Analysis
-
max time kernel
102s -
max time network
82s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
29-06-2024 06:02
General
-
Target
无害_protected.exe
-
Size
6.4MB
-
MD5
617d7e84ac9e7c4cbedba55ced5bb5a2
-
SHA1
2d9b72a58083cd74f4bd807d01cf184d65f07af7
-
SHA256
d034874dfb3d1ee5a2a8c7cff1959c9a02c5b3c812e9dba87690faee7a5205fa
-
SHA512
4dfe2970dc80d6f7bcbfa224403b688c6d01f5d72c898e601da95f1189b81451dac51d55842348286dd28c2058748eb3ed28c4ad0a60cf472c3ed71867fdea2e
-
SSDEEP
98304:NL3DiZ2oVX3iK62RPbT14vInBQ1kyToUa+iXX+XlkUiYFH//yfpoG87UeibVcgl:N822bzuvIngkyTdS+XQYp/Spn879Lg
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 17 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 58 IoCs
-
Suspicious use of SendNotifyMessage 54 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\无害_protected.exe"C:\Users\Admin\AppData\Local\Temp\无害_protected.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.0.1887867690\1216350239" -parentBuildID 20221007134813 -prefsHandle 1604 -prefMapHandle 1592 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {229f165b-9b78-4552-aeb6-69150adfd972} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 1696 1ae5b209e58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.1.574774266\1131527748" -parentBuildID 20221007134813 -prefsHandle 2028 -prefMapHandle 2024 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c08ead81-2afd-4700-a04f-5c900b663a36} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 2040 1ae47b72258 socket3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.2.388132934\1495053902" -childID 1 -isForBrowser -prefsHandle 2584 -prefMapHandle 2504 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c2f397a-5406-4f56-9bbf-3b5ca1e700d8} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 2784 1ae59f62e58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.3.530681886\492648318" -childID 2 -isForBrowser -prefsHandle 3128 -prefMapHandle 3124 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61aae806-21e7-4106-9699-7a3026c1ddb2} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 3140 1ae47b62858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1880.4.1825791666\1867484596" -childID 3 -isForBrowser -prefsHandle 3500 -prefMapHandle 3648 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {27acbd45-22bc-41af-aa52-d11a6611f974} 1880 "\\.\pipe\gecko-crash-server-pipe.1880" 3472 1ae5ffefc58 tab3⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3af8855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xb4,0xb8,0xbc,0x90,0xc0,0x7ffd9ea69758,0x7ffd9ea69768,0x7ffd9ea697782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1560,i,7624020715572983795,4010888235415189414,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1560,i,7624020715572983795,4010888235415189414,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3328 --field-trial-handle=1560,i,7624020715572983795,4010888235415189414,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 --field-trial-handle=1560,i,7624020715572983795,4010888235415189414,131072 /prefetch:82⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
512B
MD566815d80e8979d757a72be55e82c01e0
SHA18fc2783a89bbf9798943f3f5725d439662915e2c
SHA2567b006d98fd88431ed4dcf0a5673f6e3b7dd785fd462aad02b89026ef2f96f344
