Analysis
-
max time kernel
723s -
max time network
789s -
platform
windows10-1703_x64 -
resource
win10-20240611-en -
resource tags
-
submitted
29-06-2024 06:36
Errors
General
-
Target
无害.exe
-
Size
5.6MB
-
MD5
eb08619ed85a31118a80ce0a2f73f25f
-
SHA1
4289df26068458def91c876933e0483867625b2b
-
SHA256
f775611b5d45d3c13217c30f3792963894ecf0726a554188e5e2ee72077e6939
-
SHA512
b8f32587867025e11c6af73c8c3c7ba8f0ec2966cbd2a702240ab26c789ff791475d753ce53114d4c07dc0e2b2c79deba7ae1752d8ccca1ba6337d4a468e3fb0
-
SSDEEP
98304:F3AszIKgNQbnhi1ZKUZWFCGFR62sn+s0eFyVJPJuyacAlKWjR9qw4H9U:F3jzIRi1S+LFR6DZwrPJuplKWvgW
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 48 IoCs
-
Suspicious use of SendNotifyMessage 44 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\无害.exe"C:\Users\Admin\AppData\Local\Temp\无害.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3ae8855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.0.69365711\883118109" -parentBuildID 20221007134813 -prefsHandle 1572 -prefMapHandle 1564 -prefsLen 20845 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af300eaf-e04e-4bb1-af94-d40b1cb9bc98} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1652 1ae7faed558 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.1.1702318259\1397290179" -parentBuildID 20221007134813 -prefsHandle 1984 -prefMapHandle 1980 -prefsLen 20926 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {135a5b57-6b03-4518-81e0-8aed6ceb9a27} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 1996 1ae7f632f58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.2.1351364638\276159456" -childID 1 -isForBrowser -prefsHandle 2552 -prefMapHandle 2548 -prefsLen 21029 -prefMapSize 233444 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d310183d-f44e-427e-a309-3b3ca93a7dff} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 2888 1ae067d4758 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.3.1469555923\367750658" -childID 2 -isForBrowser -prefsHandle 3176 -prefMapHandle 3172 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b027ac89-32d4-4973-a51a-fcecc44a464e} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 3188 1ae05146f58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.4.1635809839\1554943041" -childID 3 -isForBrowser -prefsHandle 3472 -prefMapHandle 3468 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d4670d8-b6a2-4aea-ac21-ecbfe8ba7159} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 3496 1ae77464158 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.5.327793836\590333762" -childID 4 -isForBrowser -prefsHandle 4148 -prefMapHandle 4132 -prefsLen 26349 -prefMapSize 233444 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21339795-e969-43a3-b81f-198cc8f61b72} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 4156 1ae08a0f658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.6.402636126\496461988" -childID 5 -isForBrowser -prefsHandle 4332 -prefMapHandle 4336 -prefsLen 26349 -prefMapSize 233444 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb73b8e5-158c-48c0-a1e0-9e8fba66923f} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 3032 1ae08a0ea58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.7.657773897\2064873551" -childID 6 -isForBrowser -prefsHandle 4540 -prefMapHandle 4484 -prefsLen 26349 -prefMapSize 233444 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89589002-e4fc-42af-83de-d4da57b5553a} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 4320 1ae08a0e458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4068.8.360232692\1438696593" -childID 7 -isForBrowser -prefsHandle 4916 -prefMapHandle 3968 -prefsLen 26524 -prefMapSize 233444 -jsInitHandle 1172 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b6e33d3-2a4b-4d22-84cb-0e3def701b55} 4068 "\\.\pipe\gecko-crash-server-pipe.4068" 4924 1ae09cd0f58 tab3⤵
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3af0055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3af2855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\SuspendRestore.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=165140432⤵
