Analysis
-
max time kernel
149s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
01-06-2024 07:15
Static task
static1
Behavioral task
behavioral1
Sample
Vienna-EXEC.exe
Resource
win10v2004-20240508-en
General
-
Target
Vienna-EXEC.exe
-
Size
1.2MB
-
MD5
10c8524f6e32771be766ce9713bdbda5
-
SHA1
086a7e3b346430d187bea3ac6a2c93cb6a38e765
-
SHA256
9ce36bf852b19244ba6a3aad4cd925caf7f2de79c9580e0ed856a23baaa59eba
-
SHA512
5da3698486a3b206bfae5b6b2587cb82ec1dca0253b602e6637afaac9f92ee6c06e9301d405505457b975ae4859800041250f30f80b957d63e1a8a4552f531d4
-
SSDEEP
24576:14pSyydXFDFG4nqMpa0diPe0bkkh8TakoOkzLSXDjnKGYRIIGuUtxj29+DbF:ghyxlF5M0diWKkkqtBXPpOmjja+D
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 2 IoCs
Processes:
resource yara_rule behavioral1/files/0x000e000000023380-37.dat family_agenttesla behavioral1/memory/4364-40-0x0000000005600000-0x0000000005814000-memory.dmp family_agenttesla -
Looks for VirtualBox Guest Additions in registry 2 TTPs 5 IoCs
Processes:
Svhost.exeSvhost.exeVienna-EXEC.exeSvhost.exeSvhost.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Svhost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Svhost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Vienna-EXEC.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Svhost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Svhost.exe -
Looks for VMWare Tools registry key 2 TTPs 5 IoCs
Processes:
Vienna-EXEC.exeSvhost.exeSvhost.exeSvhost.exeSvhost.exedescription ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools Vienna-EXEC.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools Svhost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools Svhost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools Svhost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools Svhost.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Svhost.exeSvhost.exeSvhost.exeVienna-EXEC.exeSvhost.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Svhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Svhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Svhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Vienna-EXEC.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Vienna-EXEC.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Svhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Svhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Svhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Svhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Svhost.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Svhost.exeVienna-EXEC.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation Svhost.exe Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation Vienna-EXEC.exe -
Executes dropped EXE 5 IoCs
Processes:
tt.exeSvhost.exeSvhost.exeSvhost.exeSvhost.exepid Process 4364 tt.exe 1056 Svhost.exe 644 Svhost.exe 3520 Svhost.exe 4484 Svhost.exe -
Loads dropped DLL 2 IoCs
Processes:
tt.exepid Process 4364 tt.exe 4364 tt.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Svhost.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Svhost = "C:\\Users\\Admin\\AppData\\Roaming\\Svhost.exe" Svhost.exe -
Maps connected drives based on registry 3 TTPs 10 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
Svhost.exeSvhost.exeVienna-EXEC.exeSvhost.exeSvhost.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Svhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Svhost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Vienna-EXEC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Svhost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Svhost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Svhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Svhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Vienna-EXEC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Svhost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Svhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
tt.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS tt.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer tt.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion tt.exe -
Suspicious behavior: EnumeratesProcesses 55 IoCs
Processes:
Vienna-EXEC.exeSvhost.exeSvhost.exeSvhost.exeSvhost.exepid Process 1344 Vienna-EXEC.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 644 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 3520 Svhost.exe 1056 Svhost.exe 3520 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 4484 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe 1056 Svhost.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
Vienna-EXEC.exeSvhost.exeSvhost.exeSvhost.exeSvhost.exedescription pid Process Token: SeDebugPrivilege 1344 Vienna-EXEC.exe Token: SeDebugPrivilege 1056 Svhost.exe Token: SeDebugPrivilege 644 Svhost.exe Token: SeDebugPrivilege 3520 Svhost.exe Token: SeDebugPrivilege 4484 Svhost.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
tt.exepid Process 4364 tt.exe 4364 tt.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
tt.exepid Process 4364 tt.exe 4364 tt.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
Vienna-EXEC.exeSvhost.exedescription pid Process procid_target PID 1344 wrote to memory of 4364 1344 Vienna-EXEC.exe 88 PID 1344 wrote to memory of 4364 1344 Vienna-EXEC.exe 88 PID 1344 wrote to memory of 4364 1344 Vienna-EXEC.exe 88 PID 1344 wrote to memory of 1056 1344 Vienna-EXEC.exe 90 PID 1344 wrote to memory of 1056 1344 Vienna-EXEC.exe 90 PID 1056 wrote to memory of 4600 1056 Svhost.exe 95 PID 1056 wrote to memory of 4600 1056 Svhost.exe 95 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Vienna-EXEC.exe"C:\Users\Admin\AppData\Local\Temp\Vienna-EXEC.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Users\Admin\AppData\Local\Temp\tt.exe"C:\Users\Admin\AppData\Local\Temp\tt.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4364
-
-
C:\Users\Admin\AppData\Local\Temp\Svhost.exe"C:\Users\Admin\AppData\Local\Temp\Svhost.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Svhost" /tr "C:\Users\Admin\AppData\Roaming\Svhost.exe"3⤵
- Creates scheduled task(s)
PID:4600
-
-
-
C:\Users\Admin\AppData\Roaming\Svhost.exeC:\Users\Admin\AppData\Roaming\Svhost.exe1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644
-
C:\Users\Admin\AppData\Roaming\Svhost.exeC:\Users\Admin\AppData\Roaming\Svhost.exe1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520
-
C:\Users\Admin\AppData\Roaming\Svhost.exeC:\Users\Admin\AppData\Roaming\Svhost.exe1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4484
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f91be20cbf7fa6f403e352d73b196c79
SHA12b27b75b7b17d7012ed7655649d644e7d105a548
SHA2568d520c20017c84f0ddd5bdf341c534a9f9ec9e2b6556eaeb1df86a29cf62e0a3
SHA512442ea828390f53956f3a6bcad83dc7b3ada6a01b6319a322e38a523dffaadb01649663c8e33ad898c5a8bdcf1a0ef9805f29f2b61da970a88d7176ee1ae300e6
-
Filesize
2.1MB
MD5c19e9e6a4bc1b668d19505a0437e7f7e
SHA173be712aef4baa6e9dabfc237b5c039f62a847fa
SHA2569ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82
SHA512b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de
-
Filesize
123KB
MD569a4f157bf0bc87f9bcddb65ef00a257
SHA166eabd44f105875d0ef922b82376e65abdbb9a21
SHA2568e04e32d8aeeabf2aee325579ac865958f24892c5bee6b81f8eb98ee6cfcbe0b
SHA512a85cb7fbd7d6ac1e4806cb7ff03b93552d494de9fcf36f8311ff69fd475bf3de219280a8387687c31dd5f861e8eab8bd7ec5c759f37c93034f37db81c92405be
-
Filesize
480KB
MD5bdd7e91ec5ebafbbfb0bd220b435d639
SHA15f9de84f3990584c208a961064154cf1a463a353
SHA25614e81c1f6462c84909a63a34223f35b1a2b9f53a73f1e79c30c2b2a871556e6b
SHA512216fbb914dc28fee7f473bbda2de9ec1fa8dcf637ddbfaaf22aec32a3ef454b3b0d8efb296c70bcfdeff0608cf8948bc8386ad8fd29da1c2f674a1bc3958e5ad