Overview

overview

10

Static

static

1

X-TPM.msi

windows10-1703-x64

10

X-TPM.msi

windows10-2004-x64

6

X-TPM.msi

windows11-21h2-x64

6

Analysis

  • max time kernel
    141s
  • max time network
    158s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-04-2024 22:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    X-TPM.msi

  • Size

    41.1MB

  • MD5

    1c3ae290b4057032b76e189009cbeaf0

  • SHA1

    06d5dc01195e2f499806e76049b6c3a28fa029d0

  • SHA256

    ac0ad6fa6a84cd64a77bd52cb09bf01213b6e2bccccd09d7dabea222419a3bc6

  • SHA512

    e9cbea7a43e2fdaf8233a64c89f52c47eb80ac5489f249d9dc8656898c83b01626e7b8fd94525209098ce8a8828874875bed856d1741f0d603ad3fd771d9a64a

  • SSDEEP

    786432:QA2pJpNITFIyP9uI4SD+o/iNmvYMONJfzYj40ZNhUmfIyU3rzyAB2AeS75/3e1C:QVnD2FIyP9uI8o0lJfi40ZNjj2Xy49e8

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 10 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\X-TPM.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3068
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 061440E7D35E0658A54DD6BE8BAA3A86 C
      2⤵
      • Loads dropped DLL
      PID:4468
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1608
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding DDDBC9A9C8B5B71BEF2C9A369DB56D08
        2⤵
        • Loads dropped DLL
        PID:1240
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:4792
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
        1⤵
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:3116
      • C:\Users\Admin\AppData\Roaming\X-TPM\X-TPM\X-TPM.exe
        "C:\Users\Admin\AppData\Roaming\X-TPM\X-TPM\X-TPM.exe"
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        PID:2972
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
        1⤵
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4140
      • C:\Windows\system32\browser_broker.exe
        C:\Windows\system32\browser_broker.exe -Embedding
        1⤵
        • Modifies Internet Explorer settings
        PID:236
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4200
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        PID:2068
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
          PID:5088

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        Query Registry

        4
        T1012

        Peripheral Device Discovery

        2
        T1120

        System Information Discovery

        4
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Config.Msi\e586f02.rbs
          Filesize

          15KB

          MD5

          f40d8414e188e47b71f7e837433fcf52

          SHA1

          e60cbae0d8bca50e3b92a38fbd857dde957d82cc

          SHA256

          fd68c987245e6671b7834ca39de009cd3f7ef89eeb6135c40c6ea473907976aa

          SHA512

          2e34d46613e013d18aacd01e4fb9cf0044fa8335587c8676b541320ceb7b0f7aef304f526d65c5b5c94e3f20d090fd5c4748d34199898f5cf109dd42183424c6

          Download Submit
        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_8BB34D7AC6ADCC019FE5325FE9DECAE8
          Filesize

          422B

          MD5

          c2ecf1ef8294ee7f6da515c6e9cedca4

          SHA1

          af242482ea411598ffffbdb7164c0c6a13e6692a

          SHA256

          1ee7acd8a856b6689cd1c04c50bab613e5a8f773e8297899e73db294b093fc1d

          SHA512

          833f26de90bead4eac55c3b83230f28b0c58b2a66f27671f95aee3cc8ec9944abc243f2d2562b24dfd82c46c72f1cbd1e8b1e115c1f4a9020f26321be5bd8e71

          Download Submit
        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F
          Filesize

          414B

          MD5

          6ee2df0b64b618c117b178e2eb01be34

          SHA1

          9184bab437e79c18624760525eca00ad0b4fac82

          SHA256

          4593a731166cce3cb22094d8c9f2c09e8a3b61918e03b2a14af601781ed93c79

          SHA512

          fae506c08b28349b6b50656968dc1f66613ab39708a0a1de9e62389f13c271ac67bbc6752bd03db7357cc7d774750e99a1823b42ad118b516508faff297e17e8

          Download Submit
        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\FDCKBH4I\ABDELLAH[1].png
          Filesize

          39KB

          MD5

          3404a714fbb43470cbadebdb63ccfb1f

          SHA1

          ef0b4b81319e760ecc53c4b25b05ea3cb1af7324

          SHA256

          5f7c441abb982d3da22f22f11c0422b3865d4b7e422b76ceb60acf508a57e911

          SHA512

          6e6f521a5eb43c16d1c821ce013d02c838da0aa9cf3a3933ba23bb184907abe5654c4c4f548647f942edc175f8f8dc3cdae094b0528ed0c50336f8208c7e79b4

          Download Submit
        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_91B924923180E8714F1EDBCBF8DDC70F
          Filesize

