Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17-06-2024 19:31
Static task: static1
Behavioral task: behavioral1
Sample: SaturnxExternal.exe
Resource: win7-20240221-en
General
Target: SaturnxExternal.exe
Size: 7.6MB
MD5: 39b0f9e3674e8434d552abbf494f5d9f
SHA1: e4d284205e6dc6febc6829980026a6ec08089d75
SHA256: ce02a8c4fed7aefb3da421a2eaffd13fe92495d8701f8016b7cbe946d380b493
SHA512: f27311b90d923dcf364ec6cb674273c681aae874675bb8948a74f69984da8844ec1eb1b31513221e224b370e644d05dff1e4678ba5a7a9065dc78aeca59541dd
SSDEEP: 98304:g68jFBO6Y86I/aK0itvOYvIKW8w4avoEeB0EYISxkLwBOIwz8:gxH6FkVzvIT8w4soRpYHxk0BRwz8
Malware Config
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET.

AgentTesla payload (1 IoC)
Processes:
resource: behavioral1/memory/2160-4-0x000000001E230000-0x000000001E444000-memory.dmp    yara_rule: family_agenttesla
The YARA hit is on a memory dump of PID 2160 (the sample process) covering 0x1E230000-0x1E444000, about 2 MB, not on the 7.6 MB file itself: the Agent Tesla payload was identified in memory after the sample had started running.
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes:
SaturnxExternal.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes:
SaturnxExternal.exe: Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
SaturnxExternal.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
SaturnxExternal.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
SaturnxExternal.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
SaturnxExternal.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
SaturnxExternal.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
SaturnxExternal.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
SaturnxExternal.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion

All five of these signatures fire from the sample process itself (PID 2160). Taken together they are a typical VM/sandbox fingerprinting sequence (hypervisor guest-tools keys, BIOS vendor strings, disk device enumeration), so the values these keys return inside the analysis VM can change what the sample does next.
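The registry IoCs above are exactly the kind of event a detection engineer would want to turn into a per-process anti-analysis score rather than five separate alerts. The Python below is an added example, not code from the sandbox vendor or from this report: it parses registry-access events written in a constructed one-line format modelled on the IoCs above (process name, PID and paths are taken from the report; the event line format, the technique labels, the two-technique threshold and the benign explorer.exe control line are this example's own assumptions) and groups the hits into anti-analysis categories per process.

```python
"""Classify sandbox registry-access events into anti-analysis techniques.

Added example, not part of the sandbox report or of any vendor tooling.
SAMPLE_EVENTS is constructed: the paths, process name and PID mirror the
report's IoCs; the line format, labels and threshold are this example's own.
"""
import re
from collections import defaultdict

# (label, pattern) pairs. Matching is case-insensitive because the report
# itself mixes "Services" and "services" in the Disk\Enum paths.
ANTI_ANALYSIS_PATTERNS = [
    ("virtualbox_guest_additions",
     re.compile(r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions$", re.I)),
    ("vmware_tools",
     re.compile(r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools$", re.I)),
    ("bios_version_strings",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", re.I)),
    ("disk_enumeration",
     re.compile(r"\\SYSTEM\\ControlSet\d+\\Services\\Disk\\Enum(\\\d+)?$", re.I)),
    ("system_manufacturer",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\(SystemManufacturer|SystemVersion))?$", re.I)),
]

# Constructed event format: "<process> (pid <n>) <operation> <registry path>"
EVENT_RE = re.compile(
    r"^(?P<proc>\S+)\s+\(pid (?P<pid>\d+)\)\s+"
    r"(?P<op>Key opened|Key value queried)\s+(?P<path>\\REGISTRY\\.+)$"
)

SAMPLE_EVENTS = r"""
SaturnxExternal.exe (pid 2160) Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
SaturnxExternal.exe (pid 2160) Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
SaturnxExternal.exe (pid 2160) Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
SaturnxExternal.exe (pid 2160) Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
SaturnxExternal.exe (pid 2160) Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
SaturnxExternal.exe (pid 2160) Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
SaturnxExternal.exe (pid 2160) Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
SaturnxExternal.exe (pid 2160) Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
SaturnxExternal.exe (pid 2160) Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
explorer.exe (pid 2424) Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"""


def classify_registry_path(path):
    """Return the anti-analysis technique label for a registry path, or None."""
    for label, pattern in ANTI_ANALYSIS_PATTERNS:
        if pattern.search(path):
            return label
    return None


def parse_event(line):
    """Parse one constructed event line into a dict with proc, pid, op, path."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev


def summarize(lines):
    """Group technique hits by (process, pid): {(proc, pid): {label: [paths]}}."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        label = classify_registry_path(ev["path"])
        if label is not None:
            hits[(ev["proc"], ev["pid"])][label].append(ev["path"])
    return {key: dict(labels) for key, labels in hits.items()}


def verdict(summary, key, min_techniques=2):
    """Flag a process that touches at least min_techniques distinct categories.

    The threshold is this example's choice: a lone BIOS read is common in
    benign installers, a VBox + VMware + BIOS + disk combination is not.
    Returns (flagged, sorted list of technique labels).
    """
    techniques = summary.get(key, {})
    return len(techniques) >= min_techniques, sorted(techniques)


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS.splitlines())
    for key in sorted(report):
        flagged, techs = verdict(report, key)
        print(f"{key[0]} (pid {key[1]}): flagged={flagged} techniques={techs}")
```

Run stand-alone, the script flags SaturnxExternal.exe (pid 2160) with all five categories and leaves explorer.exe out of the summary, since its Run-key read matches none of the patterns. Feeding it real sandbox or EDR registry telemetry only requires adapting `EVENT_RE` to that source's line format.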
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
PID 2160 (SaturnxExternal.exe) wrote to memory of PID 2524 (WerFault.exe), recorded three times.
Caveat: the target is WerFault.exe, which the process tree below shows was started by the sample with "-u -p 2160 -s 984", the standard Windows Error Reporting invocation for a faulting process (-p names the crashing PID). The faulting process spawns WerFault.exe itself, and the recorded writes are part of that process creation, not injection into an unrelated process. The practical consequence is that the sample crashed during this run, so the recorded behaviour is likely truncated; the report contains no network, file or persistence signatures.
Processes
- C:\Users\Admin\AppData\Local\Temp\SaturnxExternal.exe (PID 2160)
  command line: "C:\Users\Admin\AppData\Local\Temp\SaturnxExternal.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe (PID 2524, child of PID 2160)
    command line: C:\Windows\system32\WerFault.exe -u -p 2160 -s 984
- C:\Windows\explorer.exe (PID 2424)
  command line: "C:\Windows\explorer.exe"