Analysis
max time kernel: 115s
max time network: 89s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-06-2024 16:59
Behavioral task: behavioral1
Sample: SploitXE_BEta.rar
Resource: win7-20240508-en
General
Target: SploitXE_BEta.rar
Size: 3.3MB
MD5: 68f23738f5bf5e2612eb02d5e1526b8a
SHA1: f59898686617dab7a596f5c452e4a38d90b90449
SHA256: e9c4cdb578c440ae2f25590d9ad7b155ae309d4f0cdc67c1f9528e070b30fac9
SHA512: 3897abe5798c11bbe8ca45c59c1a73d055313bc41b42ef7feba9a504f01d7fa155d4a7b26193c51cbb1ccc245305ad71f7c900dbee15316261d09f997119bcb2
SSDEEP: 98304:oEc3CcFLpIlSZfA9l0N4MRpJ7BwsE60b81jvO:+lVugOlCRpJ7BwsEGZm
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload (2 IoCs)
  resource | yara_rule
  - C:\Users\Admin\Desktop\SploitXE BEta\Guna.UI2.dll | family_agenttesla
  - behavioral2/memory/4672-22-0x00000000060B0000-0x00000000062C4000-memory.dmp | family_agenttesla
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | process
  - Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | fraps.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | fraps.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | fraps.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  - Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | SploitXE.exe
Executes dropped EXE (4 IoCs)
  pid | process
  - 4672 | SploitXE.exe
  - 2368 | rbxfpsunlocker.exe
  - 4444 | setup.exe
  - 3192 | fraps.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | process
  - Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine | fraps.exe
Loads dropped DLL (6 IoCs)
  pid | process
  - 4672 | SploitXE.exe (2 entries)
  - 4444 | setup.exe (4 entries)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (2 IoCs)
  description | ioc | process
  - File created | C:\Windows\SysWOW64\frapsvid.dll | setup.exe
  - File created | C:\Windows\system32\frapsv64.dll | setup.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
NSIS installer (2 IoCs)
  resource | yara_rule
  - C:\Users\Admin\Desktop\SploitXE BEta\setup.exe | nsis_installer_1
  - C:\Users\Admin\Desktop\SploitXE BEta\setup.exe | nsis_installer_2
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | Taskmgr.exe
  - Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
  - Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | Taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | SploitXE.exe
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SploitXE.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | SploitXE.exe
Modifies registry class (2 IoCs)
  description | ioc | process
  - Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | cmd.exe
  - Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | OpenWith.exe
Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid | process
  - 4672 | SploitXE.exe (4 entries)
  - 2068 | Taskmgr.exe (7 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  - 4204 | OpenWith.exe
Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description | pid | process
  - Token: SeRestorePrivilege | 4184 | 7zG.exe
  - Token: 35 | 4184 | 7zG.exe
  - Token: SeSecurityPrivilege | 4184 | 7zG.exe (2 entries)
  - Token: SeDebugPrivilege | 4672 | SploitXE.exe
  - Token: SeDebugPrivilege | 2068 | Taskmgr.exe
  - Token: SeSystemProfilePrivilege | 2068 | Taskmgr.exe
  - Token: SeCreateGlobalPrivilege | 2068 | Taskmgr.exe
Suspicious use of FindShellTrayWindow (20 IoCs)
  pid | process
  - 4184 | 7zG.exe
  - 2068 | Taskmgr.exe (19 entries)
Suspicious use of SendNotifyMessage (19 IoCs)
  pid | process
  - 2068 | Taskmgr.exe (19 entries)
Suspicious use of SetWindowsHookEx (15 IoCs)
  pid | process
  - 4204 | OpenWith.exe (15 entries)
Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | process | target process
  - PID 4672 wrote to memory of 2368 | 4672 | SploitXE.exe | rbxfpsunlocker.exe (2 entries)
  - PID 4672 wrote to memory of 4444 | 4672 | SploitXE.exe | setup.exe (3 entries)
  - PID 4444 wrote to memory of 3192 | 4444 | setup.exe | fraps.exe (3 entries)
  - PID 4672 wrote to memory of 2068 | 4672 | SploitXE.exe | Taskmgr.exe (3 entries)
Processes (children are indented under their parent)
- C:\Windows\system32\cmd.exe (PID 1068)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\SploitXE_BEta.rar
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe (PID 4204)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe (PID 1788)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zG.exe (PID 4184)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap23745:84:7zEvent19068
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe (PID 4672)
  Command line: "C:\Users\Admin\Desktop\SploitXE BEta\SploitXE.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Desktop\SploitXE BEta\rbxfpsunlocker.exe (PID 2368)
    Command line: "C:\Users\Admin\Desktop\SploitXE BEta\rbxfpsunlocker.exe"
    - Executes dropped EXE
  - C:\Users\Admin\Desktop\SploitXE BEta\setup.exe (PID 4444)
    Command line: "C:\Users\Admin\Desktop\SploitXE BEta\setup.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Fraps\fraps.exe (PID 3192)
      Command line: "C:\Fraps\fraps.exe" /exit
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
  - C:\Windows\SysWOW64\Taskmgr.exe (PID 2068)
    Command line: "C:\Windows\System32\Taskmgr.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads