Analysis
max time kernel: 856s
max time network: 1612s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09-05-2024 00:54
Static task: static1
General
Target: 0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe
Size: 1.1MB
MD5: 0c2885a542e3657e075c1293204f663d
SHA1: 33c0b535333dbdfb18da6798945c3ab2e992c2bc
SHA256: 0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c
SHA512: 1376c53fad25020a9227652905eb15c44fb0eece475bc528186b067e3143e2acf5764b8231e39515cf9e9ad0edbf83461c4f16331fde1a097d1de0462a1dedf5
SSDEEP: 24576:U4lavt0LkLL9IMixoEgeaIDVROzFnw+198UCsq9MmCS:jkwkn9IMHeaIDuFnwyjaPCS
Malware Config
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect ZGRat V1 34 IoCs
Drops startup file 1 IoCs
description   ioc                                                                                 Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs  name.exe

Executes dropped EXE 2 IoCs
pid   Process
2448  name.exe
2532  name.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
25    api.ipify.org
26    api.ipify.org

Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process   procid_target
PID 2532 set thread context of 1944  2532  name.exe  76
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
1944  RegSvcs.exe
1944  RegSvcs.exe

Suspicious behavior: MapViewOfSection 2 IoCs
pid   Process
2448  name.exe
2532  name.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  1944  RegSvcs.exe

Suspicious use of FindShellTrayWindow 6 IoCs
pid   Process
4512  0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe
4512  0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe
2448  name.exe
2448  name.exe
2532  name.exe
2532  name.exe

Suspicious use of SendNotifyMessage 6 IoCs
pid   Process
4512  0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe
4512  0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe
2448  name.exe
2448  name.exe
2532  name.exe
2532  name.exe

Suspicious use of WriteProcessMemory 13 IoCs
description                       pid   Process                                                               procid_target
PID 4512 wrote to memory of 2448  4512  0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe  73
PID 4512 wrote to memory of 2448  4512  0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe  73
PID 4512 wrote to memory of 2448  4512  0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe  73
PID 2448 wrote to memory of 4732  2448  name.exe                                                              74
PID 2448 wrote to memory of 4732  2448  name.exe                                                              74
PID 2448 wrote to memory of 4732  2448  name.exe                                                              74
PID 2448 wrote to memory of 2532  2448  name.exe                                                              75
PID 2448 wrote to memory of 2532  2448  name.exe                                                              75
PID 2448 wrote to memory of 2532  2448  name.exe                                                              75
PID 2532 wrote to memory of 1944  2532  name.exe                                                              76
PID 2532 wrote to memory of 1944  2532  name.exe                                                              76
PID 2532 wrote to memory of 1944  2532  name.exe                                                              76
PID 2532 wrote to memory of 1944  2532  name.exe                                                              76
Processes

C:\Users\Admin\AppData\Local\Temp\0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe"
  PID: 4512
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\directory\name.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe"
      PID: 2448
      - Drops startup file
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\0e09cd29aa8d2132c8c0d343cca42500155ef9be2419241c7b15a99726b0aa2c.exe"
          PID: 4732

        C:\Users\Admin\AppData\Local\directory\name.exe
          command line: "C:\Users\Admin\AppData\Local\directory\name.exe"
          PID: 2532
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              command line: "C:\Users\Admin\AppData\Local\directory\name.exe"
              PID: 1944
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Enterprise v15
Downloads