Overview

overview

10

Static

static

1

SOA.exe

windows7-x64

10

SOA.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 01:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOA.exe

  • Size

    668KB

  • MD5

    1b3feb610357e53c06656f8f084b7fe8

  • SHA1

    135db2eecfdf9ec9f9a0a8ee5efe777e0f68437c

  • SHA256

    530b019d1e22535451dbefd997a09c85eeeaa313b114c67ab67329d5fe14e8fc

  • SHA512

    1773aceba4bcf0ac857a26240d63b0d700cd4a2d56e4984f3c9479653601ff737a438e97b7abc75c640c9a82665092a4d751968b9a90ac25b5f5cc6d86526ff8

  • SSDEEP

    12288:24B778Q+A/y4Zz/LQglOYiZmxjIw3jbOFu5mQf0MiZA+tlEXF4xAKkR:PB1/LMYiZ884guyN3QXF4WJ

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SOA.exe
    "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4392
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RGziIWDEowC.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1784
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RGziIWDEowC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D3A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1752
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    85a5c933c892e1c3c62ef6dece4daa0a

    SHA1

    13a2ce7637e268d551952d444957a3c20c6f5287

    SHA256

    edaebe33f0cd6602c4c730bb78f4ea16450d67d18dff65b31a9aa8fe03cf1fdf

    SHA512

    f2f0ec3d8212764bbeeb7a2c9ea38e3878be8e7752d483ffcfaeba7ceb22ebb93d496b6f577c666b6ef4bf3bd5c5360767fc6707b6773be701c50b08e03e9672

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rjgmagmk.w1p.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp9D3A.tmp
    Filesize

    1KB

    MD5

    cbaf8e8202bec09b02f81454ea915282

    SHA1

    c99e7812118b4cc7c2e26f4c9d96ef4bd78dbf3e

    SHA256

    221a64b89c54f2e3aa6d7d5d76e40c1624a60affd3a0632e104d5d14391053ce

    SHA512

    79a51a7d1ad4585d94bddfc67814dec4b504cfad4abab44f4db6d335330516ec460105a4d00ee62ea68f0d638c777b8cfeeeb490d39cde26a127d933820ab962

    Download Submit
  • memory/1728-48-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/1728-93-0x0000000005EB0000-0x0000000005F00000-memory.dmp
    Filesize

    320KB

    Download
  • memory/1784-54-0x0000000070400000-0x000000007044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1784-78-0x0000000007CE0000-0x0000000007CEA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1784-75-0x0000000007960000-0x0000000007A03000-memory.dmp
    Filesize

    652KB

    Download
  • memory/1784-74-0x0000000006ED0000-0x0000000006EEE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1784-53-0x0000000007920000-0x0000000007952000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1784-83-0x0000000007EB0000-0x0000000007EC4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1784-22-0x0000000074DF0000-0x00000000755A0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1784-43-0x0000000006320000-0x0000000006674000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1784-92-0x0000000074DF0000-0x00000000755A0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1784-80-0x0000000007EF0000-0x0000000007F86000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1784-23-0x00000000053F0000-0x0000000005400000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1784-24-0x00000000053F0000-0x0000000005400000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4392-76-0x00000000076B0000-0x0000000007D2A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/4392-81-0x0000000007200000-0x0000000007211000-memory.dmp
    Filesize

    68KB

    Download
  • memory/4392-20-0x0000000004F10000-0x0000000005538000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4392-21-0x0000000002500000-0x0000000002510000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4392-26-0x0000000005540000-0x0000000005562000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4392-28-0x0000000005650000-0x00000000056B6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4392-27-0x00000000055E0000-0x0000000005646000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4392-18-0x0000000074DF0000-0x00000000755A0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4392-91-0x0000000074DF0000-0x00000000755A0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4392-17-0x00000000023A0000-0x00000000023D6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4392-50-0x0000000005CE0000-0x0000000005CFE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4392-85-0x0000000007320000-0x0000000007328000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4392-51-0x0000000005D70000-0x0000000005DBC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4392-84-0x0000000007340000-0x000000000735A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4392-82-0x0000000007230000-0x000000000723E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4392-60-0x0000000070400000-0x000000007044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4392-19-0x0000000002500000-0x0000000002510000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4392-77-0x00000000063A0000-0x00000000063BA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4700-5-0x0000000004E10000-0x0000000004E1A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4700-0-0x00000000004B0000-0x000000000055A000-memory.dmp
    Filesize

    680KB

    Download
  • memory/4700-7-0x0000000005120000-0x000000000512E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4700-6-0x0000000004F80000-0x0000000004F98000-memory.dmp
    Filesize

    96KB

    Download
  • memory/4700-9-0x0000000006070000-0x00000000060F4000-memory.dmp
    Filesize

    528KB

    Download
  • memory/4700-10-0x0000000006300000-0x000000000639C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4700-8-0x0000000005130000-0x0000000005146000-memory.dmp
    Filesize

    88KB

    Download
  • memory/4700-15-0x0000000074DF0000-0x00000000755A0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4700-3-0x0000000004E80000-0x0000000004F12000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4700-4-0x0000000004E40000-0x0000000004E50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4700-52-0x0000000074DF0000-0x00000000755A0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4700-16-0x0000000004E40000-0x0000000004E50000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4700-2-0x0000000005390000-0x0000000005934000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4700-1-0x0000000074DF0000-0x00000000755A0000-memory.dmp
    Filesize

    7.7MB

    Download