Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    27-04-2024 22:37

General

  • Target

    A007 Termbase.msi

  • Size

    26.4MB

  • MD5

    0d74999e3ce596667b1cef92ebac05fa

  • SHA1

    f4cecf3d7f2563b5c74c86f744061e338d2d3421

  • SHA256

    6d0e896d138e1e12f3c29a4fe7b91618774a7aa59fe1a818853d32c8b06786f4

  • SHA512

    e36740d392e751e94f3273d68e6235b03b96ca5f9a63f33ea0a7b3a19545be1cc889aa245c4a85a318e2b36cbcc31c356911476a58d24c9f16f4a18fd419f245

  • SSDEEP

    786432:UeBHVLpoSprl9J1P2nYOWMzgpEH68ppppppppb:U21poSRPynwMzgpEa8ppppppppb

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a .NET remote access tool (RAT) and information stealer, originally written in Visual Basic .NET, that harvests credentials, keystrokes and clipboard contents from the infected host.

  • AgentTesla payload 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI device information (typically under HKLM\HARDWARE\DEVICEMAP\Scsi) is often read to detect virtualised sandboxes, whose disk identifiers carry hypervisor vendor strings. In this run the signature fires on svchost.exe hosting DsmSvc (Device Setup Manager, PID 3716), which reads device information as part of normal installation, so on its own it is not evidence of anti-analysis by the payload.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service manages backups/snapshots. Here it is invoked by the installer: msiexec.exe /V starts srtasks.exe ExecuteScopeRestorePoint to create a System Restore point, which brings up vssvc.exe. The HarddiskVolumeShadowCopy2 and SPP metadata files listed under Downloads are artifacts of that restore point, not files dropped by the payload.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\A007 Termbase.msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4024
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3588
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 109964F7E10A18BED8C2C923C5C2FA22 C
      2⤵
      • Loads dropped DLL
      PID:1088
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:3268
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding BF5C24625A33F6135E45309824739C08
      2⤵
      • Loads dropped DLL
      PID:3800
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:3928
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Checks SCSI registry key(s)
    • Modifies data under HKEY_USERS
    PID:3716
  • C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\A007 Termbase.exe
    "C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\A007 Termbase.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates system info in registry
    PID:1148
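The chain worth alerting on in this tree is msiexec.exe (PID 3588) writing A007 Termbase.exe under %AppData%\Roaming and that file then running as PID 1148, while srtasks.exe and vssvc.exe are ordinary restore-point helpers. The script below is an added example, not part of this report or of the sandbox's own detection logic. It runs that rule over hand-constructed events modelled on the tree: PIDs, images and paths are taken from the page, the field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate), and the file-write events are assumed from the dropped-file list since the report does not record them directly.

```python
"""Flag the installer-to-payload chain visible in the process tree above.

Added example, not part of the sandbox report. The EVENTS list is
constructed by hand to mirror the report's process tree; it is not a real
Sysmon export. Events are assumed to arrive in time order, so a file is
seen being written before it is executed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# PE files written by msiexec into a per-user profile location. Paths such
# as C:\Windows\Installer\*.msi are the installer's own cache and are ignored.
USER_PROFILE_DROP = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.IGNORECASE
)
PE_SUFFIXES = (".exe", ".dll")

# Helpers an MSI install legitimately starts while creating a restore point;
# seeing them under msiexec is expected and is not reported as a finding.
INSTALLER_HELPERS = {
    r"c:\windows\system32\srtasks.exe",
    r"c:\windows\system32\vssvc.exe",
}

# Constructed events (assumption: modelled on the report, not captured data).
EVENTS = [
    {"id": 1, "pid": 4024, "image": r"C:\Windows\system32\msiexec.exe",
     "cmd": r'msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\A007 Termbase.msi"'},
    {"id": 1, "pid": 3588, "image": r"C:\Windows\system32\msiexec.exe",
     "cmd": r"C:\Windows\system32\msiexec.exe /V"},
    {"id": 11, "pid": 3588, "image": r"C:\Windows\system32\msiexec.exe",
     "target": r"C:\Windows\Installer\e57d33e.msi"},
    {"id": 11, "pid": 3588, "image": r"C:\Windows\system32\msiexec.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\A007 Termbase.exe"},
    {"id": 11, "pid": 3588, "image": r"C:\Windows\system32\msiexec.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\Guna.UI2.dll"},
    {"id": 1, "pid": 3268, "image": r"C:\Windows\system32\srtasks.exe",
     "cmd": r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"},
    {"id": 1, "pid": 3928, "image": r"C:\Windows\system32\vssvc.exe",
     "cmd": r"C:\Windows\system32\vssvc.exe"},
    {"id": 1, "pid": 3716, "image": r"C:\Windows\system32\svchost.exe",
     "cmd": r"C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc"},
    {"id": 1, "pid": 1148,
     "image": r"C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\A007 Termbase.exe",
     "cmd": r'"C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\A007 Termbase.exe"'},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def analyse(events: list[dict]) -> list[Finding]:
    """Return findings for PE files msiexec writes into AppData and for any
    later process whose image is one of those files."""
    dropped: dict[str, int] = {}  # lower-cased path -> PID of the writer
    findings: list[Finding] = []
    for ev in events:
        image = ev["image"].lower()
        if ev["id"] == 11 and image.endswith("\\msiexec.exe"):
            target = ev["target"]
            if USER_PROFILE_DROP.match(target) and target.lower().endswith(PE_SUFFIXES):
                dropped[target.lower()] = ev["pid"]
                findings.append(Finding("msiexec_drops_pe_in_appdata", ev["pid"], target))
        elif ev["id"] == 1:
            if image in INSTALLER_HELPERS:
                continue  # restore-point plumbing, expected for an MSI install
            if image in dropped:
                findings.append(Finding("executes_dropped_exe", ev["pid"], ev["image"]))
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(f"{finding.rule}: PID {finding.pid} {finding.detail}")
```

Matching on the full lower-cased path rather than the file name keeps a legitimate binary of the same name elsewhere from firing; the trade-off is that a payload renamed between drop and execution is missed, which is why the drop itself is also emitted as a finding.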

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Discovery
    • T1012 Query Registry: 3
    • T1120 Peripheral Device Discovery: 2
    • T1082 System Information Discovery: 3


Downloads

  • C:\Config.Msi\e57d33f.rbs
    Filesize 13KB
    MD5 78fa415aab84cf37c603013f874171dd
    SHA1 dd3405921792f6d0bb9dfa246053895c6f87e5fa
    SHA256 ebc951ae904d6bd66b7779d6a96a470c4c18ef213976649cf55ec3b1d5372868
    SHA512 b6a679a0354a9b2cf0e144017020bd31e26c4226e302b3eceb42acb11b57775db390820bff129cf6decae39780592e8cd47bb814ea91c5177bceebfde75b14a4

  • C:\Users\Admin\AppData\Local\Temp\MSI5EF8.tmp
    Filesize 559KB
    MD5 fe4d2f9cad2f30990e8f845d4052c2fd
    SHA1 3c2ebd01fdd78f2424d8c76e36404933e4a71a11
    SHA256 1e28349bf342dd176ff7a899b73e7a1b5792c95e099212a72d7dfe9e75836695
    SHA512 6dd5d5d30002d18d37a1068730657c84142bf0bd81cc9aab6bcb67286b4f4dd5b77e3b8fb3e6356ea86e26a79805e50a33e686859f5d9e065129a34b7cac66f4

  • C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\A007 Termbase.exe
    Filesize 3.8MB
    MD5 91c5f605ef08f598a67a2a656e1c8372
    SHA1 615fd9322152a8f47915ff7004fb5c4e4334df75
    SHA256 430bb0f33e20b9c05a8176a851fe32165c35d0ae2e7d9ba88ad4eb5d7f298936
    SHA512 3752720cb2480f2aa6231a286b9d369718a60f68a1aeb0aede8b0c2239fdcdc8be71e5f805b7b2908c5a3bbc104b44cc2b60cfbc6dcac09b97cf5f7883291310

  • C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\A007 Termbase.exe.config
    Filesize 1KB
    MD5 3088574e97b18a8ee6e0397a9e8764cb
    SHA1 40b7cbcbf07d7fdd1f806fb134f230b359ce9264
    SHA256 424be48e945b4e0b5ece9a811babafe83a1e5027d084433af5001de0b60330af
    SHA512 bb0f0d46eb419aac3a9202999cb11c98a8bf960f8f520639f2ae551c0bfeacf82c58b68df04baecf3d3d6b73f7abafd494b30c8d971e7ba4db8701b8068ad166

  • C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\Guna.UI2.dll
    Filesize 1.9MB
    MD5 a6c5c5d8f6a0e33f789c1c9c070a38d6
    SHA1 f36efdf71e737c78e83d8d284ba03b5d5aff95f1
    SHA256 cf423a447e5c1dc8bc0b84ef005e2e942fa149ba4f9caf7e2f12f672cad55385
    SHA512 fd679781213be3b7ec6a39b2dacb2b96c356d4276e8b23995f243cbda88f56e311f2933244f50e50a27c72d664b67bb337ab0053c5e83fd934bbb67d6576a124

  • C:\Windows\Installer\e57d33e.msi
    Filesize 26.4MB
    MD5 0d74999e3ce596667b1cef92ebac05fa
    SHA1 f4cecf3d7f2563b5c74c86f744061e338d2d3421
    SHA256 6d0e896d138e1e12f3c29a4fe7b91618774a7aa59fe1a818853d32c8b06786f4
    SHA512 e36740d392e751e94f3273d68e6235b03b96ca5f9a63f33ea0a7b3a19545be1cc889aa245c4a85a318e2b36cbcc31c356911476a58d24c9f16f4a18fd419f245

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize 26.0MB
    MD5 4670455441e9030336cd7a0c529e6fee
    SHA1 5c855ef59662b9d076353780f428e194e84c7bd7
    SHA256 abe8510325d3a6f20e884902f2e87fc8a0cb572bf1831d43987d96668c16a22a
    SHA512 228273890d34e091d96c80f55e4caaffd362d6b021a5c0604a321f3ddc6bb1449a37811010de725d1372db26a581127175ac39dff2202393513567130d9a3748

  • \??\Volume{38fc7460-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e3f55898-5092-47e5-8dd4-bd207754d250}_OnDiskSnapshotProp
    Filesize 5KB
    MD5 e69d564a5bce8160701387a080319587
    SHA1 30011a0c0beda7254d9cba5979d4db67eaac89a2
    SHA256 342fb8fe2cf747dd64f6f2c0901322ec2cc7921396cc9cbb643bb24c1f87a63c
    SHA512 ef91173e0a3802939c60393f0fb16ec9066a44a8c433c695fb306cf5d6a026dc9693410f27b0796c560178b1a911042fb0ca91b9825fbd5a3588e3ed741c32af

  • memory/1148-102-0x0000000005460000-0x000000000595E000-memory.dmp
    Filesize 5.0MB

  • memory/1148-103-0x0000000004F60000-0x0000000004FF2000-memory.dmp
    Filesize 584KB

  • memory/1148-104-0x0000000004F40000-0x0000000004F4A000-memory.dmp
    Filesize 40KB

  • memory/1148-101-0x0000000000320000-0x00000000006F0000-memory.dmp
    Filesize 3.8MB

  • memory/1148-108-0x0000000005960000-0x0000000005B56000-memory.dmp
    Filesize 2.0MB
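The hashes above are the immediately usable indicators from this run: the MSI (which the list shows is cached byte-for-byte as C:\Windows\Installer\e57d33e.msi, so a host that ran the installer keeps a copy even after the Temp file is gone) and the dropped A007 Termbase.exe. The script below is an added example, not part of this report or of the sandbox tooling, that sweeps a directory tree for those digests. Guna.UI2.dll is deliberately left out: it is a third-party WinForms UI library that ships with legitimate software too, so its hash alone is a weak indicator; the shadow-copy and SPP files are restore-point artifacts, not indicators. Paths and the constructed test input are assumptions; the digests are copied from the report.

```python
r"""Sweep a directory tree for the files this report lists as dropped.

Added example, not part of the sandbox report. The digests are copied from
the Downloads section above (the original MSI and A007 Termbase.exe); all
three algorithms are computed in one pass so the sweep reads each file once.
"""
from __future__ import annotations

import hashlib
import os
import sys
from typing import Iterable

# Hashes copied from the report. Keys are hashlib algorithm names.
REPORT_IOCS: dict[str, set[str]] = {
    "md5": {
        "0d74999e3ce596667b1cef92ebac05fa",  # A007 Termbase.msi / e57d33e.msi
        "91c5f605ef08f598a67a2a656e1c8372",  # A007 Termbase.exe
    },
    "sha1": {
        "f4cecf3d7f2563b5c74c86f744061e338d2d3421",
        "615fd9322152a8f47915ff7004fb5c4e4334df75",
    },
    "sha256": {
        "6d0e896d138e1e12f3c29a4fe7b91618774a7aa59fe1a818853d32c8b06786f4",
        "430bb0f33e20b9c05a8176a851fe32165c35d0ae2e7d9ba88ad4eb5d7f298936",
    },
}
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # read files in 1 MiB pieces; the MSI is 26 MB


def digest_stream(chunks: Iterable[bytes]) -> dict[str, str]:
    """Compute all three digests in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> dict[str, str]:
    return digest_stream([data])


def digest_file(path: str) -> dict[str, str]:
    with open(path, "rb") as fh:
        return digest_stream(iter(lambda: fh.read(CHUNK), b""))


def match_iocs(digests: dict[str, str],
               iocs: dict[str, set[str]] = REPORT_IOCS) -> list[str]:
    """Return the algorithm names whose digest appears in the IOC set."""
    return [name for name in ALGORITHMS if digests.get(name) in iocs.get(name, set())]


def sweep(root: str,
          iocs: dict[str, set[str]] = REPORT_IOCS) -> list[tuple[str, list[str]]]:
    """Walk `root` and return (path, matched_algorithms) for every hit.
    Files that cannot be read (locked, permission denied) are skipped."""
    hits: list[tuple[str, list[str]]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                matched = match_iocs(digest_file(path), iocs)
            except OSError:
                continue
            if matched:
                hits.append((path, matched))
    return hits


if __name__ == "__main__":
    # Assumption: with no argument, sweep the current user's Roaming profile,
    # where the report shows the payload being dropped.
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("APPDATA", ".")
    for path, algos in sweep(target):
        print(f"{path}: matches report hashes ({', '.join(algos)})")
```

Run it against %AppData% and C:\Windows\Installer on a suspect host; a hit on the cached MSI alone shows the installer ran, while a hit on the .exe under Roaming shows the payload is still on disk.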