Analysis
  max time kernel: 105s
  max time network: 137s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 15-11-2024 02:32

Static task
  static1

Behavioral task
  behavioral1
  Sample: 53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe
  Resource: win7-20240903-en
General
  Target: 53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe
  Size: 1.1MB
  MD5: d1b0f594c2162e517c30a3fd9a87085b
  SHA1: 249e2e865e1abb381dfbdf6a340db76fd0749591
  SHA256: 53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485
  SHA512: 84554080601be34f64768d7ae52513571c4dd7bfb40d766dc30702b09804754771fccc94fd2463d63f43479727a72e70aa2c7a25eb1e4aea31022d550fd83ca3
  SSDEEP: 12288:Ytb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgao73rAFx83DGd7J2WLjJ:Ytb20pkaCqT5TBWgNQ7aoRTmos+E6A
Malware Config
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Agenttesla family

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    16    api.ipify.org
    15    api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   Process                                                                 procid_target
    PID 3652 set thread context of 1788  3652  53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe  86

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   Process
    1788  RegSvcs.exe
    1788  RegSvcs.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   Process
    3652  53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   Process
    Token: SeDebugPrivilege  1788  RegSvcs.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   Process                                                                 procid_target
    PID 3652 wrote to memory of 1788  3652  53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe  86
    PID 3652 wrote to memory of 1788  3652  53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe  86
    PID 3652 wrote to memory of 1788  3652  53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe  86
    PID 3652 wrote to memory of 1788  3652  53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe  86
Processes
  C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe"
    PID: 3652
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe"
      PID: 1788
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 261KB
  MD5: 38f32ed0ac96cb9d6a3ee68ee2b6ece8
  SHA1: a4ff8874c060347eb17afa37e645babd57757784
  SHA256: 08574f71828bb98f99c15327ed1b8085dcf95f32d448ce34b2e85c34d782d2f3
  SHA512: c9a1656e599e392d5da78ba87a5536ef9ccbde76a20a58497c2d3a8f2bb658f36c58add85288264537024e85b920ca8889f016a7b02874f62480bd06dc03c3a4