Analysis
- Max time kernel: 107s
- Max time network: 138s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240426-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 29-04-2024 14:00

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: tmp4vvsfrfw.exe, resource: win7-20240221-en)
- Behavioral task: behavioral2 (sample: tmp4vvsfrfw.exe, resource: win10v2004-20240426-en)
General
- Target: tmp4vvsfrfw.exe
- Size: 3.2MB
- MD5: b3cdc9e5d148f28c40fcb727100aab8c
- SHA1: 3361179695c8ffa760a1607339c8cd4b1e1b9780
- SHA256: 98be3ef42a4bbf286fb1be8b0837a24704f87f2d2ae3e84f380479c08d600b81
- SHA512: ae57d3bd52c5ba642ce890ca715143e08f9aedc1ae28f67efa82d7a0d545c7f2bca61529fe66a45e5f1a72347ed169cba1718639a6768452bc1a7b9c6c77c5e7
- SSDEEP: 49152:fzBfc7Dk8mQmKHGcfDVu5Pc09JJtKzh8CLCs1+s2aGhfUo5S3I628:fzu1vMPKPLoT98I6L
Malware Config
- Extracted family: agenttesla
- URL: https://api.telegram.org/bot6902894171:AAF7F2wI9rfwYzH0AbQJ7rRjfVP2yL6ehww/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- UAC bypass
  Processes:
  tmp4vvsfrfw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Windows security bypass
  Processes:
  tmp4vvsfrfw.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  tmp4vvsfrfw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\tmp4vvsfrfw.exe = "0"
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  tmp4vvsfrfw.exe: Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation
- Windows security modification
  Processes:
  tmp4vvsfrfw.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions
  tmp4vvsfrfw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\tmp4vvsfrfw.exe = "0"
  tmp4vvsfrfw.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  jsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ubSLUM = "C:\\Users\\Admin\\AppData\\Roaming\\ubSLUM\\ubSLUM.exe"
- Checks whether UAC is enabled
  Processes:
  tmp4vvsfrfw.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  tmp4vvsfrfw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
  flow 18: api.ipify.org
  flow 19: api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  PID 4972 (tmp4vvsfrfw.exe) set thread context of PID 2432 (jsc.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  PID 1448 powershell.exe (2 events)
  PID 2432 jsc.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  Token SeDebugPrivilege: PID 4972 tmp4vvsfrfw.exe
  Token SeDebugPrivilege: PID 1448 powershell.exe
  Token SeDebugPrivilege: PID 2432 jsc.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  PID 4972 (tmp4vvsfrfw.exe) wrote to memory of PID 1448 (powershell.exe): 2 events
  PID 4972 (tmp4vvsfrfw.exe) wrote to memory of PID 2432 (jsc.exe): 8 events
- System policy modification (1 TTPs, 1 IoCs)
  Processes:
  tmp4vvsfrfw.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp4vvsfrfw.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp4vvsfrfw.exe"
  Signatures:
  - UAC bypass
  - Windows security bypass
  - Checks computer location settings
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\tmp4vvsfrfw.exe" -Force
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    Signatures:
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pur3iwlw.bi4.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82