Overview

overview

10

Static

static

10

f3dce07ef3...80.exe

windows7-x64

10

f3dce07ef3...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 08:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f3dce07ef36310e3d43a014c12c02312797d1d1b42c841089e5f02b5a0165780.exe

  • Size

    3.8MB

  • MD5

    56f465f72c1d03714aa6cedadcee54f1

  • SHA1

    15c128e34eba74fc9d49333eec77a9af8dbf2b35

  • SHA256

    f3dce07ef36310e3d43a014c12c02312797d1d1b42c841089e5f02b5a0165780

  • SHA512

    ea324c6d06448f1ef487cb597985280b8c57ab93ca4dca358961a5f2f0085ea833091fbe704b954003eca093aeb32a71dd07a4abe3e01ebdf14dacc4d8800d26

  • SSDEEP

    49152:IrJtPEr7HuX1vWGgSppA3tfae4atH3Imc74mPbA30f6nty:IrJtPE+XjZy5tXlc7RPbbgy

Score
10/10
agenttesladcratzgratinfostealerkeyloggerratspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Detect ZGRat V1 1 IoCs
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • AgentTesla payload 1 IoCs
  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f3dce07ef36310e3d43a014c12c02312797d1d1b42c841089e5f02b5a0165780.exe
    "C:\Users\Admin\AppData\Local\Temp\f3dce07ef36310e3d43a014c12c02312797d1d1b42c841089e5f02b5a0165780.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Users\Admin\AppData\Local\Temp\Free_changer_fix.exe
      "C:\Users\Admin\AppData\Local\Temp\Free_changer_fix.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1176
    • C:\Users\Admin\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe
      "C:\Users\Admin\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:688
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\msDriverSessionHost\myVrliqnAWGzbaQrrwFJCBOXabSQn5.vbe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\msDriverSessionHost\LoFbtYsm9QvENfKMo8zDNNjCY.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4504
          • C:\msDriverSessionHost\chainProvider.exe
            "C:\msDriverSessionHost\chainProvider.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3692
            • C:\Windows\IME\fr-FR\sppsvc.exe
              "C:\Windows\IME\fr-FR\sppsvc.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\ImmersiveControlPanel\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\ImmersiveControlPanel\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\SendTo\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\Default\SendTo\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\fr-FR\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2252
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\IME\fr-FR\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\fr-FR\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\TextInputHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4220
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\en-US\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "chainProviderc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\chainProvider.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "chainProvider" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\chainProvider.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "chainProviderc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\chainProvider.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\msDriverSessionHost\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\msDriverSessionHost\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:448
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\msDriverSessionHost\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3364

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Free_changer_fix.exe
    Filesize

    2.7MB

    MD5

    182c8c85cd01c8e5152658f6f0b262a4

    SHA1

    ad1e862a5c335890ca7a3b4af6f674a614b228ca

    SHA256

    fbfba988983d2da82a6cce045873e45e3183bdc65af0cabf34dcb4e0201833cf

    SHA512

    c14af43c88859658be5482040f2e4ae5c1c8e2ef0618cebee4ad4a34b0fbf5638941f9b686e72e54f0ba2d6410ab34044b856d8cacf652cf8bbe0201f0ef1641

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\grunge cheat softwsre 0.28.4.exe
    Filesize

    1.1MB

    MD5

    37066df7982d37cf9c751f3c0de6350e

    SHA1

    20bc6fb42d7d51d2984e92df4854a48aa980dfdb

    SHA256

    60f7ff42a1f78d26118a468f9a5845be288490bad1ccafaf41d6ddf7c2dcec68

    SHA512

    8e7c3a70826bf13c1028dd3f7c50ae9b891e7f542afd5c94fd6cdf365e37eb999043ff08aa900dc9e3057488a6116de8dcc8450528c93f792bb6640a932d2e08

    Download Submit

  • C:\msDriverSessionHost\LoFbtYsm9QvENfKMo8zDNNjCY.bat
    Filesize

    42B

    MD5

    ee69bea9cbdeacbb8865ca6e239a2f1c

    SHA1

    2245a6f63706dc238d9376062aa552ef03f6615e

    SHA256

    b0c0d34dc780e0780a2130e82e993478b8b0460a2c9443a36f87d2c289e675f4

    SHA512

    f038017e5ead4fa232ed831a6696b4af62635ea6875c8ef593e2ca5a52708e1065327a06cee3428732a8134b6b737b1832f77427b8f2671ba5cecbc822b69fb6

    Download Submit

  • C:\msDriverSessionHost\chainProvider.exe
    Filesize

    827KB

    MD5

    aacdc2fcb7887ae7c0343109672d2735

    SHA1

    d0d8e247ceee657826043200654f6c1e88392ff4

    SHA256

    9e7c7320ff8d2f9b898bfb76d4e6b87db347835f9cfe4a4a02243e3e7168d06c

    SHA512

    8f09d115557378e1aa5fce099782fe452647b1d170a6aae09f1ba961e45d09a8066d3212a11c623a5c3ad57d452d956b8b6d60b116a3e833a79be6b32121fd28

    Download Submit

  • C:\msDriverSessionHost\myVrliqnAWGzbaQrrwFJCBOXabSQn5.vbe
    Filesize

    221B

    MD5

    85de50f9f320656763d04a59f18f358f

    SHA1

    8c20a881b25365729386add715a614f636022f3f

    SHA256

    3a16fb81412f2ec2c075911fe8c1dd78901d893edf13fef7697c8b40c9adf728

    SHA512

    c8dab3c9a3971d54aaf0463d8f22ea68203053294aaed1c3e629019c0dad77269761566ac8bc87c1fd88608a196b71b824c5e761c7faa2eaed51edd3d44b9011

    Download Submit

  • memory/1176-32-0x00000227C1A70000-0x00000227C1C86000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1176-23-0x00007FF913A50000-0x00007FF913C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1176-30-0x00000227C1990000-0x00000227C1A6A000-memory.dmp

    Filesize

    872KB

    Download

  • memory/1176-22-0x00007FF913A50000-0x00007FF913C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1176-20-0x00000227A6EA0000-0x00000227A714C000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/1176-17-0x00007FF913A50000-0x00007FF913C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1176-68-0x00000227C1C90000-0x00000227C1E39000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1176-70-0x00007FF913A50000-0x00007FF913C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1176-71-0x00007FF913A50000-0x00007FF913C45000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3692-38-0x00000000006F0000-0x00000000007C6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/4992-19-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download