Analysis

  • max time kernel
    41s
  • max time network
    42s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    17-06-2024 20:55

General

  • Target

    Debug/Unknown.exe

  • Size

    261KB

  • MD5

    ff7e8275043089f833d3a2f66e1371a2

  • SHA1

    4d25a98d06105369a683c73b3fa66f8f3c43d1dd

  • SHA256

    e37a683704bc37d29875f4d246a2b9258087a756e4782a32bb47d7f709f036f3

  • SHA512

    d4153b09a96dd78d17472e93983ee1d6a0de66064fd35c3cb03896823506330d11860bccbd487e425e95275e10d658bb07fad302c95453a93123ba4535aca898

  • SSDEEP

    6144:TdI2ZeR+KF9aCu/lrCHT4dDEOZV0wrcgo:62gR+KF9aCudrCHT4dAwr

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) and information stealer built on the .NET Framework; its early versions were written in Visual Basic .NET.

  • AgentTesla payload 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Debug\Unknown.exe
    "C:\Users\Admin\AppData\Local\Temp\Debug\Unknown.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    PID:3840
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 2044
      2⤵
      • Program crash
      PID:1420
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3840 -ip 3840
    1⤵
    PID:4496
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:5084
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffff6beab58,0x7ffff6beab68,0x7ffff6beab78
      2⤵
      PID:4544
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1812,i,3538415946097981635,4552579120380124764,131072 /prefetch:2
      2⤵
      PID:384
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1812,i,3538415946097981635,4552579120380124764,131072 /prefetch:8
      2⤵
      PID:1176
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1812,i,3538415946097981635,4552579120380124764,131072 /prefetch:8
      2⤵
      PID:3508
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1812,i,3538415946097981635,4552579120380124764,131072 /prefetch:1
      2⤵
      PID:1080
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3224 --field-trial-handle=1812,i,3538415946097981635,4552579120380124764,131072 /prefetch:1
      2⤵
      PID:2032
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3516 --field-trial-handle=1812,i,3538415946097981635,4552579120380124764,131072 /prefetch:1
      2⤵
      PID:1672
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 --field-trial-handle=1812,i,3538415946097981635,4552579120380124764,131072 /prefetch:8
      2⤵
      PID:2960
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 --field-trial-handle=1812,i,3538415946097981635,4552579120380124764,131072 /prefetch:8
      2⤵
      PID:2492
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:672
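The Signatures list above aggregates hits from every process in the run, not just the submission. Read against the process tree, the sample (PID 3840) spawned only WerFault.exe, i.e. it crashed, and carries three of the signature hits itself; the chrome.exe tree, the rundll32 COM server and elevation_service.exe are top-level processes that do not descend from it, so the WriteProcessMemory, AdjustPrivilegeToken, FindShellTrayWindow and similar hits come from Chrome. The script below is an added example, not part of the report or of any sandbox vendor's tooling: it rebuilds the tree from the depth markers, splits the signature hits by attribution and pulls the crashed PID out of the WerFault command lines. Records are transcribed from the Processes section with Chrome command lines cut down to their --type argument; treating "1⤵" as top-level and "2⤵" as a child of the nearest preceding top-level entry is an assumption about how the tree was rendered.

```python
"""Attribute sandbox signature hits to the submitted sample's own process tree.

Added example; the records are transcribed from the report, the parent links
are reconstructed from the depth markers (an assumption about the rendering).
"""
import re

# (depth, pid, command line, signatures attributed to that process)
PROCESSES = [
    (1, 3840, r'"C:\Users\Admin\AppData\Local\Temp\Debug\Unknown.exe"',
     ["Enumerates system info in registry",
      "Modifies Internet Explorer settings",
      "Suspicious use of SetWindowsHookEx"]),
    (2, 1420, r"C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 2044",
     ["Program crash"]),
    (1, 4496, r"C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3840 -ip 3840", []),
    (1, 5084, r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
              r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding", []),
    (1, 4064, r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
     ["Enumerates system info in registry",
      "Modifies data under HKEY_USERS",
      "Suspicious behavior: EnumeratesProcesses",
      "Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary",
      "Suspicious use of AdjustPrivilegeToken",
      "Suspicious use of FindShellTrayWindow",
      "Suspicious use of SendNotifyMessage",
      "Suspicious use of WriteProcessMemory"]),
    (2, 4544, "chrome.exe --type=crashpad-handler", []),
    (2, 384, "chrome.exe --type=gpu-process", []),
    (2, 1176, "chrome.exe --type=utility --utility-sub-type=network.mojom.NetworkService", []),
    (2, 3508, "chrome.exe --type=utility --utility-sub-type=storage.mojom.StorageService", []),
    (2, 1080, "chrome.exe --type=renderer --first-renderer-process", []),
    (2, 2032, "chrome.exe --type=renderer", []),
    (2, 1672, "chrome.exe --type=renderer", []),
    (2, 2960, "chrome.exe --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics", []),
    (2, 2492, "chrome.exe --type=utility --utility-sub-type=chrome.mojom.UtilWin", []),
    (1, 672, r'"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"', []),
]

# WerFault.exe receives the faulting process id in its -p argument
WERFAULT_TARGET = re.compile(r"WerFault\.exe.*?\s-p\s+(\d+)")


def build_parents(records):
    """Map each PID to its parent PID (None for top-level entries)."""
    parents, last_at_depth = {}, {}
    for depth, pid, _cmd, _sigs in records:
        parents[pid] = last_at_depth.get(depth - 1)
        last_at_depth[depth] = pid
    return parents


def descendants(parents, root):
    """The root plus every PID that chains back to it through parents."""
    tree = {root}
    changed = True
    while changed:  # fixed point, so record order does not matter
        changed = False
        for pid, ppid in parents.items():
            if ppid in tree and pid not in tree:
                tree.add(pid)
                changed = True
    return tree


def crashed_pids(records):
    """PIDs that Windows Error Reporting was launched for."""
    hits = set()
    for _depth, _pid, cmd, _sigs in records:
        m = WERFAULT_TARGET.search(cmd)
        if m:
            hits.add(int(m.group(1)))
    return hits


def attribute(records, sample_pid):
    """Split the run's signature hits into those raised inside the sample's
    process tree and those raised only by unrelated processes."""
    parents = build_parents(records)
    ours = descendants(parents, sample_pid)
    sample_sigs, other_sigs = set(), set()
    for _depth, pid, _cmd, sigs in records:
        (sample_sigs if pid in ours else other_sigs).update(sigs)
    return {
        "sample_pids": ours,
        "sample_sigs": sample_sigs,
        "noise_only_sigs": other_sigs - sample_sigs,
        "crashed": crashed_pids(records),
    }


if __name__ == "__main__":
    for key, value in attribute(PROCESSES, 3840).items():
        print(f"{key}: {sorted(value, key=str)}")
```

On this report the sample's own tree is {3840, 1420}, the crashed PID is 3840, and the only hits attributable to the sample are the registry enumeration, the Internet Explorer settings change, SetWindowsHookEx and the crash; everything else in the Signatures list is Chrome.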


Downloads

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
    Filesize: 2B
    MD5: d751713988987e9331980363e24189ce
    SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
    Filesize: 7KB
    MD5: a7b3e5d1eff5a8323355fd35ceed4f28
    SHA1: 88d420f216d5c24fda3d0042dac949881430f04c
    SHA256: 84abc0e237e0a32957740978fdafd1842d5faba4c83c85214bed5fb450ad14b8
    SHA512: 14ac8711bdd332859c83711f43035bffb1169852127cdbbbe879018a52c2810477c8b3ce29eba80af736222fcd89601ba7aec62addc5f83a5b877310847c65b5

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
    Filesize: 129KB
    MD5: 0ec89dcc1a5ad8f4224490faad5650a4
    SHA1: c923d517226890e0c3f67fc550eff2dffb2d0ec1
    SHA256: c08e34ff51b28963552d3a0d012578e1338ec19695a52ebd7c3a12c59fa7b710
    SHA512: 6ab0365ae53e26e8885e785da0777bdf833fe3ced6afde3f2e2841e2bfec689406dbdd11e3cbd2db2c4170525dbc7ca98bd8e1c6e5dbedd14b5ee4adc19d93fc

  • \??\pipe\crashpad_4064_KFCMZXFFHOXSXRHX
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
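None of the four dropped/modified files above belongs to the sample: three are Chrome profile files written by the chrome.exe tree (PID 4064), and the crashpad pipe entry hashes to the empty input (MD5 d41d8cd9…, SHA-256 e3b0c442…). The 2-byte "SCT Auditing Pending Reports" file is likewise recognisable by digest alone: its hashes are those of the literal string `[]`, an empty JSON array. The script below is an added example, not part of the report or of any sandbox vendor's tooling; it filters such a list down to entries worth a second look. The known-content table is computed with hashlib rather than pasted, so it cannot drift from the real digests; the path patterns for Chrome profile files and crashpad pipes are this example's own heuristics, and the entries are transcribed from the report.

```python
"""Filter a sandbox dropped-file list down to sample-attributable entries.

Added example; entries are transcribed from the report, the noise rules are
this example's own heuristics.
"""
import hashlib
import re

# Content that shows up constantly in sandbox drop lists. Digests are computed,
# not pasted, so the table is correct by construction.
KNOWN_CONTENT = {
    hashlib.sha256(b"").hexdigest(): "empty (zero bytes)",
    hashlib.sha256(b"[]").hexdigest(): "empty JSON array '[]'",
    hashlib.sha256(b"{}").hexdigest(): "empty JSON object '{}'",
}

# Assumed path patterns for browser-profile noise and crashpad named pipes
BROWSER_PROFILE = re.compile(r"\\AppData\\Local\\Google\\Chrome\\User Data\\", re.IGNORECASE)
CRASHPAD_PIPE = re.compile(r"^\\\?\?\\pipe\\crashpad_(\d+)_", re.IGNORECASE)

# (path, size in bytes or None, sha256) transcribed from the report
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports",
     2, "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945"),
    (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences",
     7 * 1024, "84abc0e237e0a32957740978fdafd1842d5faba4c83c85214bed5fb450ad14b8"),
    (r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State",
     129 * 1024, "c08e34ff51b28963552d3a0d012578e1338ec19695a52ebd7c3a12c59fa7b710"),
    (r"\??\pipe\crashpad_4064_KFCMZXFFHOXSXRHX",
     None, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]


def classify(path, sha256):
    """Return ("noise", reason) for entries explained by a rule, else ("review", reason)."""
    if sha256 in KNOWN_CONTENT:
        return "noise", KNOWN_CONTENT[sha256]
    m = CRASHPAD_PIPE.match(path)
    if m:
        return "noise", f"crashpad pipe of PID {m.group(1)}"
    if BROWSER_PROFILE.search(path):
        return "noise", "browser profile file"
    return "review", "not matched by any noise rule"


def triage(entries):
    """(path, verdict, reason) for every entry."""
    return [(path, *classify(path, sha)) for path, _size, sha in entries]


def needs_review(entries):
    """Paths left over after the noise rules have been applied."""
    return [path for path, verdict, _reason in triage(entries) if verdict == "review"]


if __name__ == "__main__":
    for path, verdict, reason in triage(DROPPED):
        print(f"{verdict:6} {reason:28} {path}")
    print("to review:", needs_review(DROPPED))
```

For this run the review list is empty, which matches the process tree: the sample crashed before writing anything the sandbox caught. A path that matches none of the rules (an executable dropped under AppData\Roaming, say) comes back as "review".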

  • memory/3840-0-0x000000007488E000-0x000000007488F000-memory.dmp
    Filesize: 4KB

  • memory/3840-1-0x00000000007E0000-0x0000000000828000-memory.dmp
    Filesize: 288KB

  • memory/3840-2-0x0000000005880000-0x0000000005E26000-memory.dmp
    Filesize: 5.6MB

  • memory/3840-3-0x00000000051D0000-0x0000000005262000-memory.dmp
    Filesize: 584KB

  • memory/3840-4-0x00000000051B0000-0x00000000051BA000-memory.dmp
    Filesize: 40KB

  • memory/3840-5-0x0000000074880000-0x0000000075031000-memory.dmp
    Filesize: 7.7MB

  • memory/3840-6-0x0000000005E30000-0x0000000006046000-memory.dmp
    Filesize: 2.1MB

  • memory/3840-7-0x00000000061A0000-0x00000000062EE000-memory.dmp
    Filesize: 1.3MB

  • memory/3840-8-0x00000000052B0000-0x00000000052C4000-memory.dmp
    Filesize: 80KB

  • memory/3840-9-0x0000000074880000-0x0000000075031000-memory.dmp
    Filesize: 7.7MB

  • memory/3840-12-0x0000000074880000-0x0000000075031000-memory.dmp
    Filesize: 7.7MB

  • memory/3840-13-0x0000000074880000-0x0000000075031000-memory.dmp
    Filesize: 7.7MB

  • memory/3840-14-0x0000000074880000-0x0000000075031000-memory.dmp
    Filesize: 7.7MB
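Every memory dump in this run comes from the sample process (PID 3840); none were taken from WerFault.exe or the Chrome tree. The dump names encode the PID, a sequence index and the start and end address of the region, and the "Filesize" values are simply end minus start. Thirteen dumps cover only nine distinct regions: the 7.7MB range 0x74880000-0x75031000 was dumped five times (indices 5, 9, 12, 13, 14), and the 4KB dump 0 is a single page inside that same range. The addresses all sit below 4GB, consistent with the 32-bit (SysWOW64) WerFault.exe path that handled the crash. The script below is an added example, not part of the report or of any vendor tool; it parses the names, reproduces the report's size formatting, collapses repeated dumps of one range and reports ranges nested inside others, so a practitioner loads each region once rather than five times. The dump names are transcribed from the report.

```python
"""Parse sandbox memory-dump names into address ranges and de-duplicate them.

Added example; the dump names are transcribed from the report. No claim is
made here about what the regions contain.
"""
import re

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMPS = [
    "memory/3840-0-0x000000007488E000-0x000000007488F000-memory.dmp",
    "memory/3840-1-0x00000000007E0000-0x0000000000828000-memory.dmp",
    "memory/3840-2-0x0000000005880000-0x0000000005E26000-memory.dmp",
    "memory/3840-3-0x00000000051D0000-0x0000000005262000-memory.dmp",
    "memory/3840-4-0x00000000051B0000-0x00000000051BA000-memory.dmp",
    "memory/3840-5-0x0000000074880000-0x0000000075031000-memory.dmp",
    "memory/3840-6-0x0000000005E30000-0x0000000006046000-memory.dmp",
    "memory/3840-7-0x00000000061A0000-0x00000000062EE000-memory.dmp",
    "memory/3840-8-0x00000000052B0000-0x00000000052C4000-memory.dmp",
    "memory/3840-9-0x0000000074880000-0x0000000075031000-memory.dmp",
    "memory/3840-12-0x0000000074880000-0x0000000075031000-memory.dmp",
    "memory/3840-13-0x0000000074880000-0x0000000075031000-memory.dmp",
    "memory/3840-14-0x0000000074880000-0x0000000075031000-memory.dmp",
]


def parse_dump_name(name):
    """Split a dump name into pid, index, start, end and size (bytes)."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted range in {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Format like the report: whole KB below 1 MiB, one decimal MB above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def unique_regions(names):
    """Map each distinct (start, end) range to the dump indices that cover it."""
    regions = {}
    for name in names:
        d = parse_dump_name(name)
        regions.setdefault((d["start"], d["end"]), []).append(d["idx"])
    return regions


def contained_in(names):
    """Pairs (inner, outer) where one distinct range lies inside another."""
    regions = sorted(unique_regions(names))
    return [(inner, outer) for inner in regions for outer in regions
            if inner != outer and outer[0] <= inner[0] and inner[1] <= outer[1]]


def summary(names):
    """One line per distinct region, sorted by address."""
    return [f"0x{s:08X}-0x{e:08X} {human_size(e - s):>6} dumps={idx}"
            for (s, e), idx in sorted(unique_regions(names).items())]


if __name__ == "__main__":
    print("\n".join(summary(DUMPS)))
    for inner, outer in contained_in(DUMPS):
        print(f"0x{inner[0]:08X}-0x{inner[1]:08X} lies inside 0x{outer[0]:08X}-0x{outer[1]:08X}")
```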