Overview

overview

10

Static

static

10

INV#NO.12KF61.exe

windows7_x64

10

INV#NO.12KF61.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    205s
  • max time network
    213s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INV#NO.12KF61.exe

  • Size

    621KB

  • MD5

    9d2482666eb2b88666a0d8ef8f103b7d

  • SHA1

    7c2a5b3606803049eedf92bdd184c601b22a46cb

  • SHA256

    3c165962ade84ada408c62730f36f4885ceede2f15aaa3de5e0f2d20fa204eb8

  • SHA512

    13f7e932db8725d0c9eb6b634a52f87fe10d2ea534e8499e902d82ea5382118df4b37de40578c73782a95ba0488d044425e011a29535aab2bdde8f2eae17588a

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INV#NO.12KF61.exe
    "C:\Users\Admin\AppData\Local\Temp\INV#NO.12KF61.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:988
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v hpplictthjk /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\taplitf.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v hpplictthjk /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\taplitf.exe"
        3⤵
        • Adds Run key to start application
        PID:4340
    • C:\Users\Admin\AppData\Roaming\taplitf.exe
      "C:\Users\Admin\AppData\Roaming\taplitf.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit
  • C:\Users\Admin\AppData\Roaming\taplitf.exe
    Filesize

    621KB

    MD5

    9d2482666eb2b88666a0d8ef8f103b7d

    SHA1

    7c2a5b3606803049eedf92bdd184c601b22a46cb

    SHA256

    3c165962ade84ada408c62730f36f4885ceede2f15aaa3de5e0f2d20fa204eb8

    SHA512

    13f7e932db8725d0c9eb6b634a52f87fe10d2ea534e8499e902d82ea5382118df4b37de40578c73782a95ba0488d044425e011a29535aab2bdde8f2eae17588a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\taplitf.exe
    Filesize

    621KB

    MD5

    9d2482666eb2b88666a0d8ef8f103b7d

    SHA1

    7c2a5b3606803049eedf92bdd184c601b22a46cb

    SHA256

    3c165962ade84ada408c62730f36f4885ceede2f15aaa3de5e0f2d20fa204eb8

    SHA512

    13f7e932db8725d0c9eb6b634a52f87fe10d2ea534e8499e902d82ea5382118df4b37de40578c73782a95ba0488d044425e011a29535aab2bdde8f2eae17588a

    Download Submit
  • memory/988-133-0x0000000005A40000-0x0000000005A84000-memory.dmp
    Filesize

    272KB

    Download
  • memory/988-130-0x0000000000D30000-0x0000000000DD0000-memory.dmp
    Filesize

    640KB

    Download
  • memory/988-132-0x0000000005770000-0x0000000005802000-memory.dmp
    Filesize

    584KB

    Download
  • memory/988-131-0x0000000005C40000-0x00000000061E4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1032-136-0x0000000000000000-mapping.dmp
    Download
  • memory/1032-139-0x0000000006950000-0x0000000006972000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1776-140-0x0000000000000000-mapping.dmp
    Download
  • memory/1776-141-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1776-144-0x00000000054A0000-0x000000000553C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/1776-145-0x00000000059E0000-0x0000000005A46000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4340-135-0x0000000000000000-mapping.dmp
    Download
  • memory/4448-134-0x0000000000000000-mapping.dmp
    Download