Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2024 17:32
Static task: static1
Behavioral task: behavioral1 (Sample: peak.exe, Resource: win7-20240220-en)
Behavioral task: behavioral2 (Sample: peak.exe, Resource: win10v2004-20240226-en)
General
- Target: peak.exe
- Size: 8.1MB
- MD5: 6216754d616e11771cc50fff0191e270
- SHA1: 7d9d187690845a8bbc9a300fdc6e7a51d411b08b
- SHA256: 72c8c3dd1f471377a5e1f7bd7fc0345b7c90a2b4f2b95b31532161c269dcc0fd
- SHA512: 471fb4068fa6fdd20e1dc88a24bb9c22cf12d5422dbecc29b174070af0be6f5195800ad597e398ffe179604a4aa2518f0ec27bd2cf7dc8a395ef00dcd3a6c803
- SSDEEP: 196608:jTQs1gi/7DMLibCjMAhT7oarL1VnnvbWFTbPfiXr:jT+i/7DM+byHwSZTC/X
Malware Config
Signatures
- AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET.
- AgentTesla payload 1 IoCs
Processes:
  resource: behavioral2/memory/4648-19-0x0000000006E30000-0x0000000007042000-memory.dmp
  yara_rule: family_agenttesla
The only family match is on a memory dump (the 2.1MB region at 0x06E30000 in pid 4648), not on the 8.1MB file itself, so treat the file on disk as the outer stage and that dumped region as the point where the AgentTesla code becomes visible; it is the region to carve and decode for configuration.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
VirtualBox ships ACPI tables whose OEM ID is VBOX__, so the key HARDWARE\ACPI\DSDT\VBOX__ exists only inside a VirtualBox guest; a successful open is enough for the sample to conclude it is being analysed.
Processes:
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (peak.exe)
- Downloads MZ/PE file
- Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments: hypervisors and sandbox images commonly leave vendor strings (VBOX, VMware, QEMU, Bochs) in these values.
Processes:
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (peak.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (peak.exe)
- Checks whether UAC is enabled
EnableLUA is 0 when UAC is switched off; malware reads it to decide whether an elevation attempt will prompt the user.
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (peak.exe)
- Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
- Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system. The evidence here is only a handle to the raw disk opened with write access; the report does not show a write to sector 0. Handles to PhysicalDrive0 are also opened by code that only issues IOCTLs against the device (for example to read the disk serial for victim fingerprinting), so confirm an actual write at offset 0 of the device before treating this as a bootkit.
Processes:
  File opened for modification: \??\PhysicalDrive0 (peak.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
NtSetInformationThread with the ThreadHideFromDebugger class (0x11) stops the kernel from delivering that thread's debug events to an attached debugger; an exception or breakpoint on a hidden thread then terminates the process instead of stopping in the debugger. This is a standard packer anti-debug step, consistent with the outer stage being a loader.
Processes:
  pid 4648 peak.exe
- Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (peak.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (peak.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (peak.exe)
- Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid 4648 peak.exe (the same process for all 64 IoCs)
- Suspicious use of AdjustPrivilegeToken 1 IoCs
SeDebugPrivilege lets a process open any other process regardless of its ACL; enabling it in the token is the usual precursor to reading another process's memory or injecting into it.
Processes:
  Token: SeDebugPrivilege, pid 4648 peak.exe
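The registry signatures above are all produced the same way: each registry operation the process performs is matched against key-path patterns, and the matches are grouped per signature with an IoC count. The following is an added example, not the sandbox vendor's own signature engine, that runs that classification over the registry IoCs listed in this report. The rule patterns and the ATT&CK technique IDs next to them are my own mapping (the page gives TTP counts but not the technique names); unmatched paths are returned separately so gaps in the rule set stay visible.

```python
import re

# Registry IoCs copied from the Signatures section of the report (all pid 4648, peak.exe),
# as (operation, key path) pairs.
REPORT_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion"),
]

# Rule table. Assumption: these patterns are my approximation of what the sandbox matches,
# and the ATT&CK IDs are the techniques I would map each signature to; the page lists none.
HKLM = r"^\\REGISTRY\\MACHINE\\"
RULES = [
    ("anti_vm_virtualbox_acpi", "T1497.001",
     re.compile(HKLM + r"HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("bios_version_check", "T1497.001",
     re.compile(HKLM + r"HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("uac_enabled_check", "T1548.002",
     re.compile(HKLM + r"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA$", re.I)),
    ("system_info_enum", "T1082",
     re.compile(HKLM + r"HARDWARE\\DESCRIPTION\\System\\BIOS(\\[^\\]+)?$", re.I)),
]


def classify(events):
    """Match each registry event against RULES.

    Returns (hits, unmatched): hits maps rule name -> (technique, [matched paths]);
    unmatched lists (operation, path) pairs that no rule explains.
    """
    hits, unmatched = {}, []
    for op, path in events:
        matched = False
        for name, technique, pattern in RULES:
            if pattern.search(path):
                hits.setdefault(name, (technique, []))[1].append(path)
                matched = True
        if not matched:
            unmatched.append((op, path))
    return hits, unmatched


def summarize(events):
    """Rule name -> IoC count, the same shape as the report's 'N IoCs' counters."""
    hits, _ = classify(events)
    return {name: len(paths) for name, (_, paths) in hits.items()}


if __name__ == "__main__":
    hits, unmatched = classify(REPORT_EVENTS)
    for name, (technique, paths) in hits.items():
        print(f"{name} ({technique}): {len(paths)} IoCs")
        for p in paths:
            print("   ", p)
    print("unmatched:", unmatched)
```

Run against the report's events this reproduces the per-signature counts shown above (1, 2, 1 and 3 IoCs) with nothing left unmatched; feeding it a full registry trace from a sandbox run shows which keys the rule set does not yet cover.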
Processes
- C:\Users\Admin\AppData\Local\Temp\peak.exe (pid 4648)
  command line: "C:\Users\Admin\AppData\Local\Temp\peak.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (listed at the same level as peak.exe, not as its child; no signatures attached)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2260,i,9938964625802268469,1928462186077019554,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/4648-0-0x0000000000860000-0x0000000001704000-memory.dmp (14.6MB)
- memory/4648-1-0x0000000077850000-0x0000000077940000-memory.dmp (960KB)
- memory/4648-2-0x0000000077850000-0x0000000077940000-memory.dmp (960KB)
- memory/4648-4-0x0000000077850000-0x0000000077940000-memory.dmp (960KB)
- memory/4648-3-0x0000000077850000-0x0000000077940000-memory.dmp (960KB)
- memory/4648-6-0x00000000779C4000-0x00000000779C6000-memory.dmp (8KB)
- memory/4648-5-0x0000000077850000-0x0000000077940000-memory.dmp (960KB)
- memory/4648-11-0x0000000000860000-0x0000000001704000-memory.dmp (14.6MB)
- memory/4648-14-0x0000000000860000-0x0000000001704000-memory.dmp (14.6MB)
- memory/4648-13-0x0000000000860000-0x0000000001704000-memory.dmp (14.6MB)
- memory/4648-15-0x0000000006880000-0x0000000006E24000-memory.dmp (5.6MB)
- memory/4648-16-0x0000000006220000-0x00000000062B2000-memory.dmp (584KB)
- memory/4648-17-0x0000000006170000-0x0000000006180000-memory.dmp (64KB)
- memory/4648-18-0x0000000006510000-0x000000000651A000-memory.dmp (40KB)
- memory/4648-19-0x0000000006E30000-0x0000000007042000-memory.dmp (2.1MB, family_agenttesla YARA hit)
- memory/4648-20-0x0000000077850000-0x0000000077940000-memory.dmp (960KB)
- memory/4648-21-0x00000000099C0000-0x00000000099CA000-memory.dmp (40KB)
- memory/4648-22-0x00000000099F0000-0x0000000009A0A000-memory.dmp (104KB)
- memory/4648-23-0x0000000009A10000-0x0000000009AC2000-memory.dmp (712KB)
- memory/4648-24-0x0000000009B30000-0x0000000009B52000-memory.dmp (136KB)
- memory/4648-25-0x0000000009B60000-0x0000000009EB4000-memory.dmp (3.3MB)
- memory/4648-26-0x0000000077850000-0x0000000077940000-memory.dmp (960KB)
- memory/4648-28-0x0000000077850000-0x0000000077940000-memory.dmp (960KB)
- memory/4648-29-0x0000000077850000-0x0000000077940000-memory.dmp (960KB)
- memory/4648-30-0x0000000006170000-0x0000000006180000-memory.dmp (64KB)
- memory/4648-32-0x0000000006170000-0x0000000006180000-memory.dmp (64KB)
- memory/4648-35-0x0000000006170000-0x0000000006180000-memory.dmp (64KB)
- memory/4648-41-0x0000000001C00000-0x0000000001C22000-memory.dmp (136KB)
- memory/4648-42-0x0000000009650000-0x00000000096B6000-memory.dmp (408KB)
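Each dump name above encodes the pid, a sequence number and the virtual address range that was captured, so the list can be worked with without downloading anything: the range gives the region size, repeated ranges show which regions were dumped several times, and the region carrying the family_agenttesla hit (sequence 19) can be checked against the main image region (sequence 0). The following is an added example, not the sandbox's own tooling, that parses a subset of the entries copied from the list above; the name format is inferred from those entries, and the size formatter mirrors how the report prints sizes (whole KB below 1 MiB, one decimal MB above), which is my reading of the numbers, not a documented rule.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Subset of the Downloads entries copied from the report (pid 4648, peak.exe),
# as (dump name, filesize as printed by the sandbox).
REPORT_DUMPS = [
    ("memory/4648-0-0x0000000000860000-0x0000000001704000-memory.dmp", "14.6MB"),
    ("memory/4648-1-0x0000000077850000-0x0000000077940000-memory.dmp", "960KB"),
    ("memory/4648-6-0x00000000779C4000-0x00000000779C6000-memory.dmp", "8KB"),
    ("memory/4648-11-0x0000000000860000-0x0000000001704000-memory.dmp", "14.6MB"),
    ("memory/4648-15-0x0000000006880000-0x0000000006E24000-memory.dmp", "5.6MB"),
    ("memory/4648-19-0x0000000006E30000-0x0000000007042000-memory.dmp", "2.1MB"),
    ("memory/4648-20-0x0000000077850000-0x0000000077940000-memory.dmp", "960KB"),
    ("memory/4648-25-0x0000000009B60000-0x0000000009EB4000-memory.dmp", "3.3MB"),
    ("memory/4648-42-0x0000000009650000-0x00000000096B6000-memory.dmp", "408KB"),
]

# Name format inferred from the report: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class Dump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump(name: str) -> Dump:
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    d = Dump(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))
    if d.end <= d.start:
        raise ValueError(f"end address not above start in {name!r}")
    return d


def human_size(n: int) -> str:
    """Format as the report does: whole KB below 1 MiB, one decimal MB above."""
    if n < 1 << 20:
        return f"{n // 1024}KB"
    return f"{n / (1 << 20):.1f}MB"


def check_sizes(entries):
    """Return (name, printed, computed) for dumps whose printed size disagrees with the range."""
    bad = []
    for name, printed in entries:
        computed = human_size(parse_dump(name).size)
        if computed != printed:
            bad.append((name, printed, computed))
    return bad


def distinct_regions(entries):
    """Collapse repeated dumps of one range; returns [(start, end, times dumped)] by address."""
    counts = Counter((d.start, d.end) for d in (parse_dump(n) for n, _ in entries))
    return sorted((s, e, c) for (s, e), c in counts.items())


def overlaps(a: Dump, b: Dump) -> bool:
    return a.start < b.end and b.start < a.end


def region_for(entries, seq: int) -> Dump:
    for name, _ in entries:
        d = parse_dump(name)
        if d.seq == seq:
            return d
    raise KeyError(seq)


if __name__ == "__main__":
    for s, e, c in distinct_regions(REPORT_DUMPS):
        print(f"0x{s:08X}-0x{e:08X} {human_size(e - s):>8} dumped {c}x")
    hit, image = region_for(REPORT_DUMPS, 19), region_for(REPORT_DUMPS, 0)
    print("YARA-hit region lies inside the main image region:", overlaps(hit, image))
    print("size mismatches:", check_sizes(REPORT_DUMPS))
```

For this report the computed sizes agree with every printed size, and the 2.1MB region at 0x06E30000 that matched family_agenttesla does not overlap the 14.6MB image region at 0x00860000, which is what you expect from a loader that allocates and fills a separate region with the decoded payload; if the hit had landed inside the image region the family code would have been present in the file as loaded.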