Analysis
-
max time kernel
453s -
max time network
454s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
29-06-2024 06:19
Behavioral task
behavioral1
Sample
无害_loser.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral2
Sample
无害_loser.exe
Resource
win10-20240611-en
General
-
Target
无害_loser.exe
-
Size
5.2MB
-
MD5
c81c10d2b6f80f12fe481141d70c536e
-
SHA1
90b79aa16857a42466fcc2181e91701ffbf5d5a1
-
SHA256
ea458deec798ececbd3fda65fc05928c0cfc4c54eccc76f68c8dfc6d1e434024
-
SHA512
1648f975ffb40ba3d2c2a5b4b672a610cc92ae7afce1f71299f0636ff931bb351a0506929596e001780c434a2b5d467cfe721f72596d1bc8a053b6c08bbcb25d
-
SSDEEP
98304:4AnfzVUmMRJDbHhGUUu4d1Ma04HFlaUxe9c4+rlNL2fSBm8b91a2:4Anfzum+nYD1z75e9P+rlN2aU8va
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1064-19-0x0000000010000000-0x0000000010214000-memory.dmp family_agenttesla -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
无害_loser.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 无害_loser.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
无害_loser.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 无害_loser.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 无害_loser.exe -
Processes:
resource yara_rule behavioral1/memory/1064-14-0x0000000000400000-0x000000000130A000-memory.dmp themida behavioral1/memory/1064-15-0x0000000000400000-0x000000000130A000-memory.dmp themida behavioral1/memory/1064-44-0x0000000000400000-0x000000000130A000-memory.dmp themida -
Processes:
无害_loser.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 无害_loser.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
无害_loser.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\Desktop\Wallpaper = "C:\\hotpfp.jpg" 无害_loser.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
无害_loser.exepid process 1064 无害_loser.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
无害_loser.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion 无害_loser.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS 无害_loser.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer 无害_loser.exe -
Suspicious behavior: EnumeratesProcesses 43 IoCs
Processes:
无害_loser.exetaskmgr.exetaskmgr.exepid process 1064 无害_loser.exe 1064 无害_loser.exe 1064 无害_loser.exe 1064 无害_loser.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
无害_loser.exetaskmgr.exetaskmgr.exedescription pid process Token: SeDebugPrivilege 1064 无害_loser.exe Token: SeDebugPrivilege 4424 taskmgr.exe Token: SeSystemProfilePrivilege 4424 taskmgr.exe Token: SeCreateGlobalPrivilege 4424 taskmgr.exe Token: 33 4424 taskmgr.exe Token: SeIncBasePriorityPrivilege 4424 taskmgr.exe Token: SeDebugPrivilege 1208 taskmgr.exe Token: SeSystemProfilePrivilege 1208 taskmgr.exe Token: SeCreateGlobalPrivilege 1208 taskmgr.exe Token: 33 1208 taskmgr.exe Token: SeIncBasePriorityPrivilege 1208 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exetaskmgr.exepid process 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exetaskmgr.exepid process 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 4424 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe 1208 taskmgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\无害_loser.exe"C:\Users\Admin\AppData\Local\Temp\无害_loser.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idxFilesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lockFilesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.valFilesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
memory/1064-17-0x0000000005B70000-0x0000000005C02000-memory.dmpFilesize
584KB
-
memory/1064-19-0x0000000010000000-0x0000000010214000-memory.dmpFilesize
2.1MB
-
memory/1064-1-0x00000000766F0000-0x00000000766F1000-memory.dmpFilesize
4KB
-
memory/1064-6-0x00000000766D0000-0x00000000767C0000-memory.dmpFilesize
960KB
-
memory/1064-7-0x00000000766D0000-0x00000000767C0000-memory.dmpFilesize
960KB
-
memory/1064-12-0x00000000766D0000-0x00000000767C0000-memory.dmpFilesize
960KB
-
memory/1064-14-0x0000000000400000-0x000000000130A000-memory.dmpFilesize
15.0MB
-
memory/1064-15-0x0000000000400000-0x000000000130A000-memory.dmpFilesize
15.0MB
-
memory/1064-16-0x0000000005C70000-0x0000000006214000-memory.dmpFilesize
5.6MB
-
memory/1064-38-0x00000000766D0000-0x00000000767C0000-memory.dmpFilesize
960KB
-
memory/1064-18-0x0000000006390000-0x000000000639A000-memory.dmpFilesize
40KB
-
memory/1064-3-0x00000000766D0000-0x00000000767C0000-memory.dmpFilesize
960KB
-
memory/1064-21-0x0000000000400000-0x000000000130A000-memory.dmpFilesize
15.0MB
-
memory/1064-23-0x00000000766F0000-0x00000000766F1000-memory.dmpFilesize
4KB
-
memory/1064-24-0x00000000766D0000-0x00000000767C0000-memory.dmpFilesize
960KB
-
memory/1064-0-0x0000000000400000-0x000000000130A000-memory.dmpFilesize
15.0MB
-
memory/1064-4-0x00000000766D0000-0x00000000767C0000-memory.dmpFilesize
960KB
-
memory/1064-5-0x00000000766D0000-0x00000000767C0000-memory.dmpFilesize
960KB
-
memory/1064-2-0x00000000766D0000-0x00000000767C0000-memory.dmpFilesize
960KB
-
memory/1064-44-0x0000000000400000-0x000000000130A000-memory.dmpFilesize
15.0MB
-
memory/1064-43-0x00000000766D0000-0x00000000767C0000-memory.dmpFilesize
960KB
-
memory/1064-40-0x00000000766D0000-0x00000000767C0000-memory.dmpFilesize
960KB
-
memory/1064-39-0x00000000766D0000-0x00000000767C0000-memory.dmpFilesize
960KB
-
memory/4424-25-0x00000120CFD40000-0x00000120CFD41000-memory.dmpFilesize
4KB
-
memory/4424-33-0x00000120CFD40000-0x00000120CFD41000-memory.dmpFilesize
4KB
-
memory/4424-34-0x00000120CFD40000-0x00000120CFD41000-memory.dmpFilesize
4KB
-
memory/4424-35-0x00000120CFD40000-0x00000120CFD41000-memory.dmpFilesize
4KB
-
memory/4424-36-0x00000120CFD40000-0x00000120CFD41000-memory.dmpFilesize
4KB
-
memory/4424-37-0x00000120CFD40000-0x00000120CFD41000-memory.dmpFilesize
4KB
-
memory/4424-31-0x00000120CFD40000-0x00000120CFD41000-memory.dmpFilesize
4KB
-
memory/4424-32-0x00000120CFD40000-0x00000120CFD41000-memory.dmpFilesize
4KB
-
memory/4424-27-0x00000120CFD40000-0x00000120CFD41000-memory.dmpFilesize
4KB
-
memory/4424-26-0x00000120CFD40000-0x00000120CFD41000-memory.dmpFilesize
4KB