Overview

overview

10

Static

static

1

6hDkZtFd2S.exe

windows7-x64

10

6hDkZtFd2S.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    20s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    13/03/2023, 13:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6hDkZtFd2S.exe

  • Size

    1.1MB

  • MD5

    21377e758f4ee739965642b393f13fe8

  • SHA1

    edbfaed7cac6642cce909d18f8ee07aec722d874

  • SHA256

    1068cb29f89d81ad0348c72c63a90588f35b9a520e57764daeed44dc22192c1a

  • SHA512

    39f55734563fdbae2600f53bf07a68c450e76668517b25332d4f7672fc7e0409514cba19fe9fa2f01a140fb8973a95467b64e5e4b3d05400efdc8bf64a363d67

  • SSDEEP

    12288:3bq7bcal64fG2Ms7cfl9/C8JAP2f3wBt6UQEM7ef7OB8GFX0w2WbmjoaTRgkSlTF:+fKWM82faZ4gJSGCiNOyjgT7PVf

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\6hDkZtFd2S.exe
    "C:\Users\Admin\AppData\Local\Temp\6hDkZtFd2S.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:1452
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5081.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:472
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:268
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Sets service image path in registry
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: LoadsDriver
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
          4⤵
            PID:1436
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:644
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 168
              5⤵
              • Program crash
              PID:1584

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp5081.tmp.bat
      Filesize

      151B

      MD5

      501f14866b11190425b6dcc25e62153a

      SHA1

      1d6544aeb504456fad86bbb955bb5f79261885c4

      SHA256

      0f8a71584bd523131cbea06c85b8284c6c5bd936c852d2d22b9940152cdcd1d1

      SHA512

      3530a2cec192115c4f5cc26308d086604c14da19515680c56e11b7201aeacf49d25582f81f73a9d65163f93c3ec825d85d4d3408dba8821b6ba5f3c7548aa917

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp5081.tmp.bat
      Filesize

      151B

      MD5

      501f14866b11190425b6dcc25e62153a

      SHA1

      1d6544aeb504456fad86bbb955bb5f79261885c4

      SHA256

      0f8a71584bd523131cbea06c85b8284c6c5bd936c852d2d22b9940152cdcd1d1

      SHA512

      3530a2cec192115c4f5cc26308d086604c14da19515680c56e11b7201aeacf49d25582f81f73a9d65163f93c3ec825d85d4d3408dba8821b6ba5f3c7548aa917

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      1.1MB

      MD5

      21377e758f4ee739965642b393f13fe8

      SHA1

      edbfaed7cac6642cce909d18f8ee07aec722d874

      SHA256

      1068cb29f89d81ad0348c72c63a90588f35b9a520e57764daeed44dc22192c1a

      SHA512

      39f55734563fdbae2600f53bf07a68c450e76668517b25332d4f7672fc7e0409514cba19fe9fa2f01a140fb8973a95467b64e5e4b3d05400efdc8bf64a363d67

      Download Submit

    • C:\Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      1.1MB

      MD5

      21377e758f4ee739965642b393f13fe8

      SHA1

      edbfaed7cac6642cce909d18f8ee07aec722d874

      SHA256

      1068cb29f89d81ad0348c72c63a90588f35b9a520e57764daeed44dc22192c1a

      SHA512

      39f55734563fdbae2600f53bf07a68c450e76668517b25332d4f7672fc7e0409514cba19fe9fa2f01a140fb8973a95467b64e5e4b3d05400efdc8bf64a363d67

      Download Submit

    • \Users\Admin\AppData\Roaming\svchost.exe
      Filesize

      1.1MB

      MD5

      21377e758f4ee739965642b393f13fe8

      SHA1

      edbfaed7cac6642cce909d18f8ee07aec722d874

      SHA256

      1068cb29f89d81ad0348c72c63a90588f35b9a520e57764daeed44dc22192c1a

      SHA512

      39f55734563fdbae2600f53bf07a68c450e76668517b25332d4f7672fc7e0409514cba19fe9fa2f01a140fb8973a95467b64e5e4b3d05400efdc8bf64a363d67

      Download Submit

    • memory/644-72-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1952-69-0x00000000011E0000-0x0000000001306000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1952-70-0x000000001AC30000-0x000000001ACB0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2012-54-0x0000000000BD0000-0x0000000000CF6000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2012-55-0x0000000000700000-0x000000000076E000-memory.dmp

      Filesize

      440KB

      Download