          471B

          MD5

          d77116e4a9939fddab4a7b2ca9284425

          SHA1

          e762aa845a264143b6b8fea4e54cfacc75ac27fc

          SHA256

          0d780f10922d260e5e51c92dbdf407bba5de23add35bcf9fc2795e234c9ed74a

          SHA512

          1860c0eb47cde8a540d4d866c9540d1106491b6082c6a0219b439f3fd0b84d32312af9e7e9440d909f225b2da5646ad69de844930ec844d88cb7d237af07f139

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\MSIE7A1.tmp
          Filesize

          559KB

          MD5

          fe4d2f9cad2f30990e8f845d4052c2fd

          SHA1

          3c2ebd01fdd78f2424d8c76e36404933e4a71a11

          SHA256

          1e28349bf342dd176ff7a899b73e7a1b5792c95e099212a72d7dfe9e75836695

          SHA512

          6dd5d5d30002d18d37a1068730657c84142bf0bd81cc9aab6bcb67286b4f4dd5b77e3b8fb3e6356ea86e26a79805e50a33e686859f5d9e065129a34b7cac66f4

          Download Submit
        • C:\Users\Admin\AppData\Roaming\X-TPM\X-TPM\Guna.UI2.dll
          Filesize

          1.9MB

          MD5

          a6c5c5d8f6a0e33f789c1c9c070a38d6

          SHA1

          f36efdf71e737c78e83d8d284ba03b5d5aff95f1

          SHA256

          cf423a447e5c1dc8bc0b84ef005e2e942fa149ba4f9caf7e2f12f672cad55385

          SHA512

          fd679781213be3b7ec6a39b2dacb2b96c356d4276e8b23995f243cbda88f56e311f2933244f50e50a27c72d664b67bb337ab0053c5e83fd934bbb67d6576a124

          Download Submit
        • C:\Users\Admin\AppData\Roaming\X-TPM\X-TPM\X-TPM.exe
          Filesize

          1.4MB

          MD5

          fa05c4a10950d5eb86306dee7ca9e1d5

          SHA1

          d27d10b5739b67a2edea9e46626103030b0ef506

          SHA256

          1726fc654f1a86dc6f17a47febd507c8cd0fbaab5b6c5dfae21c158af72256cd

          SHA512

          746c34523c1f693159c9d1f08109046b2d16f6e2a796ca9f4d0a1fa8f758ec4e8af6daf6f15c18fd51df6e623961a854e39cdf8af0697340e626f7c48ef4ae43

          Download Submit
        • C:\Users\Admin\AppData\Roaming\X-TPM\X-TPM\X-TPM.exe.config
          Filesize

          2KB

          MD5

          ae36eae877b17f0c6eaa5150cdc207f8

          SHA1

          8e13196355e71167f2ef84dab46f45fc84ce8578

          SHA256

          e96d39129b1ad1fd895e6572aa3bfd7320839e6faa6fbb4a76976ad32ac0ab32

          SHA512

          15214b0b99d26087b6780a0a2e797980d9b137b1e44f68ab9cd68e53013b5a367ca68e491803bc00bba917147658719dee1c777c240196575e521700a354d142

          Download Submit
        • C:\Users\Admin\AppData\Roaming\X-TPM\X-TPM\xtpmdb.ldb
          Filesize

          128B

          MD5

          0cafad6dd69dc1596fd183be091440ab

          SHA1

          beae00e0fc00c1c33c01220a28135be644701a99

          SHA256

          98ece97d73b586dabf1059d518845f7625beacb4b0bdb8d034d920a4a67a2d02

          SHA512

          ca88d6c918eddce05a66d85f46ae5c8ff246ca0742e5dc9df7764e266fdd5849899cc9978ee5425d79e51749658babf3bc39764ea4b760ae0ce6d5af94c6ad2f

          Download Submit
        • C:\Users\Admin\AppData\Roaming\X-TPM\X-TPM\xtpmdb.mdb
          Filesize

          3.4MB

          MD5

          4f082743f5c089242dc46cf38db7a08d

          SHA1

          26a0e210398ead374b5271fe4f036f17766bfb4f

          SHA256

          e1458d36bb81a452fd4b9a9ab08df272de43bb45b5fb2922f5c0905bc88ca810

          SHA512

          bb353348c75a873ef724e3429e1f73f59aca9f8ffd4ac836a991f302683b2e3f7eba827daac37991e3a0cbaf36c259f3cedaf0f907e01fb46166f6aeb7720e76

          Download Submit
        • C:\Windows\Installer\e586f01.msi
          Filesize

          41.1MB

          MD5

          1c3ae290b4057032b76e189009cbeaf0

          SHA1

          06d5dc01195e2f499806e76049b6c3a28fa029d0

          SHA256

          ac0ad6fa6a84cd64a77bd52cb09bf01213b6e2bccccd09d7dabea222419a3bc6

          SHA512

          e9cbea7a43e2fdaf8233a64c89f52c47eb80ac5489f249d9dc8656898c83b01626e7b8fd94525209098ce8a8828874875bed856d1741f0d603ad3fd771d9a64a

