Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2024 14:30
Static task: static1
Behavioral task: behavioral1
Sample: peak.exe
Resource: win7-20240221-en
General
- Target: peak.exe
- Size: 3.7MB
- MD5: eebe3fd6720cabdc477076f054829907
- SHA1: f6056e84297b63c4cdaa5646697492d5705c9080
- SHA256: 7156621a3971908023b30ff150f96f72e9cd757dd0be4b514721c0e688c845cb
- SHA512: 00572e876baa9884e11875e3ef1e4d39a793c1165ffa5c98d8a753c1257f38791fda178483e0693826eff02cba7e8e0ae4b8a979bc505ab33ba763b002c72261
- SSDEEP: 98304:6wyZ0Cj88wMfPwozf3xdhdFUkGETCyukykgV8ja:699bftT3vhA4CyakgV8O
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload (1 IoC)
Processes:
resource | yara_rule
behavioral2/memory/2152-9-0x00000000054C0000-0x00000000056D2000-memory.dmp | family_agenttesla
-
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes: peak.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | peak.exe
-
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes: peak.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | peak.exe
-
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: peak.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | peak.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | peak.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: peak.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | peak.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | peak.exe
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: peak.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | peak.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | peak.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | peak.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: peak.exe
pid | process
2152 | peak.exe (this entry is repeated 64 times in the report)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: peak.exe
description | pid | process
Token: SeDebugPrivilege | 2152 | peak.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\peak.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\peak.exe"
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
memory/2152-0-0x0000000075200000-0x00000000759B0000-memory.dmp
Filesize: 7.7MB
-
memory/2152-1-0x00000000003F0000-0x00000000007B6000-memory.dmp
Filesize: 3.8MB
-
memory/2152-2-0x00000000052A0000-0x00000000052B0000-memory.dmp
Filesize: 64KB
-
memory/2152-3-0x00000000063B0000-0x0000000006736000-memory.dmp
Filesize: 3.5MB
-
memory/2152-4-0x0000000006CF0000-0x0000000007294000-memory.dmp
Filesize: 5.6MB
-
memory/2152-5-0x0000000006740000-0x00000000067D2000-memory.dmp
Filesize: 584KB
-
memory/2152-6-0x00000000067E0000-0x0000000006846000-memory.dmp
Filesize: 408KB
-
memory/2152-8-0x0000000005430000-0x000000000543A000-memory.dmp
Filesize: 40KB
-
memory/2152-7-0x00000000052A0000-0x00000000052B0000-memory.dmp
Filesize: 64KB
-
memory/2152-9-0x00000000054C0000-0x00000000056D2000-memory.dmp
Filesize: 2.1MB
-
memory/2152-11-0x0000000007C20000-0x0000000007C3A000-memory.dmp
Filesize: 104KB
-
memory/2152-10-0x00000000079D0000-0x00000000079DA000-memory.dmp
Filesize: 40KB
-
memory/2152-12-0x0000000007D50000-0x0000000007E02000-memory.dmp
Filesize: 712KB
-
memory/2152-13-0x0000000007E80000-0x0000000007EA2000-memory.dmp
Filesize: 136KB
-
memory/2152-14-0x0000000009240000-0x0000000009594000-memory.dmp
Filesize: 3.3MB
-
memory/2152-15-0x00000000052A0000-0x00000000052B0000-memory.dmp
Filesize: 64KB
-
memory/2152-16-0x0000000075200000-0x00000000759B0000-memory.dmp
Filesize: 7.7MB
-
memory/2152-17-0x00000000052A0000-0x00000000052B0000-memory.dmp
Filesize: 64KB
-
memory/2152-18-0x00000000052A0000-0x00000000052B0000-memory.dmp
Filesize: 64KB
-
memory/2152-19-0x00000000052A0000-0x00000000052B0000-memory.dmp
Filesize: 64KB