Analysis
-
max time kernel
47s -
max time network
46s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
09-09-2024 23:13
General
-
Target
wfs4r3.zip
-
Size
4.4MB
-
MD5
dc9c46a3619965e735623a5e38a1ea92
-
SHA1
588033ee11bdd103ad71cbef4314a28de268f4e5
-
SHA256
e29d278e33da6d0decd86fc5d0dc2cbd842a6b55934e4c72d10081ffb97ffbe4
-
SHA512
e8c91b7d46a0203d532c428f6ab0e060bc5e2e70d9c93ad2ec0aa5e0752001a32e34606611609d3c5649aa45dd22923a5ef9ff7877ee9d8409ca61983397e674
-
SSDEEP
98304:ruNJZ4pW50PVw2zwPb9sI0nMJR8fWVgtd/sTTNTyuvqeV7MI:ruLZsWWP5o9BJRtE03NTyuvrV7L
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\wfs4r3.zip1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap10439:92:7zEvent201061⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\VertaxNew\Vertax.exe"C:\Users\Admin\Desktop\VertaxNew\Vertax.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.3MB
MD532980bf90249d39c2bc463e6fb5cefa7
SHA176e18853ef019cff4b0015d1a6f8c47f3f506eba
SHA256ed2d5f70ec106e4274bca6a85022a1fffad82c66745bde3c876962c06b75b61b
SHA512156c9ffce33bf7b858bd85da726aa6ef6d8e9eee51d6c6072777037505619b144e332634158172cf36dcd3fa432fb266c32d1422f698ad1b4a9ca5087ed8c550
-
Filesize
187KB
MD5723d164690fc603643300163eba52041
SHA18533a92f65e6811bee999148e515e8c202667a9b
SHA2567d1c100f1e79e91f8d6b9eaed5900e55c9483fdb22f07af8b10ee647230bdfbf
SHA512dde4d24f122a51183ba57098b15c37fb411dbf21b8aa087e27c8394b8f7a99461a1ef30089dee44569c4fb72536dbb9b827c1f5409222339775f0279ba2fd2b9
-
Filesize
408KB
-
Filesize
9.4MB
-
Filesize
216KB
-
Filesize
9.4MB
-
Filesize
9.4MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
2.1MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
9.4MB