          Download Submit
        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
          Filesize

          26.0MB

          MD5

          e368aa4f4e4d38c35b0d96a72704789d

          SHA1

          c8d4056ce2352b2534f0710a4238718c30801ae1

          SHA256

          a63450bc00b099a7ec5d35aac33c3ded576c6f19dee1e17d19d7553d0d89fb98

          SHA512

          fed0e678c54ff92fda2574dd3503f3490b4e07c696a23dfe12bbe56f54a469012880f6d9266caa09b1d8f8fc195bb7b1a72e06337a27e685ab94ea688bc3f20a

          Download Submit
        • \??\Volume{34d48da6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0bfe91f0-f324-44b7-a1b0-869624acd86e}_OnDiskSnapshotProp
          Filesize

          5KB

          MD5

          2c1e8a759f98fddab4fd804e3c41bf21

          SHA1

          ec8c59e5ed598f6d55439d0218f600a740a4290a

          SHA256

          fc605e1d2ad04a450307f5b0c65a7694fe00d935513ccd83390fb5ecaf094499

          SHA512

          6ffc79b68dcf847d25104f65691b74cadec1335cf1f4c029d44cf15c45a851fd2a920f6225949e95d230ad89ee613f84770b6cb0a7dd716923c6c59f047b349d

          Download Submit
        • memory/2068-322-0x0000029F23800000-0x0000029F23900000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/2972-140-0x000000000E240000-0x000000000E27C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/2972-138-0x0000000009AD0000-0x0000000009B1B000-memory.dmp
          Filesize

          300KB

          Download
        • memory/2972-129-0x00000000057A0000-0x00000000057AA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2972-127-0x0000000005E40000-0x000000000633E000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/2972-141-0x0000000009DD0000-0x0000000009DF0000-memory.dmp
          Filesize

          128KB

          Download
        • memory/2972-126-0x00000000058A0000-0x000000000593C000-memory.dmp
          Filesize

          624KB

          Download
        • memory/2972-125-0x0000000000CD0000-0x0000000000E38000-memory.dmp
          Filesize

          1.4MB

          Download
        • memory/2972-135-0x00000000092A0000-0x00000000095F0000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/2972-134-0x0000000006340000-0x0000000006536000-memory.dmp
          Filesize

          2.0MB

          Download
        • memory/2972-128-0x0000000005940000-0x00000000059D2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/2972-130-0x0000000005AA0000-0x0000000005AF6000-memory.dmp
          Filesize

          344KB

          Download
        • memory/4140-313-0x000002B4478C0000-0x000002B4478C2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/4140-294-0x000002B44A520000-0x000002B44A530000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4140-278-0x000002B44A420000-0x000002B44A430000-memory.dmp
          Filesize

          64KB

          Download
        • memory/5088-515-0x000001D480E80000-0x000001D480E82000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-404-0x000001D480110000-0x000001D480112000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-513-0x000001D480E60000-0x000001D480E62000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-415-0x000001D483CC0000-0x000001D483CE0000-memory.dmp
          Filesize

          128KB

          Download
        • memory/5088-416-0x000001D484300000-0x000001D484320000-memory.dmp
          Filesize

          128KB

          Download
        • memory/5088-418-0x000001D480640000-0x000001D480740000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/5088-527-0x000001D481C70000-0x000001D481C72000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-525-0x000001D481C50000-0x000001D481C52000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-576-0x000001D480740000-0x000001D480840000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/5088-517-0x000001D4815B0000-0x000001D4815B2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-340-0x000001DCEE700000-0x000001DCEE800000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/5088-406-0x000001D480150000-0x000001D480152000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-519-0x000001D4815D0000-0x000001D4815D2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-615-0x000001D481D70000-0x000001D481D72000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-612-0x000001D481C20000-0x000001D481C22000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-619-0x000001D481D90000-0x000001D481D92000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-622-0x000001D481DA0000-0x000001D481DA2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-624-0x000001D481DC0000-0x000001D481DC2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-628-0x000001D481DF0000-0x000001D481DF2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-654-0x000001DCEE4E0000-0x000001DCEE4F0000-memory.dmp
          Filesize

          64KB

          Download
        • memory/5088-410-0x000001D480210000-0x000001D480212000-memory.dmp
          Filesize

          8KB

          Download
        • memory/5088-341-0x000001DCEE700000-0x000001DCEE800000-memory.dmp
          Filesize

          1024KB

          Download