Analysis
-
max time kernel
142s -
max time network
136s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
01-07-2024 03:05
General
-
Target
无害.exe
-
Size
5.6MB
-
MD5
eb08619ed85a31118a80ce0a2f73f25f
-
SHA1
4289df26068458def91c876933e0483867625b2b
-
SHA256
f775611b5d45d3c13217c30f3792963894ecf0726a554188e5e2ee72077e6939
-
SHA512
b8f32587867025e11c6af73c8c3c7ba8f0ec2966cbd2a702240ab26c789ff791475d753ce53114d4c07dc0e2b2c79deba7ae1752d8ccca1ba6337d4a468e3fb0
-
SSDEEP
98304:F3AszIKgNQbnhi1ZKUZWFCGFR62sn+s0eFyVJPJuyacAlKWjR9qw4H9U:F3jzIRi1S+LFR6DZwrPJuplKWvgW
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 32 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\无害.exe"C:\Users\Admin\AppData\Local\Temp\无害.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xb4,0xb8,0xbc,0x90,0xc0,0x7ffa1af99758,0x7ffa1af99768,0x7ffa1af997782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1500,i,14189446686816062217,6699503910852010660,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1500,i,14189446686816062217,6699503910852010660,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 --field-trial-handle=1500,i,14189446686816062217,6699503910852010660,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 --field-trial-handle=1500,i,14189446686816062217,6699503910852010660,131072 /prefetch:82⤵
- Drops file in System32 directory
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\hotpfp.jpg" /ForceBootstrapPaint3D1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3af3055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3af3855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
512B
MD57646d932995445eafa0e7e4cf026eb7f
SHA1eb180dfe5e71c71e00f48e7b32c365e604d1011a
SHA256782e7e57935e39a845b71e6bd51981431faa47e2eca0b3bf90a3b5fcd4940635
SHA512b90797d05139e916e1840d3c6230bd4f85f58a7e0424639ea1989fbf1a59dea50e8afe7d3971a0aec3ff776aa10ee194cb08e4e812ab146106da3bab4e139ec1
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
5KB
MD54ca2240e59f006a8ed074cad2cc9bfef
SHA1a1afe7e38ef5311b9d74d28224aaece929781c6a
SHA2567944058891a4a8f2e2d4a560baf03fd18a154565094e8162f3f6ee7691548c67
SHA512b5757b009585e733d0cfaebfcbbd34cc2e00764b54ffd9475ead6c064ef9e1f5f1f7e08f55aeca0803b3ddf0176ac9af1ad0e3cac0bd6b38997c70a9852e10ea
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
10KB
MD5bca673c4fe69b162ece43414f4f5f785
SHA1cfcfb0ead788487bf5937b000a957080243b7d6f
SHA2566c339589f932f08e90a3a76b57f859b877858f245c3db503f11e51c3aa209610
SHA51265ad4c21955d4f73767ad59bc3e6a55deb9e0a2d2297d7f610656501caa9ca15140e52a4ef787aa8478b92e5d8eb273763fd29b3f9d441b2ad38cec33f0126cb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
136KB
MD5fe4991fd465bf289066caf4d8a68b312
SHA10505e2713b1c55d9a0882c47139afbc83d42b350
SHA256c9393fe56979f609ddbe71fd1533db4a4f5badf5e8ec830298610c4f596ad291
SHA5129523885f41e0d4aa645cdc8ea224c2b2dab644dabe0e93b14a2b5924dab4386cd13c5e105c2ce0b1462262f234cac45884fb0b99f9e9d1e2644556d237ea9318
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Windows\System32\catroot2\dberr.txtFilesize
96KB
MD54370215e46d6ff86b0930f547bcd5df2
SHA118cc69339b08665b4b86081a6f23b77bf0d4c841
SHA2566b94d0c97829d3188b3a2ac421a66310ce1725e4929e93df9d9dc81dc07791f6
SHA512ac4f94e34670c8249f0198e8459e5375439532186a3f7d0234bd58ec3c546edb3803db3dae1eea4677b3bfe9dbcf59f6c6c2f08b2c996af8a7725d61685e8ba9
-
C:\hotpfp.jpgFilesize
7KB
MD55d57fd1f5fc71fe54a5e75a0d99a1d57
SHA19a98a626640bf6a72bbae38cab1cb77cb9b5c0e4
SHA256cf29608cb0fcc665b7ce2dd5f89ec8a0708e47387334a1e634f3d27d3e73e485
SHA5123516320550a93c9ce49d28a5c51911452785f4cc6e0e892cf4cce34a24b1d53cde40d94579ecfea7c8e59946cf320eee26fb4ad433d7c0c9f71b89ec067bc3ca
-
\??\pipe\crashpad_1512_AGSKMFGGVCLFZIJOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4424-7-0x00000000749C0000-0x0000000074B82000-memory.dmpFilesize
1.8MB
-
memory/4424-25-0x0000000074AB6000-0x0000000074AB7000-memory.dmpFilesize
4KB
-
memory/4424-16-0x0000000000400000-0x00000000013D0000-memory.dmpFilesize
15.8MB
-
memory/4424-17-0x0000000005A40000-0x0000000005F3E000-memory.dmpFilesize
5.0MB
-
memory/4424-18-0x0000000005FA0000-0x0000000006032000-memory.dmpFilesize
584KB
-
memory/4424-19-0x00000000061A0000-0x00000000061AA000-memory.dmpFilesize
40KB
-
memory/4424-20-0x0000000010000000-0x0000000010214000-memory.dmpFilesize
2.1MB
-
memory/4424-22-0x00000000749C0000-0x0000000074B82000-memory.dmpFilesize
1.8MB
-
memory/4424-23-0x0000000000400000-0x00000000013D0000-memory.dmpFilesize
15.8MB
-
memory/4424-15-0x0000000000400000-0x00000000013D0000-memory.dmpFilesize
15.8MB
-
memory/4424-14-0x00000000749C0000-0x0000000074B82000-memory.dmpFilesize
1.8MB
-
memory/4424-12-0x00000000749C0000-0x0000000074B82000-memory.dmpFilesize
1.8MB
-
memory/4424-0-0x0000000000400000-0x00000000013D0000-memory.dmpFilesize
15.8MB
-
memory/4424-2-0x00000000749C0000-0x0000000074B82000-memory.dmpFilesize
1.8MB
-
memory/4424-5-0x00000000749C0000-0x0000000074B82000-memory.dmpFilesize
1.8MB
-
memory/4424-6-0x00000000749C0000-0x0000000074B82000-memory.dmpFilesize
1.8MB
-
memory/4424-3-0x00000000749C0000-0x0000000074B82000-memory.dmpFilesize
1.8MB
-
memory/4424-4-0x00000000749C0000-0x0000000074B82000-memory.dmpFilesize
1.8MB
-
memory/4424-1-0x0000000074AB6000-0x0000000074AB7000-memory.dmpFilesize
4KB