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D5AC85208398E4B2B099EF3AEF5F028C --mojo-platform-channel-handle=1536 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A6C0E430C5D18413EB90FCFE138C2F38 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A6C0E430C5D18413EB90FCFE138C2F38 --renderer-client-id=2 --mojo-platform-channel-handle=1548 --allow-no-sandbox-job /prefetch:13⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=681761A68B6207C0E20B31CB58B1B0E3 --mojo-platform-channel-handle=2132 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:23⤵
-
-
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\GrantReceive.mp4"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3afc855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3afd055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3aff855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD573b7996b0b1e4e13e4089d008af2962b
SHA11c52d62d23c28395336d72a5c51666daf13e4488
SHA25620ada5c7919ec44ec4e4a818bbe471f5e26ac9e14527c643f31e5a1b4d9f678c
SHA5127242bbc20df3ed45b0186c07f869eba3e005976acf9280cc9721ea0746af5805e704be241be2cac5d62adb0ecd7aa76f912004b10b934738ef3f038a14abd24b
-
Filesize
2KB
MD588f8e2c751a2acd1358551ba0655c2dd
SHA111983c612040cea6f14fca1b7287fe15b039ca68
SHA256337289d5f4e4505224749e7db0c327494a708c3eb061d6ce254564fd5e8d82fe
SHA5127782f2e68690adbe5046c90757d12ab2d0326121ddb779fc307de332aa2bab92d3a911c707622436cad4ab4c7186b3d6db4fe6bfc9120206133c3a1f70ab7c67
-
Filesize
746B
MD5e092db89a0d1573fdfba850b94177559
SHA140721a6b922715fee7abfd1b62d35d019f1d3a4e
SHA256365d24405014b00745d1722da2dbbf359681c3e07d49362bf2fa34608ece7dfb
SHA51273e3570bbd44e3f83f3b40b7e344a78602149128f288e50a5758c039c2e9b1167a8c2f7c65363ced14747e4bfaffa9e9717be495de5d7c724231446caf2c742c
-
Filesize
10KB
MD54306ba9a85d67ac2db0f4cbec143167a
SHA1eddb8f3657afa4705ba091ef8e62bbe4dcd33a71
SHA256d1beaa2aa69cbc1dbf501dbc0a3a88e0185a9ecc3cdd1f39178f054f52695d93
SHA51272caa63e6878349fe0db1462b6620d7ff69be0192c6fd2a0b1e7e74a08df5378f03e0bf10300e4ed9200adb8d370150defcb862ee75a9a4050080cb3f7260e22
-
Filesize
6KB
MD561738015e7ee527b5eab8a050f734d06
SHA1c123679c43f2b543661dedea39d6f0a93288f86f
SHA25607d85e2d6f3e17b396b52107a901bf87e4a9f67ab61ef7e452ac29d7526acac4
SHA512ef8ec2d6c209a29528c111f64814688283d54b85521d82071583a75993ab8c04dd1e257b4c1de7e01ac270a5d7bcb5af6cb9eb90f81975a9b705cf23fd1115fa
-
Filesize
6KB
MD5cc74f12ba0cff93d552b1f8fb67e062f
SHA125816f451608ba42091862dc52d1f1ccfee70c73
SHA2568815be080dd8505d5a00345b6d79e430902d8f8584c09697b728628a396df349
SHA512206de922088034e1647fd1c336e189e862ed2f6e689935be29efef5c069545bfd888b62b5dd42b6085d4e8db9c5e4e6f8fe04e911b9a61bd2a233045847658ab
-
Filesize
1KB
MD5ba7f575b85465cdc03939165622e1984
SHA1ef3f5262c6e7c36d4a6c0e051a00d16d55f68a8a
SHA256b16257db2e43a61de5d6500483f70f134230d2a95dd79c9bee02e8751f611b48
SHA5122286f589a8f4c1d7174c7d9dbb8f2ec322a757b68ebbd3385e67e9295e17880caf3138d26cfa78014674a36c4995e5d655dff0ad91f584fc2f0aaa94fbb38a15
-
Filesize
1KB
MD5e3919f5219135a43070f9e3350053791
SHA1c847059d21501d0016c567852e6f655f1f865bd1
SHA256f296d448714d5158fd0bbb3bf5d50c915e26f83a3f5f1a57d7d89eb0703501da
SHA5129980797e02e6d014da42edc49079b71b3ba5cd8b906f82690bb3df7b970f7fddf0674752538b18f4e96fb9acc101eb96018068af784c62f90f39565236a3e035
-
Filesize
861B
MD52ed938a7e2789067f9d0a14e91c2c39a
SHA19cedec0cbec166d450946b9178e8c703491822b9
SHA2566df3f03f243d1d7d3e5f509a8d25ca71a84c332f971b6b8d338bd1d3909895ba
SHA512a7dc42193d2bf227ccbe711737681149f150186c878e51072c8154bf97ad729de61ce5fb483c39e600e282eca4b6f80a96913a7085bed66a78c33613ee4a145a
-
Filesize
99KB
MD5c3eeb7cb0b0cda60f3c9e9d75000e36e
SHA18a15e876ac149d8afb9bd16da7de2d1be86972ba
SHA256363683d9591c47a03e85cb09e1633e6dc973e066d7044fd26278cd5dc56ca320
SHA512e3cbd1ed25797274329316fca3e162d17d89d8022527f055113b4cf372b12e64b10a99ea19e1adea46f9d44fcc170926959710baa17135267cf89d6a3785622c
-
Filesize
15.8MB
-
Filesize
1.9MB
-
Filesize
5.0MB
-
Filesize
15.8MB
-
Filesize
40KB
-
Filesize
2.1MB
-
Filesize
15.8MB
-
Filesize
584KB
-
Filesize
15.8MB
-
Filesize
15.8MB
-
Filesize
208KB
-
Filesize
992KB
-
Filesize
2.7MB
-
Filesize
16.7MB