Analysis
- max time kernel: 250s
- max time network: 302s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-04-2024 19:29
Behavioral task behavioral1
- Sample: Debug.rar
- Resource: win10-20240404-en
Behavioral task behavioral2
- Sample: Debug.rar
- Resource: win10v2004-20240226-en
Behavioral task behavioral3
- Sample: Debug.rar
- Resource: win11-20240221-en
General
- Target: Debug.rar
- Size: 703KB
- MD5: 5d00873f5d1dfe75027ec6deb35bb518
- SHA1: b4d448bb0e10be9f5926a567934d8c42e6124afb
- SHA256: 651f2668229b6d9e70b599c4321f219ee98a7b86e137c98f596bdd8aff092952
- SHA512: 80c0a895adb1e33991e173b51f34e8c38e09a5eb9852a66cfbc3871b8ed8df61e3bdb8bfc42727f577a2c441b0c5952e68a6a2905b38f577b8b4fe81d128b453
- SSDEEP: 12288:3aFVmOAhdHxdPLn931grPRhzkZJXNQTIWGk9HzA1ulSg5rpFk2vLTC:qrATxdDgfzEJXGTGkW1kSg7LTu
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3496-20-0x0000000005D80000-0x0000000005F94000-memory.dmp | family_agenttesla
  C:\Users\Admin\Desktop\Debug\Guna.UI2.dll | family_agenttesla
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: cmd.exe, spoofer.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | spoofer.exe
- Executes dropped EXE (4 IoCs)
  Processes: spoofer.exe, kdmapper.exe, kdmapper.exe, kdmapper.exe
  pid | process
  3496 | spoofer.exe
  1220 | kdmapper.exe
  2752 | kdmapper.exe
  228 | kdmapper.exe
- Loads dropped DLL (2 IoCs)
  Processes: spoofer.exe
  pid | process
  3496 | spoofer.exe
  3496 | spoofer.exe
- Drops file in Windows directory (5 IoCs)
  Processes: spoofer.exe
  description | ioc | process
  File created | C:\Windows\kdmapper.exe | spoofer.exe
  File created | C:\Windows\legacyud.sys | spoofer.exe
  File opened for modification | C:\Windows\kdmapper.exe | spoofer.exe
  File opened for modification | C:\Windows\randomisershit.sys | spoofer.exe
  File created | C:\Windows\randomisershit.sys | spoofer.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: spoofer.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | spoofer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | spoofer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | spoofer.exe
- Modifies registry class (1 IoC)
  Processes: cmd.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | cmd.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: 7zFM.exe, spoofer.exe
  description | pid | process
  Token: SeRestorePrivilege | 1328 | 7zFM.exe
  Token: 35 | 1328 | 7zFM.exe
  Token: SeSecurityPrivilege | 1328 | 7zFM.exe
  Token: SeDebugPrivilege | 3496 | spoofer.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: 7zFM.exe
  pid | process
  1328 | 7zFM.exe
  1328 | 7zFM.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: cmd.exe, spoofer.exe
  description | pid | process | target process
  PID 2872 wrote to memory of 1328 | 2872 | cmd.exe | 7zFM.exe
  PID 2872 wrote to memory of 1328 | 2872 | cmd.exe | 7zFM.exe
  PID 3496 wrote to memory of 1220 | 3496 | spoofer.exe | kdmapper.exe
  PID 3496 wrote to memory of 1220 | 3496 | spoofer.exe | kdmapper.exe
  PID 3496 wrote to memory of 2752 | 3496 | spoofer.exe | kdmapper.exe
  PID 3496 wrote to memory of 2752 | 3496 | spoofer.exe | kdmapper.exe
  PID 3496 wrote to memory of 228 | 3496 | spoofer.exe | kdmapper.exe
  PID 3496 wrote to memory of 228 | 3496 | spoofer.exe | kdmapper.exe
Processes
- C:\Windows\system32\cmd.exe (PID 2872)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Debug.rar
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Program Files\7-Zip\7zFM.exe (PID 1328, child of 2872)
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Debug.rar"
    Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\System32\rundll32.exe (PID 4484)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Desktop\Debug\spoofer.exe (PID 3496)
  Command line: "C:\Users\Admin\Desktop\Debug\spoofer.exe"
  Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; Enumerates system info in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\kdmapper.exe (PID 1220, child of 3496)
    Command line: "C:\Windows\kdmapper.exe" C:\Windows\randomisershit.sys
    Signatures: Executes dropped EXE
  - C:\Windows\kdmapper.exe (PID 2752, child of 3496)
    Command line: "C:\Windows\kdmapper.exe" C:\Windows\legacyud.sys
    Signatures: Executes dropped EXE
  - C:\Windows\kdmapper.exe (PID 228, child of 3496)
    Command line: "C:\Windows\kdmapper.exe" C:\Windows\randomisershit.sys
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads