Overview

overview

10

Static

static

10

f3dce07ef3...80.exe

windows7-x64

10

f3dce07ef3...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    09-05-2024 08:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3dce07ef36310e3d43a014c12c02312797d1d1b42c841089e5f02b5a0165780.exe

  • Size

    3.8MB

  • MD5

    56f465f72c1d03714aa6cedadcee54f1

  • SHA1

    15c128e34eba74fc9d49333eec77a9af8dbf2b35

  • SHA256

    f3dce07ef36310e3d43a014c12c02312797d1d1b42c841089e5f02b5a0165780

  • SHA512

    ea324c6d06448f1ef487cb597985280b8c57ab93ca4dca358961a5f2f0085ea833091fbe704b954003eca093aeb32a71dd07a4abe3e01ebdf14dacc4d8800d26

  • SSDEEP

    49152:IrJtPEr7HuX1vWGgSppA3tfae4atH3Imc74mPbA30f6nty:IrJtPE+XjZy5tXlc7RPbbgy

Score
10/10
agenttesladcratzgratinfostealerkeyloggerratspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect ZGRat V1 1 IoCs
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • AgentTesla payload 1 IoCs
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3dce07ef36310e3d43a014c12c02312797d1d1b42c841089e5f02b5a0165780.exe
    "C:\Users\Admin\AppData\Local\Temp\f3dce07ef36310e3d43a014c12c02312797d1d1b42c841089e5f02b5a0165780.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Users\Admin\AppData\Local\Temp\Free_changer_fix.exe
      "C:\Users\Admin\AppData\Local\Temp\Free_changer_fix.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1936
    • C:\Users\Admin\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe
      "C:\Users\Admin\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\msDriverSessionHost\myVrliqnAWGzbaQrrwFJCBOXabSQn5.vbe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\msDriverSessionHost\LoFbtYsm9QvENfKMo8zDNNjCY.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\msDriverSessionHost\chainProvider.exe
            "C:\msDriverSessionHost\chainProvider.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2672
            • C:\Users\All Users\Templates\explorer.exe
              "C:\Users\All Users\Templates\explorer.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\en-US\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "chainProviderc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\chainProvider.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "chainProvider" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\chainProvider.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "chainProviderc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\chainProvider.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2124
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2508
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Templates\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Videos\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Recorded TV\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\msDriverSessionHost\LoFbtYsm9QvENfKMo8zDNNjCY.bat
    Filesize

    42B

    MD5

    ee69bea9cbdeacbb8865ca6e239a2f1c

    SHA1

    2245a6f63706dc238d9376062aa552ef03f6615e

    SHA256

    b0c0d34dc780e0780a2130e82e993478b8b0460a2c9443a36f87d2c289e675f4

    SHA512

    f038017e5ead4fa232ed831a6696b4af62635ea6875c8ef593e2ca5a52708e1065327a06cee3428732a8134b6b737b1832f77427b8f2671ba5cecbc822b69fb6

    Download Submit

  • C:\msDriverSessionHost\myVrliqnAWGzbaQrrwFJCBOXabSQn5.vbe
    Filesize

    221B

    MD5

    85de50f9f320656763d04a59f18f358f

    SHA1

    8c20a881b25365729386add715a614f636022f3f

    SHA256

    3a16fb81412f2ec2c075911fe8c1dd78901d893edf13fef7697c8b40c9adf728

    SHA512

    c8dab3c9a3971d54aaf0463d8f22ea68203053294aaed1c3e629019c0dad77269761566ac8bc87c1fd88608a196b71b824c5e761c7faa2eaed51edd3d44b9011

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Free_changer_fix.exe
    Filesize

    2.7MB

    MD5

    182c8c85cd01c8e5152658f6f0b262a4

    SHA1

    ad1e862a5c335890ca7a3b4af6f674a614b228ca

    SHA256

    fbfba988983d2da82a6cce045873e45e3183bdc65af0cabf34dcb4e0201833cf

    SHA512

    c14af43c88859658be5482040f2e4ae5c1c8e2ef0618cebee4ad4a34b0fbf5638941f9b686e72e54f0ba2d6410ab34044b856d8cacf652cf8bbe0201f0ef1641

    Download Submit

  • \Users\Admin\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe
    Filesize

    1.1MB

    MD5

    37066df7982d37cf9c751f3c0de6350e

    SHA1

    20bc6fb42d7d51d2984e92df4854a48aa980dfdb

    SHA256

    60f7ff42a1f78d26118a468f9a5845be288490bad1ccafaf41d6ddf7c2dcec68

    SHA512

    8e7c3a70826bf13c1028dd3f7c50ae9b891e7f542afd5c94fd6cdf365e37eb999043ff08aa900dc9e3057488a6116de8dcc8450528c93f792bb6640a932d2e08

    Download Submit

  • \msDriverSessionHost\chainProvider.exe
    Filesize

    827KB

    MD5

    aacdc2fcb7887ae7c0343109672d2735

    SHA1

    d0d8e247ceee657826043200654f6c1e88392ff4

    SHA256

    9e7c7320ff8d2f9b898bfb76d4e6b87db347835f9cfe4a4a02243e3e7168d06c

    SHA512

    8f09d115557378e1aa5fce099782fe452647b1d170a6aae09f1ba961e45d09a8066d3212a11c623a5c3ad57d452d956b8b6d60b116a3e833a79be6b32121fd28

    Download Submit

  • memory/1936-13-0x00000000001E0000-0x000000000048C000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1936-23-0x000000001CA00000-0x000000001CADA000-memory.dmp

    Filesize

    872KB

    Download

  • memory/1936-24-0x000000001D0E0000-0x000000001D2F6000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2312-52-0x00000000000B0000-0x0000000000186000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2672-31-0x0000000000870000-0x0000000000946000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2940-11-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download