agenttesla | 0368ab0f24763144b866c9894899858d8c493d13c3d9cb170edf4582adbf4514

Analysis

max time kernel
109s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zara+Perm_new.zip
Size

1.3MB
MD5

ff31dd46cc80d102852a370f4dc13aba
SHA1

e6644f9d9a87e59dca851fbdaeed3017a9901d95
SHA256

0368ab0f24763144b866c9894899858d8c493d13c3d9cb170edf4582adbf4514
SHA512

7b4fe8da1d901136a6cce97ad438e492bcd74aa9b24f760401df3a75f8e5a8cec395377a1ec7e06acfa32582ae18ebfc7ce0068debff679925d62f8137a4e05f
SSDEEP

24576:VxQRub/VUyYo233SqR57Ckd1J4xi/BQrN+CECdGkx2cka5rVmbHqakNOcEZ8flf8:VGRubKp3SqRVCkHJ4xCOG+h2cH5UHqhe

Score

10^/10

agenttesla discovery evasion execution keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/3768-7-0x0000000005590000-0x00000000057A4000-memory.dmp	family_agenttesla

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gqtSZZRGgcAdfNAtu\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\gqtSZZRGgcAdfNAtu"	2.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 18 IoCs

pid	Process
4028	winxsrcsv64.exe
1604	winxsrcsv64.exe
4068	winxsrcsv64.exe
3576	winxsrcsv64.exe
3964	winxsrcsv64.exe
2856	winxsrcsv64.exe
5092	winxsrcsv64.exe
2656	winxsrcsv64.exe
2392	winxsrcsv64.exe
400	winxsrcsv64.exe
3536	winxsrcsv64.exe
5016	winxsrcsv64.exe
4584	winxsrcsv64.exe
4564	winxsrcsv64.exe
392	winxsrcsv64.exe
1528	winxsrcsv64.exe
5096	2.exe
4036	2.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\IME\1.sys	Lucky.exe
File created	C:\Windows\IME\2.exe	Lucky.exe
File created	C:\Windows\Globalization\Time Zone\winxsrcsv64.sys	Lucky.exe
File created	C:\Windows\Globalization\Time Zone\winxsrcsv64.exe	Lucky.exe
File created	C:\Windows\Globalization\Time Zone\iqvw64e.sys	Lucky.exe
File created	C:\Windows\Globalization\Time Zone\skibnidi.bat	Lucky.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4684	sc.exe
4352	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lucky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lucky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Lucky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Lucky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Lucky.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Lucky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Lucky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Lucky.exe

