Analysis

  • max time kernel
    96s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-06-2024 14:33

General

  • Target

    PowerCheat free.exe

  • Size

    7.3MB

  • MD5

    43cb480944627cc538b1d6aba4ddef6d

  • SHA1

    dc421528bf98e998cd01a17602fe63c08a17ae57

  • SHA256

    7a5df9d2619482c2b1ae44d7099f3c184723cd06a78c45261eefd4fd5d6a175f

  • SHA512

    9b6b81d682ce9cf605b1f1d910511c649454d0eb53edf0c8e022bcc4b1f65fd680fd5a4e963f76079d1a41a7d2cc24d306ca717271e7d9e55b73dc17a91bb67c

  • SSDEEP

    196608:b/TYUOztYQC4wmOH2dWJMiUb5zBXVnTpkSIgzeRn:TWzupHjJdwbdkSpzY

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla payload 1 IoCs
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: LoadsDriver 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe
    "C:\Users\Admin\AppData\Local\Temp\PowerCheat free.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3452
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86a95ab58,0x7ff86a95ab68,0x7ff86a95ab78
      2⤵
      PID:1332
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:2
      2⤵
      PID:5028
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
      2⤵
      PID:1752
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
      2⤵
      PID:2852
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
      2⤵
      PID:4564
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
      2⤵
      PID:1724
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
      2⤵
      PID:2316
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
      2⤵
      PID:776
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
      2⤵
      PID:3832
    • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
      "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
      2⤵
      PID:2076
      • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
        "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff7c86dae48,0x7ff7c86dae58,0x7ff7c86dae68
        3⤵
        PID:4408
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4232 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
      2⤵
      PID:3200
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5020 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
      2⤵
      PID:4188
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3224 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
      2⤵
      PID:2436
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4000 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
      2⤵
      PID:64
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
      2⤵
      PID:2300
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4312 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
      2⤵
      PID:4452
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:8
      2⤵
      PID:2348
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3124 --field-trial-handle=1940,i,16202837372386412681,8292501232116540129,131072 /prefetch:1
      2⤵
      PID:1064
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    PID:1400

Network

MITRE ATT&CK Enterprise v15


Downloads


  • memory/3452-5-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
    Filesize 10.8MB
  • memory/3452-13-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
    Filesize 10.8MB
  • memory/3452-11-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
    Filesize 10.8MB
  • memory/3452-10-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
    Filesize 10.8MB
  • memory/3452-9-0x00007FF85B423000-0x00007FF85B425000-memory.dmp
    Filesize 8KB
  • memory/3452-8-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
    Filesize 10.8MB
  • memory/3452-7-0x00007FF85B420000-0x00007FF85BEE1000-memory.dmp
    Filesize 10.8MB
  • memory/3452-0-0x00007FF85B423000-0x00007FF85B425000-memory.dmp
    Filesize 8KB
  • memory/3452-6-0x00000294F0C70000-0x00000294F0E84000-memory.dmp
    Filesize 2.1MB
  • memory/3452-4-0x00000294EFE90000-0x00000294EFEA2000-memory.dmp
    Filesize 72KB
  • memory/3452-2-0x00000294EE5D0000-0x00000294EE622000-memory.dmp
    Filesize 328KB
  • memory/3452-3-0x00000294EE5A0000-0x00000294EE5BA000-memory.dmp
    Filesize 104KB
  • memory/3452-1-0x00000294EDA90000-0x00000294EE1E0000-memory.dmp
    Filesize 7.3MB