Analysis

  • max time kernel
    145s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-06-2024 18:42

General

  • Target

    Debug/Crystal.exe

  • Size

    144KB

  • MD5

    9e353bbaf855fd44edba02d747b6e9f4

  • SHA1

    289146c6c89604690048b018638e147e8a53cbed

  • SHA256

    2d0efe812711be404787e0c6832284bbacb0e16e35d241cb29d88f44e8bc336e

  • SHA512

    13ebe39c7665b2d17d83f2df9d4241bcc2ddc7e086ab8b7b031ed56f8356611b92901f70e202d44e2d2d349e9c135202592dcc0ce3a45017576e0cde7d7760e5

  • SSDEEP

    3072:kjWWh/jzNFzkIbdb3gAp4bTv4A8D625U7N4MDaAiDmbUaXVNXa6fm:kjXzFzZdbQTbj4+PZ3DaAiDmbUUVN

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla payload 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Debug\Crystal.exe
    "C:\Users\Admin\AppData\Local\Temp\Debug\Crystal.exe"
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:2284

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2284-0-0x00000000742DE000-0x00000000742DF000-memory.dmp
    Filesize

    4KB

  • memory/2284-1-0x0000000000A10000-0x0000000000A3C000-memory.dmp
    Filesize

    176KB

  • memory/2284-2-0x00000000008A0000-0x00000000008B6000-memory.dmp
    Filesize

    88KB

  • memory/2284-3-0x0000000000800000-0x000000000080E000-memory.dmp
    Filesize

    56KB

  • memory/2284-4-0x00000000742D0000-0x00000000749BE000-memory.dmp
    Filesize

    6.9MB

  • memory/2284-5-0x0000000001F80000-0x0000000002010000-memory.dmp
    Filesize

    576KB

  • memory/2284-6-0x000000000AAB0000-0x000000000ACC2000-memory.dmp
    Filesize

    2.1MB

  • memory/2284-7-0x0000000002080000-0x000000000208A000-memory.dmp
    Filesize

    40KB

  • memory/2284-8-0x00000000742D0000-0x00000000749BE000-memory.dmp
    Filesize

    6.9MB

  • memory/2284-9-0x00000000742DE000-0x00000000742DF000-memory.dmp
    Filesize

    4KB

  • memory/2284-10-0x00000000742D0000-0x00000000749BE000-memory.dmp
    Filesize

    6.9MB

  • memory/2284-11-0x00000000742D0000-0x00000000749BE000-memory.dmp
    Filesize

    6.9MB

  • memory/2284-12-0x00000000742D0000-0x00000000749BE000-memory.dmp
    Filesize

    6.9MB

  • memory/2284-13-0x00000000742D0000-0x00000000749BE000-memory.dmp
    Filesize

    6.9MB