Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
04-07-2023 16:20
General
-
Target
https://mega.nz/folder/4700hDQD#-8-I9xQWq7XrFu_osffZpg
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Umbral payload 2 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
AgentTesla payload 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://mega.nz/folder/4700hDQD#-8-I9xQWq7XrFu_osffZpg1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3640 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="212.0.842559002\1703018605" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1800 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ac48f63-718e-43d8-bae7-e682bc6ca595} 212 "\\.\pipe\gecko-crash-server-pipe.212" 1900 1b0cdaf4558 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="212.1.884579576\1163507410" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fed041bb-d015-41e7-ae37-b46ed7209e0a} 212 "\\.\pipe\gecko-crash-server-pipe.212" 2300 1b0cda0b458 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="212.2.1810772232\286779361" -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 2980 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {473f68a2-fca9-4f6c-9197-42683e0f8fa6} 212 "\\.\pipe\gecko-crash-server-pipe.212" 3104 1b0d17a7d58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="212.3.1650812506\76410033" -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4db7fdd-fbee-42d9-960d-6bbadbfd4b88} 212 "\\.\pipe\gecko-crash-server-pipe.212" 3700 1b0d0452a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="212.4.2120475824\1685212589" -childID 3 -isForBrowser -prefsHandle 4468 -prefMapHandle 4464 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b132ed6-9e3a-477f-8d04-af2b8e151e0c} 212 "\\.\pipe\gecko-crash-server-pipe.212" 4476 1b0d2d07758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="212.6.1718943073\1074568465" -childID 5 -isForBrowser -prefsHandle 5100 -prefMapHandle 4952 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de3cb696-2535-45f8-bc78-9518dd61e36a} 212 "\\.\pipe\gecko-crash-server-pipe.212" 5000 1b0d3bb6858 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="212.7.1408186357\302628950" -childID 6 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {414cd8f5-487d-46ed-a4e3-1d7f5d0a0a60} 212 "\\.\pipe\gecko-crash-server-pipe.212" 5292 1b0d3bb8358 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="212.5.1546661381\1631986360" -childID 4 -isForBrowser -prefsHandle 4968 -prefMapHandle 4964 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49d3b737-3d65-4725-a7e4-163afcdc2984} 212 "\\.\pipe\gecko-crash-server-pipe.212" 4980 1b0d3bb7458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="212.8.238061769\637613216" -childID 7 -isForBrowser -prefsHandle 4508 -prefMapHandle 4444 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {deb082ba-9579-4e73-9a72-e44d52270975} 212 "\\.\pipe\gecko-crash-server-pipe.212" 4592 1b0d2d06258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="212.9.1291397388\319821219" -childID 8 -isForBrowser -prefsHandle 5824 -prefMapHandle 3304 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa95a469-6313-415e-b4ef-e1452295cb4a} 212 "\\.\pipe\gecko-crash-server-pipe.212" 5828 1b0d1ce2658 tab3⤵
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f4 0x3fc1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Sapphire_Clicker\Sapphire_Clicker\Sapphire Clicker.exe"C:\Users\Admin\Downloads\Sapphire_Clicker\Sapphire_Clicker\Sapphire Clicker.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5d00ea8fb453cdb158972504d3f0adc02
SHA1fa8505ca759b2c409ad64a0a6adc818dcaa4cdb2
SHA2560b71ecb855df3dd7b382a0a7cce4378997a155eb985f9918765ec09365e7451b
SHA512a673877f9d323bee6cb8595c8cc3ab487ee6c08c988a269ba47845457b21eabc5ebf49f5d234a508dc731fef6d7ae870753ae353c263d694cc466bd2c39ad035
-
Filesize
6KB
MD572f13fa5f987ea923a68a818d38fb540
SHA1f014620d35787fcfdef193c20bb383f5655b9e1e
SHA25637127c1a29c164cdaa75ec72ae685094c2468fe0577f743cb1f307d23dd35ec1
SHA512b66af0b6b95560c20584ed033547235d5188981a092131a7c1749926ba1ac208266193bd7fa8a3403a39eee23fcdd53580e9533803d7f52df5fb01d508e292b3
-
Filesize
133KB
MD5fadb7ba3060d655e4452e614d81e1962
