Malware Analysis Report

2024-08-06 15:25

Sample ID 240521-lrmgqagh45
Target IMG1024785000.exe
SHA256 68d48d53b40a2c1c905dcfbb4062066dfdf38f24440da5ac3a679e466a96bf1e
Tags
agenttesla nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

68d48d53b40a2c1c905dcfbb4062066dfdf38f24440da5ac3a679e466a96bf1e

Threat Level: Known bad

The file IMG1024785000.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

AgentTesla

Reads user/profile data of local email clients

Loads dropped DLL

Reads data files stored by FTP clients

Executes dropped EXE

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-21 09:46

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 09:46

Reported

2024-05-21 09:48

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepads = "C:\\Users\\Admin\\AppData\\Roaming\\notepads.exe" C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\notepads = "C:\\Users\\Admin\\AppData\\Roaming\\notepads.exe" C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4676 set thread context of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 4064 set thread context of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe
PID 4676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe
PID 4676 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe
PID 4676 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 4676 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 4676 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 4676 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 4676 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 4676 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 4676 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 4676 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 4064 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4064 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4064 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4064 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4064 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4064 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4064 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4064 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe

"C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe"

C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe

"C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe"

C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe

"C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3919855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
UA 193.238.153.34:80 193.238.153.34 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 34.153.238.193.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
UA 193.238.153.34:80 193.238.153.34 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 66.29.151.236:587 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 236.151.29.66.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
NL 94.156.68.219:2323 tcp
US 8.8.8.8:53 219.68.156.94.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe

MD5 3096b4b10cadb369dfe4bf9baeb90fb9
SHA1 9c4901dd318cb7aa215b5b9729c368d0567cc42c
SHA256 7369e401e7fc860dca295f09625f4ef16235db5cad392e1c6ab4607c22b729dd
SHA512 49297c01ade6fcf408e2defc6f143ca7db2822acd2d2a9d9614e2272f7df02d64d815f262d158441c695769ae917a5a9216b86185377e817ce2f980f688c84f8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IMG1024785000.exe.log

MD5 489c7565f9b029ba9fadff774073cc98
SHA1 56c05089b33ee7e7dfa9e6a2d098164efd8e1150
SHA256 10bf6242da02dad8b2e1208b9dab9a7303cf986320e05e5ef20b99c9b71326d4
SHA512 ddea09c011a8d4f85905842c2f34c98add0110a0b6b3b2709718c3614a2c42dec5f4f5d5b9442cfd3c6c23e9a90c8c0b25c14c3dbd42faea9cc8dd232cace1ac

\??\c:\users\admin\appdata\roaming\notepads.exe

MD5 e8be2d0db77ac16032d576eaa3b954e5
SHA1 f310deafee5d1c094c7bddcb5bca14a76e41e3e8
SHA256 d7eb34b43ee0d3140ef87919278d709b72efb82b0c9da72d9e778addaed9a61c
SHA512 3b1cf586b90729eb3a7e8d6ffebe2c35f380ab97a6c460577ba5ff24578e1b3399641239758fe7855652d86785673d8c770490f7975bd91c92661bb533ce121e

C:\Users\Admin\AppData\Roaming\310807AB-751F-4D81-AE09-B202EAF21E19\settings.bin

MD5 4e5e92e2369688041cc82ef9650eded2
SHA1 15e44f2f3194ee232b44e9684163b6f66472c862
SHA256 f8098a6290118f2944b9e7c842bd014377d45844379f863b00d54515a8a64b48
SHA512 1b368018907a3bc30421fda2c935b39dc9073b9b1248881e70ad48edb6caa256070c1a90b97b0f64bbe61e316dbb8d5b2ec8dbabcd0b0b2999ab50b933671ecb

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 09:46

Reported

2024-05-21 09:48

Platform

win7-20240221-en

Max time kernel

133s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\notepads = "C:\\Users\\Admin\\AppData\\Roaming\\notepads.exe" C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\notepads = "C:\\Users\\Admin\\AppData\\Roaming\\notepads.exe" C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2684 set thread context of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 3340 set thread context of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe
PID 2684 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe
PID 2684 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe
PID 2684 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe
PID 2684 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 2684 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 2684 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 2684 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 2684 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 2684 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 2684 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 2684 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 2684 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe
PID 3340 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3340 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3340 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3340 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3340 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3340 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3340 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3340 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3340 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3340 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3340 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3340 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe

"C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe"

C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe

"C:\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe"

C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe

"C:\Users\Admin\AppData\Local\Temp\IMG1024785000.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
UA 193.238.153.34:80 193.238.153.34 tcp
UA 193.238.153.34:80 193.238.153.34 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
NL 94.156.68.219:2323 tcp
NL 94.156.68.219:2323 tcp

Files

\Users\Admin\AppData\Local\Temp\Pgfmnlkveb.exe

MD5 3096b4b10cadb369dfe4bf9baeb90fb9
SHA1 9c4901dd318cb7aa215b5b9729c368d0567cc42c
SHA256 7369e401e7fc860dca295f09625f4ef16235db5cad392e1c6ab4607c22b729dd
SHA512 49297c01ade6fcf408e2defc6f143ca7db2822acd2d2a9d9614e2272f7df02d64d815f262d158441c695769ae917a5a9216b86185377e817ce2f980f688c84f8

\??\c:\users\admin\appdata\roaming\notepads.exe

MD5 3c5eeab605bf86d93dcd01aa912efa54
SHA1 c24a07068c65fbfa25ee47246703dd4b0bb5e8d2
SHA256 68d48d53b40a2c1c905dcfbb4062066dfdf38f24440da5ac3a679e466a96bf1e
SHA512 8ac3e8098970cbdcb55acba7e5b32d5c7422b5f67376d0f1f5956a6ef052e3c29dfea2f4f154c8856d97b2b3fc132771444d7c3bfc1fb2a8331fbaa835747f30

C:\Users\Admin\AppData\Roaming\4456596E-0528-4680-8940-5EDC26C0FF50\settings.bin

MD5 4e5e92e2369688041cc82ef9650eded2
SHA1 15e44f2f3194ee232b44e9684163b6f66472c862
SHA256 f8098a6290118f2944b9e7c842bd014377d45844379f863b00d54515a8a64b48
SHA512 1b368018907a3bc30421fda2c935b39dc9073b9b1248881e70ad48edb6caa256070c1a90b97b0f64bbe61e316dbb8d5b2ec8dbabcd0b0b2999ab50b933671ecb