Analysis

  • max time kernel
    595s
  • max time network
    600s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-06-2024 16:17

General

  • Target

    reach.exe

  • Size

    4.1MB

  • MD5

    c8cbc57915836322fd79b73f5cdd0047

  • SHA1

    ab2c9a392af16dde09c032b05ad19ca7c2170434

  • SHA256

    91a7ca4f9b9361e8eb01f2c52eeb67a36233cb7ccd481214472ed9065f247c52

  • SHA512

    a72619e18e262aba281ba70edc97a038bbbcf7ef0530cf66b85432baba0f1da71edb3ccaf014775c8faea702edf86e28c3fa84ddb22f9a09c08c1b59220dd3ff

  • SSDEEP

    98304:MY/Hu/2WllEKvUVoLu98EoHqDhmt8jgRVVjlvvv0p:MYGuUEToq8DHf8jgRVVt0p

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • AgentTesla payload 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\reach.exe
    "C:\Users\Admin\AppData\Local\Temp\reach.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2920
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:8
    1⤵
      PID:3116
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4828,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=4892 /prefetch:8
      1⤵
        PID:4564

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2920-0-0x00007FFFE4253000-0x00007FFFE4255000-memory.dmp

        Filesize

        8KB

      • memory/2920-1-0x000001C95C010000-0x000001C95C42C000-memory.dmp

        Filesize

        4.1MB

      • memory/2920-2-0x000001C976AB0000-0x000001C976EC8000-memory.dmp

        Filesize

        4.1MB

      • memory/2920-3-0x000001C95C810000-0x000001C95C822000-memory.dmp

        Filesize

        72KB

      • memory/2920-4-0x000001C95C850000-0x000001C95C86A000-memory.dmp

        Filesize

        104KB

      • memory/2920-5-0x000001C9770F0000-0x000001C977304000-memory.dmp

        Filesize

        2.1MB

      • memory/2920-6-0x00007FFFE4250000-0x00007FFFE4D11000-memory.dmp

        Filesize

        10.8MB

      • memory/2920-7-0x00007FFFE4250000-0x00007FFFE4D11000-memory.dmp

        Filesize

        10.8MB

      • memory/2920-10-0x00007FFFE4250000-0x00007FFFE4D11000-memory.dmp

        Filesize

        10.8MB

      • memory/2920-9-0x00007FFFE4253000-0x00007FFFE4255000-memory.dmp

        Filesize

        8KB