SHA1320348a9d21a0e9087f5114152e0e800f49c0df5
SHA256e9fcda292265a74ac66f900fef7d63df134aac7585c9dd56e98f6820e4c75031
SHA51222d49e029e5947734406cdf2d90438804b24d065fc75a53c14f4f7c8739496a411017ec53510633bc9b28999ebb5a72bd57b8f58a8039a20a22c3643d3a5a40b
-
Filesize
9KB
MD54ff31e17e39037adb8112bf00d1f64bf
SHA1d7ab9a1b6dfd5336abe85c483d20f8f8418b6edd
SHA256f0d5ca2dce9dad5e549f080272c2b6402e4fd7f5cb9a5ab7c92fee3f95732682
SHA512f16425f6f1e6035478fd2dddaeedd31b352fd1d0a91f7181a685cd2af216ac2e32af52f02659a7ff9dc1653fb281107f688bb71ebe6e0ddc35feb0effa748e4b
-
Filesize
9KB
MD59967717fcd2d934199b40005ff7c0ad0
SHA16db833f2b5cabe3bc1ad214006e17d6c2cbdfe15
SHA256e7809249e55f1177c469702f9cacbce4f6e66fae997f54c5c40e5c7068f6ca39
SHA512a0c2f577a07589ebf90ee5ca0e8ea1cd9e48d5b6ccc9404a9181a48cd346e30cf6843a3b2a9d2fd4d59e61f862259d8f956028fbbfc0aaaebd4aaf391c23d4e9
-
Filesize
44KB
MD5c862ba1d7d09441f3a24052442260877
SHA1c43add7a7f2cb477177f6026c31568ba2d8b59f0
SHA2562e4788a2a8245c570ccc92c4e7559576644ccd103dd4382700c85691e0b54f47
SHA512427c82c6e49c65de741f1075a7727d05a528324fbc9f99c4297a76c96f9c2f7723a1c75472fb10622d3ea1e02c919d793f2eca1bd61c8a1ab93fcd3b3934bfee
-
Filesize
29KB
MD5051214c502e8477263e96946f9add4e6
SHA1c3333c02cc5fe6e1b578d14a5e8883be05cb8e1f
SHA256dba6ef62304febff2cfadff895e1ca3a5cc2be0431eeb6f01e41dad8872bbe64
SHA512d79a5a7980a9b6f994f978623f99d11ae22204f011ffd157fd54417f22d2de7c4b1ae3a131407905140debc594d54b1eedff962ad5deffddbea1bf45165eb523
-
Filesize
7KB
MD5f1939e4125cb250c7e900f896e4acf4f
SHA1ef1af824e0faa42ff3b46668f37de30b07b29046
SHA256cf0b056d255d6ccbc6a1426ca99738968ce2848559b11e0e0d721806a65bd688
SHA51283be4473e399646543f42b657b80d4f5cbdf1e3b53707dc31c788ae142c8ea0792ba40bdbdc67e9a1040afde040f46a0a363dd2c219cc25e19393e488fcfb84c
-
Filesize
6KB
MD59beb86bb7b45941a2daf7b3e2d86ddca
SHA138807b47ec3be436e9819c239c43e12978c2e724
SHA256a3258253f696743c3103c761a6606c1192500c7174b7d8e6f6fb4c1fb701342b
SHA512e944b0ae50a48f7e822fe2dca82448a869c6d234cd34adc7c4e55fb364172e9a136c336d3aadcd368189a0d4e94a4c4549eaeba47a6f0c6037351a38eb81d89d
-
Filesize
6KB
MD5b05b8ccc612e02ed252f887eb9d88208
SHA1b3c5e06445fa3f119fb8d820dc84f728dbcc9bd8
SHA256be8c1d87e0bfb4a45f0335759b3820aa2980258c26f59e63f661bf324f91a2b1
SHA5122f3f58ca80ce3c3ca1299e699f717f4346d627f51f32a0050e7e5b77f5bd2fda9c8cfa9447f42fcac0fcfe46689a81854509edc1e6532433b99a7ae5c8979705
-
Filesize
4KB
MD5984bc6d4af88af338e45c0427ec144a1
SHA107e59c8b70ebb24de557bd588e5e654ba3c466ff
SHA2562ac8c469dbcba0eea329132a1063de52b10126cb8e7de16a8389c55eb5336fa3
SHA5126e9c3f2232185926cfa606d2683fb20d6601289429077c1779f0b1ae4579b0a3e951bdc076738c1bff1244a106bac73da1a86f11c418dd641fa21a0e20763833
-
Filesize
6KB
MD59f51faf9ea2bc4b172fbdf42463a5196
SHA18077027906656113dd80feead026975a3b4e41cd
SHA2566d5cb154c4a4e9e9c7cac694e6834ab68f48e7daa0e15b7291a5c684d2a88431
SHA51287f7f6912d521e3ff9ca5671055ec721c39c3d8c1055741863803a0702616a4d98425f5b8a309576d689466129ed2754cf0b22a0d081b7cb6d11d6b9e41a4e76
-
Filesize
6KB
MD5a4bfa3aa178f23c7f754bff84d6cb18e
SHA1def39b566f7de5ced80c9fd5bbd23cf8058a80f9
SHA2567800515b5c1780685845d08f7a87eecf20a2ee39656640e818447615a0c11dbc
SHA512d3d68756a647b020ffe00a095574db1fe13404e03aa96f6497f346e32dd494173013fa97a44572a866750b91e3c064dce4c40da0cbcf911afd9336b9a4a48eaa
-
Filesize
1KB
MD53efa9abd92666265dd81c4f4311a96f9
SHA141b6b716d67b93555e444cd453f3c6e3f8c9522c
SHA2565066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7
SHA5125961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c
-
Filesize
48KB
MD54e6fc5ae022209213189891e021c7db6
SHA18afe4dac4a15668d4c448a9dceb97c5100f7fc95
SHA2560a13b865338f1f89e5c376465f0bfebdc80a350738f4d393e62fc31e42ac24ff
SHA51202a132e689c573560d9ff4a32e4cd717521dfe3105b0abaec139d34c00ce51cf7ca65c5a2235a3deaa755f157923cdd6d30d02371ae4d07bdb3ce08157d71419
-
Filesize
3.8MB
MD57d27ec5f0c753d6968efcbb9d90e60e7
SHA10b934d310fb9bf7ef04addd2a135b8441b8ca241
SHA256b5e5be2e891c665402f992457b06743f6f6b6eb64650da6a56e3d2d971b95173
SHA5120510f81353fffd041510574d0fb184cae067b3aa459115e64e68e597b4ede511fe4c35125f0a85eb99bd8a32fffd49f4c56725cb26dd77d44a5941a4a5249910
-
Filesize
256KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB