Analysis
- max time kernel: 24s
- max time network: 41s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2024 22:39
Static task: static1
Behavioral task: behavioral1
- Sample: 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
- Resource: win10v2004-20240226-en
General
- Target: 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
- Size: 1.2MB
- MD5: 3c785d4ebfb66ee2896e9794529159bc
- SHA1: ad3d49245fe44b35d6f8004e36bff0c4e4781e62
- SHA256: 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2
- SHA512: 04625cc9db6b6ea26fe313b86c29f2717ce531ec66dbd0c61e90403f2c78f4513959758af2bd571a524cf73c2a9f9a1405cf3a44039ab8e790c467b1930018c3
- SSDEEP: 24576:YqDEvCTbMWu7rQYlBQcBiT6rprG8aOntHSiIs2LLLpJG+aL:YTvC/MTQYxsWR7aOtHDMzG+
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_EXE_Packed_GEN01
  behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_EXE_Packed_GEN01
  behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_EXE_Packed_GEN01
  behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_EXE_Packed_GEN01
  behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp | INDICATOR_EXE_Packed_GEN01
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion. 5 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
  behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
- Detects executables referencing Windows vault credential objects. Observed in infostealers. 5 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. 5 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
- Detects executables referencing many email and collaboration clients. Observed in information stealers. 5 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
- Detects executables referencing many file transfer clients. Observed in information stealers. 5 IoCs
  Processes:
  resource | yara_rule
  behavioral2/memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral2/memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral2/memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral2/memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral2/memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
- Drops startup file. 1 IoCs
  Processes: DADDY 026.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DADDY 026.vbs | DADDY 026.exe
- Executes dropped EXE. 1 IoCs
  Processes: DADDY 026.exe
  pid | process
  1804 | DADDY 026.exe
- AutoIT Executable. 1 IoCs
  AutoIT scripts compiled to PE executables.
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\directory\DADDY 026.exe | autoit_exe
- Suspicious use of SetThreadContext. 1 IoCs
  Processes: DADDY 026.exe
  description | pid | process | target process
  PID 1804 set thread context of 2016 | 1804 | DADDY 026.exe | svchost.exe
- Suspicious behavior: EnumeratesProcesses. 3 IoCs
  Processes: svchost.exe
  pid | process
  2016 | svchost.exe
  2016 | svchost.exe
  2016 | svchost.exe
- Suspicious behavior: MapViewOfSection. 1 IoCs
  Processes: DADDY 026.exe
  pid | process
  1804 | DADDY 026.exe
- Suspicious use of AdjustPrivilegeToken. 1 IoCs
  Processes: svchost.exe
  description | pid | process
  Token: SeDebugPrivilege | 2016 | svchost.exe
- Suspicious use of FindShellTrayWindow. 5 IoCs
  Processes: 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe, DADDY 026.exe
  pid | process
  1380 | 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
  1380 | 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
  1804 | DADDY 026.exe
  1804 | DADDY 026.exe
  1804 | DADDY 026.exe
- Suspicious use of SendNotifyMessage. 5 IoCs
  Processes: 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe, DADDY 026.exe
  pid | process
  1380 | 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
  1380 | 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
  1804 | DADDY 026.exe
  1804 | DADDY 026.exe
  1804 | DADDY 026.exe
- Suspicious use of WriteProcessMemory. 7 IoCs
  Processes: 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe, DADDY 026.exe
  description | pid | process | target process
  PID 1380 wrote to memory of 1804 | 1380 | 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe | DADDY 026.exe
  PID 1380 wrote to memory of 1804 | 1380 | 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe | DADDY 026.exe
  PID 1380 wrote to memory of 1804 | 1380 | 837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe | DADDY 026.exe
  PID 1804 wrote to memory of 2016 | 1804 | DADDY 026.exe | svchost.exe
  PID 1804 wrote to memory of 2016 | 1804 | DADDY 026.exe | svchost.exe
  PID 1804 wrote to memory of 2016 | 1804 | DADDY 026.exe | svchost.exe
  PID 1804 wrote to memory of 2016 | 1804 | DADDY 026.exe | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\directory\DADDY 026.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\lecheries
  Filesize: 321KB
  MD5: a742ccbd6f702405534512db8ee8f682
  SHA1: 076c47cec5ecec6f95af65fe968fa5e3bf89ce96
  SHA256: 620c66203a39c19edf4fb2622b09acc8bb0a35008d76878c6f826c93902c0a8a
  SHA512: 3f06e350def31fa5d07a490a15cfb21eddf529d107e08f304d59db86b7d05240fb54ecf6505a98b2f3b968f375faeacaf4cfff290ea9758e36e65b397ee6d568
- C:\Users\Admin\AppData\Local\Temp\meshummad
  Filesize: 29KB
  MD5: 1ff2550622f09eb6ccb75d9bb6b84cb9
  SHA1: 390af6c9fa2e296501f9e55dbbc5988d9f15e371
  SHA256: 858baf51b3d786c2a565fe5e8a8bfdd10ef1ef4b40a9415e43c8658f8fcb49fb
  SHA512: 089e72c17aa59cbbfef53e7e6598cb7cddf0d446ef130e3cfdc5064d0740c1a98d694bcbb02442eb87c03426e1ec74a5c68c90ae0f4b263d521b21ee514f9c8c
- C:\Users\Admin\AppData\Local\directory\DADDY 026.exe
  Filesize: 109.2MB
  MD5: b27a1f17ec81cc4138e33e69c0e4592d
  SHA1: 7e15c775c627c039efe343cc318109d87e3f1f79
  SHA256: db1dd43ff41c8986d18ab4857f71779677fe348e2302aa533f36753d6f684c9f
  SHA512: 6f846dd78f90e7e50fd17e37f332659bac14341ebda57444f1a3423b89f98263e7b521af1a915d2424c0044d6d17b6884d39b7db572f71aa7e2cc0322d6f92a8
- memory/1380-10-0x0000000001100000-0x0000000001104000-memory.dmp
  Filesize: 16KB
- memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp
  Filesize: 336KB
- memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp
  Filesize: 336KB
- memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp
  Filesize: 336KB
- memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp
  Filesize: 336KB
- memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp
  Filesize: 264KB
- memory/2016-33-0x0000000074750000-0x0000000074F00000-memory.dmp
  Filesize: 7.7MB
- memory/2016-34-0x0000000005DB0000-0x0000000006354000-memory.dmp
  Filesize: 5.6MB