Overview

overview

10

Static

static

3

6646c4e3ca...36.exe

windows7-x64

10

6646c4e3ca...36.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2023 02:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6646c4e3ca0575d05ec45ef1c36b241ff5f0fa8f16583a8f2ee7cd71135ea036.exe

  • Size

    946KB

  • MD5

    722b9c0b2401170906e72f7970890b18

  • SHA1

    cffc47eb0b7bfd9c8837496d65138646e55b2b30

  • SHA256

    6646c4e3ca0575d05ec45ef1c36b241ff5f0fa8f16583a8f2ee7cd71135ea036

  • SHA512

    0d38924a00c708e680655997c1f3323b57c2e0859e56de0a7ae1a9e2687be670e2a9085eb0b546caa52730fb4339a4c2c4ce40389af04fe29b388ba73b90e37c

  • SSDEEP

    24576:A4/uG2q8YKjmeMa55PuVyjcxYKJrasaBSJ1q:A4/uG2gKjmzCRugj2YKksaBj

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6646c4e3ca0575d05ec45ef1c36b241ff5f0fa8f16583a8f2ee7cd71135ea036.exe
    "C:\Users\Admin\AppData\Local\Temp\6646c4e3ca0575d05ec45ef1c36b241ff5f0fa8f16583a8f2ee7cd71135ea036.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6646c4e3ca0575d05ec45ef1c36b241ff5f0fa8f16583a8f2ee7cd71135ea036.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3028
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RfIuSAknkPDA.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2584
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RfIuSAknkPDA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7011.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2680
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7011.tmp
    Filesize

    1KB

    MD5

    f44693096c112b6253eaafa10cc9bc92

    SHA1

    0f126d7fbf63f932eebea25ae4103308df1c02b1

    SHA256

    c26df5c55dfc296e60f91d542972ec7ec2127017147e9f067190b5b3a103a63d

    SHA512

    e4d90b8cb282adb0bdd0e35f50c4ac7e2ffed1b19da2a0dc9fc0a3d701400e0dddea374e0ce2ac996bc196afca49ec73de18adbaebaec9894224f45a54770342

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BDNPXVG686IS7UUQCYE0.temp
    Filesize

    7KB

    MD5

    86415660d048da19526729cfd076990e

    SHA1

    cfba74b69b7fdc203472af7c34777a4823b115e8

    SHA256

    a9e7785d079851e3ad918aba14dfb7ffd7f418be10fdb19e26828771a21dca98

    SHA512

    23a7a0800eab813380ed85cf4157e5b3f8eaa227248065c01ebb0343c7f514e3e6cf52db4bbc033913f87dfb7dbb722b5511738cba9f8fefdae3b0413bcf6665

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    86415660d048da19526729cfd076990e

    SHA1

    cfba74b69b7fdc203472af7c34777a4823b115e8

    SHA256

    a9e7785d079851e3ad918aba14dfb7ffd7f418be10fdb19e26828771a21dca98

    SHA512

    23a7a0800eab813380ed85cf4157e5b3f8eaa227248065c01ebb0343c7f514e3e6cf52db4bbc033913f87dfb7dbb722b5511738cba9f8fefdae3b0413bcf6665

    Download Submit

  • memory/2204-3-0x00000000005B0000-0x00000000005CA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2204-4-0x00000000005E0000-0x00000000005E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2204-5-0x00000000005F0000-0x00000000005FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2204-6-0x00000000056B0000-0x000000000572A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2204-7-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2204-8-0x0000000004980000-0x00000000049C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2204-0-0x0000000001210000-0x0000000001302000-memory.dmp

    Filesize

    968KB

    Download

  • memory/2204-2-0x0000000004980000-0x00000000049C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2204-1-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2204-41-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2504-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2504-36-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2504-46-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2504-42-0x0000000074E00000-0x00000000754EE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2504-43-0x00000000047D0000-0x0000000004810000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2504-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2504-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2504-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2504-32-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2504-40-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2504-38-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2584-22-0x000000006F940000-0x000000006FEEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2584-45-0x000000006F940000-0x000000006FEEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2584-24-0x000000006F940000-0x000000006FEEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3028-21-0x000000006F940000-0x000000006FEEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3028-28-0x0000000002A00000-0x0000000002A40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3028-26-0x000000006F940000-0x000000006FEEB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3028-44-0x000000006F940000-0x000000006FEEB000-memory.dmp

    Filesize

    5.7MB

    Download