Analysis

  • max time kernel
    84s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2024 17:18

General

  • Target

    $PLUGINSDIR/woskyvpzx.dll

  • Size

    19KB

  • MD5

    dd4ff4b24f8b39951e3946a5282b7ed0

  • SHA1

    d4d1015d01326ba4526fcff52e4c9bbb271d951e

  • SHA256

    f880d09a6f9bc64f974844f92fa9bb764dc2613342fde134d8c037a2267506bc

  • SHA512

    6e822b523f15948a42b1d2703525c8f3744fbb6a7e3aff99345908822fbd65dafe38d6972976211f9558c712d65be1c1a42bb9dabb63fb4576c409ce95e93528

  • SSDEEP

    384:ZS6zZ1fZeiwx2OoULif7NSrSinQyTL8vj:ZTzZ1BeigaxSrSi2

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Agenttesla family
  • AgentTesla payload 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\woskyvpzx.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\woskyvpzx.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2336
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\woskyvpzx.dll,#1
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 548
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2336-0-0x0000000010005000-0x0000000010007000-memory.dmp

    Filesize

    8KB

  • memory/2340-6-0x0000000074281000-0x0000000074282000-memory.dmp

    Filesize

    4KB

  • memory/2340-7-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/2340-9-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/2340-11-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/2340-10-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/2340-8-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/2340-5-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2340-3-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2340-1-0x0000000000400000-0x000000000044B000-memory.dmp

    Filesize

    300KB

  • memory/2340-13-0x0000000074280000-0x000000007482B000-memory.dmp

    Filesize

    5.7MB

  • memory/2788-12-0x0000000000570000-0x0000000000571000-memory.dmp

    Filesize

    4KB