Overview

overview

10

Static

static

3

b6d43405e5...52.exe

windows7-x64

10

b6d43405e5...52.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-09-2024 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe

  • Size

    3.2MB

  • MD5

    06dcb15ae610d9451fb568bc536069ee

  • SHA1

    611af21b221bd004e7546d2603793de501b4f38d

  • SHA256

    b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252

  • SHA512

    9ce44cf3089f267b8db94ae4bdb3e78655fefe0aab4125cae956f0fbef4aa161e6eaca1f3ac0b755d75e10a1e31a5231c450ac8a04fc461bd1dbf45ee92c19fb

  • SSDEEP

    49152:tJkY6l5vePmrlqqZZp/wuERzibxCfAz7x:bkY6l5vePGlp99b/x

Score
10/10
agenttesladiscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • AgentTesla payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe
    "C:\Users\Admin\AppData\Local\Temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3584
    • \??\c:\users\admin\appdata\local\temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe 
      c:\users\admin\appdata\local\temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe 
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1208
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3276
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2036
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2620
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3112
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3216
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4276,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
    1⤵
      PID:3168

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe 
      Filesize

      3.1MB

      MD5

      0c33284728a138decf9bf5229bc1272a

      SHA1

      41bac3740aee663620d82503e7dda4cd3f564eb7

      SHA256

      ad013bc1676f0fb7f9dd576d5d96e4b121770756abeb70379e01d0003dca8681

      SHA512

      0c9a0647418ffdf03ca31db1fbe7152a301953d1fe9a7115f18271c4690ed72af0e2b0acf9f6ad05234e6faa7cba759d815435cb67536a1253f1959a953a6622

      Download Submit

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      e0ce927092f7bbe4c3ff2d33e0ddd784

      SHA1

      fd8ff5eb972de4488fc280ce50a9b3c923a4d4ca

      SHA256

      18c456fa2da34d7f9c2ea9e041a5fb137c641f491e0da4c8a1c60390d52c7596

      SHA512

      1e9fb6696d2dd03d81065de9ee246f2f406170f5aa442380bd84cd69445f23a1f3553b9fbf4c42a051c9feeeb80067c1573542ac7b661647e3e594bd30785b95

      Download Submit

    • C:\Windows\Resources\Themes\icsys.icn.exe
      Filesize

      135KB

      MD5

      a082983f3d6f012f8b211bcac9df371d

      SHA1

      8f13e36f5ec891cf4eccfc77694b6268f50f07d9

      SHA256

      9a45fb25503111878442721305dfd9f5c9bd9cf3e60e1d5b5e9c754b48166253

      SHA512

      b5d3c96efb0d84ee4d7c968ea90d7c75b8203667ea9beaa655e6507f03d146e5fccbfb45561559085fdba9e016c645959f6e510cb8a43a351aa4ac856253b04a

      Download Submit

    • C:\Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      74fa9fabaaba7cbb2db5ef3cdfca597e

      SHA1

      c47599b53ff58f2c2e008f9828757df23846df41

      SHA256

      8c3ae3dc64e8959a43dfb9bf8f7209755aed09c8b9dc9bcf91e6cf55c4693a63

      SHA512

      a718674860a5a7cbbca48be921f14e543c3f1728896c6ce93dc295da58f57ac4212799e58287720251d7d0c33d3d6af32d0b87f09c2c9570b3f1017e84474a9b

      Download Submit

    • \??\c:\windows\resources\svchost.exe
      Filesize

      135KB

      MD5

      ba0e67b578123d12d2f270e0ad1ef48c

      SHA1

      d29ae52c2d4327bbae984f42876ea7959b8ca13e

      SHA256

      0a4988c138e98f4cfa5a452b7a1192f0ea36dc323d8d8b458034790e5bb6c500

      SHA512

      a584a8889d2939c37a2d49f66f02ee79163987d2f782f3db02e9041923df26a1fc6aacc128a0eb24c6e6d1afc01ece51e7f70c9d37f269d8a062ebf6e6545f79

      Download Submit

    • memory/1208-30-0x00000000064E0000-0x00000000066F2000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1208-61-0x00000000097F0000-0x0000000009B44000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1208-14-0x0000000004E90000-0x0000000004EF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1208-12-0x0000000005010000-0x000000000517A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1208-65-0x0000000073F40000-0x00000000746F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1208-21-0x00000000060F0000-0x0000000006182000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1208-22-0x0000000004E60000-0x0000000004E72000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1208-24-0x0000000006060000-0x000000000606A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1208-11-0x0000000073F40000-0x00000000746F0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1208-64-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1208-10-0x00000000000E0000-0x00000000003FA000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1208-9-0x0000000073F4E000-0x0000000073F4F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1208-63-0x0000000009B90000-0x0000000009BCC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1208-13-0x0000000005730000-0x0000000005CD4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1208-60-0x00000000097C0000-0x00000000097E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1208-59-0x0000000009710000-0x00000000097C2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2036-66-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2620-56-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3112-67-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3216-55-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3216-54-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3276-57-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3276-18-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3584-58-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/3584-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download