Overview

overview

10

Static

static

1

bf252b8ef4...b4.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    128s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    30/08/2024, 16:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bf252b8ef4fb77ea9b7a7369d779f7bcb5160bb2af7d40859978b78d873400b4.exe

  • Size

    981KB

  • MD5

    bb21b9bc8eb02f11dfa61dd0b1fd3e23

  • SHA1

    4389be9b203db228114c15216511150525849e8c

  • SHA256

    bf252b8ef4fb77ea9b7a7369d779f7bcb5160bb2af7d40859978b78d873400b4

  • SHA512

    84ae7dbdec0f7925141b50b34f8f174f49a3713b398cc6318910921427ad1ae73b14d0673794785009c07e8bbf6a6f201d794ed539e6cea3eaa6d9bcdee4a380

  • SSDEEP

    12288:2LXTxqqEvq2zRbjGPswaUW1vfNaO5uTpaO9eXVKrPtK6p/qr+aUmvCFMQsbzZHcU:2LBkpjGP/avkOIFaO0IpK6N7nm6uBX

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bf252b8ef4fb77ea9b7a7369d779f7bcb5160bb2af7d40859978b78d873400b4.exe
    "C:\Users\Admin\AppData\Local\Temp\bf252b8ef4fb77ea9b7a7369d779f7bcb5160bb2af7d40859978b78d873400b4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bf252b8ef4fb77ea9b7a7369d779f7bcb5160bb2af7d40859978b78d873400b4.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:940
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HOdckjqilPep.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4264
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOdckjqilPep" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1930.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3380
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4172
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:228
    • C:\Users\Admin\AppData\Roaming\boqXv\boqXv.exe
      "C:\Users\Admin\AppData\Roaming\boqXv\boqXv.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3836

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Discovery

    System Information Discovery

    1
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      1c19c16e21c97ed42d5beabc93391fc5

      SHA1

      8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

      SHA256

      1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

      SHA512

      7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f0midy10.4tg.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp1930.tmp
      Filesize

      1KB

      MD5

      614eab765e4d2061b886a85ebbb5437e

      SHA1

      b972939e0384037bc5cb2e108195f0b45c8e03b8

      SHA256

      4ff70fb9166cf0bb9d3fc3ade58b626a26a589f5ee0c41c079fd69a4db6a3b1a

      SHA512

      911eed206ffc71530d24f66f2bb3c0742a79b62bc1142a8b93140ba7744843bca4d1b6d10f3418e2d2e81674563554bf6a5a4d52b0d851fd7489becfbb5e0865

      Download Submit

    • C:\Users\Admin\AppData\Roaming\boqXv\boqXv.exe
      Filesize

      44KB

      MD5

      0e06054beb13192588e745ee63a84173

      SHA1

      30b7d4d1277bafd04a83779fd566a1f834a8d113

      SHA256

      c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

      SHA512

      251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

      Download Submit

    • memory/540-5-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/540-11-0x0000000005A10000-0x0000000005A18000-memory.dmp

      Filesize

      32KB

      Download

    • memory/540-6-0x0000000005670000-0x000000000570C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/540-7-0x0000000006460000-0x000000000698C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/540-8-0x00000000057D0000-0x00000000057E2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/540-9-0x00000000737FE000-0x00000000737FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/540-10-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/540-4-0x00000000054F0000-0x00000000054FA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/540-12-0x0000000005A20000-0x0000000005A2C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/540-13-0x0000000009890000-0x0000000009924000-memory.dmp

      Filesize

      592KB

      Download

    • memory/540-14-0x0000000009BF0000-0x0000000009C72000-memory.dmp

      Filesize

      520KB

      Download

    • memory/540-3-0x0000000005530000-0x00000000055C2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/540-2-0x0000000005A30000-0x0000000005F2E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/540-1-0x0000000000980000-0x0000000000A76000-memory.dmp

      Filesize

      984KB

      Download

    • memory/540-38-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/540-0-0x00000000737FE000-0x00000000737FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/940-35-0x0000000007E90000-0x00000000081E0000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/940-230-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/940-30-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/940-31-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/940-32-0x0000000007D10000-0x0000000007D76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/940-34-0x0000000007DF0000-0x0000000007E56000-memory.dmp

      Filesize

      408KB

      Download

    • memory/940-23-0x0000000006F60000-0x0000000006F96000-memory.dmp

      Filesize

      216KB

      Download

    • memory/940-520-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/940-24-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/940-489-0x0000000009A00000-0x0000000009A08000-memory.dmp

      Filesize

      32KB

      Download

    • memory/940-39-0x00000000081E0000-0x00000000081FC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/940-40-0x0000000008710000-0x000000000875B000-memory.dmp

      Filesize

      300KB

      Download

    • memory/940-41-0x00000000087E0000-0x0000000008856000-memory.dmp

      Filesize

      472KB

      Download

    • memory/940-29-0x0000000007C70000-0x0000000007C92000-memory.dmp

      Filesize

      136KB

      Download

    • memory/940-72-0x0000000070670000-0x00000000706BB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/940-161-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/940-71-0x00000000095C0000-0x00000000095F3000-memory.dmp

      Filesize

      204KB

      Download

    • memory/940-74-0x00000000095A0000-0x00000000095BE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/940-79-0x0000000009910000-0x00000000099B5000-memory.dmp

      Filesize

      660KB

      Download

    • memory/940-80-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/940-86-0x0000000009B10000-0x0000000009BA4000-memory.dmp

      Filesize

      592KB

      Download

    • memory/3836-525-0x00000000029A0000-0x00000000029C0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/3836-524-0x0000000004EF0000-0x0000000004F2C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3836-523-0x0000000000740000-0x000000000074E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4172-36-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4172-73-0x0000000006590000-0x00000000065E0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4264-480-0x00000000083B0000-0x00000000083CA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4264-87-0x0000000070670000-0x00000000706BB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/4264-25-0x0000000007260000-0x0000000007888000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4264-231-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4264-519-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4264-27-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4264-33-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4264-26-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4264-160-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/4264-81-0x00000000737F0000-0x0000000073EDE000-memory.dmp

      Filesize

      6.9MB

      Download