Overview

overview

10

Static

static

10

temp Beta/...I2.dll

windows7-x64

1

temp Beta/...I2.dll

windows10-2004-x64

1

temp Beta/...UI.dll

windows7-x64

1

temp Beta/...UI.dll

windows10-2004-x64

1

temp Beta/...a).exe

windows7-x64

10

temp Beta/...a).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-09-2024 15:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    temp Beta/Temp (Beta).exe

  • Size

    1.6MB

  • MD5

    5076b6ad3b1a79a5d3ccafa201660a00

  • SHA1

    5daaf43df37e8220443e41daaf1fd089b92435a7

  • SHA256

    829fc63d05403cb63347896fdab68d143e21ccea4dfa9bbe8e967dc79caf1ce9

  • SHA512

    2b6a62a2ffb472ef24561d07878b1c559413aecb0e0bc4a023c9f88de47b2ad036ff53d23105ae1541d1c5399348f35a25f45fcc64e1a13951e0568d15aca7cf

  • SSDEEP

    49152:PVfCiOCBYl6yp+ZdoPGyNUud4iK8JJv7:tfCEY6y4doPGyNNd4vCv7

Score
10/10
agenttesladiscoverykeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\temp Beta\Temp (Beta).exe
    "C:\Users\Admin\AppData\Local\Temp\temp Beta\Temp (Beta).exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Users\Admin\AppData\Local\Temp\map.exe
      "C:\Users\Admin\AppData\Local\Temp\map.exe" C:\Users\Admin\AppData\Local\Temp\SenaTemp.sys
      2⤵
      • Executes dropped EXE
      PID:3768
    • C:\Users\Admin\AppData\Local\Temp\SerialsChecker_1.bat
      "C:\Users\Admin\AppData\Local\Temp\SerialsChecker_1.bat"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\SYSTEM32\cmd.exe
        cmd /c "SerialsChecker_1.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1468
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic bios get serialnumber
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1768
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4216
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic cpu get serialnumber
          4⤵
            PID:4092
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic cpu get processorid
            4⤵
              PID:2520
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic diskdrive get serialnumber
              4⤵
                PID:1780
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic baseboard get serialnumber
                4⤵
                  PID:4404
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic baseboard get manufacturer
                  4⤵
                    PID:4300
                  • C:\Windows\System32\Wbem\WMIC.exe
                    wmic path Win32_NetworkAdapter where "PNPDeviceID like '%PCI%' AND NetConnectionStatus=2 AND AdapterTypeID='0'" get MacAddress
                    4⤵
                      PID:4172

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SerialsChecker_1.bat
                Filesize

                552B

                MD5

                cafeb0fcc11b3bf52565f5178c5dbf48

                SHA1

                1c8cdb1da4c497572c1698fb9fcf9488012dfdb2

                SHA256

                496a1c0b8d690d9afeb91cec90509e10094c4b998838251cda967c48b1a52f46

                SHA512

                136d020595d9585dc948748f401994825c9601b240f1cd67430791956e0e087b9ba842821e1b1f1dce6f85aa48f08fa7a6cf60c850afc4fee080017b8113c164

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\SerialsChecker_1.bat
                Filesize

                155KB

                MD5

                9c462640fd6fb2a974048d589371792a

                SHA1

                14df2b3a3853d971ea0e1db9a4b67642fafd6b18

                SHA256

                03117612ee8f61c00d57c6292be38f0176a7a1e89570a70ad4ba98d33f2fdd44

                SHA512

                7ee35676e22d208eed6f9feb02942de85fd5bb3df28dc451afaee865306bb639d299dbcf478535d0c3a05356a907f679d6f359d81ca235246cbd5a2fcb50c485

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\map.exe
                Filesize

                550KB

                MD5

                9d5ab8b8021d3f87470a1cd44f0f161c

                SHA1

                3508d0afff20ad3c342137c33e71ac4e826bf217

                SHA256

                9b6f50dfad6e8f3c1e49a50e7405bdeaabde8bc22097651f46e7739e9075923d

                SHA512

                92aaacd9399cc9beeba289499ee7ebbcc94b303a6e8a805a2e50493ccd45ad472ec7288bf777ac331067225d9e0c555d49658333cddaa15a5fcdc5f6e8a5ff72

                Download Submit

              • memory/3768-23-0x00007FF633420000-0x00007FF6334DA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/3768-21-0x00007FF633420000-0x00007FF6334DA000-memory.dmp

                Filesize

                744KB

                Download

              • memory/4076-8-0x0000000005EA0000-0x00000000060B4000-memory.dmp

                Filesize

                2.1MB

                Download

              • memory/4076-6-0x0000000005300000-0x000000000544E000-memory.dmp

                Filesize

                1.3MB

                Download

              • memory/4076-7-0x0000000004EC0000-0x0000000004ED4000-memory.dmp

                Filesize

                80KB

                Download

              • memory/4076-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4076-9-0x0000000074D00000-0x00000000754B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4076-10-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4076-11-0x0000000074D00000-0x00000000754B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4076-12-0x0000000074D00000-0x00000000754B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4076-5-0x0000000074D00000-0x00000000754B0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4076-4-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/4076-3-0x0000000004E10000-0x0000000004EA2000-memory.dmp

                Filesize

                584KB

                Download

              • memory/4076-2-0x00000000054D0000-0x0000000005A74000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/4076-1-0x00000000002B0000-0x0000000000444000-memory.dmp

                Filesize

                1.6MB

                Download