Overview

overview

10

Static

static

3

Sims4PacksFree.exe

windows10-1703-x64

10

Sims4PacksFree.exe

windows7-x64

3

Analysis

  • max time kernel
    75s
  • max time network
    80s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-09-2024 00:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sims4PacksFree.exe

  • Size

    838KB

  • MD5

    3c9e58ab21918fe8f8e293aecdda6873

  • SHA1

    d44373360e9154395410e802e25c7595ebdab5b3

  • SHA256

    2b9bd8d11af530575428374ebd596899cb8efc734eee775f74fb458b4fe37850

  • SHA512

    d696ea552c646c03a559dfb0e580ef23b27c70f6da0b3f049ec1ff1521dfef0b98f1f6573595775ad7d801e0ad8c5f421336d9616d27878f2d75ad7717cf63d1

  • SSDEEP

    24576:mEW8odvocoQ9i816JzYoJ/8aooznCpzNA3/:uZ9obSQYE8ozIS3

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sims4PacksFree.exe
    "C:\Users\Admin\AppData\Local\Temp\Sims4PacksFree.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3904
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2948
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:3044
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4768
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:4460
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3380
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:1692
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2772
    • C:\Users\Admin\AppData\Local\Temp\Sims4PacksFree.exe
      "C:\Users\Admin\AppData\Local\Temp\Sims4PacksFree.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4428

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sims4PacksFree.exe.log
      Filesize

      1KB

      MD5

      c9607ffba33e4f4abc4fbb93cf22ac5c

      SHA1

      93aa7a46926ce34b2fe6481474e0de1745050b13

      SHA256

      5d3ea8dbb9576030497acae4b28341076eb88ef07e49edd14ecc4444f51dc84d

      SHA512

      26ff0b3c41b256c762908e517099e1af677f1fc5b1ec8c8960858b61ae36278e8e49ef2135c5107c16ba03a7bbfa8184796b2dd5ec89f47942b24f723f604edc

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFEF57979F4BD2C71B.TMP
      Filesize

      16KB

      MD5

      33d26340d0e095be82869be3aa35373f

      SHA1

      2a234895b28689841ee0f55697752b509feba563

      SHA256

      53be5f3219a729d884885218f2c2fc2a2e4ea9cd504cbe4f84ac16307ccd6ba7

      SHA512

      b8725a02112bb4d5699097a621da4668fed86dc41d94fbcd99218db13db92ce9c7db02ca45259341409a84b464064bce9c0ddec80607b9cb25a88179925ac4cf

      Download Submit

    • memory/2948-29-0x000001DCA1920000-0x000001DCA1930000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2948-104-0x000001DC9E9B0000-0x000001DC9E9B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2948-100-0x000001DC9E9F0000-0x000001DC9E9F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2948-97-0x000001DC9EDC0000-0x000001DC9EDC2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2948-48-0x000001DC9E9C0000-0x000001DC9E9C2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2948-13-0x000001DCA1820000-0x000001DCA1830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3380-78-0x0000015F52440000-0x0000015F52442000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3380-68-0x0000015F412D0000-0x0000015F412D2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3380-74-0x0000015F52400000-0x0000015F52402000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3380-76-0x0000015F52420000-0x0000015F52422000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3380-63-0x0000015F41280000-0x0000015F41282000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3380-70-0x0000015F41500000-0x0000015F41600000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/3380-66-0x0000015F412B0000-0x0000015F412B2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3904-7-0x0000000006230000-0x0000000006444000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/3904-6-0x0000000006040000-0x000000000604A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3904-9-0x0000000073A7E000-0x0000000073A7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3904-8-0x0000000073A70000-0x000000007415E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3904-12-0x0000000073A70000-0x000000007415E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3904-0-0x0000000073A7E000-0x0000000073A7F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3904-10-0x0000000073A70000-0x000000007415E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3904-5-0x0000000073A70000-0x000000007415E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3904-4-0x0000000005240000-0x00000000052A6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3904-3-0x00000000052E0000-0x0000000005372000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3904-2-0x0000000005740000-0x0000000005C3E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/3904-1-0x00000000008C0000-0x0000000000998000-memory.dmp

      Filesize

      864KB

      Download

    • memory/4460-57-0x00000285C2900000-0x00000285C2A00000-memory.dmp

      Filesize

      1024KB

      Download