Analysis
max time kernel: 169s
max time network: 177s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-03-2024 21:19
Static task: static1
Behavioral task: behavioral1 (sample e01f1380aeb3502ac454470540ad53c5.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample e01f1380aeb3502ac454470540ad53c5.exe, resource win10v2004-20240226-en)
The signatures, process tree and memory dumps below come from behavioral2, the Windows 10 run named in the header.
General
Target: e01f1380aeb3502ac454470540ad53c5.exe
Size: 1.3MB
MD5: e01f1380aeb3502ac454470540ad53c5
SHA1: 6da056bd6c1c4b0f34f5d7ceff58398729eb9129
SHA256: bbd2977d69441d934917ec16e2adf08db3a5ba8a55d2800edff5715dbcb80a23
SHA512: dbc5ac80248b4cc81390bd9b07150156373925b608657c4db907658ad7190a80e629903ecb7f0949e557ac28321f84bd88421643b96d2a62fc3cfb5953cd4267
SSDEEP: 24576:VCvxKFksKksqv7JvZI14dCp9fLSUNBOvx5y8jP8N6ZxHaE75/dZZ:VCvxKXJvZIJfLl7YEN6Zxb
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.vivaldi.net
Port: 587
Username: [email protected]
Password: 67968664JeBlachqwin
These are the exfiltration credentials recovered from the sample: AgentTesla sends its harvested credentials, keystrokes and screenshots as e-mail through this account, so smtp.vivaldi.net on port 587 (the mail submission port) is the network indicator to hunt for.
Signatures
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer. This build ran under the 32-bit .NET 2.0 CLR (see the CLR_v2.0_32 usage log under Downloads).
AgentTesla payload (1 IoC)
Processes:
  resource: behavioral2/memory/1512-11-0x0000000000400000-0x000000000043C000-memory.dmp; yara_rule: family_agenttesla
The match is in the memory of PID 1512, the second copy of the sample, not in the file on disk: the 240KB image at 0x400000 is the unpacked payload the parent process wrote into it (see SetThreadContext and WriteProcessMemory below).
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence (the sample can exit when the victim's region is one its operator excludes). \REGISTRY\USER\<SID>\ is HKEY_CURRENT_USER of the logged-on user.
Processes: e01f1380aeb3502ac454470540ad53c5.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation (e01f1380aeb3502ac454470540ad53c5.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes: e01f1380aeb3502ac454470540ad53c5.exe
  PID 2360 set thread context of 1512 (e01f1380aeb3502ac454470540ad53c5.exe -> e01f1380aeb3502ac454470540ad53c5.exe)
The parent started a second copy of itself, wrote into it eight times (see WriteProcessMemory below) and then reset the new process's thread context so it resumes inside the written code. That is the RunPE / process-hollowing sequence: the on-disk file is a loader, and the real AgentTesla payload exists only in the memory of PID 1512.
Drops file in Windows directory (1 IoC)
Processes: dw20.exe
  File created: C:\Windows\AppCompat\Programs\Amcache.hve.tmp (dw20.exe)
dw20.exe is the .NET Framework 2.0 error-reporting shim (C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe), which the CLR launches when a managed application hits an unhandled exception. It was started by the hollowed child, PID 1512, so the injected payload crashed during this run; the Amcache write is a side effect of that crash-report path, not behaviour of the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). No IoC was attributed to a specific process for this signature.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: dw20.exe
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (dw20.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (dw20.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (dw20.exe)
All three reads are by dw20.exe, the error-reporting shim, which collects CPU details for the crash report. They are not sandbox checks by the sample; treat this signature as noise here.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the parent (PID 2360) ran schtasks.exe /Create /TN "Updates\bspspeOPHY" /XML with a task definition it dropped to C:\Users\Admin\AppData\Local\Temp\tmp95D2.tmp (hashes under Downloads). A random name under an "Updates" task folder, defined from an XML file in %TEMP%, is the persistence pattern to hunt for.
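As an added example (not code from the report or from the sandbox), the Python below shows how to triage a task definition like the one passed to schtasks /XML above. The report lists only the size and hashes of tmp95D2.tmp, so the XML bodies here are constructed: one mimicking a dropped task (hidden, logon trigger, action under AppData) and one benign built-in task for contrast. The `Updates\<letters>` name pattern, the list of user-writable directories and the benign task's name are heuristics taken from this sample and from common Windows layout, not a general rule.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by schtasks /Create /XML.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definitions (the real tmp95D2.tmp is not in the report).
DROPPED_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <StartWhenAvailable>true</StartWhenAvailable>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Roaming\bspspeOPHY.exe</Command>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><Enabled>true</Enabled></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Directories a standard user can write to; a persistence action living there
# is the usual give-away. Heuristic list (assumption), extend for your estate.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Shape of the name this sample used: random letters under an "Updates" folder.
RANDOM_UPDATES_NAME = re.compile(r"^Updates\\[A-Za-z]{6,16}$")


def triage_task(xml_text, task_name):
    """Return the facts an analyst wants from a task XML plus why it looks bad."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [] if triggers_el is None else [
        el.tag.rsplit("}", 1)[-1] for el in triggers_el]
    commands = [c.text or "" for c in root.iterfind(".//t:Exec/t:Command", NS)]
    hidden = root.findtext("t:Settings/t:Hidden", default="false",
                           namespaces=NS).strip().lower() == "true"
    reasons = []
    if any(USER_WRITABLE.search(c) for c in commands):
        reasons.append("action runs from a user-writable directory")
    if hidden:
        reasons.append("task is hidden from the Task Scheduler UI")
    if RANDOM_UPDATES_NAME.match(task_name):
        reasons.append("name matches the Updates\\<random> pattern")
    if "LogonTrigger" in triggers and reasons:
        reasons.append("runs at every logon")
    return {"task": task_name, "triggers": triggers, "commands": commands,
            "hidden": hidden, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    print(triage_task(DROPPED_TASK_XML, r"Updates\bspspeOPHY"))
    print(triage_task(BENIGN_TASK_XML, r"Microsoft\Windows\Defrag\ScheduledDefrag"))
```

On a live host the definition of an existing task can be exported with `schtasks /Query /TN "Updates\bspspeOPHY" /XML` and fed to triage_task; the dropped XML itself is usually deleted from %TEMP% after registration, so the registered task is the durable artefact.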
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: dw20.exe
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (dw20.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (dw20.exe)
As with the processor reads, these come from dw20.exe building its crash report, not from the sample.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: e01f1380aeb3502ac454470540ad53c5.exe
  PID 2360 e01f1380aeb3502ac454470540ad53c5.exe (2 hits)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: e01f1380aeb3502ac454470540ad53c5.exe, dw20.exe
  Token: SeDebugPrivilege, PID 2360 e01f1380aeb3502ac454470540ad53c5.exe
  Token: SeRestorePrivilege, PID 2036 dw20.exe
  Token: SeBackupPrivilege, PID 2036 dw20.exe (4 times)
The sample enabling SeDebugPrivilege fits the injection it performs next; the backup and restore privileges belong to dw20.exe.
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: e01f1380aeb3502ac454470540ad53c5.exe (PID 2360), e01f1380aeb3502ac454470540ad53c5.exe (PID 1512)
  PID 2360 wrote to memory of 2812 (e01f1380aeb3502ac454470540ad53c5.exe -> schtasks.exe), 3 times
  PID 2360 wrote to memory of 1512 (e01f1380aeb3502ac454470540ad53c5.exe -> e01f1380aeb3502ac454470540ad53c5.exe), 8 times
  PID 1512 wrote to memory of 2036 (e01f1380aeb3502ac454470540ad53c5.exe -> dw20.exe), 3 times
The two or three writes into schtasks.exe and dw20.exe are what creating a child process produces and are not injection; the eight writes into PID 1512, combined with the SetThreadContext call above, are the payload being mapped into the hollowed copy.
Processes
C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe (PID 2360, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (PID 2812, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bspspeOPHY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp95D2.tmp"
    - Creates scheduled task(s)
    (The command line names System32 but the image that ran is under SysWOW64: the 32-bit parent is subject to WOW64 file-system redirection.)
  C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe (PID 1512, level 2, hollowed copy)
    Command line: "C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 2036, level 3)
      Command line: dw20.exe -x -s 784
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
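As an added example (not part of the sandbox report), the hollowing chain in this process tree can be pulled out of the report's own IoC lines. The Python below parses the "set thread context of" and "wrote to memory of" lines copied from the signatures above, pairs injector and target, and only flags a pair when both a thread-context reset and a run of memory writes hit the same target. The write threshold of four is an assumption chosen to separate the eight payload writes from the two or three writes ordinary process creation produces; the line format is the one printed in this report.

```python
import re
from collections import defaultdict

SAMPLE = "e01f1380aeb3502ac454470540ad53c5.exe"

# IoC lines as they appear in the report's SetThreadContext and
# WriteProcessMemory signatures. The sandbox logs one line per API call,
# so the repeats are real repeated calls, reproduced here with counts.
REPORT_IOCS = (
    f"PID 2360 set thread context of 1512 2360 {SAMPLE} {SAMPLE}\n"
    + f"PID 2360 wrote to memory of 2812 2360 {SAMPLE} schtasks.exe\n" * 3
    + f"PID 2360 wrote to memory of 1512 2360 {SAMPLE} {SAMPLE}\n" * 8
    + f"PID 1512 wrote to memory of 2036 1512 {SAMPLE} dw20.exe\n" * 3
)

# "PID <src> <action> of <dst> <src> <src image> <dst image>"
IOC_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context|wrote to memory) of "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_iocs(text):
    """Yield (src_pid, action, dst_pid, src_image, dst_image) per IoC line."""
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            yield (int(m["src"]), m["action"], int(m["dst"]),
                   m["src_image"], m["dst_image"])


def find_hollowing(text, min_writes=4):
    """Flag injector/target pairs that saw both WriteProcessMemory and
    SetThreadContext. min_writes is an assumed threshold: ordinary
    CreateProcess shows two or three writes and no SetThreadContext, so the
    schtasks.exe and dw20.exe children are not flagged."""
    stats = defaultdict(lambda: {"writes": 0, "set_context": False})
    for src, action, dst, src_img, dst_img in parse_iocs(text):
        key = (src, dst, src_img, dst_img)
        if action == "wrote to memory":
            stats[key]["writes"] += 1
        else:
            stats[key]["set_context"] = True
    findings = []
    for (src, dst, src_img, dst_img), s in stats.items():
        if s["set_context"] and s["writes"] >= min_writes:
            findings.append({
                "injector": src,
                "target": dst,
                "target_image": dst_img,
                "writes": s["writes"],
                # same image on both sides = RunPE-style self-hollowing
                "self_injection": src_img.lower() == dst_img.lower(),
            })
    return findings


def follow_on_targets(text, hollowed_pid):
    """Processes the hollowed process itself later wrote into (here dw20.exe,
    the .NET error-reporting shim, i.e. the payload crashed)."""
    return sorted({(dst, dst_img) for src, _, dst, _, dst_img
                   in parse_iocs(text) if src == hollowed_pid})


if __name__ == "__main__":
    for finding in find_hollowing(REPORT_IOCS):
        print(finding)
        print("follow-on:", follow_on_targets(REPORT_IOCS, finding["target"]))
```

The same pairing logic works on Sysmon or EDR telemetry once the events are normalised to (source PID, action, target PID, images); the point is to key on the combination of writes plus a thread-context change into one target, since either call alone is common in benign software.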
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\e01f1380aeb3502ac454470540ad53c5.exe.log
  Filesize: 496B
  MD5: cb76b18ebed3a9f05a14aed43d35fba6
  SHA1: 836a4b4e351846fca08b84149cb734cb59b8c0d6
  SHA256: 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
  SHA512: 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c
  (Usage log written by the 32-bit .NET 2.0 CLR for the sample; it confirms which runtime the loader targets.)
C:\Users\Admin\AppData\Local\Temp\tmp95D2.tmp
  Filesize: 1KB
  MD5: 11a52aecf0370570fecf043fa46c1f59
  SHA1: 683529109c633655a6c5c8e17919a1c5fb46ac59
  SHA256: f3ad69b15bd0bca12ceb1b0e25bffa4a24d0bc15ff501c5bc61fd711019770ee
  SHA512: 50aef46a59d9a53980602003b9b8f5ea01d86432a3bd4fed06c671f7f50839d4c383b3a60d35585bb4bedba216ff092ff05638418593cbf0c25b4c5dbb511cff
  (Task Scheduler XML passed to schtasks /XML for the Updates\bspspeOPHY task.)
Memory dumps:
  memory/1512-14-0x0000000075390000-0x0000000075941000-memory.dmp: 5.7MB
  memory/1512-11-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB (the region that matched family_agenttesla; the unpacked payload)
  memory/1512-15-0x0000000001040000-0x0000000001050000-memory.dmp: 64KB
  memory/1512-17-0x0000000075390000-0x0000000075941000-memory.dmp: 5.7MB
  memory/1512-24-0x0000000075390000-0x0000000075941000-memory.dmp: 5.7MB
  memory/2360-3-0x0000000075390000-0x0000000075941000-memory.dmp: 5.7MB
  memory/2360-4-0x00000000018F0000-0x0000000001900000-memory.dmp: 64KB
  memory/2360-5-0x00000000018F0000-0x0000000001900000-memory.dmp: 64KB
  memory/2360-2-0x0000000075390000-0x0000000075941000-memory.dmp: 5.7MB
  memory/2360-1-0x00000000018F0000-0x0000000001900000-memory.dmp: 64KB
  memory/2360-0-0x0000000075390000-0x0000000075941000-memory.dmp: 5.7MB
  memory/2360-16-0x0000000075390000-0x0000000075941000-memory.dmp: 5.7MB
The 5.7MB mapping at 0x75390000 is identical in both PIDs, consistent with a shared library rather than payload; the dump worth carving for the AgentTesla configuration is 1512-11.