Overview

overview

10

Static

static

1

1.exe

windows7-x64

10

1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 08:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.exe

  • Size

    761KB

  • MD5

    77c6015c8c679abe8cd11cb51125f6c9

  • SHA1

    f9fd8a7f13b03480ae58622c228d6a6bb660f409

  • SHA256

    63219f4d5975bf956a1c5c8b98011f721cfb1e2b4894c6ec9f5a94d77e2652e8

  • SHA512

    510a8a2e2905eebd97bbda9e4cf183392b59aa18f9bb3278fed82fd10721ebc1ad06633992e6f4ee8b4eb64b4d89cf185aeab3b316d041ccb523c0d46110f52a

  • SSDEEP

    12288:YzDn6yWn7fcpVZlu/6uHD73sYw0WJv1/wHiksaGdt8qmUMbpG/IinMkqFozGrCWW:sn698VVYHst0WrTkGrpm4/nMHvv/QO4v

Score
10/10
agentteslaexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3648
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ziQWPdVrQxk.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4516
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ziQWPdVrQxk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A0D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1392
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:2264
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
          PID:5068
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          2⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2120
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4332 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4640

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
          Filesize

          53KB

          MD5

          124edf3ad57549a6e475f3bc4e6cfe51

          SHA1

          80f5187eeebb4a304e9caa0ce66fcd78c113d634

          SHA256

          638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

          SHA512

          b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwrlgvhg.shn.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp5A0D.tmp
          Filesize

          1KB

          MD5

          9e0c1c9f136065647a37f16285b808e4

          SHA1

          5645d0d320580a61499755087733d3006e126719

          SHA256

          e88226e7b6dd278c6548ae53045c21b0ef9d0b18fcb842177f8be3c41b52feb0

          SHA512

          362bb2fe798c1e7e6926d60e33a76e768fb6237aa4f68c8d4dbbed1e5ed5267d2aeae5173ca09503d2646f1d8644748aa1cea82733ee9ce197884acd81478c75

          Download Submit

        • memory/636-8-0x0000000005A40000-0x0000000005A4C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/636-10-0x0000000005A50000-0x0000000005A60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/636-5-0x00000000056E0000-0x00000000056EA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/636-6-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-7-0x00000000059D0000-0x00000000059F2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/636-3-0x0000000005730000-0x00000000057C2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/636-9-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/636-4-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/636-11-0x0000000002F50000-0x0000000002FD4000-memory.dmp

          Filesize

          528KB

          Download

        • memory/636-12-0x000000000FE70000-0x000000000FF0C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/636-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/636-2-0x0000000005CE0000-0x0000000006284000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/636-31-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/636-1-0x0000000000C30000-0x0000000000CF0000-memory.dmp

          Filesize

          768KB

          Download

        • memory/2120-56-0x0000000005DD0000-0x0000000005E20000-memory.dmp

          Filesize

          320KB

          Download

        • memory/2120-28-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/3648-15-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3648-85-0x0000000007B30000-0x0000000007BC6000-memory.dmp

          Filesize

          600KB

          Download

        • memory/3648-97-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3648-16-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3648-88-0x0000000007AD0000-0x0000000007ADE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3648-21-0x00000000057D0000-0x0000000005DF8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/3648-29-0x00000000055B0000-0x0000000005616000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3648-87-0x0000000006A40000-0x0000000006A51000-memory.dmp

          Filesize

          68KB

          Download

        • memory/3648-19-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3648-66-0x0000000070B00000-0x0000000070B4C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3648-51-0x00000000063D0000-0x00000000063EE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3648-84-0x0000000007900000-0x000000000790A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3648-53-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3648-55-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3648-17-0x0000000002BB0000-0x0000000002BE6000-memory.dmp

          Filesize

          216KB

          Download

        • memory/3648-57-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3648-83-0x00000000078A0000-0x00000000078BA000-memory.dmp

          Filesize

          104KB

          Download

        • memory/3648-81-0x0000000007770000-0x0000000007813000-memory.dmp

          Filesize

          652KB

          Download

        • memory/4516-50-0x0000000005A30000-0x0000000005D84000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4516-60-0x0000000070B00000-0x0000000070B4C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4516-80-0x00000000066E0000-0x00000000066FE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4516-59-0x0000000006700000-0x0000000006732000-memory.dmp

          Filesize

          200KB

          Download

        • memory/4516-82-0x0000000007A80000-0x00000000080FA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4516-58-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4516-52-0x0000000006160000-0x00000000061AC000-memory.dmp

          Filesize

          304KB

          Download

        • memory/4516-24-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4516-22-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4516-27-0x00000000050B0000-0x0000000005116000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4516-89-0x0000000007680000-0x0000000007694000-memory.dmp

          Filesize

          80KB

          Download

        • memory/4516-90-0x0000000007760000-0x000000000777A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/4516-91-0x00000000076B0000-0x00000000076B8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4516-26-0x0000000004F80000-0x0000000004FA2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4516-23-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4516-98-0x0000000074DD0000-0x0000000075580000-memory.dmp

          Filesize

          7.7MB

          Download