Runs net.exe

Suspicious behavior: LoadsDriver 17 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
5096	2.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3768	Lucky.exe
Token: SeDebugPrivilege	4396	Lucky.exe
Token: SeLoadDriverPrivilege	5096	2.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 4028	3768	Lucky.exe	101
PID 3768 wrote to memory of 4028	3768	Lucky.exe	101
PID 3768 wrote to memory of 1604	3768	Lucky.exe	103
PID 3768 wrote to memory of 1604	3768	Lucky.exe	103
PID 3768 wrote to memory of 4068	3768	Lucky.exe	105
PID 3768 wrote to memory of 4068	3768	Lucky.exe	105
PID 3768 wrote to memory of 3576	3768	Lucky.exe	107
PID 3768 wrote to memory of 3576	3768	Lucky.exe	107
PID 3768 wrote to memory of 3964	3768	Lucky.exe	109
PID 3768 wrote to memory of 3964	3768	Lucky.exe	109
PID 3768 wrote to memory of 2856	3768	Lucky.exe	111
PID 3768 wrote to memory of 2856	3768	Lucky.exe	111
PID 3768 wrote to memory of 5092	3768	Lucky.exe	113
PID 3768 wrote to memory of 5092	3768	Lucky.exe	113
PID 3768 wrote to memory of 2656	3768	Lucky.exe	115
PID 3768 wrote to memory of 2656	3768	Lucky.exe	115
PID 3768 wrote to memory of 2392	3768	Lucky.exe	117
PID 3768 wrote to memory of 2392	3768	Lucky.exe	117
PID 3768 wrote to memory of 400	3768	Lucky.exe	119
PID 3768 wrote to memory of 400	3768	Lucky.exe	119
PID 3768 wrote to memory of 3536	3768	Lucky.exe	121
PID 3768 wrote to memory of 3536	3768	Lucky.exe	121
PID 3768 wrote to memory of 5016	3768	Lucky.exe	123
PID 3768 wrote to memory of 5016	3768	Lucky.exe	123
PID 3768 wrote to memory of 4584	3768	Lucky.exe	125
PID 3768 wrote to memory of 4584	3768	Lucky.exe	125
PID 3768 wrote to memory of 4564	3768	Lucky.exe	127
PID 3768 wrote to memory of 4564	3768	Lucky.exe	127
PID 3768 wrote to memory of 392	3768	Lucky.exe	129
PID 3768 wrote to memory of 392	3768	Lucky.exe	129
PID 3768 wrote to memory of 1528	3768	Lucky.exe	131
PID 3768 wrote to memory of 1528	3768	Lucky.exe	131
PID 3768 wrote to memory of 4632	3768	Lucky.exe	133
PID 3768 wrote to memory of 4632	3768	Lucky.exe	133
PID 3768 wrote to memory of 4632	3768	Lucky.exe	133
PID 4632 wrote to memory of 3452	4632	cmd.exe	135
PID 4632 wrote to memory of 3452	4632	cmd.exe	135
PID 4632 wrote to memory of 3452	4632	cmd.exe	135
PID 3452 wrote to memory of 1804	3452	net.exe	136
PID 3452 wrote to memory of 1804	3452	net.exe	136
PID 3452 wrote to memory of 1804	3452	net.exe	136
PID 4632 wrote to memory of 348	4632	cmd.exe	137
PID 4632 wrote to memory of 348	4632	cmd.exe	137
PID 4632 wrote to memory of 348	4632	cmd.exe	137
PID 348 wrote to memory of 4620	348	net.exe	138
PID 348 wrote to memory of 4620	348	net.exe	138
PID 348 wrote to memory of 4620	348	net.exe	138
PID 4632 wrote to memory of 4684	4632	cmd.exe	140
PID 4632 wrote to memory of 4684	4632	cmd.exe	140
PID 4632 wrote to memory of 4684	4632	cmd.exe	140
PID 4632 wrote to memory of 4352	4632	cmd.exe	141
PID 4632 wrote to memory of 4352	4632	cmd.exe	141
PID 4632 wrote to memory of 4352	4632	cmd.exe	141
PID 4396 wrote to memory of 5096	4396	Lucky.exe	145
PID 4396 wrote to memory of 5096	4396	Lucky.exe	145
PID 4396 wrote to memory of 1044	4396	Lucky.exe	147
PID 4396 wrote to memory of 1044	4396	Lucky.exe	147
PID 4396 wrote to memory of 1044	4396	Lucky.exe	147
PID 1044 wrote to memory of 4036	1044	cmd.exe	149
PID 1044 wrote to memory of 4036	1044	cmd.exe	149

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Zara+Perm_new.zip
1⤵
PID:3576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2640

C:\Users\Admin\Downloads\Zara+Perm_new\Lucky.exe
"C:\Users\Admin\Downloads\Zara+Perm_new\Lucky.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SU AUTO
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /BS TMCK6PUV57Q7JEZU
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CS TMCK6PUV57Q7JEZU
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SS TMCK6PUV57Q7JEZU
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SM "System manufacturer"
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SP "System Product Name"
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SV "System Version"
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SK "SKU"
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /BT "Default string"
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /BLC "Default string"
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CM "Default string"
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CV "Default string"
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CA "Default string"
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /CSK "Default string"
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /SF "To be filled by O.E.M."
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\Globalization\Time Zone\winxsrcsv64.exe
  "winxsrcsv64.exe" /PSN TMCK6PUV57Q7JEZU
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Globalization\Time Zone\skibnidi.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\net.exe
    net stop winmgmt /y
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop winmgmt /y
      4⤵
      System Location Discovery: System Language Discovery
      PID:1804
- - C:\Windows\SysWOW64\net.exe
    net start winmgmt /y
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start winmgmt /y
      4⤵
      System Location Discovery: System Language Discovery
      PID:4620
- - C:\Windows\SysWOW64\sc.exe
    sc stop winmgmt
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4684
- - C:\Windows\SysWOW64\sc.exe
    sc start winmgmt
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:4900

