Overview

overview

10

Static

static

1

7a22706de4...ec.exe

windows7-x64

10

7a22706de4...ec.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    10-01-2025 01:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a22706de45b3b503a6fa91723ae49dfd6e9a9cd55509bbe19685056fd34efec.exe

  • Size

    742KB

  • MD5

    1d0892c12a2e69230e60d6f195a0d211

  • SHA1

    d02c13991e6d40047e6323e8f21743f9e6ab7bf9

  • SHA256

    7a22706de45b3b503a6fa91723ae49dfd6e9a9cd55509bbe19685056fd34efec

  • SHA512

    593208a2e0b7962af62c393fed71634e651c6920c4f6e604fbc208c735c60266702aeebd727e35cd63044240f3417f10a3b5b740cf0330f71c001e9cc370852d

  • SSDEEP

    12288:fvPRL8Vyke763nEh7vqBdA0PCTem/8++s3fT5+9xBd9acP:F8Vyk2acyB/PCTz+s3r54x7P

Score
10/10
agentteslacollectiondefense_evasiondiscoveryevasionexecutionkeyloggerpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    alibaba.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 4 IoCs
    evasiontrojan
  • AgentTesla payload 5 IoCs
  • Detected Nirsoft tools 1 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs
    defense_evasionprivilege_escalation
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a22706de45b3b503a6fa91723ae49dfd6e9a9cd55509bbe19685056fd34efec.exe
    "C:\Users\Admin\AppData\Local\Temp\7a22706de45b3b503a6fa91723ae49dfd6e9a9cd55509bbe19685056fd34efec.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • UAC bypass
    • Windows security bypass
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Drops startup file
    • Loads dropped DLL
    • Windows security modification
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2500
    • C:\Users\Admin\AppData\Local\Temp\cebaf3e1-7367-40db-a3f7-462ea58138ed\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\cebaf3e1-7367-40db-a3f7-462ea58138ed\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\cebaf3e1-7367-40db-a3f7-462ea58138ed\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Access Token Manipulation: Create Process with Token
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Users\Admin\AppData\Local\Temp\cebaf3e1-7367-40db-a3f7-462ea58138ed\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\cebaf3e1-7367-40db-a3f7-462ea58138ed\AdvancedRun.exe" /SpecialRun 4101d8 2084
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:264
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7a22706de45b3b503a6fa91723ae49dfd6e9a9cd55509bbe19685056fd34efec.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7a22706de45b3b503a6fa91723ae49dfd6e9a9cd55509bbe19685056fd34efec.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3020
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2396
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7a22706de45b3b503a6fa91723ae49dfd6e9a9cd55509bbe19685056fd34efec.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2960
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe"
      2⤵
      • UAC bypass
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1880
      • C:\Users\Admin\AppData\Local\Temp\8091bedb-d83b-43a7-9ffe-b3789568c6c6\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\8091bedb-d83b-43a7-9ffe-b3789568c6c6\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8091bedb-d83b-43a7-9ffe-b3789568c6c6\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Access Token Manipulation: Create Process with Token
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1236
        • C:\Users\Admin\AppData\Local\Temp\8091bedb-d83b-43a7-9ffe-b3789568c6c6\AdvancedRun.exe
          "C:\Users\Admin\AppData\Local\Temp\8091bedb-d83b-43a7-9ffe-b3789568c6c6\AdvancedRun.exe" /SpecialRun 4101d8 1236
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1680
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2400
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3052
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:580
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2256
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2456
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:828
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2648
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7a22706de45b3b503a6fa91723ae49dfd6e9a9cd55509bbe19685056fd34efec.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1412
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2604
    • C:\Users\Admin\AppData\Local\Temp\7a22706de45b3b503a6fa91723ae49dfd6e9a9cd55509bbe19685056fd34efec.exe
      "C:\Users\Admin\AppData\Local\Temp\7a22706de45b3b503a6fa91723ae49dfd6e9a9cd55509bbe19685056fd34efec.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Impair Defenses

4
T1562

Disable or Modify Tools

4
T1562.001

Modify Registry

6
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    28212792d39d38b6961f7fff1c34ada7

    SHA1

    a8fe43e9d7385197999e74b9b30dee6a756102b5

    SHA256

    cf8b0571cd3fc225a478cf44237d698f0f207fabff7da16465ab296bd6e30bfb

    SHA512

    9769f8901d6fcc61c71845bfac09aa134a17535f80c7070f4332a4e9bb3e48ea093b24a3e4e4fce9235cf6f4ebbcb8160de94605f9918237e429d2a4dae3b549

    Download Submit

  • \Users\Admin\AppData\Local\Temp\cebaf3e1-7367-40db-a3f7-462ea58138ed\AdvancedRun.exe
    Filesize

    88KB

    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
    Filesize

    742KB

    MD5

    1d0892c12a2e69230e60d6f195a0d211

    SHA1

    d02c13991e6d40047e6323e8f21743f9e6ab7bf9

    SHA256

    7a22706de45b3b503a6fa91723ae49dfd6e9a9cd55509bbe19685056fd34efec

    SHA512

    593208a2e0b7962af62c393fed71634e651c6920c4f6e604fbc208c735c60266702aeebd727e35cd63044240f3417f10a3b5b740cf0330f71c001e9cc370852d

    Download Submit

  • memory/828-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1880-42-0x0000000001110000-0x00000000011CE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/2500-80-0x0000000001F80000-0x0000000001F88000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2500-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2500-2-0x0000000074D30000-0x000000007541E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2500-1-0x0000000000930000-0x00000000009EE000-memory.dmp

    Filesize

    760KB

    Download

  • memory/2500-3-0x0000000000620000-0x000000000068E000-memory.dmp

    Filesize

    440KB

    Download

  • memory/2500-83-0x0000000074D30000-0x000000007541E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2532-72-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2532-79-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2532-78-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2532-77-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2532-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2532-74-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2532-70-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2532-68-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download