Overview

overview

10

Static

static

1

Bank Copy.exe

windows7-x64

10

Bank Copy.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    29s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    03-04-2023 05:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bank Copy.exe

  • Size

    455KB

  • MD5

    2d1b7ae625fc27c4a7dd90333be85783

  • SHA1

    bd3a4984c6f9c8d692bed48ca504057fc06e1f31

  • SHA256

    89b26887cf47af7365dfd7fb75252fb86badd55bdc8d87829efd7f63803d1029

  • SHA512

    e96a2a40d84b04cc9c327694ee4e27bf06937a44737cf928ffdb6b63614f50c5cb9f3b2a8c75e691cb4ecd06420a96b7dc77ed0925278dd0deb9fb9cc45315f6

  • SSDEEP

    12288:OuVozphT+QcwZgDRVsq5Luy3izuxwbuEoTrT9Fo:OuVoFhT+TwZRYLueizu33RFo

Score
10/10
agentteslaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bank Copy.exe
    "C:\Users\Admin\AppData\Local\Temp\Bank Copy.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:776
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:760
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1D42.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:1316
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • UAC bypass
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1368
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1944
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1400
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 304
            5⤵
            • Program crash
            PID:1632

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1D42.tmp.bat
    Filesize

    151B

    MD5

    bc62d5106ac3bce6e7dfaf49fc02a8c0

    SHA1

    e777bb4b904ffe7892f9cd98c31652b5cba6e702

    SHA256

    7dff43305cb3ae9478bb41e71a8c491cba712c95a78ec581ba0d5cc52a85852b

    SHA512

    249368ca124bd0ee9e2f8ce31ac3af4c257af0927f85f28d14c4a9cecdd9f2489706e6b7c07a605068a5e761df49bc397e3308f0ba3c1c77a30a93a88469a383

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp1D42.tmp.bat
    Filesize

    151B

    MD5

    bc62d5106ac3bce6e7dfaf49fc02a8c0

    SHA1

    e777bb4b904ffe7892f9cd98c31652b5cba6e702

    SHA256

    7dff43305cb3ae9478bb41e71a8c491cba712c95a78ec581ba0d5cc52a85852b

    SHA512

    249368ca124bd0ee9e2f8ce31ac3af4c257af0927f85f28d14c4a9cecdd9f2489706e6b7c07a605068a5e761df49bc397e3308f0ba3c1c77a30a93a88469a383

    Download Submit
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    455KB

    MD5

    2d1b7ae625fc27c4a7dd90333be85783

    SHA1

    bd3a4984c6f9c8d692bed48ca504057fc06e1f31

    SHA256

    89b26887cf47af7365dfd7fb75252fb86badd55bdc8d87829efd7f63803d1029

    SHA512

    e96a2a40d84b04cc9c327694ee4e27bf06937a44737cf928ffdb6b63614f50c5cb9f3b2a8c75e691cb4ecd06420a96b7dc77ed0925278dd0deb9fb9cc45315f6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    455KB

    MD5

    2d1b7ae625fc27c4a7dd90333be85783

    SHA1

    bd3a4984c6f9c8d692bed48ca504057fc06e1f31

    SHA256

    89b26887cf47af7365dfd7fb75252fb86badd55bdc8d87829efd7f63803d1029

    SHA512

    e96a2a40d84b04cc9c327694ee4e27bf06937a44737cf928ffdb6b63614f50c5cb9f3b2a8c75e691cb4ecd06420a96b7dc77ed0925278dd0deb9fb9cc45315f6

    Download Submit
  • \Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    455KB

    MD5

    2d1b7ae625fc27c4a7dd90333be85783

    SHA1

    bd3a4984c6f9c8d692bed48ca504057fc06e1f31

    SHA256

    89b26887cf47af7365dfd7fb75252fb86badd55bdc8d87829efd7f63803d1029

    SHA512

    e96a2a40d84b04cc9c327694ee4e27bf06937a44737cf928ffdb6b63614f50c5cb9f3b2a8c75e691cb4ecd06420a96b7dc77ed0925278dd0deb9fb9cc45315f6

    Download Submit
  • \Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    455KB

    MD5

    2d1b7ae625fc27c4a7dd90333be85783

    SHA1

    bd3a4984c6f9c8d692bed48ca504057fc06e1f31

    SHA256

    89b26887cf47af7365dfd7fb75252fb86badd55bdc8d87829efd7f63803d1029

    SHA512

    e96a2a40d84b04cc9c327694ee4e27bf06937a44737cf928ffdb6b63614f50c5cb9f3b2a8c75e691cb4ecd06420a96b7dc77ed0925278dd0deb9fb9cc45315f6

    Download Submit
  • memory/1060-56-0x0000000000590000-0x00000000005FE000-memory.dmp
    Filesize

    440KB

    Download
  • memory/1060-55-0x000000001A830000-0x000000001A8B0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1060-54-0x0000000000C70000-0x0000000000CE6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1368-71-0x000000001A980000-0x000000001AA00000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1368-70-0x00000000009C0000-0x0000000000A36000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1400-80-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1944-77-0x000000001B390000-0x000000001B672000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/1944-76-0x0000000002A50000-0x0000000002AD0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1944-79-0x0000000002A50000-0x0000000002AD0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1944-78-0x0000000002310000-0x0000000002318000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1944-81-0x0000000002A54000-0x0000000002A57000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1944-82-0x0000000002A5B000-0x0000000002A92000-memory.dmp
    Filesize

    220KB

    Download