C:\Users\Admin\Downloads\Zara+Perm_new\Lucky.exe
"C:\Users\Admin\Downloads\Zara+Perm_new\Lucky.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\IME\2.exe
  "C:\Windows\IME\2.exe" C:\Windows\IME\1.sys
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C C:\Windows\IME\2.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\IME\2.exe
    C:\Windows\IME\2.exe
    3⤵
    - Executes dropped EXE
    PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Globalization\Time Zone\skibnidi.bat

Filesize
90B

MD5
80ce921d39b0c2739e3edca44fcf253c

SHA1
9261684c7ab28979d40656ae0bc42f73200509cc

SHA256
40a74428be51efaf4f65f27312fc3e8946338817b7a07d67b12fd7b837bdb546

SHA512
1a085b4633a221c4dd312b13524823dc98b1851ece5b8d90392108563767ed741eb982948ae6ba92815a579313c839b80b4c84fe0752212744e7d127781e10e7

Download Submit
C:\Windows\Globalization\Time Zone\winxsrcsv64.exe

Filesize
379KB

MD5
91a31f23f3e50bd0a722e605687aed1e

SHA1
f56fa26aaccdd6eb3f1ea53f06674b01327cd7c4

SHA256
818d6d87d0facc03354bf7b0748467cf61040031248ba8b46045ed9dbe4053d8

SHA512
649ee112c0e9d0c63c199f0dee84332f915af336dd7ad0ff70cbd49cc148c832182ff748c67fe1dee958215ea4a095545d1a93fdeb90fbdeb6f98076b499aab0

Download Submit
C:\Windows\IME\2.exe

Filesize
121KB

MD5
00047e72bb99132267a4bec3158917a2

SHA1
caf72159dba3bf2af1e6f68cbcbbab7b981a4f0e

SHA256
e4f0fa3c70a4c20e7f79ac8e0c0c7b3e58e97a8e9d42274d51a54ebf9e8da5e4

SHA512
7f573d3a8a68a491c45009ce1beabc8280ccf50e10048b019146e28892c8bf3e90519721682dec5a53aa2c623af952c9957da3cf5338cded801fc7dedce99dc5

Download Submit
memory/3768-8-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/3768-10-0x000000000A560000-0x000000000A6B0000-memory.dmp

Filesize
1.3MB

Download
memory/3768-5-0x0000000004AB0000-0x0000000004ABA000-memory.dmp

Filesize
40KB

Download
memory/3768-6-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/3768-7-0x0000000005590000-0x00000000057A4000-memory.dmp

Filesize
2.1MB

Download
memory/3768-0-0x00000000753AE000-0x00000000753AF000-memory.dmp

Filesize
4KB

Download
memory/3768-9-0x0000000006700000-0x000000000673C000-memory.dmp

Filesize
240KB

Download
memory/3768-4-0x0000000004A30000-0x0000000004A42000-memory.dmp

Filesize
72KB

Download
memory/3768-11-0x00000000753AE000-0x00000000753AF000-memory.dmp

Filesize
4KB

Download
memory/3768-12-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/3768-13-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/3768-3-0x0000000004AD0000-0x0000000004B62000-memory.dmp

Filesize
584KB

Download
memory/3768-2-0x0000000004FE0000-0x0000000005584000-memory.dmp

Filesize
5.6MB

Download
memory/3768-1-0x0000000000070000-0x0000000000088000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads