Overview

overview

10

Static

static

3

Legacy IV - V1.1.exe

windows7-x64

10

Legacy IV - V1.1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    44s
  • max time network
    45s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2024 19:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Legacy IV - V1.1.exe

  • Size

    3.0MB

  • MD5

    a615213f1160b542f885be5fe2f0e807

  • SHA1

    8ef48ff19450fa65bce8ca82188ef61a8551b7ad

  • SHA256

    5fdebcc9fecc2084617bbd9fd2f55e7844f85ae16bcc8531edb5a92442e2eb58

  • SHA512

    f1af7653724c363e9aca4bd75476c13e0976bf7b21314936c5250c436bf8f56bfb307e64e34e0c277873a63d2a91e3f440d449e285fde7f9dc9a277f694de1fd

  • SSDEEP

    49152:X3c/GqhV0aC1jfMQ+ScvKp//dNbo4mDpt5GOQUiLVCiM+bqFsz6Z2g3VHqnVD:Xs/GnaC9MzScvK5/dQXdAUbEVXgFHq

Score
10/10
agenttesladiscoveryevasionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 3 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Legacy IV - V1.1.exe
    "C:\Users\Admin\AppData\Local\Temp\Legacy IV - V1.1.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4748
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM WmiPrvSE.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM WmiPrvSE.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1304
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM WmiPrvSE.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3148
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM WmiPrvSE.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1416
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /F /IM WmiPrvSE.exe /T
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4316
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM WmiPrvSE.exe /T
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4844
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
    1⤵
      PID:3764
    • C:\Users\Admin\AppData\Local\Temp\Legacy IV - V1.1.exe
      "C:\Users\Admin\AppData\Local\Temp\Legacy IV - V1.1.exe"
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
    • C:\Windows\SysWOW64\werfault.exe
      werfault.exe /h /shared Global\29abd9d1bbc74a218c02f20e87dbe790 /t 4052 /p 4748
      1⤵
        PID:4112

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Legacy IV - V1.1.exe.log
        Filesize

        1KB

        MD5

        f67ea27f1d659bebaeea796ba7e8f5e5

        SHA1

        e7814eb5be196ee31a749b70706b6bec0e84c7c1

        SHA256

        55bd45b05184cb1dc5bf10dd64a963b86469762d8da1a81c87e8681600ba6822

        SHA512

        bcdb293e2fd5ce6b19255445ed9869964a3d4cfb77340391a34c8d785b56301cff0b93b700bde357063b57bc2e22cfb731d2f6dee01e65922c64b40870a467cd

        Download Submit

      • C:\Windows\SysWOW64\serials.txt
        Filesize

        44B

        MD5

        484313e1dc9486f966950b9149730410

        SHA1

        3f82b23fee27ca38ee7ae8746304d360d3ec4884

        SHA256

        d37051a46ecb6945c00ad2cadbc82d8987a4f887c2c0a7cfcaec5e966b770371

        SHA512

        7c3c3481435513d9b1403e7e7c5404aadec1635374936b02da6908def09d4f640ec622b8dfd05fde804752527ab27b34f71617d0ff724b12dc0ed4bdcb3bf2f1

        Download Submit

      • memory/1700-18-0x00000000752F0000-0x0000000075AA0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1700-32-0x00000000752F0000-0x0000000075AA0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1700-26-0x00000000752F0000-0x0000000075AA0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1700-25-0x00000000752F0000-0x0000000075AA0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1700-19-0x00000000752F0000-0x0000000075AA0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4748-5-0x0000000006A90000-0x0000000006B22000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4748-6-0x0000000006B30000-0x0000000006B96000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4748-9-0x00000000752F0000-0x0000000075AA0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4748-15-0x00000000752FE000-0x00000000752FF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4748-16-0x00000000752F0000-0x0000000075AA0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4748-17-0x00000000752F0000-0x0000000075AA0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4748-7-0x00000000058B0000-0x00000000058BA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4748-8-0x0000000005970000-0x0000000005B84000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/4748-0-0x00000000752FE000-0x00000000752FF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4748-4-0x0000000006FA0000-0x0000000007544000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4748-3-0x0000000006770000-0x00000000069EC000-memory.dmp

        Filesize

        2.5MB

        Download

      • memory/4748-28-0x00000000752F0000-0x0000000075AA0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4748-29-0x00000000752F0000-0x0000000075AA0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4748-2-0x00000000752F0000-0x0000000075AA0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4748-1-0x0000000000880000-0x0000000000B86000-memory.dmp

        Filesize

        3.0MB

        Download