Overview

overview

10

Static

static

10

56f465f72c...f1.exe

windows7-x64

10

56f465f72c...f1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2024 11:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56f465f72c1d03714aa6cedadcee54f1.exe

  • Size

    3.8MB

  • MD5

    56f465f72c1d03714aa6cedadcee54f1

  • SHA1

    15c128e34eba74fc9d49333eec77a9af8dbf2b35

  • SHA256

    f3dce07ef36310e3d43a014c12c02312797d1d1b42c841089e5f02b5a0165780

  • SHA512

    ea324c6d06448f1ef487cb597985280b8c57ab93ca4dca358961a5f2f0085ea833091fbe704b954003eca093aeb32a71dd07a4abe3e01ebdf14dacc4d8800d26

  • SSDEEP

    49152:IrJtPEr7HuX1vWGgSppA3tfae4atH3Imc74mPbA30f6nty:IrJtPE+XjZy5tXlc7RPbbgy

Score
10/10
agenttesladcratzgratinfostealerkeyloggerratspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect ZGRat V1 1 IoCs
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • AgentTesla payload 1 IoCs
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\56f465f72c1d03714aa6cedadcee54f1.exe
    "C:\Users\Admin\AppData\Local\Temp\56f465f72c1d03714aa6cedadcee54f1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4708
    • C:\Users\Admin\AppData\Local\Temp\Free_changer_fix.exe
      "C:\Users\Admin\AppData\Local\Temp\Free_changer_fix.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2192
    • C:\Users\Admin\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe
      "C:\Users\Admin\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\msDriverSessionHost\myVrliqnAWGzbaQrrwFJCBOXabSQn5.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:440
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\msDriverSessionHost\LoFbtYsm9QvENfKMo8zDNNjCY.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5068
          • C:\msDriverSessionHost\chainProvider.exe
            "C:\msDriverSessionHost\chainProvider.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5060
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OCiuSCmNvf.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4680
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1696
                • C:\Users\Public\Videos\RuntimeBroker.exe
                  "C:\Users\Public\Videos\RuntimeBroker.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4952
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\fr\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3800
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\System32\fr\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3808
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\fr\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2784
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3536
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:392
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4320
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\msDriverSessionHost\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\msDriverSessionHost\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3852
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\msDriverSessionHost\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2104
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4404
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2304
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:468
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2168
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1508
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:216
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4520
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Setup\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4804
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3624
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4144
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4956

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Free_changer_fix.exe
      Filesize

      2.7MB

      MD5

      182c8c85cd01c8e5152658f6f0b262a4

      SHA1

      ad1e862a5c335890ca7a3b4af6f674a614b228ca

      SHA256

      fbfba988983d2da82a6cce045873e45e3183bdc65af0cabf34dcb4e0201833cf

      SHA512

      c14af43c88859658be5482040f2e4ae5c1c8e2ef0618cebee4ad4a34b0fbf5638941f9b686e72e54f0ba2d6410ab34044b856d8cacf652cf8bbe0201f0ef1641

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\OCiuSCmNvf.bat
      Filesize

      205B

      MD5

      20c9adfa74a99981d78b8ec25918854d

      SHA1

      1a61a58bba4cb90eb7613c46aa98d710c9df5b88

      SHA256

      9c52702ce6a3fb3fe084c8b9f53853967790e5b17c882c314d1a02407722cf1b

      SHA512

      0674058f490d7a7d1ba94e26aaeaeffdda5b5ffc642beeed73280719b24af0ce55367d1a4bb1d19c8c75ad4d3f704bf7d0494bca4c7d1e4a754b60dcbfe074e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe
      Filesize

      1.1MB

      MD5

      37066df7982d37cf9c751f3c0de6350e

      SHA1

      20bc6fb42d7d51d2984e92df4854a48aa980dfdb

      SHA256

      60f7ff42a1f78d26118a468f9a5845be288490bad1ccafaf41d6ddf7c2dcec68

      SHA512

      8e7c3a70826bf13c1028dd3f7c50ae9b891e7f542afd5c94fd6cdf365e37eb999043ff08aa900dc9e3057488a6116de8dcc8450528c93f792bb6640a932d2e08

      Download Submit

    • C:\msDriverSessionHost\LoFbtYsm9QvENfKMo8zDNNjCY.bat
      Filesize

      42B

      MD5

      ee69bea9cbdeacbb8865ca6e239a2f1c

      SHA1

      2245a6f63706dc238d9376062aa552ef03f6615e

      SHA256

      b0c0d34dc780e0780a2130e82e993478b8b0460a2c9443a36f87d2c289e675f4

      SHA512

      f038017e5ead4fa232ed831a6696b4af62635ea6875c8ef593e2ca5a52708e1065327a06cee3428732a8134b6b737b1832f77427b8f2671ba5cecbc822b69fb6

      Download Submit

    • C:\msDriverSessionHost\chainProvider.exe
      Filesize

      827KB

      MD5

      aacdc2fcb7887ae7c0343109672d2735

      SHA1

      d0d8e247ceee657826043200654f6c1e88392ff4

      SHA256

      9e7c7320ff8d2f9b898bfb76d4e6b87db347835f9cfe4a4a02243e3e7168d06c

      SHA512

      8f09d115557378e1aa5fce099782fe452647b1d170a6aae09f1ba961e45d09a8066d3212a11c623a5c3ad57d452d956b8b6d60b116a3e833a79be6b32121fd28

      Download Submit

    • C:\msDriverSessionHost\myVrliqnAWGzbaQrrwFJCBOXabSQn5.vbe
      Filesize

      221B

      MD5

      85de50f9f320656763d04a59f18f358f

      SHA1

      8c20a881b25365729386add715a614f636022f3f

      SHA256

      3a16fb81412f2ec2c075911fe8c1dd78901d893edf13fef7697c8b40c9adf728

      SHA512

      c8dab3c9a3971d54aaf0463d8f22ea68203053294aaed1c3e629019c0dad77269761566ac8bc87c1fd88608a196b71b824c5e761c7faa2eaed51edd3d44b9011

      Download Submit

    • memory/2192-21-0x000002B9F9930000-0x000002B9F9BDC000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/2192-31-0x000002B9FCC60000-0x000002B9FCD3A000-memory.dmp

      Filesize

      872KB

      Download

    • memory/2192-32-0x00007FFF25B50000-0x00007FFF26611000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2192-33-0x000002B9FCD40000-0x000002B9FCF56000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2192-29-0x00007FFF25B50000-0x00007FFF26611000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2192-17-0x00007FFF25B53000-0x00007FFF25B55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2192-66-0x00007FFF25B53000-0x00007FFF25B55000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2192-67-0x00007FFF25B50000-0x00007FFF26611000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2192-68-0x00007FFF25B50000-0x00007FFF26611000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4708-19-0x0000000000400000-0x00000000007CE000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/5060-38-0x0000000000870000-0x0000000000946000-memory.dmp

      Filesize

      856KB

      Download