Analysis
-
max time kernel
180s -
max time network
186s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
10-09-2024 23:37
General
-
Target
https://mega.nz/file/LEQRUawK#NpxRwDZ8v6QIl4hdk6HSi36b8ObvdpyLMo8dNgGXr_Q
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mega.nz/file/LEQRUawK#NpxRwDZ8v6QIl4hdk6HSi36b8ObvdpyLMo8dNgGXr_Q"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mega.nz/file/LEQRUawK#NpxRwDZ8v6QIl4hdk6HSi36b8ObvdpyLMo8dNgGXr_Q2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a2bc4c3-d498-4c1b-904a-0f61fd2d03d3} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5207341b-9522-4b90-a6f2-a628159163b7} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3412 -childID 1 -isForBrowser -prefsHandle 3404 -prefMapHandle 3400 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b736007a-ee73-4597-890d-85bb33d331f8} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4012 -childID 2 -isForBrowser -prefsHandle 4004 -prefMapHandle 4000 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af10c608-1ba9-4dd5-b22c-1bb3f1b1b43b} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4548 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1580 -prefMapHandle 4544 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {035d8092-3e15-4611-92e5-d8c8bb312b8f} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5424 -childID 3 -isForBrowser -prefsHandle 5400 -prefMapHandle 5392 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {debf950f-9ac6-4abf-a309-e9bfb9494f0d} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 4 -isForBrowser -prefsHandle 5560 -prefMapHandle 5564 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {497f34e4-102c-4a91-b68b-3a083dd89f60} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 5 -isForBrowser -prefsHandle 5840 -prefMapHandle 5836 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6180478a-dc3d-453e-9a3e-af91a0af512e} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6256 -childID 6 -isForBrowser -prefsHandle 6276 -prefMapHandle 6308 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7513be8-e506-4dc6-ba23-f1feffb3fc5a} 4364 "\\.\pipe\gecko-crash-server-pipe.4364" tab3⤵
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004D41⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\CMLiteV4Installer\CMLiteInstaller.exe"C:\Users\Admin\Downloads\CMLiteV4Installer\CMLiteInstaller.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD521af7e7d2f75e08b73d345b23114c90d
SHA1038481ccfb3777f439aa76064c37711a9edc20df
SHA256c8762e5446d11810374eb50ff9b632c7f9a38fe47438c9097576437c855e9b0e
SHA5120381742822399e5f7f7e509962052232bc5835963cf2314a7afc4d2b7d7ec32c9d11f17d644b3656fe82b0fb8398eb74059a9a854c001459839f097361197846
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
Filesize
8KB
MD58e5129af25bf1738f325134d530807ef
SHA1b80474369932bc585b9165c9a58c696c2878e0cd
SHA25659ce57468d4814a40adf3942b378443c0637fbfea3c61691417ec13495ee9c91
SHA512e0350e80163dffd0a2a610bb72b428ce856cca8a60cd9a111c44900da3407d783052c4afcdd81af759f08e15446341d02ae4e6b1e71dc001e669c682b2df9bda
-
Filesize
5KB
MD5ecacc345fcc02e65da157a19bc303768
SHA1bb5185c7b99ec71f1f3996ded42a068be2cbf0c9
SHA256b851ca9c70fb6fac174b989a8245b4b1b94d92ec6d5c81c7a1f54e4f15d9301b
SHA51204eb29b87086eefb1a2b25eb8c532245c539a1db1a90d645db7763ae695f86967c14871a3240c84e151710b2d379a52da4eb0edaaeabc84d0226640ce3ff2a34
-
Filesize
5KB
MD5154c1021d01eebc5a2e6400046952a68
SHA1bbe61a366de589ad144c57aab6f2cf60eb692aab
SHA256202f933c38eaee43f5d1d465173d249ba48bb60d2e17953a6bd6a31d7c89c0b9
SHA512c7198f739a7e2c2c2aeaaf1eb10bdbc60ab6cf440f8378077fff04dc4e73a8a62c8d1d99628320e49604184e74cf97fdae028aa5eb8150a942e88be0077d629d
-
Filesize
7KB
MD51fe81c387db13f6880a56209ad76b43b
SHA11cd9f9850096042dd65a1088c4aae310b32652a3
SHA25619642c2cf526b87e184558e64fc2d46a4a6840fcfd608171609b74f7cba6bce9
SHA5126a3c5bf6b1f9a1695670b12d0d9533e7ba54e912d65c6aa7b1ef49a9fd881eb6afecf211ee900bd23c502604d139a551bbc964e46c24daf34189c09c8de6d43b
-
Filesize
982B
MD59bcd5be0f2cfcd0ef51632dd41276084
SHA1844df5fd272940344d857caaa57fb8d031a22b0d
