Analysis
max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230621-en
resource tags
arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
submitted
27/06/2023, 03:38
Behavioral task
behavioral1
Sample
Guna.UI2.dll
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
Guna.UI2.dll
Resource
win10v2004-20230621-en
Behavioral task
behavioral3
Sample
Spoofer exe.exe
Resource
win7-20230621-en
General
Target
Spoofer exe.exe
Size
2.7MB
MD5
1422cc9625a8a92835b62855bb48c24c
SHA1
cb1981c4c50329373231b3c5974db5cd007d35d2
SHA256
c8495f16af5d29a4e6be8c233621197ddeb143f9c928bfc9a7a1acdad9382f0d
SHA512
2f0e3a0af7f90dfa35ba47a0d7bf02983cb585b5d8ed99c94014fcba9dc17dc0bf00bb81f196746c6d80a0f7d88e502f24ab3044823c7b3e91a2904ec6ed23c6
SSDEEP
49152:31gUzwwAJHxSA9VbaJJCDpCvPmsSkItQj4B/lj0KK5tWprM:gwApEtB3vItQQ/+KIKrM
Malware Config
Signatures
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (keylogging, credential theft, screenshot capture); its early builds were written in Visual Basic .NET.
AgentTesla payload 2 IoCs
resource  yara_rule
behavioral3/memory/1240-60-0x000000001F250000-0x000000001F446000-memory.dmp  family_agenttesla
behavioral3/memory/1240-83-0x000000001BB80000-0x000000001BC00000-memory.dmp  family_agenttesla
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Spoofer exe.exe
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions  Spoofer exe.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools  Spoofer exe.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Spoofer exe.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  Spoofer exe.exe
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource  yara_rule
behavioral3/memory/1240-56-0x000000013F220000-0x000000013FAA4000-memory.dmp  agile_net
Themida packer 1 IoCs
Detects Themida, a commercial packer/protector that applies code encryption, code virtualization and anti-debugging to the protected binary.
resource  yara_rule
behavioral3/memory/1240-56-0x000000013F220000-0x000000013FAA4000-memory.dmp  themida
Both rules fire on the same region of PID 1240 (0x13F220000-0x13FAA4000, about 8.9 MB, dump 56), most likely the loaded image of the sample, whereas the family_agenttesla rule fires on two smaller regions captured later in the run (dumps 60 and 83). That pattern is consistent with a protected .NET loader unpacking the Agent Tesla payload in memory.
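The yara_rule tables above identify each hit only by a memory-dump file name. The following parser, an added example that is neither the sandbox vendor's nor the sample's code, splits that name into PID, dump ordinal and address range, computes region sizes, and checks whether the payload rule hits appear later and in different regions than the packer rule hits. The name convention is read off this report; treating the middle number as a dump ordinal in capture order is an assumption.

```python
"""Parse sandbox memory-dump names and order yara hits into an unpacking timeline.

Added example, not vendor or sample code. Assumes the dump name layout
<pid>-<seq>-0x<start>-0x<end>-memory.dmp with <seq> increasing in capture order.
"""
import re
from dataclasses import dataclass

DUMP_NAME = re.compile(
    r"(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (dump path, matched rule) pairs copied from the behavioral3 tables in this report.
YARA_HITS = [
    ("behavioral3/memory/1240-56-0x000000013F220000-0x000000013FAA4000-memory.dmp", "agile_net"),
    ("behavioral3/memory/1240-56-0x000000013F220000-0x000000013FAA4000-memory.dmp", "themida"),
    ("behavioral3/memory/1240-60-0x000000001F250000-0x000000001F446000-memory.dmp", "family_agenttesla"),
    ("behavioral3/memory/1240-83-0x000000001BB80000-0x000000001BC00000-memory.dmp", "family_agenttesla"),
]

PACKER_RULES = {"themida", "agile_net"}
PAYLOAD_RULES = {"family_agenttesla"}


@dataclass(frozen=True, order=True)
class Region:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(path: str) -> Region:
    """Split '<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its fields."""
    m = DUMP_NAME.search(path)
    if m is None:
        raise ValueError(f"not a memory dump name: {path}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {path}")
    return Region(int(m["pid"]), int(m["seq"]), start, end)


def group_by_region(hits):
    """Map each dumped region to the set of rules that fired on it."""
    grouped = {}
    for path, rule in hits:
        grouped.setdefault(parse_dump_name(path), set()).add(rule)
    return grouped


def unpack_timeline(hits):
    """Regions in capture order as (seq, start, size, kind, rules)."""
    rows = []
    for region, rules in sorted(group_by_region(hits).items()):
        kind = "packer" if rules & PACKER_RULES else "payload" if rules & PAYLOAD_RULES else "other"
        rows.append((region.seq, hex(region.start), region.size, kind, sorted(rules)))
    return rows


def payload_unpacked_after_packer(hits) -> bool:
    """True when every payload hit is in a later dump, and a different region, than all packer hits."""
    grouped = group_by_region(hits)
    packer = {r for r, rules in grouped.items() if rules & PACKER_RULES}
    payload = {r for r, rules in grouped.items() if rules & PAYLOAD_RULES}
    if not packer or not payload:
        return False
    last_packer_seq = max(r.seq for r in packer)
    return all(r.seq > last_packer_seq and r not in packer for r in payload)


if __name__ == "__main__":
    for seq, start, size, kind, rules in unpack_timeline(YARA_HITS):
        print(f"dump {seq:>3}  {start:>12}  {size:>9,d} bytes  {kind:<7} {rules}")
    print("payload unpacked after packer:", payload_unpacked_after_packer(YARA_HITS))
```

For this report the timeline is dump 56 (8,929,280 bytes, packer rules), then dumps 60 (2,056,192 bytes) and 83 (524,288 bytes) carrying the Agent Tesla rule, so the check returns True; on a report where the family rule fires on the on-disk image itself it returns False.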
Checks whether UAC is enabled 1 IoCs
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Spoofer exe.exe
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  Spoofer exe.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  Spoofer exe.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Calling NtSetInformationThread with the ThreadHideFromDebugger information class stops the kernel from delivering that thread's debug events to an attached debugger, a common anti-debugging technique.
pid  Process
1240  Spoofer exe.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  Spoofer exe.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  Spoofer exe.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion  Spoofer exe.exe
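The registry reads recorded in the signatures above (the VBOX__ ACPI table, VirtualBox Guest Additions, VMware Tools, the BIOS and video BIOS version strings, the SystemManufacturer and SystemVersion values, Disk\Enum\0 and EnableLUA) are the usual fingerprint a loader uses to decide whether it is running inside a sandbox. The script below, an added example that is neither the sample's nor the sandbox vendor's code, replays exactly those reads so a sandbox builder can see what the sample would have seen. Only the key paths and value names come from the report; the vendor marker strings and the embedded VirtualBox-guest snapshot are constructed assumptions, and on a Windows host the script reads the live registry through winreg instead of the snapshot.

```python
"""Sandbox self-check that replays the registry probes this sample made.

Added example, not the sample's code. Key paths and value names are the ones in the
IoC tables (hive-relative under HKLM); marker strings and VBOX_GUEST are assumptions.
"""
import sys
from typing import Callable, Optional, Union

RegValue = Union[str, int, list, bool, None]
Reader = Callable[[str, Optional[str]], RegValue]

# (label, HKLM sub-key, value name or None for a key-existence probe, substrings that mark a VM)
PROBES = [
    ("VirtualBox ACPI table", r"HARDWARE\ACPI\DSDT\VBOX__", None, ()),
    ("VirtualBox Guest Additions", r"SOFTWARE\Oracle\VirtualBox Guest Additions", None, ()),
    ("VMware Tools", r"SOFTWARE\VMware, Inc.\VMware Tools", None, ()),
    ("System BIOS version", r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion",
     ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS")),
    ("Video BIOS version", r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion",
     ("VIRTUALBOX", "VMWARE", "BOCHS")),
    ("System manufacturer", r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer",
     ("INNOTEK", "VMWARE", "QEMU", "XEN")),
    ("System version", r"HARDWARE\DESCRIPTION\System\BIOS", "SystemVersion",
     ("VIRTUALBOX", "VMWARE", "QEMU")),
    ("Disk enumeration", r"SYSTEM\ControlSet001\Services\Disk\Enum", "0",
     ("VBOX", "VMWARE", "QEMU", "VIRTUAL")),
    ("UAC enabled (EnableLUA)", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", ()),
]


def winreg_reader(key: str, value: Optional[str]) -> RegValue:
    """Live backend for Windows hosts; returns None when the key or value is missing."""
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
            if value is None:
                return True
            data, _ = winreg.QueryValueEx(handle, value)
            return data
    except OSError:
        return None


def dict_reader(snapshot: dict) -> Reader:
    """Offline backend over a {subkey: {value: data}} snapshot, case-insensitive like the registry."""
    lowered = {k.lower(): {vn.lower(): d for vn, d in vals.items()} for k, vals in snapshot.items()}

    def read(key: str, value: Optional[str]) -> RegValue:
        node = lowered.get(key.lower())
        if node is None:
            return None
        return True if value is None else node.get(value.lower())
    return read


# Constructed snapshot approximating an unhardened VirtualBox Windows guest (not captured data).
VBOX_GUEST = {
    r"HARDWARE\ACPI\DSDT\VBOX__": {},
    r"SOFTWARE\Oracle\VirtualBox Guest Additions": {"Version": "6.1.40"},
    r"HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": ["VBOX   - 1"],
                                      "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.40 VBE Adapter"]},
    r"HARDWARE\DESCRIPTION\System\BIOS": {"SystemManufacturer": "innotek GmbH", "SystemVersion": "VirtualBox"},
    r"SYSTEM\ControlSet001\Services\Disk\Enum": {"0": r"IDE\DiskVBOX_HARDDISK___1.0_____\5&1e8e9a5f&0&0.0.0"},
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": {"EnableLUA": 1},
}


def run_probes(reader: Reader):
    """Replay every probe; each result is (label, present, value_text, flags_vm)."""
    results = []
    for label, key, value_name, markers in PROBES:
        data = reader(key, value_name)
        if data is None:
            results.append((label, False, None, False))
            continue
        text = " ".join(map(str, data)) if isinstance(data, (list, tuple)) else str(data)
        # A key-existence probe only ever hits inside a guest; value probes need a vendor marker.
        flagged = value_name is None or any(m in text.upper() for m in markers)
        results.append((label, True, text, flagged))
    return results


def vm_indicators(results):
    """Labels of probes whose answer would tell the sample it is in a VM."""
    return [label for label, present, _, flagged in results if present and flagged]


def uac_enabled(results) -> Optional[bool]:
    """True/False from EnableLUA, None when the value was missing."""
    for label, present, text, _ in results:
        if label.startswith("UAC"):
            return (text == "1") if present else None
    return None


if __name__ == "__main__":
    reader = winreg_reader if sys.platform == "win32" else dict_reader(VBOX_GUEST)
    res = run_probes(reader)
    for label, present, text, flagged in res:
        print(f"{'VM' if flagged else '  '} {label:<28} {'present' if present else 'absent':<8} {text or ''}")
    print("VM indicators:", len(vm_indicators(res)), "| UAC enabled:", uac_enabled(res))
```

Run it inside the analysis VM before committing the image: every line marked VM is an artifact the sample would have found, and hardening consists of renaming or removing those keys and values until the list is empty. The EnableLUA read is not a VM check; the sample uses it to learn whether UAC will prompt, and the probe is kept only because the report records it alongside the others.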
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
1240  Spoofer exe.exe (repeated)
644  taskmgr.exe (repeated)
(64 entries, the report's display cap, interleaved between the two processes)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid  Process
644  taskmgr.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description  pid  Process
Token: SeDebugPrivilege  1240  Spoofer exe.exe
Token: SeDebugPrivilege  644  taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid  Process
644  taskmgr.exe (64 entries, the report's display cap, all from this process)
Suspicious use of SendNotifyMessage 64 IoCs
pid  Process
644  taskmgr.exe (64 entries, the report's display cap, all from this process)
Processes
C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Spoofer exe.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240 (top-level process; no child processes recorded)
C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:644 (top-level process, not a child of Spoofer exe.exe)
Task Manager ran in the sandbox session alongside the sample rather than being spawned by it. Its EnumeratesProcesses, GetForegroundWindowSpam, FindShellTrayWindow and SendNotifyMessage hits, and its SeDebugPrivilege token adjustment, are normal Task Manager activity and should not be attributed to the sample; the behavior that matters is confined to PID 1240.