Analysis
-
max time kernel
51s -
max time network
42s -
platform
windows11-21h2_x64 -
resource
win11-20240412-en -
resource tags
arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system -
submitted
26-04-2024 11:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
Dist.exe
Resource
win11-20240412-en
windows11-21h2-x64
6 signatures
1800 seconds
General
-
Target
Dist.exe
-
Size
3.6MB
-
MD5
f361f816f04927b3141122a57f2f3f82
-
SHA1
409cf10a30f668bcd1f6becdcc9089849b3d18ac
-
SHA256
0a13e3279eca443d8e25bcc1c7e1bc6701fc4ab4dade37a7a52995a09f33ff39
-
SHA512
f4aee7372d58f8099e6290375d92277a8e8c118941d9c3020bcaa88c8cac6df04b97832b5b412bffe27278e636aa53fd7e9315d473892aadf94a119377dbca02
-
SSDEEP
98304:Ok5IT4bNJFY3Oqt/h+KH4kpc+DX/0H4feb5CE:Ok5jBHYYKYODJebgE
Score
10/10
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1272-3-0x00000211D3AE0000-0x00000211D3CF4000-memory.dmp family_agenttesla -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
Dist.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Dist.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer Dist.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion Dist.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
Dist.exepid process 1272 Dist.exe 1272 Dist.exe 1272 Dist.exe 1272 Dist.exe 1272 Dist.exe 1272 Dist.exe 1272 Dist.exe 1272 Dist.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Dist.exedescription pid process Token: SeDebugPrivilege 1272 Dist.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Dist.exepid process 1272 Dist.exe 1272 Dist.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Dist.exe"C:\Users\Admin\AppData\Local\Temp\Dist.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1272-0-0x00000211B8F80000-0x00000211B9314000-memory.dmpFilesize
3.6MB
-
memory/1272-1-0x00007FF8157B0000-0x00007FF816272000-memory.dmpFilesize
10.8MB
-
memory/1272-2-0x00000211BB040000-0x00000211BB050000-memory.dmpFilesize
64KB
-
memory/1272-3-0x00000211D3AE0000-0x00000211D3CF4000-memory.dmpFilesize
2.1MB
-
memory/1272-4-0x00000211D3CF0000-0x00000211D40F6000-memory.dmpFilesize
4.0MB
-
memory/1272-5-0x00000211BB040000-0x00000211BB050000-memory.dmpFilesize
64KB
-
memory/1272-6-0x00000211BB040000-0x00000211BB050000-memory.dmpFilesize
64KB
-
memory/1272-7-0x00007FF8157B0000-0x00007FF816272000-memory.dmpFilesize
10.8MB