Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-06-2024 02:04

General

  • Target

    b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe

  • Size

    1.2MB

  • MD5

    ab3fa137f1603d28a0c4f79d4bb4c418

  • SHA1

    d76a52558a2a30343a7e0595d3f951683db444a5

  • SHA256

    b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883

  • SHA512

    262a143884a62d1c161545efbbbd7f8ea14f55ed62fe65bf568d3a35ad5e3a82c4e456da8e8ee8d440043e91a9d59735cbd2fc121b4238a70f2993705142ef3f

  • SSDEEP

    24576:3AHnh+eWsN3skA4RV1Hom2KXMmHaRI6pG0YhZ4WIT1QesUz+C7h5:qh+ZkldoPK8YaRI68SKesU1

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Detect packed .NET executables. Mostly AgentTeslaV4. 33 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 33 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 33 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 33 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 33 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 33 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
    "C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe"
      2⤵
      PID:924
    • C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
      "C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe"
      2⤵
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe"
        3⤵
        PID:1576
      • C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
        "C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1272
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
    1⤵
    PID:5128

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Melber
    Filesize: 28KB
    MD5: cbef02b13616b971d9ee3a12cfb806b8
    SHA1: 57f755b94add6c0d30b8ead691eae92839133609
    SHA256: d2f5e3c76c00df75d797415396979d4acaaddc51c26b685036f6bc33d3baa84f
    SHA512: 7e8633ce85d9a0c93a998b5a43ff37b6bddb87d2eaaa7db2820f3e24879882c21b39f2581fa951375e803ae53cd172c2b8409f61f5d8e03942741c33a0987b9c
  • C:\Users\Admin\AppData\Local\Temp\aut693.tmp
    Filesize: 255KB
    MD5: 1f68ab1a913155475090c1b6920b2100
    SHA1: a5f5ee6767e46d2a14f04fc56c0609ae7f045e46
    SHA256: 895be284a7a2fd435ef1aad4428496b0a44d7ec75130f3c9fd2aa72b501543e4
    SHA512: 614b6ddf6edfb2ae18caa8eba1e9d9515436d88ae577108b3c14571f27708100b258f25ee73f3b782082e32d5e5a0f4dfa1f8b52b3c666f29b5884265483d088
  • C:\Users\Admin\AppData\Local\Temp\aut6A3.tmp
    Filesize: 9KB
    MD5: 32b0677668558a39f86bbb428d200f31
    SHA1: e700c24e6e5854d552e2a3b8fca1ecf6f5d68372
    SHA256: 2227e8b902d06540892f364fb943dc40f1e5e0a12c41a9b5e4925bf0f2e0d0f9
    SHA512: 72586a6a2da9429b99ca8d2ae83fa973f4c80a4ab2836ab6120f47637584d6131d619898cf1b3faa041bda5acd420d895270b49e7639c9c6a0b1379b9283d518
  • C:\Users\Admin\AppData\Local\Temp\prophetesses
    Filesize: 261KB
    MD5: 2fd14cb64c85288ce300a01aa0206b37
    SHA1: add171fddcd001c709dc745bf3cd3b9ed4aa254b
    SHA256: b8a3e5188aa61b09556215649a89210e9cd48aa0ca8b893a4c299d721be4147b
    SHA512: 5072663b1f0c2dee814050cf7682a58fc0184570c56ddb746d98bf0cd04dfd2cfd1786b6349676b94cd07f665738f340575baccfcbac0db7882663b7f5f0551f
  • memory/1272-73-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-38-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize: 280KB
  • memory/1272-37-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize: 280KB
  • memory/1272-71-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-36-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize: 280KB
  • memory/1272-39-0x0000000005560000-0x00000000055B4000-memory.dmp
    Filesize: 336KB
  • memory/1272-40-0x0000000005BA0000-0x0000000006144000-memory.dmp
    Filesize: 5.6MB
  • memory/1272-41-0x0000000005630000-0x0000000005682000-memory.dmp
    Filesize: 328KB
  • memory/1272-53-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-99-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-1076-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize: 280KB
  • memory/1272-93-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-69-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-89-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-87-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-85-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-83-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-79-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-77-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-75-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-97-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-35-0x0000000000400000-0x0000000000446000-memory.dmp
    Filesize: 280KB
  • memory/1272-91-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-67-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-65-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-63-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-61-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-59-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-57-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-55-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-51-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-49-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-47-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-101-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-95-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-45-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-81-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-43-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-42-0x0000000005630000-0x000000000567D000-memory.dmp
    Filesize: 308KB
  • memory/1272-1072-0x0000000005810000-0x0000000005876000-memory.dmp
    Filesize: 408KB
  • memory/1272-1073-0x0000000006DD0000-0x0000000006E20000-memory.dmp
    Filesize: 320KB
  • memory/1272-1074-0x0000000006EC0000-0x0000000006F52000-memory.dmp
    Filesize: 584KB
  • memory/1272-1075-0x0000000006E30000-0x0000000006E3A000-memory.dmp
    Filesize: 40KB
  • memory/2800-10-0x00000000010B0000-0x00000000010B4000-memory.dmp
    Filesize: 16KB