Overview

overview

10

Static

static

3

ui.exe

windows7-x64

10

ui.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    20s
  • max time network
    17s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-09-2024 09:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ui.exe

  • Size

    3.8MB

  • MD5

    3569910289e6b0091cebcd43b30d93e4

  • SHA1

    bfed29dd51e28326e17f938ddb5ff59f84aac622

  • SHA256

    eec8c10e557878b327ee9e50e7b87a8205949a30775d792ea6b24b427ed01bae

  • SHA512

    7e6af73b5fafd6edfca3a76ef00f8b6db0d9ff6be317f1cedb5003893d9fe31041963145ee77953c1ccebe967e3d83b216615d26a0e5ee8c1e3c8826093d9b7e

  • SSDEEP

    98304:ZPnQZWNbNHjSZEGECRLpXa+0BmoatvfnagX/tbBhlD:eWNbNHbGEC9U78onGtjl

Score
10/10
agentteslaxwormexecutionkeyloggerratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

lijaligibidu-35558.portmap.host:35558

Attributes
  • Install_directory

    %AppData%

  • install_file

    Windows Security.exe

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • AgentTesla payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ui.exe
    "C:\Users\Admin\AppData\Local\Temp\ui.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Users\Admin\AppData\Roaming\ui.exe
      "C:\Users\Admin\AppData\Roaming\ui.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates system info in registry
      PID:4664
    • C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
      "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3220
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2288
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1928
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Security.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:656
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2156

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6d42b6da621e8df5674e26b799c8e2aa

    SHA1

    ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

    SHA256

    5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

    SHA512

    53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    83685d101174171875b4a603a6c2a35c

    SHA1

    37be24f7c4525e17fa18dbd004186be3a9209017

    SHA256

    0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870

    SHA512

    005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    34f595487e6bfd1d11c7de88ee50356a

    SHA1

    4caad088c15766cc0fa1f42009260e9a02f953bb

    SHA256

    0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

    SHA512

    10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_himhw4n0.bmd.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
    Filesize

    75KB

    MD5

    cf219a189dae4a022f26dd58cd5367e6

    SHA1

    76c2e7b756e894afc4e5fd7267fce398d58c518f

    SHA256

    725c0bcdb953e39e96a0192d2712b261541647259e494c583d19697a10d2ffbe

    SHA512

    21dc7cdd5ea07be708a5c696708207a1760851d2fbb608969254a8f3e806bbb87b6b27a4d5f4cecf1b5d90f6fc81759fd9f6222ddafdb955d41b0333ea085f1f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ui.exe
    Filesize

    3.8MB

    MD5

    4d0438297aedcf3351e2399ee7b9a034

    SHA1

    6b37d1a0f585c6b056b98196c13662a588d3f5e6

    SHA256

    fe4845b2f864fa1f62d04e185237aa7434d031072e601a1b5e3acee09dc66e91

    SHA512

    60d85bf1ad55302ab94baa30137a00eff52d08faaffe18f0a098998d11fd79cfd4ad4bc220f2565b076bd44022ae44532cc78035d46dc8bddbf6f461ab16c5a0

    Download Submit

  • memory/2288-34-0x00000235F3C20000-0x00000235F3C42000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3220-33-0x00007FFEAD820000-0x00007FFEAE2E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3220-29-0x00007FFEAD820000-0x00007FFEAE2E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3220-85-0x00007FFEAD820000-0x00007FFEAE2E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3220-25-0x0000000000260000-0x0000000000278000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4664-27-0x00007FFEAD820000-0x00007FFEAE2E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4664-28-0x0000028C3CF80000-0x0000028C3D0CE000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4664-30-0x0000028C22D40000-0x0000028C22D54000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4664-87-0x00007FFEAD820000-0x00007FFEAE2E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4664-32-0x00007FFEAD820000-0x00007FFEAE2E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4664-26-0x0000028C225D0000-0x0000028C22998000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4664-88-0x0000028C3D590000-0x0000028C3D739000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4664-84-0x00007FFEAD820000-0x00007FFEAE2E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4664-31-0x0000028C3D370000-0x0000028C3D586000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4664-86-0x0000028C3D590000-0x0000028C3D739000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4944-0-0x00007FFEAD823000-0x00007FFEAD825000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4944-1-0x0000000000210000-0x00000000005EC000-memory.dmp

    Filesize

    3.9MB

    Download