Overview

overview

10

Static

static

10

bbcrypted.exe

windows7_x64

10

bbcrypted.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    179s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 12:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbcrypted.exe

  • Size

    724KB

  • MD5

    0bdce81070764a570057b6381f91c225

  • SHA1

    258b9e1189aa620632803aa1ede6cec3c0d7490b

  • SHA256

    fda9cdc6d189a4f40199d09a2cd49522189e9494d6a7a3dc0d5bdd5faddb355a

  • SHA512

    3dc23b61bc6044b99c0438d80aec8697073198731c59762b6e640b9283bd3c21ce9b25e356c4cf263f497ecca573f3d78bac3d56ff6402fb3640212474659866

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbcrypted.exe
    "C:\Users\Admin\AppData\Local\Temp\bbcrypted.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:844
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v appLaunch /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\appLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3564
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v appLaunch /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\appLaunch.exe"
        3⤵
        • Adds Run key to start application
        PID:1480
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Users\Admin\AppData\Roaming\appLaunch.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Users\Admin\AppData\Roaming\appLaunch.exe
        "C:\Users\Admin\AppData\Roaming\appLaunch.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          4⤵
          • Drops file in Drivers directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1464
          • C:\Windows\SysWOW64\REG.exe
            REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
            5⤵
            • Modifies registry key
            PID:3364

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\appLaunch.exe
    Filesize

    724KB

    MD5

    0bdce81070764a570057b6381f91c225

    SHA1

    258b9e1189aa620632803aa1ede6cec3c0d7490b

    SHA256

    fda9cdc6d189a4f40199d09a2cd49522189e9494d6a7a3dc0d5bdd5faddb355a

    SHA512

    3dc23b61bc6044b99c0438d80aec8697073198731c59762b6e640b9283bd3c21ce9b25e356c4cf263f497ecca573f3d78bac3d56ff6402fb3640212474659866

    Download Submit

  • C:\Users\Admin\AppData\Roaming\appLaunch.exe
    Filesize

    724KB

    MD5

    0bdce81070764a570057b6381f91c225

    SHA1

    258b9e1189aa620632803aa1ede6cec3c0d7490b

    SHA256

    fda9cdc6d189a4f40199d09a2cd49522189e9494d6a7a3dc0d5bdd5faddb355a

    SHA512

    3dc23b61bc6044b99c0438d80aec8697073198731c59762b6e640b9283bd3c21ce9b25e356c4cf263f497ecca573f3d78bac3d56ff6402fb3640212474659866

    Download Submit

  • memory/764-145-0x0000000006DC0000-0x0000000006DE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/764-143-0x0000000007860000-0x00000000078F6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/764-144-0x0000000006D70000-0x0000000006D8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/764-142-0x0000000006890000-0x00000000068AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/764-136-0x0000000000000000-mapping.dmp

    Download

  • memory/764-137-0x0000000002EF0000-0x0000000002F26000-memory.dmp

    Filesize

    216KB

    Download

  • memory/764-138-0x0000000005AA0000-0x00000000060C8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/764-139-0x0000000005870000-0x0000000005892000-memory.dmp

    Filesize

    136KB

    Download

  • memory/764-140-0x0000000006140000-0x00000000061A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/764-141-0x00000000061B0000-0x0000000006216000-memory.dmp

    Filesize

    408KB

    Download

  • memory/844-133-0x0000000006200000-0x0000000006244000-memory.dmp

    Filesize

    272KB

    Download

  • memory/844-130-0x0000000000A20000-0x0000000000ADC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/844-132-0x0000000005DE0000-0x0000000005E72000-memory.dmp

    Filesize

    584KB

    Download

  • memory/844-131-0x00000000062B0000-0x0000000006854000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1224-147-0x0000000000000000-mapping.dmp

    Download

  • memory/1464-149-0x0000000000000000-mapping.dmp

    Download

  • memory/1464-150-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1464-151-0x0000000005950000-0x00000000059EC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1480-135-0x0000000000000000-mapping.dmp

    Download

  • memory/3364-152-0x0000000000000000-mapping.dmp

    Download

  • memory/3564-134-0x0000000000000000-mapping.dmp

    Download