Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 01:09
Static task: static1
Behavioral task: behavioral1
  Sample: 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
  Resource: win10v2004-20240508-en
General
Target: 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Size: 2.1MB
MD5: 1c9f943770d01b27a7ad4aba8dcf5f0f
SHA1: c9717cb6ba6103c89a1882e37703bc92ca38216a
SHA256: 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b
SHA512: 075ca73736d75850e53fb9a2bca25916f969127715ded3b7d343eba76a590cf8fc7bbfa88ccd08e8b77650b471acef668958d79307aa41c027ea70e992bade5a
SSDEEP: 12288:6OhZ7ZSC4QmM3n95wjgo4RN89l8+8b/QKWBu9H2WWZFHuUdt:6OhZ7wmpragzRN89lz8b7WB0WZFHNt
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.oserfech.eu
Port: 587
Username: [email protected]
Password: Epicoffice@2024
Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Windows security bypass
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe = "0" | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Windows security modification
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe = "0" | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plQRnonsft = "C:\\Users\\Admin\\AppData\\Roaming\\plQRnonsft\\plQRnonsft.exe" | installutil.exe
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
2 | api.ipify.org
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 4996 set thread context of 432 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | installutil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
5048 | powershell.exe
5048 | powershell.exe
432 | installutil.exe
432 | installutil.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 5048 | powershell.exe
Token: SeDebugPrivilege | 432 | installutil.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
432 | installutil.exe
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
description | pid | process | target process
PID 4996 wrote to memory of 5048 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | powershell.exe
PID 4996 wrote to memory of 5048 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | powershell.exe
PID 4996 wrote to memory of 4952 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | jsc.exe
PID 4996 wrote to memory of 4952 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | jsc.exe
PID 4996 wrote to memory of 4952 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | jsc.exe
PID 4996 wrote to memory of 432 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | installutil.exe
PID 4996 wrote to memory of 432 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | installutil.exe
PID 4996 wrote to memory of 432 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | installutil.exe
PID 4996 wrote to memory of 432 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | installutil.exe
PID 4996 wrote to memory of 432 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | installutil.exe
PID 4996 wrote to memory of 432 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | installutil.exe
PID 4996 wrote to memory of 432 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | installutil.exe
PID 4996 wrote to memory of 432 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | installutil.exe
PID 4996 wrote to memory of 4496 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | installutil.exe
PID 4996 wrote to memory of 4496 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | installutil.exe
PID 4996 wrote to memory of 4496 | 4996 | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe | installutil.exe
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe
Processes
C:\Users\Admin\AppData\Local\Temp\56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe"
  - UAC bypass
  - Windows security bypass
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Windows security modification
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\56d3e2d71ab7af3d617a30d6df87099ed4c93e4beb86a20d4f90f90bf6cfc25b.exe" -Force
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (5)
  Virtualization/Sandbox Evasion (2)
Downloads
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2jmvpke.n25.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
memory/432-26-0x0000000006C60000-0x0000000006CB0000-memory.dmp
  Filesize: 320KB
memory/432-29-0x0000000006D40000-0x0000000006D4A000-memory.dmp
  Filesize: 40KB
memory/432-28-0x0000000006E90000-0x0000000006F22000-memory.dmp
  Filesize: 584KB
memory/432-27-0x0000000006D50000-0x0000000006DEC000-memory.dmp
  Filesize: 624KB
memory/432-23-0x00000000057D0000-0x0000000005836000-memory.dmp
  Filesize: 408KB
memory/432-19-0x0000000000400000-0x0000000000444000-memory.dmp
  Filesize: 272KB
memory/432-22-0x0000000005C80000-0x0000000006224000-memory.dmp
  Filesize: 5.6MB
memory/4996-0-0x00000245743E0000-0x00000245743E8000-memory.dmp
  Filesize: 32KB
memory/4996-3-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp
  Filesize: 10.8MB
memory/4996-1-0x00007FF89DDC3000-0x00007FF89DDC5000-memory.dmp
  Filesize: 8KB
memory/4996-2-0x00000245767A0000-0x0000024576836000-memory.dmp
  Filesize: 600KB
memory/4996-24-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp
  Filesize: 10.8MB
memory/5048-4-0x00000269B9080000-0x00000269B90A2000-memory.dmp
  Filesize: 136KB
memory/5048-20-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp
  Filesize: 10.8MB
memory/5048-21-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp
  Filesize: 10.8MB
memory/5048-16-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp
  Filesize: 10.8MB
memory/5048-15-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp
  Filesize: 10.8MB
memory/5048-14-0x00007FF89DDC0000-0x00007FF89E881000-memory.dmp
  Filesize: 10.8MB