Analysis Overview
SHA256
651f2668229b6d9e70b599c4321f219ee98a7b86e137c98f596bdd8aff092952
Threat Level: Known bad
The file Debug.rar was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Agenttesla family
AgentTesla payload
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Enumerates system info in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 19:29
Signatures
AgentTesla payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Agenttesla family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 19:29
Reported
2024-04-07 19:34
Platform
win10-20240404-en
Max time kernel
191s
Max time network
265s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1904658062-880901768-3903781817-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Debug.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 19:29
Reported
2024-04-07 19:34
Platform
win10v2004-20240226-en
Max time kernel
250s
Max time network
302s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| N/A | N/A | C:\Windows\kdmapper.exe | N/A |
| N/A | N/A | C:\Windows\kdmapper.exe | N/A |
| N/A | N/A | C:\Windows\kdmapper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\kdmapper.exe | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| File created | C:\Windows\legacyud.sys | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| File opened for modification | C:\Windows\kdmapper.exe | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| File opened for modification | C:\Windows\randomisershit.sys | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| File created | C:\Windows\randomisershit.sys | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2872 wrote to memory of 1328 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2872 wrote to memory of 1328 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 3496 wrote to memory of 1220 | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | C:\Windows\kdmapper.exe |
| PID 3496 wrote to memory of 1220 | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | C:\Windows\kdmapper.exe |
| PID 3496 wrote to memory of 2752 | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | C:\Windows\kdmapper.exe |
| PID 3496 wrote to memory of 2752 | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | C:\Windows\kdmapper.exe |
| PID 3496 wrote to memory of 228 | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | C:\Windows\kdmapper.exe |
| PID 3496 wrote to memory of 228 | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | C:\Windows\kdmapper.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Debug.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Debug.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\Debug\spoofer.exe
"C:\Users\Admin\Desktop\Debug\spoofer.exe"
C:\Windows\kdmapper.exe
"C:\Windows\kdmapper.exe" C:\Windows\randomisershit.sys
C:\Windows\kdmapper.exe
"C:\Windows\kdmapper.exe" C:\Windows\legacyud.sys
C:\Windows\kdmapper.exe
"C:\Windows\kdmapper.exe" C:\Windows\randomisershit.sys
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | legacyud.cdn.zerocdn.com | udp |
| RU | 176.58.48.48:80 | legacyud.cdn.zerocdn.com | tcp |
| US | 8.8.8.8:53 | legacyud.broadway.zerocdn.com | udp |
| US | 185.190.188.207:80 | legacyud.broadway.zerocdn.com | tcp |
| US | 8.8.8.8:53 | legacyud.coliseum.zerocdn.com | udp |
| US | 185.190.188.195:80 | legacyud.coliseum.zerocdn.com | tcp |
| US | 8.8.8.8:53 | 48.48.58.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.188.190.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.188.190.185.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 52.111.243.29:443 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\Debug\spoofer.exe
| Hash | Value |
|---|---|
| MD5 | 21f19140a3b8776b727dd7694104f022 |
| SHA1 | 9da6d5697eb0c502087665b35b8584e56ad2f731 |
| SHA256 | 314e35c83f5f2189825aa4bc0eeaeb422e65ca10e9b72e9d0dc9388ddccaa9f8 |
| SHA512 | a6ca853197f61535bd3a76d3bb66bfdf9f36e1f7eb6bb55052eeb2a790bb49d965c8cd6bc0c6ab26b59defe4ddd7e7e2edf87cfece1a02b758ae3d9632c127aa |
C:\Users\Admin\Desktop\Debug\spoofer.exe.config
| Hash | Value |
|---|---|
| MD5 | 9dbad5517b46f41dbb0d8780b20ab87e |
| SHA1 | ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e |
