Analysis
-
max time kernel
104s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:38
Static task
static1
Behavioral task
behavioral1
Sample
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe
Resource
win7-20240903-en
General
-
Target
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe
-
Size
2.3MB
-
MD5
839127291c05e0fe8f2db4b678397ec0
-
SHA1
9a7e243162ad7947d0625a47e20fe26ebc82f0fc
-
SHA256
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095
-
SHA512
7a1503b5f498050d2545195da2eaf41e8919c2f15dc9680cb51b7a502029d934fbbb3be9fb70d352239d88d36ff14b020cc5264dd6b24be0c9d2c844041b62cb
-
SSDEEP
12288:WtFghMFvcxxO1Dqm+eO+Crln1lXaPZrBDNCIDvYoGbSNF:2FghKvExAO5rlnLcDC0GbsF
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
webmaster - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Processes:
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe -
Processes:
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe = "0" be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe -
Processes:
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe = "0" be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe -
Processes:
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 api.ipify.org 7 api.ipify.org -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exedescription pid process target process PID 924 set thread context of 4548 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe AddInProcess32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
AddInProcess32.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AddInProcess32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exeAddInProcess32.exepid process 4564 powershell.exe 4564 powershell.exe 4548 AddInProcess32.exe 4548 AddInProcess32.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exepowershell.exeAddInProcess32.exedescription pid process Token: SeDebugPrivilege 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe Token: SeDebugPrivilege 4564 powershell.exe Token: SeDebugPrivilege 4548 AddInProcess32.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exedescription pid process target process PID 924 wrote to memory of 4564 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe powershell.exe PID 924 wrote to memory of 4564 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe powershell.exe PID 924 wrote to memory of 4548 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe AddInProcess32.exe PID 924 wrote to memory of 4548 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe AddInProcess32.exe PID 924 wrote to memory of 4548 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe AddInProcess32.exe PID 924 wrote to memory of 4548 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe AddInProcess32.exe PID 924 wrote to memory of 4548 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe AddInProcess32.exe PID 924 wrote to memory of 4548 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe AddInProcess32.exe PID 924 wrote to memory of 4548 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe AddInProcess32.exe PID 924 wrote to memory of 4548 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe AddInProcess32.exe PID 924 wrote to memory of 3000 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe AddInProcess32.exe PID 924 wrote to memory of 3000 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe AddInProcess32.exe PID 924 wrote to memory of 3000 924 be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe AddInProcess32.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe"C:\Users\Admin\AppData\Local\Temp\be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe"1⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:924 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\be5538ff87a5b5219e063a8de6a59efae7b953fe2a3b2e6035bccd321d3d5095.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4564 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵PID:3000
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82