD5: 124d0a6d9cd29ac76c55215bbf685d8a
- SHA1: 0243a41fc2573449e0dbdf625d07dc7bfb6e9b64
- SHA256: 80469ed52a80dda4a08a82c8d55ade470581ee8add6b592fc71a3ad72f96f906
- SHA512: f878b9d2cbdad8bfea3e48e04cda45712db2785be87d843cea70b9884be3c2741de088c3c460a74271d2b19cb5df0d6b636d9fdc9cbaa7544da383b9b494beb8
- SSDEEP: 49152:5tUTMOCEm3CsYtIz36oHNC0buj7x9fRrVwATtY4nUdgn2Q:gJt436oHU5RrtIk2Q
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (1 IoC)
  resource: behavioral2/memory/820-7-0x0000000006E70000-0x0000000007084000-memory.dmp
  yara_rule: family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions (Vize.exe)
- Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools (Vize.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Vize.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Vize.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (Vize.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (Vize.exe)
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\mstask\SystemStabilityReports\serials.txt (Vize.exe)
- System Location Discovery: System Language Discovery (1 TTP, 29 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wmic.exe, 28 occurrences; Vize.exe, 1 occurrence)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Vize.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Vize.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (Vize.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 820 Vize.exe (64 occurrences)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeDebugPrivilege (pid 820 Vize.exe)
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (pid 552 wmic.exe; this set of 21 tokens is recorded twice)
  Tokens: the same 21 tokens as for pid 552 (pid 4200 wmic.exe; recorded once)
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 820 (Vize.exe) wrote to memory of each target PID below, three entries per target; procid_target in parentheses:
  552 (87), 4200 (89), 4196 (91), 1116 (93), 4256 (95), 928 (97), 5080 (99), 2432 (101), 3276 (103), 4912 (105), 4512 (107), 3756 (109), 2084 (111), 3052 (113), 4448 (115), 2684 (117), 4640 (119), 4316 (121), 3476 (123), 3908 (125), 4716 (127), 2952 (129; only the first of its entries falls within the 64-IoC limit)
Processes
- C:\Users\Admin\AppData\Local\Temp\Vize.exe (PID 820)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Vize.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (all C:\Windows\SysWOW64\Wbem\wmic.exe):
  - PID 552: "wmic" cpu get serialnumber
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - PID 4200: "wmic" bios get serialnumber
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  - PID 4196: "wmic" baseboard get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 1116: "wmic" path win32_computersystemproduct get uuid
    - System Location Discovery: System Language Discovery
  - PID 4256: "wmic" cpu get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 928: "wmic" cpu get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 5080: "wmic" bios get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 2432: "wmic" baseboard get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 3276: "wmic" path win32_computersystemproduct get uuid
    - System Location Discovery: System Language Discovery
  - PID 4912: "wmic" bios get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 4512: "wmic" cpu get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 3756: "wmic" bios get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 2084: "wmic" baseboard get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 3052: "wmic" path win32_computersystemproduct get uuid
    - System Location Discovery: System Language Discovery
  - PID 4448: "wmic" baseboard get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 2684: "wmic" cpu get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 4640: "wmic" bios get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 4316: "wmic" baseboard get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 3476: "wmic" path win32_computersystemproduct get uuid
    - System Location Discovery: System Language Discovery
  - PID 3908: "wmic" path win32_computersystemproduct get uuid
    - System Location Discovery: System Language Discovery
  - PID 4716: "wmic" cpu get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 2952: "wmic" bios get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 4612: "wmic" baseboard get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 4436: "wmic" path win32_computersystemproduct get uuid
    - System Location Discovery: System Language Discovery
  - PID 1348: "wmic" cpu get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 1096: "wmic" bios get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 3468: "wmic" baseboard get serialnumber
    - System Location Discovery: System Language Discovery
  - PID 1116: "wmic" path win32_computersystemproduct get uuid
    - System Location Discovery: System Language Discovery