| SHA256 | 47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf |
| SHA512 | 43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8 |
C:\Users\Admin\Desktop\Debug\Guna.UI2.dll
| Hash | Value |
|---|---|
| MD5 | c19e9e6a4bc1b668d19505a0437e7f7e |
| SHA1 | 73be712aef4baa6e9dabfc237b5c039f62a847fa |
| SHA256 | 9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82 |
| SHA512 | b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de |
C:\Windows\kdmapper.exe
| Hash | Value |
|---|---|
| MD5 | e712f7853f09f263df3c012e4e9fad57 |
| SHA1 | 0cee125bc2f87d9808fd09ddb291f029a6c43dba |
| SHA256 | 990ebe210d7459c86374c5619291981062176930e857312974f89df1f72395a9 |
| SHA512 | 886bb345269f2cb3d97caee8b64e39328fd3bbe35766cfe9e63874bcd69e752b8e15ef54f33c201b4ad32160f954bb9cc096a28134c1b2ad2b10ef0b030dd379 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-07 19:29
Reported
2024-04-07 19:33
Platform
win11-20240221-en
Max time kernel
215s
Max time network
204s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| N/A | N/A | C:\Windows\kdmapper.exe | N/A |
| N/A | N/A | C:\Windows\kdmapper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\kdmapper.exe | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| File created | C:\Windows\randomisershit.sys | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| File created | C:\Windows\kdmapper.exe | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| File opened for modification | C:\Windows\randomisershit.sys | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1340 wrote to memory of 2420 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 1340 wrote to memory of 2420 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 4008 wrote to memory of 1696 | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | C:\Windows\kdmapper.exe |
| PID 4008 wrote to memory of 1696 | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | C:\Windows\kdmapper.exe |
| PID 4008 wrote to memory of 3916 | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | C:\Windows\kdmapper.exe |
| PID 4008 wrote to memory of 3916 | N/A | C:\Users\Admin\Desktop\Debug\spoofer.exe | C:\Windows\kdmapper.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Debug.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Debug.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\Debug\spoofer.exe
"C:\Users\Admin\Desktop\Debug\spoofer.exe"
C:\Windows\kdmapper.exe
"C:\Windows\kdmapper.exe" C:\Windows\randomisershit.sys
C:\Windows\kdmapper.exe
"C:\Windows\kdmapper.exe" C:\Windows\randomisershit.sys
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| RU | 176.58.48.48:80 | legacyud.cdn.zerocdn.com | tcp |
| US | 185.190.188.207:80 | legacyud.broadway.zerocdn.com | tcp |
| US | 185.190.188.195:80 | legacyud.coliseum.zerocdn.com | tcp |
| US | 8.8.8.8:53 | 207.188.190.185.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\Debug\spoofer.exe
| Hash | Value |
|---|---|
| MD5 | 21f19140a3b8776b727dd7694104f022 |
| SHA1 | 9da6d5697eb0c502087665b35b8584e56ad2f731 |
| SHA256 | 314e35c83f5f2189825aa4bc0eeaeb422e65ca10e9b72e9d0dc9388ddccaa9f8 |
| SHA512 | a6ca853197f61535bd3a76d3bb66bfdf9f36e1f7eb6bb55052eeb2a790bb49d965c8cd6bc0c6ab26b59defe4ddd7e7e2edf87cfece1a02b758ae3d9632c127aa |
C:\Users\Admin\Desktop\Debug\spoofer.exe.config
| Hash | Value |
|---|---|
| MD5 | 9dbad5517b46f41dbb0d8780b20ab87e |
| SHA1 | ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e |
| SHA256 | 47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf |
| SHA512 | 43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8 |
C:\Users\Admin\Desktop\Debug\Guna.UI2.dll
| Hash | Value |
|---|---|
| MD5 | c19e9e6a4bc1b668d19505a0437e7f7e |
| SHA1 | 73be712aef4baa6e9dabfc237b5c039f62a847fa |
| SHA256 | 9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82 |
| SHA512 | b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de |
C:\Windows\kdmapper.exe
| Hash | Value |
|---|---|
| MD5 | e712f7853f09f263df3c012e4e9fad57 |
| SHA1 | 0cee125bc2f87d9808fd09ddb291f029a6c43dba |
| SHA256 | 990ebe210d7459c86374c5619291981062176930e857312974f89df1f72395a9 |
| SHA512 | 886bb345269f2cb3d97caee8b64e39328fd3bbe35766cfe9e63874bcd69e752b8e15ef54f33c201b4ad32160f954bb9cc096a28134c1b2ad2b10ef0b030dd379 |