Analysis
-
max time kernel
92s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17-09-2024 10:06
Static task
static1
Behavioral task
behavioral1
Sample
462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe
Resource
win10v2004-20240802-en
General
-
Target
462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe
-
Size
1.1MB
-
MD5
96f60e7b370e3f1886ff83c067312108
-
SHA1
b1e275bc665b436180a81e1c631118a92fa628db
-
SHA256
462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1
-
SHA512
a78d9ef2fbfcab228572de7fa1f65511b4f38c98c73fd0f194fc851fc9eaeec1597b1c687f40c9b80a3af2a09b92ea8ec8eef53b460e9ff076743d3dc91a0e01
-
SSDEEP
24576:j4lavt0LkLL9IMixoEgeacCRMTCcfEXq4PeGxq9MmCS:2kwkn9IMHeacCRMTwxaPCS
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
cp8nl.hyperhost.ua - Port:
587 - Username:
[email protected] - Password:
tank576$%)&** - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2024 set thread context of 4728 2024 462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe 82 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2800 2024 WerFault.exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4728 RegSvcs.exe 4728 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2024 462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4728 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2024 462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe 2024 462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2024 462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe 2024 462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2024 wrote to memory of 4728 2024 462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe 82 PID 2024 wrote to memory of 4728 2024 462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe 82 PID 2024 wrote to memory of 4728 2024 462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe 82 PID 2024 wrote to memory of 4728 2024 462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe"C:\Users\Admin\AppData\Local\Temp\462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\462d52d82377841b63ebcf43f25772edb2a761c559be9d28a510c0ab7155d2c1.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4728
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 8042⤵
- Program crash
PID:2800
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2024 -ip 20241⤵PID:4584