Analysis
max time kernel: 34s
max time network: 86s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-09-2023 14:02
Static task: static1
Behavioral task: behavioral1
Sample: 1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
Resource: win10v2004-20230915-en
General
Target: 1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
Size: 1.3MB
MD5: 5d86018377d9cf83e6e2c08fd9fd60d3
SHA1: 3ae1897f221aa5893f8aff0bfd79666f8ba2236f
SHA256: 1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3
SHA512: d2ea45f5f6aa1561468ff5657d6b9cfc1fe3168621dde2706423cf26c12a8c5a0fa920275bc2a7294d341e39da71493975b0c4632701d4629966b1a058b52fb7
SSDEEP: 24576:YkzJBUqX3qbkN6s2P2VElQJyNmXy76p7ZUgSb2H8KZ/L2zZnJf+MCFL3:YkNBH16sVOy0NmXIgSudT2teL
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.
-
Snake Keylogger
Keylogger and infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
  resource: behavioral1/memory/5008-7-0x0000000000400000-0x0000000000466000-memory.dmp
  yara_rule: family_snakekeylogger
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation  (process: 1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation  (process: 1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe)
  (one query per instance of the sample; both PID 4344 and PID 5008 carry this tag in the process tree)
-
Executes dropped EXE 2 IoCs
Processes:
  pid 3052  frankdan.exe
  pid 2124  svchost.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 104  api.ipify.org
  flow 105  api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  PID 4344 (1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe) set thread context of PID 5008 (1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  pid 3052  frankdan.exe  (3 events)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  Token: SeDebugPrivilege  pid 3052  frankdan.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
  (sample = 1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe)
  PID 4344 (sample) wrote to memory of PID 5008 (sample)        x8
  PID 5008 (sample) wrote to memory of PID 3052 (frankdan.exe)  x3
  PID 4344 (sample) wrote to memory of PID 2124 (svchost.exe)   x3
  PID 4344 (sample) wrote to memory of PID 3352 (cmd.exe)       x3
  PID 4344 (sample) wrote to memory of PID 4552 (cmd.exe)       x3
  PID 4344 (sample) wrote to memory of PID 4548 (cmd.exe)       x3
Processes (tree depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4344
  [2] C:\Users\Admin\AppData\Local\Temp\1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID: 5008
    [3] C:\Users\Admin\AppData\Roaming\frankdan.exe
        cmd: "C:\Users\Admin\AppData\Roaming\frankdan.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3052
  [2] C:\Users\Admin\AppData\Local\Temp\svchost.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      PID: 2124
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd: "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      PID: 3352
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd: "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      PID: 4548
  [2] C:\Windows\SysWOW64\cmd.exe
      cmd: "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      PID: 4552
    [3] C:\Windows\SysWOW64\schtasks.exe
        cmd: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        - Creates scheduled task(s)
        PID: 4056
[1] C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
    cmd: C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
    PID: 4816
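The process tree above shows three detectable behaviours: the sample re-launching its own image and writing into it (the SetThreadContext/WriteProcessMemory pair between PID 4344 and 5008, the shape of process hollowing), a binary named svchost.exe executing from AppData (PIDs 2124 and 4816), and a schtasks /create with a one-minute MINUTE trigger pointing at a user-writable copy of the sample (PIDs 4552 and 4056). The following Python is an example added here, not code from the sandbox report or from the sample; it runs those three checks over Sysmon-style process-creation records constructed to mirror the tree. The record field names, the 5-minute interval threshold, and the parents of PID 4344 (explorer.exe) and PID 4816 (the Task Scheduler's System32\svchost.exe), which the report does not show, are assumptions.

```python
"""Three detection checks over process-creation records (example added to this
report; not the report's or the sample's code). Field names and thresholds are
assumptions, see the lead-in."""
import re
from typing import Dict, List, Optional, Tuple

# Where Windows' own svchost.exe and friends legitimately live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# User-writable locations: a task target or a self-spawn from here is suspicious.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
MAX_MINUTE_INTERVAL = 5  # assumed threshold: /sc minute /mo <= 5 is a watchdog loop

SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
SC_MINUTE = re.compile(r"/sc\s+minute\b(?:.*?/mo\s+(\d+))?", re.I)
TR_ARG = re.compile(r"""/tr\s+["']*([^"']+)""", re.I)   # tolerates /tr "'path'" nesting
TN_ARG = re.compile(r"""/tn\s+["']?([^"'\s]+)""", re.I)


def _dir_of(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def check_masquerade(image: str) -> Optional[str]:
    """System-binary name running outside System32/SysWOW64."""
    name = _basename(image)
    if name in SYSTEM_BINARIES and not _dir_of(image).startswith(SYSTEM_DIRS):
        return f"{name} running from non-system path {image}"
    return None


def check_self_spawn(image: str, parent_image: str) -> Optional[str]:
    """Same image spawning itself from a user-writable path (hollowing candidate)."""
    if image.lower() == parent_image.lower() and any(d in image.lower() for d in USER_WRITABLE):
        return f"image re-launched itself from {image}"
    return None


def check_task_persistence(command_line: str) -> Optional[str]:
    """schtasks /create with a short MINUTE trigger whose /tr is user-writable."""
    if not SCHTASKS_CREATE.search(command_line):
        return None
    m = SC_MINUTE.search(command_line)
    if not m:
        return None
    interval = int(m.group(1) or 1)  # schtasks defaults /mo to 1 when omitted
    if interval > MAX_MINUTE_INTERVAL:
        return None
    tr = TR_ARG.search(command_line)
    target = tr.group(1).strip() if tr else ""
    if not any(d in target.lower() for d in USER_WRITABLE):
        return None
    tn = TN_ARG.search(command_line)
    return f"task {tn.group(1) if tn else '?'} every {interval} min -> {target}"


def analyze(records: List[Dict]) -> List[Tuple[int, str, str]]:
    hits = []
    for r in records:
        for rule, detail in (
            ("masquerade", check_masquerade(r["image"])),
            ("self_spawn", check_self_spawn(r["image"], r["parent_image"])),
            ("task_persistence", check_task_persistence(r["command_line"])),
        ):
            if detail:
                hits.append((r["pid"], rule, detail))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe"
DROP = r"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
TASK = f"""schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'{DROP}'" /f"""


def _rec(pid, ppid, image, parent_image, command_line):
    return {"pid": pid, "ppid": ppid, "image": image,
            "parent_image": parent_image, "command_line": command_line}


# Constructed records mirroring the process tree in this report (parents of
# 4344 and 4816 are assumed; the report does not show them).
RECORDS = [
    _rec(4344, 1, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    _rec(5008, 4344, SAMPLE, SAMPLE, f'"{SAMPLE}"'),
    _rec(3052, 5008, r"C:\Users\Admin\AppData\Roaming\frankdan.exe", SAMPLE,
         r'"C:\Users\Admin\AppData\Roaming\frankdan.exe"'),
    _rec(2124, 4344, r"C:\Users\Admin\AppData\Local\Temp\svchost.exe", SAMPLE,
         r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'),
    _rec(3352, 4344, CMD, SAMPLE, r'"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"'),
    _rec(4548, 4344, CMD, SAMPLE, f'"cmd" /c copy "{SAMPLE}" "{DROP}"'),
    _rec(4552, 4344, CMD, SAMPLE, f'"cmd" /c {TASK}'),
    _rec(4056, 4552, r"C:\Windows\SysWOW64\schtasks.exe", CMD, TASK),
    _rec(4816, 900, DROP, r"C:\Windows\System32\svchost.exe", DROP),
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(RECORDS):
        print(f"{pid:>5}  {rule:<17} {detail}")
```

Run stand-alone it reports five hits: 5008 (self_spawn), 2124 and 4816 (masquerade), 4552 and 4056 (task_persistence). The masquerade check deliberately keys on the basename rather than the task name "Nafifas", since the task name is sample-specific while dropping a binary called svchost.exe into AppData is the reusable part of the technique; the self-spawn check is only a candidate signal and should be confirmed with the SetThreadContext and WriteProcessMemory events the report lists.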
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1c1a28fdaac92ef8a7f6032dd94cdc56a690fc78c99910a5b78709435ea992f3.exe.log
  (usage log written by the .NET Framework 4 runtime for a 32-bit process; consistent with a .NET sample)
  Filesize: 226B
  MD5: 916851e072fbabc4796d8916c5131092
  SHA1: d48a602229a690c512d5fdaf4c8d77547a88e7a2
  SHA256: 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
  SHA512: 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
(path not shown in report; listed three times with identical hashes)
  Filesize: 621KB
  MD5: ed9d91fe584d5109d4067734ac452753
  SHA1: c277e57866833509d94787fc6f4d634a2714825d
  SHA256: 3629ed9b94ae5d0f2659d02dcb7ce258cb5c2497d5bf18f3c4fed78878fba030
  SHA512: a6603acb550b897ec91b5c57b3034b8fd44ad9d675662aade0a078771b533b28e320c12c063c4ae48bfb23e8dfc85f304679458ea111db2e737043af0261bb1a
(path not shown in report; listed three times with identical hashes)
  Filesize: 247KB
  MD5: e254aed552568e13df13e204adcb8011
  SHA1: 18deaf67ac2a3ae2be3d3e620f650cb6edcba92a
  SHA256: 23b22ca7ca4272afba9114cc3da4316c38c2407574cb1649aa549c9a7e792ae5
  SHA512: f89aa1487f6c1c2e9a3b76de8137b56da65c1d2df6f40439c0da4726478a11fbea83f7c3ad0530e12a1fb0cd808062d8f2a915879c0d5e210f3340138ace8c3f
(path not shown in report)
  Filesize: 512KB
  MD5: 759c682fca9861c8d5d19115246a2058
  SHA1: 310ffb4e173f48bbab63eeb2b2a4dc035a635b76
  SHA256: 337c6bac94edd2e6e287f904ed5ca916a99b6a9536d061577da3f5d241973fae
  SHA512: 9539b6bfa9231bcf68c939d2b21384c6310500844a651546eec4009cf552c4219ab83bb1c88b32438d656081a357cfb2a1eedc36ad14b01b53b128f88f289b08
(path not shown in report)
  Filesize: 19KB
  MD5: dcb319fdf88cb59fde6b7eaed942f0a1
  SHA1: 6f74cf3a87a099a8c6520ccf9895c4e63d5dae01
  SHA256: da06cdad222df54d7011531f61b46f7006756a33dd52205ec8a788b0e376372c
  SHA512: 45e2e55c6ff8e780667056d3e0acd187dfc606493a9cbef2b288ac479fe8d30902ad6f85e2bf0c8fc2cd6305614abff0c01ab76c9305cce529a54e28c071cc54