Analysis
-
max time kernel
121s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
-
submitted
11-12-2023 08:08
General
-
Target
https://www.mediafire.com/file/vh3m0xwmcvye4gu/INQUIRY+PDF.tgz/file
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6613050989:AAFzqaU0JrKNv_WqHvgGwJ2x2m8dKJc8reM/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1 1 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Executes dropped EXE 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 50 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/vh3m0xwmcvye4gu/INQUIRY+PDF.tgz/file1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9449a46f8,0x7ff9449a4708,0x7ff9449a47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4064 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5755509032704806601,15206703796577785489,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1880 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\INQUIRY PDF.tgz"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\7zO09295ED8\JTIpTAyy1lSKDJd.exe"C:\Users\Admin\AppData\Local\Temp\7zO09295ED8\JTIpTAyy1lSKDJd.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zO09295ED8\JTIpTAyy1lSKDJd.exe"C:\Users\Admin\AppData\Local\Temp\7zO09295ED8\JTIpTAyy1lSKDJd.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
-
Filesize
152B
MD57c89e9212e22e92acc3d335fe9a44fe6
SHA1c43c7e1b5fb58a40a01a6d8dd947c41a48e0b41f
SHA25618c46c863404b31fcce434662806fa34daff0f9af0a9379d898f772b5c398b44
SHA512c6961c171af63ddc7a72aaba4c9d910cc6a424794c416cd1ce51206f7c7f1100ca51c9e41d07d68489105dccded2294c1d761a8dc6be80d22c661014efd6a9ab
-
Filesize
185B
MD5b69adcfb75f2916b35c51474352bb803
SHA1c4646f34326f902dcdd824338e0e9d9ec98c1eca
SHA256ba460330a066edf83b12d01733f71ee2e5a1d9ff657473ce6a02c1d55635d971
SHA5126074e327f9c72839df92f70fc623773128abbe598a6af6ac65f57fdcc94b219a5718721676e5e7c982383861ae40b6cb8a9284f0fa2b0db1c05192ab89fbd36f
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD58a3e44d8e1a5e4bc4619716707429829
SHA147b97b1fd4e268ee5afb09d8b07687604a58448a
SHA2565a617d4ba719386c52c9c49436f4575741e485d5ea86d17086640799f5c1526d
SHA512268b135a1ba7822be335759011c2777ba088ed3a5ff8ebfc6d6f22ada1e96b3f30dd993ff29163b1149133b54b3449556df14ba26e8e462d88c5fa72c3bc12e7
-
Filesize
5KB
MD5a5b03e323d99fd76506eb24139d79611
SHA1af23e5e8d65b4fe9dbfec30d1365a941af10448c
SHA256491dd95f593810a6f5d76001e79e661e252a556a3cede2d79943a08046d48b16
SHA5120c594bbc87e724ee9116f8812b4dafea6a27df42a48359952c1bf79c373beb986f16c5abff818d2ced747bc775aebbcc605057ab120988e2c3276d047bf8b1f0
-
Filesize
24KB
MD5d7b2b29ef1d9a33e61e1167984c8ca3e
SHA19a0da1a3cf9003ecf6aba220a8a00ca34a7ebd34
SHA2567d4bbec0e8bf4e62f352750240a0bc0f7844d58fea590bc6a9fc972c3b752dc2
SHA5123cc40b7e35c0749e419b035a73768c8f76bace77ed44be6a59469a032b643da15162733e5aaa94064494b055858a24e4f79326a863f31f1c28eab44cec35cbec
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD550f5e8432e585da5f07887d6183f7e9f
SHA1db3f3de37807f4cb258cdc660dd58fa08205708e
SHA256a088b9886a95364742f9d7a9b17fa2ed1c87e2e9f04290e0c530aded55a68aa2
SHA5121aa8621e0f85f8dffb369ffdef19ffa7bd37e3347540d0728e561dcb3cda00cc2709d37d498b8987e2537bb6d9fbacc65974549fc901fce2cf8cd6b2581fe0f8
-
Filesize
10KB
MD567f64cc8d492e97286aa755abc16f821
SHA1f821a6cc7e8dfdb3ecd890a94f8f19ad8bc84122
SHA25647833cd46935647cea57ef76baaccc919572934fc351929decca78e0cb453d8e
SHA5120999f72a41ac68497b8b74a7151822723533b7f8a5420b89f8273dcd4ddaf0095e48aaa9f0358230fe3d1a4cfc463995f7bbc241f3d306f219f7130a0e3400ee
-
Filesize
9.3MB
MD597e57625791809040d7f1e752f521191
SHA1e69078dcaecf9ec690b9702e4efc72ef573640ef
SHA256bc3d8184164057c9af87626f5d060d5fb2ec4dde92600a8cb2e565796d46395b
SHA51209a523e0564da24eecffc87afd58a892f6c521b8758d75daaa752e996d62e84b15b7a4868027a0504f2bf8b8cbf4b450f3e5adf301c59fd89ab9e251a159537f
-
Filesize
5.6MB
MD5417e4525e33a7fd6b07e296aea9fed8c
SHA177081eaa2ca95cbc7f8b7afd6202e9da8a6e77d8
SHA256e308bd13c7093cc70139b9c31fd89ba897c7a0e87dd733a811716af30b19f58c
SHA51213b15b98db00d7b688ed4ec39eba1713e6b7d51c00224205b0a8736c10e381dc3a511fa57443f8c72d97d4cdaec469212d2a5fd32d9a35e8cd1f28fadfda450c
-
Filesize
4.9MB
MD57b2fee2a6d3804d5cf8a02c4ac210789
SHA179bf25b9a09a2b03ddde4d85d037f8d1a1c5a862
SHA25627da4daa8a3b1bd32c13a7b51a81598c1662d555b9ec9f2aa3d67f827fb641c2
SHA51252055631eabf7af554ee89aa7e78255170b943f78039ea1c0d73ff87e2b9ddea9cefcd351b5a332aa70c6209c006f5f1d8e27cbf58ac07d67f6c82d5ca22037e
-
Filesize
780KB
MD5f1764667eb1b43477e7fb566bf83c14d
SHA105215d5f67f3a35de73ce67da4c5366478c71345
SHA2568eeafa67555dc253c7c388466c07d157ef9ac21f72b9428091b76e6aff386591
SHA512f6caf09836b67efd7af19890dd1ffd5e31b5e363557d5bed5d859ac900da1260a8c7fce678fb82ef3890e0c68ad7d121534904b561c1dab0adf53f06fc8036c4
-
Filesize
1.5MB
MD588b93edb04dbfb83cfc33cb4f930e521
SHA19b8a4371622fc8ac62708846941c0e38bbd1b2b2
SHA2562d1518e380ad0097d9e3b182bba0d826ffb26000e4aac79000ce3d0df6a8e270
SHA512b5d27f0440ad26fa138c9364b99d1f8476cad450f95ec94e18d3d5e01617bdbb8fa3630392572edaf3d9b3a6a3824984c7334a922df32cede2c72f92140fd56e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
264KB
-
Filesize
320KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
496KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
96KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
720KB