SHA512ee3ac8f3e4d7c5a83cbb0d5666c35fc9bdf973afee93891e68961d79df5e619c9113caa704039bd51c217d4148bec856a51e55f031ab48db276228bc88d4123c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD59882a8e87dca46762e2cf2574b521eae
SHA111c826b9d802acb7457744fdabd2ea48faad5739
SHA256161f5670f0fc6370e2105ba592279e3a8b5daf9af3baf51471098a1dd52cf886
SHA5121c031316aea9559ebcf52d4f0c9fcb877bf42e72dd0695dcfda558cbf9a78f9dc0fbed28b3d5dc4cd1b8f24fe1c85704b91eb6952234a8e240ac3518b17a2240
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
10KB
MD5253ec54e91bf5c27beb3359260fcbd8c
SHA1da175468eef0eea682c84fc3798ae6b6091cbb31
SHA256cd07b4b911313bafbff8c1679ce1df9fdf2a69f2d5d182e3ae8ae75d8d3c3e46
SHA512f156b5f753d154d79f1bf45ef3e30bb954107d418ccb67fd63875fe6ba1b03e72bd3c078bf51c251f8d6620e846dcc29d1ff0dd6f7c858b332fb147a1271301a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
136KB
MD5f19f6b7406d42f8171600104db412794
SHA1f27c6482096029c23a3707fe084fa61fcf9a6e50
SHA2569265a2c31225a0eb511475ba9a002134e5e4a0c946bf9aa7211e6683855418fe
SHA512f917a2e4085f0e0ffc7cbc1a4cada079bc1cca557133cc4c50db17f59618cf4fbc2bd5b4a3c951cdf3e950daf8580d5cc56e85e4d7e32a0694ad2998054e461d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.binFilesize
2KB
MD5a600df4f61349951ad23f65edc7e5cea
SHA116c48cb5493dff9700893ce0f28bed49c88b17bc
SHA25624ad4757429f4f61808af50081ffd326041e2bab08b9e2ca5c498895bfd7d226
SHA512dd982fcf29de87eefe9b323d2714b15e2d226879e9eb0b64ab0f27f5eb919f73ff68a05c44d494b4b284759af95605bcf9bc09083d0b30b574de1b6d50ea92e1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\548f1524-3401-41e8-b8b8-0cf0493622bdFilesize
11KB
MD5fcaa6cbe5cb8d86bf7271d07bd5244c4
SHA138dc512bcd26cc6715110ad4327274a8ff8589a2
SHA256bceb3afc80a297282811d03485a97e2415b07f6f91d49c3d8847ffbbc262afcd
SHA512c46ab19155d2623c44f7a7f0cf69a5085a86eca9eddd3cdd1d3cd76dd21e955a4c4a09a843e7b4ff00e26e4ec67c7089fd029b27351f03d900d944daf9531d75
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\6c5b018f-2145-4f84-81bd-c338c771c210Filesize
746B
MD5651346541ec4d52a74163368ad4422e1
SHA11d0041b4f242fc308eaeb7b2e977d44fab6d2b3f
SHA256ed3d27777d3f1f91d38fc1110ee0ecf5d176b8e8c02ff8d56edaf879411eb888
SHA512e688d9d765c9c84287d5277d1c83b9e9cbebde4e0263323ffaf9aa7780fd26579edd7e68f9c3c3d42670db857dd5ac7144a8ad4eb125d4fc927cef69c9cc5042
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.jsFilesize
6KB
MD5e9c28b20d3c5974722e8644fc49253ac
SHA157d45635bc77de93176c2855b79e235420935538
SHA2566dc030dbbe58d829c8530fda61796ade2c58a4b1ac1f3c14fe0a9177d6135677
SHA512e446a5f8f6928d385eb8a036ad0e4c20519ce95b398c748e3a7433baf7dfb9d6da80b4266177b4b6d1c58f2ac153bdd40832b7f0deb1dc04acf6a6c7caf018fa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.jsFilesize
6KB
MD5c90b8498e3c39547d9304ce1f69ad6d6
SHA1a24ef99d4d13fce0166dc10ca00d778fcba6d1c1
SHA2568ccf4be22c2555836b82c80bf3a076ffc172e7dbb088ee5fbd68ab61f2cc40ad
SHA5123562df62a1c174b069040f1e7a9bd7dac71736c71568466baa41a1927c37e086c2ed7675df8c39fd760e25d0a40f2188a3f812bc9daefec6b534c100b5dee984
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.jsonFilesize
181B
MD52d87ba02e79c11351c1d478b06ca9b29
SHA14b0fb1927ca869256e9e2e2d480c3feb8e67e6f1
SHA25616b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524
SHA512be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4Filesize
831B
MD51b7b0fa3d06d27ecd42d58f11085b56e
SHA192698db64171ce52a99937546725b5297068f4b3
SHA2567d4757b549bdbb45eda9b07a66b34a9083ee40c9aa8a8436a67a8f9ef545ba32
SHA512617ce285aea2e2d813d88f40810f7c9dc6c27c3f45d17ac4f1de7d378be349b8f89471734674fa6c7cdeb3731c712661c5c09b4ea9c36081a978786fb9ad89f0
-
C:\Windows\System32\CatRoot2\dberr.txtFilesize
101KB
MD561a1079ea1f01cd959c036d0434b065a
SHA1e2530afcf0ba7a9bc061122607df170ab0ba8d0f
SHA256d8cd977e67a6e4a9e14af26c880f70b394938f7b2251cb349a4c79a0cd91a7a6
SHA512faadf9b4963b151b111572e5566b38329ddf7fab7a464655120602ddf73442fe29e6901152bd3eb5efc3ba79b65a60a26f6effeab8f77b192e0a912a43eba9e1
-
C:\Windows\System32\catroot2\dberr.txtFilesize
94KB
MD575d69c5905d2674bbcbcee4868894c30
SHA16a414025e479f065c0dc1923cb5e6f7040941163
SHA2569462ffa43822ffedebb27f9a41f1db88f215ca78fa19a96511894b78bd2ab110
SHA512ddabf6d4d562fbc09340ac2afcd47718958f821a35440b890e5eada9c6558c32f723fa5546889efd707ed4a5da5430e2a5c81b14c796b2901a77821ed551bc34
-
C:\Windows\System32\catroot2\dberr.txtFilesize
2KB
MD58dde23a8e1695980dd5d9e2686ee3e42
SHA1a16183a42d6c98a900d2350351e36a385390e814
SHA256eac73dbd0af8357b89c9db6a32d6fbc0622ff49cf262673e579bae1e6e2a5cfa
SHA5120a14aa24917efb48270d0f5bd67c763a482fad675991657da598b3cc6be7162d468c8efbce9b871ce17dfb5c6cae167659d66a4e003dbd4cdae73cc4feac87d4
-
C:\Windows\System32\catroot2\dberr.txtFilesize
4KB
MD58e8dfd9fcdaf2243a0349e8963d62885
SHA1d933eadfcbdbd3685569a2a548867baaf39e1033
SHA2568314a6fb83cc294c81af8309d5f5c029b41d5f0614f1ad6cf95dc481d0ae8e1e
SHA51248ce603a08ce48b6e020525d8fe44c7ca06eeef15cb50087a472c1c14cddd84f48312228c29fa6771a41dc8d7c7215ae87e50bd2382fd9333e4367410fe18dae
-
C:\Windows\System32\catroot2\dberr.txtFilesize
9KB
MD575baaa7e9bb026f48660bc2107504906
SHA1d5b5a31444586590d3cf78b3fdbbfff7bd0a59ab
SHA256ea35eb7b36734928c55afea98bae9850df3eb864c18c73c730fa28de6830eb30
SHA512ff95487f0a31863b8635bc9ca7b0ef262bb3a16204db012376308b3cfd6d8463a775a1558a3b4d07648cac2a621d0d19369a0791aa8402d2368711682da4f4ca
-
\??\pipe\crashpad_4464_TVVTCCYZVKXEOREYMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/3648-15-0x0000000005C60000-0x000000000615E000-memory.dmpFilesize
5.0MB
-
memory/3648-17-0x0000000006180000-0x000000000618A000-memory.dmpFilesize
40KB
-
memory/3648-14-0x0000000000400000-0x000000000145E000-memory.dmpFilesize
16.4MB
-
memory/3648-13-0x0000000000400000-0x000000000145E000-memory.dmpFilesize
16.4MB
-
memory/3648-12-0x0000000075990000-0x0000000075B52000-memory.dmpFilesize
1.8MB
-
memory/3648-224-0x0000000075A86000-0x0000000075A87000-memory.dmpFilesize
4KB
-
memory/3648-16-0x0000000005B30000-0x0000000005BC2000-memory.dmpFilesize
584KB
-
memory/3648-10-0x0000000075990000-0x0000000075B52000-memory.dmpFilesize
1.8MB
-
memory/3648-0-0x0000000000400000-0x000000000145E000-memory.dmpFilesize
16.4MB
-
memory/3648-32-0x0000000000400000-0x000000000145E000-memory.dmpFilesize
16.4MB
-
memory/3648-18-0x0000000010000000-0x0000000010214000-memory.dmpFilesize
2.1MB
-
memory/3648-84-0x0000000075990000-0x0000000075B52000-memory.dmpFilesize
1.8MB
-
memory/3648-2-0x0000000075990000-0x0000000075B52000-memory.dmpFilesize
1.8MB
-
memory/3648-4-0x0000000075990000-0x0000000075B52000-memory.dmpFilesize
1.8MB
-
memory/3648-5-0x0000000075990000-0x0000000075B52000-memory.dmpFilesize
1.8MB
-
memory/3648-3-0x0000000075990000-0x0000000075B52000-memory.dmpFilesize
1.8MB
-
memory/3648-1-0x0000000075A86000-0x0000000075A87000-memory.dmpFilesize
4KB