Analysis

  • max time kernel
    359s
  • max time network
    360s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-05-2024 17:42

General

  • Target
    a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886.exe
  • Size
    759KB
  • MD5
    b79f97e4db70037b5bc5151fbe634d93
  • SHA1
    81283e71c6dedb7335c0adaa51c0ca3f804638a2
  • SHA256
    a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886
  • SHA512
    3fab52033ca9ded4e123253bc74912c60fdfc38ee5272df66fd6e77430f460ec13ea3a482df6488bb18c362abf0ec3b155664350f1f5950a2362b0db1bcc48e5
  • SSDEEP
    12288:Bz9TjhnjhvWr1NhQCKBtVOrH/ks40Zstp+wSb/YEXk6SvXRyp3Gb5:BzdNnNmXhjaDuR40Z/YokXPIFGb

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886.exe
    "C:\Users\Admin\AppData\Local\Temp\a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a342ce10ee92e28fe35aae7804785ff5de362be4445501b18c322a049625f886.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2552
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rDqZKcwn.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rDqZKcwn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD652.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1680
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD652.tmp
    Filesize
    1KB
    MD5
    9da5ac1981084fe8b2d398850e6bda49
    SHA1
    c510e9de6b2748a2d74d0dc83ad93ee73ec81ef9
    SHA256
    aad19a404d229ab3a2ad6843a16573ec28e012d4c2ea0fcfe7939b4cb33f13bc
    SHA512
    06ed42efba15faae6ee6824ae787f6e3d59a41fafce07ab94af6c312003905a853b4f4bc93d87b076383ab1f979d1b590f2cad8334c55672810015f16ae2f6da
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize
    7KB
    MD5
    eec754f93a34b5b5432736f55f3070f8
    SHA1
    8b924732ebcb4f38aa0abba65006c198279be8ac
    SHA256
    92231ea2560295be78f70cbca584c582baced236dac57edc639042fbe830dc8c
    SHA512
    5dabda5639cbc3f6b7e172df8ded516ae717cd4b36a9b70aa640a59b9a648302876c634399f9723a2dd7a248e351c129fff43d92cce5b16cbdab7c93d053ca7d

  • memory/2036-4-0x00000000746FE000-0x00000000746FF000-memory.dmp
    Filesize
    4KB
  • memory/2036-3-0x0000000000490000-0x000000000049C000-memory.dmp
    Filesize
    48KB
  • memory/2036-0-0x00000000746FE000-0x00000000746FF000-memory.dmp
    Filesize
    4KB
  • memory/2036-5-0x00000000746F0000-0x0000000074DDE000-memory.dmp
    Filesize
    6.9MB
  • memory/2036-6-0x00000000004B0000-0x00000000004BC000-memory.dmp
    Filesize
    48KB
  • memory/2036-7-0x0000000005410000-0x000000000547A000-memory.dmp
    Filesize
    424KB
  • memory/2036-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp
    Filesize
    6.9MB
  • memory/2036-1-0x0000000001250000-0x0000000001312000-memory.dmp
    Filesize
    776KB
  • memory/2036-33-0x00000000746F0000-0x0000000074DDE000-memory.dmp
    Filesize
    6.9MB
  • memory/2820-32-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize
    192KB
  • memory/2820-30-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize
    192KB
  • memory/2820-29-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize
    192KB
  • memory/2820-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize
    4KB
  • memory/2820-26-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize
    192KB
  • memory/2820-22-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize
    192KB
  • memory/2820-20-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize
    192KB
  • memory/2820-24-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize
    192KB