SHA25681bbd73228212eb2db76a436d12bb1992875325f6b2baedc6cf2b76cc295fd8d
SHA512d771f23cb18b67846b129f0945d144a8dfe1b53837632cadf5adf21cadff71c87154ff9f248914c488dac1226eca38dedf43e1b53e058c0839904c1f593b2bb1
-
Filesize
26KB
MD5a5f08aeb6143bc8bcd208848d29b7d24
SHA104facbb57bd101822b7e728d29566828404a6fe0
SHA256125583c7b1eb2ba63bbf38ff514728ff1a4bd5dbbbb12cbf276cbdb927705bf4
SHA512ad290f7dcd73b905587f7d3d6c21e6c91c28d3dd1cf8182c6dd45efb38305a0ea78de05caeec38507fd60ce3d72d942d90b484648a69a2832d1cce39f509cad3
-
Filesize
671B
MD58c32beb333428b84b058854401328433
SHA11bfed451248eaa438b85ff1430ccb41d8b731f77
SHA2561394d89948df4570cafe89253cc450b6b4e890f0fb3381442457362b8c4e417d
SHA512cec61f1ba141b56198869d0d41dea48f76ad0eb94330532f0bd999632c700b0573b2a37bbcc7b476ac5b25b856aefc82256ea22f1cb9243fa5cd0f1fa0e84141
-
Filesize
1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
Filesize
116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
Filesize
372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
Filesize
17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
11KB
MD5edcaa18ad8b892aa87dba76d105a0a9e
SHA11dc738cae9944c999529c65e0813d554d76d9b85
SHA2569085f57dbeaa552390ac399029d8503030fb87303949afb9c1dfcf0a84a22455
SHA512b9f083d76327f22146b8007d7d342c3a87edddd414253be85c148b2d5bb1afa88d4456eee7afcd973f04c2e623e1e180fe37c580d88b6536bca3d9fb595684f0
-
Filesize
11KB
MD58e278d3a1ec21817921c83303f5dc913
SHA1428d803a1121df710a8d6bbcaf8368cd4c920bbb
SHA2568ccfe4910f08eb67a620c9fdadf06555d15f9271cedcad6a48e2f54a6698e51b
SHA512072412089f3b9c1c63a8f297f916d5b0993dc9da81369a29c286596b23b9d9bbae9d347b3b6584195628d646c70de69f0897f829e2e31a3a25460bd746b39a4c
-
Filesize
11KB
MD55afd37882ed55a3cd3fbd1df999f4af7
SHA126b7a10848273eeecd718fd05de986da3991cfcd
SHA25676b78ac41b9510c28b17c725318e9f3a9cf5ce217c650c9f7d9cff36c8285f91
SHA51262030baaaae99b74d34905fedcef3f422253149ec44731b79f9ac6bb1a586c7a85d13b4c7c42b062c11e8fd18454297f7b774da3808214713c9e7854f94b30ce
-
Filesize
10KB
MD5a51210e64cce62f653143b2adb1b085e
SHA1cbea3871f331d2cc5e4cf9a25c555efba2281606
SHA2561ae8e6687f8ebf7e940504f77b5776f9f0d4400b7327fecd6f2468ecebeb475c
SHA512bb042aa30caf9d894637642a41ff8789fcc018f6c077db59bff381393c3f98fbc8c0d7d69b1d2ef10d10e78aaded421286e33d7ccb38c94cce53ed8b63814b83
-
Filesize
6KB
MD5ad6f359169fd5281b5766e46a66f0e7a
SHA17211a2f5528ea501496472ec9199553b6b6deed9
SHA256fa611b7cb3d0a44e95bbb1fe3a79426ab65bb0c574b6fcbfd8492924e36779d7
SHA512aa211c033885de364add4ee64f94c8867ebdd876a8742078e686e1173e4e567fdab1be89683885319cb390649ae817c4b4bb1f46d9e3a83bd40ce218f7d1a91e
-
Filesize
6KB
MD52c3e5eff4a08100a022994a4aad01cc4
SHA1fcea798e005745e1d2b224caae6e11a4ade5abfd
SHA2563e51c08f83b9301b3adda733e1f374a5e7ccb0ba0834819d5d1c5cbe31ee3582
SHA512a05d7c84f142c78c149a53299ebc3739741d2e242b301751d463097f5932f336fc507355752d3b8ebeffce1eb4ee5aeb694418fd50d8cea6ba7efe5f08ccff46
-
Filesize
6KB
MD5c07b061250ddc71f17589ea7db1d0d14
SHA1053c4ace1ee1a04122d0aa146af05bb4e6e0df05
SHA256eb4ec85ca5ce9e940f48363166f4875e168dc7e4c07bd11302c2e91710f8d910
SHA512ec6cf4a4c476b0d799572279d24e0bdfd4403a84d626f031714031afd57cb101925664cdbf29b2fc2914211ca8ad1bb799bc96fdfe5e6d25222fbc675ed3e673
-
Filesize
1KB
MD53efa9abd92666265dd81c4f4311a96f9
SHA141b6b716d67b93555e444cd453f3c6e3f8c9522c
SHA2565066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7
SHA5125961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c
-
Filesize
48KB
MD5593ae9fc6bfd2798e253cde13e8c02f2
SHA154e58e5996b1ae0b104f2100353df70c3f713ab0
SHA25618ab9749e5a466b2ecdcfa01ee917023fe3027d36f4318ee4b2c3d73c92710c1
SHA512d9e45fc789f891cf6f362ada389630cbbe7cae1adf2cbd273b8f871442faf457b04a4cdff17de85384763e431be6df622bcba4ac59e5b56a30d1d3875ccdf2a4
-
Filesize
31.6MB
MD52e1ba0603375d2822140fb09dd23e60f
SHA1037aa16d5afa22864b788965fe655aa587078720
SHA2563557ec93be2db5c886071be19c3fa66e1ff3f14e0ad0d37397a2fdbb06b24c2c
SHA5125ef6c7c9439cdaf0cb6da795dd3c9cfedc47e49a994ee8924526c0211d76c2ccdb6488c37c19cbeff789cd771ad4f0aa84a2095b7e79809c4f42cf6d9a854878
-
Filesize
10.8MB
-
Filesize
992KB
-
Filesize
2.0MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB