Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17-06-2024 19:31

General

  • Target

    SaturnxExternal.exe

  • Size

    7.6MB

  • MD5

    39b0f9e3674e8434d552abbf494f5d9f

  • SHA1

    e4d284205e6dc6febc6829980026a6ec08089d75

  • SHA256

    ce02a8c4fed7aefb3da421a2eaffd13fe92495d8701f8016b7cbe946d380b493

  • SHA512

    f27311b90d923dcf364ec6cb674273c681aae874675bb8948a74f69984da8844ec1eb1b31513221e224b370e644d05dff1e4678ba5a7a9065dc78aeca59541dd

  • SSDEEP

    98304:g68jFBO6Y86I/aK0itvOYvIKW8w4avoEeB0EYISxkLwBOIwz8:gxH6FkVzvIT8w4soRpYHxk0BRwz8

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • AgentTesla payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SaturnxExternal.exe
    "C:\Users\Admin\AppData\Local\Temp\SaturnxExternal.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2160 -s 984
      2⤵
        PID:2524
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:2424

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2160-0-0x000007FEF57A3000-0x000007FEF57A4000-memory.dmp

        Filesize

        4KB

      • memory/2160-1-0x000000013FD70000-0x0000000140516000-memory.dmp

        Filesize

        7.6MB

      • memory/2160-2-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

        Filesize

        9.9MB

      • memory/2160-3-0x000000001C530000-0x000000001C906000-memory.dmp

        Filesize

        3.8MB

      • memory/2160-4-0x000000001E230000-0x000000001E444000-memory.dmp

        Filesize

        2.1MB

      • memory/2160-5-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

        Filesize

        9.9MB