Analysis

max time kernel: 107s
max time network: 105s
platform: windows7_x64
resource: win7v200217
submitted: 25-03-2020 18:13

Static task: static1

Behavioral task: behavioral1
  Sample: makeve.exe
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: makeve.exe
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds
General

Target: makeve.exe
Size: 136KB
MD5: 9fed11cd0c0bc367b30b08650dfba78f
SHA1: 48ef476625cdbc1f74b83841ffc89e4b46615d05
SHA256: c7c2e3e6dc40ec793635b6f18e44223d8cbf9fb621ee0d5b374b709510fe2d9a
SHA512: c884f73eb3481c129fdfa322f6d60452db98d3e9d88378a6f6b51cb88984d48e6a8d0611dbef7dc8de7d5e4cd3f142e7947f9de225590def19bb23c6836e4675
Score: 10/10
Malware Config
Signatures
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, written in Visual Basic.
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
  pid   process
  1856  makeve.exe
  1872  RegAsm.exe
  1872  RegAsm.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process     target process
  PID 1856 set thread context of 1872  1856  makeve.exe  RegAsm.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1872  RegAsm.exe
  1872  RegAsm.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid   process
  1856  makeve.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1872  RegAsm.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  1856  makeve.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid   process     target process
  PID 1856 wrote to memory of 1872   1856  makeve.exe  RegAsm.exe
  (the same write is recorded eight times, all from PID 1856 into PID 1872)
Processes

1. C:\Users\Admin\AppData\Local\Temp\makeve.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\makeve.exe"
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\makeve.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Note: RegAsm.exe is the legitimate .NET Framework assembly-registration tool, but here it was started by makeve.exe with makeve.exe's own command line, and makeve.exe wrote to its memory (eight times) and set its thread context before it ran. That is the process-hollowing pattern: the Agent Tesla payload executes under the RegAsm.exe image, which is why the anti-debugging call, process enumeration and SeDebugPrivilege request are attributed to PID 1872 rather than to the dropper.
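The injection chain this report records (WriteProcessMemory and SetThreadContext from makeve.exe into a freshly spawned RegAsm.exe whose command line names a different image) can be turned into a detection. The following Python is an added example written for this page, not code from the sandbox vendor or from the sample: it replays the report's own rows as constructed event records and flags every source/target pair that shows the write-then-redirect pattern, attaching the corroborating signals an analyst would want (target spawned by the injector, target is a .NET Framework utility, command line mismatch, post-injection behaviour inside the target). The field names, the `HOLLOW_TARGETS` list and the `POST_INJECT_APIS` set are assumptions of this example.

```python
"""Flag process-hollowing chains in sandbox-style API event rows.

Added example for this report page; not the sandbox's or the sample's code.
The event records at the bottom are constructed from the rows in the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Legitimate .NET Framework utilities that .NET loaders commonly hollow.
# Assumption: an illustrative list, not an exhaustive one.
HOLLOW_TARGETS = {
    "regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
    "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}

# APIs that, when issued by the target after the write, show the injected
# payload is already running there. Assumption: chosen from this report's rows.
POST_INJECT_APIS = {"NtSetInformationThreadHideFromDebugger", "AdjustPrivilegeToken"}


@dataclass(frozen=True)
class ApiEvent:
    api: str                          # signature name as the sandbox reports it
    pid: int                          # calling process
    target_pid: Optional[int] = None  # other process touched, if any


@dataclass(frozen=True)
class ProcessInfo:
    pid: int
    image_path: str
    command_line: str
    parent_pid: Optional[int] = None


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows path, for comparisons."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def command_line_image(cmdline: str) -> str:
    """Image named in argv[0] of a command line (quoted or bare form)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        argv0 = cmdline[1:].split('"', 1)[0]
    else:
        argv0 = cmdline.split(" ", 1)[0]
    return image_name(argv0)


def find_hollowing(events, processes):
    """One finding per (source pid, target pid) pair that shows both
    WriteProcessMemory and SetThreadContext across the process boundary.
    Each finding lists the reasons so an analyst can judge its strength."""
    procs = {p.pid: p for p in processes}
    cross = defaultdict(lambda: defaultdict(int))  # (src, dst) -> api -> count
    local = defaultdict(set)                       # pid -> apis issued on itself
    for ev in events:
        if ev.target_pid is not None and ev.target_pid != ev.pid:
            cross[(ev.pid, ev.target_pid)][ev.api] += 1
        else:
            local[ev.pid].add(ev.api)

    findings = []
    for (src, dst), apis in cross.items():
        writes = apis.get("WriteProcessMemory", 0)
        if not writes or not apis.get("SetThreadContext"):
            continue  # a write alone, or a context change alone, is not enough
        reasons = [f"{writes} WriteProcessMemory call(s) from {src} into {dst}",
                   f"SetThreadContext from {src} on {dst}"]
        tgt = procs.get(dst)
        if tgt is not None:
            if tgt.parent_pid == src:
                reasons.append("target was spawned by the injecting process")
            if image_name(tgt.image_path) in HOLLOW_TARGETS:
                reasons.append("target image is a .NET Framework utility")
            if command_line_image(tgt.command_line) != image_name(tgt.image_path):
                reasons.append("target command line names a different image than its executable")
        seen = POST_INJECT_APIS & local.get(dst, set())
        if seen:
            reasons.append("post-injection behaviour in target: " + ", ".join(sorted(seen)))
        findings.append({"source_pid": src, "target_pid": dst, "reasons": reasons})
    return findings


# Constructed from the rows in this report (PIDs and images as listed there).
REPORT_EVENTS = [
    ApiEvent("NtSetInformationThreadHideFromDebugger", 1856),
    ApiEvent("NtSetInformationThreadHideFromDebugger", 1872),
    ApiEvent("NtSetInformationThreadHideFromDebugger", 1872),
    ApiEvent("SetThreadContext", 1856, 1872),
    ApiEvent("EnumeratesProcesses", 1872),
    ApiEvent("EnumeratesProcesses", 1872),
    ApiEvent("MapViewOfSection", 1856),
    ApiEvent("AdjustPrivilegeToken", 1872),
    ApiEvent("SetWindowsHookEx", 1856),
] + [ApiEvent("WriteProcessMemory", 1856, 1872)] * 8

REPORT_PROCESSES = [
    ProcessInfo(1856, r"C:\Users\Admin\AppData\Local\Temp\makeve.exe",
                r'"C:\Users\Admin\AppData\Local\Temp\makeve.exe"'),
    ProcessInfo(1872, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
                r'"C:\Users\Admin\AppData\Local\Temp\makeve.exe"', parent_pid=1856),
]

if __name__ == "__main__":
    for finding in find_hollowing(REPORT_EVENTS, REPORT_PROCESSES):
        print(f"injection: {finding['source_pid']} -> {finding['target_pid']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the report's rows it yields a single finding, 1856 -> 1872, with all five corroborating reasons. The core rule deliberately requires both the write and the thread-context change on the same pair: installers and debuggers write into other processes routinely, and only the redirect of execution makes the pair a hollowing candidate. The command-line mismatch is the cheapest of the corroborating checks to add to real telemetry, since it needs only the process-creation record, not API tracing.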