Analysis
max time kernel: 217s
max time network: 229s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24-04-2024 17:14
Static task: static1
Behavioral task: behavioral1
Sample: wiru.exe
Resource: win11-20240412-en
General
Target: wiru.exe
Size: 987KB
MD5: a6455a248e43686bfda50622f2bd82d2
SHA1: de8544085d7969af9c9eda6cc418f26f9b144786
SHA256: a2b803974fcfb65e21fa1a7690eb2a4822f091a8bdf45786e2085c833871d5a0
SHA512: 2820d87ffb9b1088dd61da458e4891d8247a3185099fe195e8fb5d2f8a135607eaf013b43718e347c30f0095bfe581a9e6d0b160ccba86d35dec168ea638aa2e
SSDEEP: 12288:00QxgjNKY/6sBjn+lkNp6MARWch8k6SFkJkgskKA0kZPiDsRyNX5UrLB/ccOTOKw:00Qxgj8Y3n+lQkg6kZPiARysLBOTO+FG
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.oripam.xyz
Port: 587
Username: [email protected]
Password: 1yH[0T=asUG?
Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: wiru.exe
  description                           pid   process   target process
  PID 1728 set thread context of 4520   1728  wiru.exe  CasPol.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: CasPol.exe, msedge.exe, msedge.exe
  pid   process
  4520  CasPol.exe
  4520  CasPol.exe
  1168  msedge.exe
  1168  msedge.exe
  2176  msedge.exe
  2176  msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  Processes: msedge.exe
  pid   process
  2176  msedge.exe  (4 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: wiru.exe, CasPol.exe
  description              pid   process
  Token: SeDebugPrivilege  1728  wiru.exe
  Token: SeDebugPrivilege  4520  CasPol.exe
- Suspicious use of FindShellTrayWindow (26 IoCs)
  Processes: msedge.exe
  pid   process
  2176  msedge.exe  (26 identical entries)
- Suspicious use of SendNotifyMessage (12 IoCs)
  Processes: msedge.exe
  pid   process
  2176  msedge.exe  (12 identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: wiru.exe, msedge.exe
  description                        pid   process     target process  entries
  PID 1728 wrote to memory of 4520   1728  wiru.exe    CasPol.exe      8
  PID 1728 wrote to memory of 3368   1728  wiru.exe    CasPol.exe      3
  PID 2176 wrote to memory of 2624   2176  msedge.exe  msedge.exe      2
  PID 2176 wrote to memory of 5076   2176  msedge.exe  msedge.exe      40
  PID 2176 wrote to memory of 1168   2176  msedge.exe  msedge.exe      2
  PID 2176 wrote to memory of 1960   2176  msedge.exe  msedge.exe      9
Processes
- C:\Users\Admin\AppData\Local\Temp\wiru.exe (PID 1728)
  Command line: "C:\Users\Admin\AppData\Local\Temp\wiru.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 4520)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 3368)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
- C:\Windows\System32\rundll32.exe (PID 3028)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2176)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://run.exe/
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2624)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffa7ea3cb8,0x7fffa7ea3cc8,0x7fffa7ea3cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5076)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1168)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1960)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4352)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4724)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4612)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2412)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9793497345714047331,3732128601254098743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 1268)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 952)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 3e5a2dac1f49835cf442fde4b7f74b88
  SHA1: 7b2cf4e2820f304adf533d43e6d75b3008941f72
  SHA256: 30bd1e1bafb4502c91c1fb568372c0fb046d32a4b732e6b88ce59ea23663e4ce
  SHA512: 933ac835894ce6cb8aac0261153823c96b6abec955173653dd56e534d644efd03aec71acb4f8cb0b9af871962296ec06cd03e570a0ac53098b8cd55657543786
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 6e15af8f29dec1e606c7774ef749eaf2
  SHA1: 15fbec608e4aa6ddd0e7fd8ea64c2e8197345e97
  SHA256: de9124e3fddde204df6a6df22b8b87a51823ba227d3e304a6a6aced9da00c74c
  SHA512: 1c9c9acd158273749e666271a5cdb2a6aebf6e2b43b835ebcc49d5b48490cbbf4deddef08c232417cee33d4809dec9ddac2478765c1f3d7ed8ea7441f5fd1d15
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 49986c7ee635f0a77b74f73839e2980f
  SHA1: 309138269b9a48fc467efada3bd0b87b838ba2f8
  SHA256: 25c921207fa9c6d39c7f7d531b877bd0ea980b9c8563b7e5a01cf6d10b66238c
  SHA512: 3d6cb030310a95a25400ed110f4c9a8c65954b97e53b9ded27e27b836a1805a938340dc0240f719c12a2526124744cc7100a6dc0d46865600bc2bdfdfe0502de
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 845d74cf48f486632c38becd89037272
  SHA1: 7e6228e475ca05ad93e57b6d9b6971f4e98f29d8
  SHA256: cae4930c3ca5eae161e0b7ccacd34d03b2a88e0e8ca355441d4daeb599b2f6e6
  SHA512: 38fa5ac68eeca68aeda3f56b527963d657567cc8d9a69482feaa33271b75643e7f47bcc3824b3a2c2006c79e76e8a68db294fb2e9f2270a7b19ff916f07f7d79
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: aa7a8807579c5eece4be0669ed1cc997
  SHA1: 98ec59fa1ce9375b04dc0026fc157bf12d09ed61
  SHA256: 203b85ee92e4084522d3e53be809ffabe2a74be17c26f89dae5c71717dcb75d6
  SHA512: 4b894b807b9cbe851c4563e3d0da739cef619dd6ccef439be022190745ceef9cad94f1dbe6678734fee0502a51891d39e330346080da48be3239b7bd26e16323
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- \??\pipe\LOCAL\crashpad_2176_HMUCINGUADUEUILE
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/1728-2-0x0000027D4BF90000-0x0000027D4BFA0000-memory.dmp  Filesize: 64KB
- memory/1728-1-0x00007FFFA8370000-0x00007FFFA8E32000-memory.dmp  Filesize: 10.8MB
- memory/1728-3-0x0000027D33450000-0x0000027D334E6000-memory.dmp  Filesize: 600KB
- memory/1728-0-0x0000027D31800000-0x0000027D31868000-memory.dmp  Filesize: 416KB
- memory/1728-9-0x00007FFFA8370000-0x00007FFFA8E32000-memory.dmp  Filesize: 10.8MB
- memory/4520-5-0x0000000074500000-0x0000000074CB1000-memory.dmp  Filesize: 7.7MB
- memory/4520-13-0x0000000074500000-0x0000000074CB1000-memory.dmp  Filesize: 7.7MB
- memory/4520-14-0x0000000005440000-0x0000000005450000-memory.dmp  Filesize: 64KB
- memory/4520-12-0x00000000062D0000-0x00000000062DA000-memory.dmp  Filesize: 40KB
- memory/4520-11-0x0000000006350000-0x00000000063E2000-memory.dmp  Filesize: 584KB
- memory/4520-10-0x0000000006260000-0x00000000062B0000-memory.dmp  Filesize: 320KB
- memory/4520-8-0x0000000005320000-0x0000000005386000-memory.dmp  Filesize: 408KB
- memory/4520-7-0x0000000005440000-0x0000000005450000-memory.dmp  Filesize: 64KB
- memory/4520-6-0x0000000005860000-0x0000000005E06000-memory.dmp  Filesize: 5.6MB
- memory/4520-4-0x0000000000400000-0x0000000000440000-memory.dmp  Filesize: 256KB