Analysis

  • max time kernel
    115s
  • max time network
    89s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-06-2024 16:59

General

  • Target

    SploitXE_BEta.rar

  • Size

    3.3MB

  • MD5

    68f23738f5bf5e2612eb02d5e1526b8a

  • SHA1

    f59898686617dab7a596f5c452e4a38d90b90449

  • SHA256

    e9c4cdb578c440ae2f25590d9ad7b155ae309d4f0cdc67c1f9528e070b30fac9

  • SHA512

    3897abe5798c11bbe8ca45c59c1a73d055313bc41b42ef7feba9a504f01d7fa155d4a7b26193c51cbb1ccc245305ad71f7c900dbee15316261d09f997119bcb2

  • SSDEEP

    98304:oEc3CcFLpIlSZfA9l0N4MRpJ7BwsE60b81jvO:+lVugOlCRpJ7BwsEGZm

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla payload 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 20 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\SploitXE_BEta.rar
    1⤵
    • Modifies registry class
    PID:1068
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:4204
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1788
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap23745:84:7zEvent19068
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4184
    • C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe
      "C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4672
      • C:\Users\Admin\Desktop\SploitXE BEta\rbxfpsunlocker.exe
        "C:\Users\Admin\Desktop\SploitXE BEta\rbxfpsunlocker.exe"
        2⤵
        • Executes dropped EXE
        PID:2368
      • C:\Users\Admin\Desktop\SploitXE BEta\setup.exe
        "C:\Users\Admin\Desktop\SploitXE BEta\setup.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4444
        • C:\Fraps\fraps.exe
          "C:\Fraps\fraps.exe" /exit
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          PID:3192
      • C:\Windows\SysWOW64\Taskmgr.exe
        "C:\Windows\System32\Taskmgr.exe"
        2⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2068

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Fraps\fraps.exe

      Filesize

      2.5MB

      MD5

      0ff5b5161a78bf5721811779376db71d

      SHA1

      35308429117b514237d34bd8015bfe4efa8e7d55

      SHA256

      da7f61f2b04266a2ae897a0b001e721f1920cb579d5e08a8e5930a79c5d2fb80

      SHA512

      d701440fa49f287a9631c8fb98cef5ea89b4f135901519d3ff3c45d0a7b8c464901514078bcf5ea8d2ffd23dbc7e30816ec0beaf06a531af045fdd1f5aec0204

    • C:\Users\Admin\AppData\Local\Temp\nsfB747.tmp\AdvSplash.dll

      Filesize

      6KB

      MD5

      13cc92f90a299f5b2b2f795d0d2e47dc

      SHA1

      aa69ead8520876d232c6ed96021a4825e79f542f

      SHA256

      eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb

      SHA512

      ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

    • C:\Users\Admin\AppData\Local\Temp\nsfB747.tmp\StartMenu.dll

      Filesize

      7KB

      MD5

      a4173b381625f9f12aadb4e1cdaefdb8

      SHA1

      cf1680c2bc970d5675adbf5e89292a97e6724713

      SHA256

      7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b

      SHA512

      fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82

    • C:\Users\Admin\AppData\Local\Temp\nsfB747.tmp\System.dll

      Filesize

      11KB

      MD5

      c17103ae9072a06da581dec998343fc1

      SHA1

      b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

      SHA256

      dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

      SHA512

      d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    • C:\Users\Admin\Desktop\SploitXE BEta\Guna.UI2.dll

      Filesize

      2.1MB

      MD5

      c19e9e6a4bc1b668d19505a0437e7f7e

      SHA1

      73be712aef4baa6e9dabfc237b5c039f62a847fa

      SHA256

      9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

      SHA512

      b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

    • C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe

      Filesize

      59KB

      MD5

      8f53627c43fe6a510a9fc17a7a50c348

      SHA1

      813323918300c83c8878a043db0631b1d156f07a

      SHA256

      f8fd35f40cf45e0332813d5ac555663c6d041256120d6e0fd0300d7b677379e1

      SHA512

      f4e0f4e3cf8833b9caab846e16558b882905d2cf5d0f037aa15cbe818f33052236780aea4c5e84eafc61333e63decfe64c694f1536117d39001a2e39f8f58c11

    • C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe.config

      Filesize

      189B

      MD5

      9dbad5517b46f41dbb0d8780b20ab87e

      SHA1

      ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

      SHA256

      47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

      SHA512

      43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

    • C:\Users\Admin\Desktop\SploitXE BEta\rbxfpsunlocker.exe

      Filesize

      605KB

      MD5

      09d083f0e2c1e8a3561209902333ad8f

      SHA1

      d9692d3aba34a39aeb9e53cb3d25562b94e2e597

      SHA256

      83dfcb08ea4aa1b857d952a8a177db775d1a7e9cfc30b528848a4a29c8dbf0b9

      SHA512

      c71371263cacc4872a4bf621614940f08c9436062683be5de921ae6e509079e25ea380623e8945d40858819a664bd76590defb2a89949e8e5666190f1024ca6b

    • C:\Users\Admin\Desktop\SploitXE BEta\setup.exe

      Filesize

      2.4MB

      MD5

      d1be561690e1d91e515faf9581cf81a6

      SHA1

      9fed9a02c3845ca78bd72319bbfcf5140e64a36a

      SHA256

      7213f30970c9764e1e0f85f15125f9241cf2619fb4724d322b5fe6f8ee3d9da0

      SHA512

      919e7bd14b65bf4fc778ce3409a92fdb5a59516cdb43d5dd3626ff2d18be9389951a289afe7453aeb6f8b9e314007c007a6f3bb7137f4fd167ce5688cebf28f5

    • memory/2068-84-0x0000000006190000-0x0000000006191000-memory.dmp

      Filesize

      4KB

    • memory/2068-83-0x0000000006190000-0x0000000006191000-memory.dmp

      Filesize

      4KB

    • memory/2068-88-0x0000000006190000-0x0000000006191000-memory.dmp

      Filesize

      4KB

    • memory/2068-85-0x0000000006190000-0x0000000006191000-memory.dmp

      Filesize

      4KB

    • memory/2068-82-0x0000000006190000-0x0000000006191000-memory.dmp

      Filesize

      4KB

    • memory/2068-86-0x0000000006190000-0x0000000006191000-memory.dmp

      Filesize

      4KB

    • memory/2068-87-0x0000000006190000-0x0000000006191000-memory.dmp

      Filesize

      4KB

    • memory/2068-78-0x0000000006190000-0x0000000006191000-memory.dmp

      Filesize

      4KB

    • memory/2068-76-0x0000000006190000-0x0000000006191000-memory.dmp

      Filesize

      4KB

    • memory/2068-77-0x0000000006190000-0x0000000006191000-memory.dmp

      Filesize

      4KB

    • memory/3192-75-0x0000000000400000-0x0000000000C03000-memory.dmp

      Filesize

      8.0MB

    • memory/3192-73-0x0000000000400000-0x0000000000C03000-memory.dmp

      Filesize

      8.0MB

    • memory/4672-18-0x0000000005710000-0x000000000571A000-memory.dmp

      Filesize

      40KB

    • memory/4672-15-0x0000000000B40000-0x0000000000B56000-memory.dmp

      Filesize

      88KB

    • memory/4672-16-0x0000000005B00000-0x00000000060A4000-memory.dmp

      Filesize

      5.6MB

    • memory/4672-17-0x0000000005550000-0x00000000055E2000-memory.dmp

      Filesize

      584KB

    • memory/4672-22-0x00000000060B0000-0x00000000062C4000-memory.dmp

      Filesize

      2.1MB