Analysis Overview
SHA256
bd0328f6be16f7c73f39a16739960a069d4812943cfbc93000bbe2a3eed45039
Threat Level: Known bad
The file BL#TELEX-SHIPMENT-POC76120.exe was found to be: Known bad.
Malicious Activity Summary
Oski
AgentTesla
AgentTesla Payload
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-08-06 13:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-06 13:45
Reported
2021-08-06 13:48
Platform
win7v20210410
Max time kernel
150s
Max time network
135s
Command Line
Signatures
AgentTesla
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\apwxc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\FsYYqg = "C:\\Users\\Admin\\AppData\\Roaming\\FsYYqg\\FsYYqg.exe" | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1036 set thread context of 240 | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Executable | Command line |
| C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apZSuwq.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\apZSuwq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32B4.tmp" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apZSuwq.exe" |
| C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe" |
| C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe" |
| C:\Users\Admin\AppData\Local\Temp\apwxc.exe | "C:\Users\Admin\AppData\Local\Temp\apwxc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\apwxc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe" |
| C:\Users\Admin\AppData\Local\Temp\apwxc.exe | "C:\Users\Admin\AppData\Local\Temp\apwxc.exe" |
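The process list above is the whole defense-evasion and persistence chain in order: the launcher spawns powershell.exe to add Defender path exclusions for itself and for the payload it is about to place under AppData\Roaming, registers that payload as a scheduled task under Updates\ from an XML file in Temp, and the dropped apwxc.exe repeats the same sequence with its own names. The following Python is an added example, not part of the sandbox report or the malware: it classifies each command line and the Run-key write into ATT&CK techniques and pulls out the exclusion paths, task names and Run-key value names as a hunt list. The sample input is copied from this report; the ATT&CK IDs and the WoW64 check (a 32-bit parent that asks for System32 is redirected to SysWOW64, which is why the executed image and the command line disagree) are this example's own labelling.

```python
"""Triage a sandbox process list: label each command line with the defense-
evasion or persistence technique it shows and collect the artefacts worth
hunting for on other hosts. Added example; sample input copied from the
behavioral1 report above."""
import re
from dataclasses import dataclass

# Constructed sample input: (executed image, command line) pairs from the report.
SAMPLE_PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apZSuwq.exe"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\apZSuwq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32B4.tmp"'),
    (r"C:\Users\Admin\AppData\Local\Temp\apwxc.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\apwxc.exe"'),
]
# Constructed sample input: (registry key, value) from the "Adds Run key" signature.
SAMPLE_REGISTRY = [
    (r"\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\FsYYqg",
     r"C:\Users\Admin\AppData\Roaming\FsYYqg\FsYYqg.exe"),
]

# Quoted or bare argument after the switch we care about.
EXCLUSION_RE = re.compile(r'-ExclusionPath\s+(?:"([^"]+)"|(\S+))', re.I)
TN_RE = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)
XML_RE = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)
RUN_KEY_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$', re.I)


@dataclass(frozen=True)
class Finding:
    attack_id: str   # MITRE ATT&CK technique ID (this example's own labelling)
    technique: str
    artefact: str    # path, task name or value name to hunt for on other hosts
    detail: str = "" # supporting item, e.g. the XML a task was created from


def _arg(match):
    return match.group(1) or match.group(2)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_wow64_redirected(image, cmdline):
    """True when the command line names System32 but the executed image lives
    under SysWOW64: the parent that spawned it is a 32-bit process."""
    return "\\syswow64\\" in image.lower() and "\\system32\\" in cmdline.lower()


def classify_process(image, cmdline):
    findings = []
    name, low = basename(image), cmdline.lower()
    if name == "powershell.exe" and "add-mppreference" in low:
        m = EXCLUSION_RE.search(cmdline)
        if m:
            findings.append(Finding("T1562.001", "Defender path exclusion added", _arg(m)))
    if name == "schtasks.exe" and "/create" in low:
        tn, xml = TN_RE.search(cmdline), XML_RE.search(cmdline)
        findings.append(Finding("T1053.005", "Scheduled task created from XML definition",
                                _arg(tn) if tn else "?", _arg(xml) if xml else ""))
    return findings


def classify_registry(key, value):
    m = RUN_KEY_RE.search(key)
    return [Finding("T1547.001", "Run key persistence", m.group(1), value)] if m else []


def triage(processes, registry):
    findings = []
    for image, cmdline in processes:
        findings.extend(classify_process(image, cmdline))
    for key, value in registry:
        findings.extend(classify_registry(key, value))
    return findings


def hunt_list(findings):
    """Deduplicated artefacts grouped by ATT&CK ID, ready for a fleet-wide search."""
    out = {}
    for f in findings:
        out.setdefault(f.attack_id, set()).add(f.artefact)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES, SAMPLE_REGISTRY):
        print(f"{f.attack_id:10} {f.technique:42} {f.artefact}  {f.detail}")
```

The task XML path in each T1053.005 finding is the file to open next: the task's `<Command>` names the binary that will run, which is how the Roaming-folder paths in the exclusion commands tie back to the tasks. The exclusion commands run before the excluded file exists, so a detection keyed on Add-MpPreference with a user-writable path should fire regardless of whether the path resolves yet.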
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | swsaseguranca.com.br | udp |
| N/A | 162.241.203.110:80 | swsaseguranca.com.br | tcp |
Files
memory/1036-59-0x0000000000110000-0x0000000000111000-memory.dmp
memory/1036-61-0x0000000002200000-0x0000000002201000-memory.dmp
memory/1036-62-0x0000000000370000-0x0000000000383000-memory.dmp
memory/1036-63-0x0000000005770000-0x0000000005802000-memory.dmp
memory/1036-64-0x0000000002180000-0x00000000021B9000-memory.dmp
memory/596-65-0x0000000000000000-mapping.dmp
memory/596-66-0x0000000075721000-0x0000000075723000-memory.dmp
memory/1148-67-0x0000000000000000-mapping.dmp
memory/972-69-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp32B4.tmp
| MD5 | 7af89b95f38444b1ea72a964db565e94 |
| SHA1 | 35aa04d761a970c49a39f686d17936cbe154bccf |
| SHA256 | d7d413cfa82023a736ef26a0792ee68fd9aa3537fde40fa24608a9b6eb1b6f33 |
| SHA512 | c418f8f3aaa4ba5a5f7725b4577b5a8d269a8c0b60b00f83a7e5baff1b98256e169937f49b5e89d0cbaa2c3219eb1cf682334240a801480e13b9ec908a6783e9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 948ad1f6822d7bb3d294ee157956aca2 |
| SHA1 | ff59dd6fd17c8e52c2deba4f900d4ca234639906 |
| SHA256 | 770a3659fa688b761178552aa5833dec59537515e11258326da32ef59d66ecf8 |
| SHA512 | a6aa13c52bae73a8a2766e87c7f5b313ed614b2c9996bbfeb975ae051e68165d0050a894d975dbf1b3bd6aae80b594cd841e00f835e362be0de7b386ada9584e |
memory/596-72-0x0000000001EB0000-0x0000000001EB1000-memory.dmp
memory/1148-74-0x00000000048F0000-0x00000000048F1000-memory.dmp
memory/836-76-0x0000000000000000-mapping.dmp
memory/240-77-0x0000000000400000-0x000000000043C000-memory.dmp
memory/240-79-0x000000000043782E-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 948ad1f6822d7bb3d294ee157956aca2 |
| SHA1 | ff59dd6fd17c8e52c2deba4f900d4ca234639906 |
| SHA256 | 770a3659fa688b761178552aa5833dec59537515e11258326da32ef59d66ecf8 |
| SHA512 | a6aa13c52bae73a8a2766e87c7f5b313ed614b2c9996bbfeb975ae051e68165d0050a894d975dbf1b3bd6aae80b594cd841e00f835e362be0de7b386ada9584e |
memory/240-80-0x0000000000400000-0x000000000043C000-memory.dmp
memory/596-84-0x00000000024E0000-0x00000000024E1000-memory.dmp
memory/1148-89-0x00000000048B0000-0x00000000048B1000-memory.dmp
memory/596-87-0x00000000047B0000-0x00000000047B1000-memory.dmp
memory/596-90-0x00000000047B2000-0x00000000047B3000-memory.dmp
memory/1148-91-0x00000000048B2000-0x00000000048B3000-memory.dmp
memory/836-93-0x0000000001EB0000-0x0000000002AFA000-memory.dmp
memory/240-92-0x0000000000460000-0x0000000000461000-memory.dmp
memory/1148-94-0x0000000004790000-0x0000000004791000-memory.dmp
memory/1148-99-0x00000000056B0000-0x00000000056B1000-memory.dmp
memory/1148-104-0x00000000056F0000-0x00000000056F1000-memory.dmp
memory/1148-105-0x00000000060E0000-0x00000000060E1000-memory.dmp
memory/1148-112-0x0000000006200000-0x0000000006201000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 0de64a9c72cbd034b7647aaed8c9e42c |
| SHA1 | 82862ee4e5c020af42c34cf429687171cf84d8ce |
| SHA256 | db9dc774a671107df22dad7b5419e356d799f3b3e4e98bc33da3a80b4f1f4ab5 |
| SHA512 | e80e4b130bb62511ed6cc4351d85779f20b5e00c531a625dcfdf8f25a3a9958a54cff81123340b807ce5fb08d7b97ba7b89a63d2e0d1bcee3a899c0e053ffbee |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9
| MD5 | b6d38f250ccc9003dd70efd3b778117f |
| SHA1 | d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a |
| SHA256 | 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265 |
| SHA512 | 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba
| MD5 | 75a8da7754349b38d64c87c938545b1b |
| SHA1 | 5c28c257d51f1c1587e29164cc03ea880c21b417 |
| SHA256 | bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96 |
| SHA512 | 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5
| MD5 | 02ff38ac870de39782aeee04d7b48231 |
| SHA1 | 0390d39fa216c9b0ecdb38238304e518fb2b5095 |
| SHA256 | fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876 |
| SHA512 | 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b
| MD5 | df44874327d79bd75e4264cb8dc01811 |
| SHA1 | 1396b06debed65ea93c24998d244edebd3c0209d |
| SHA256 | 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181 |
| SHA512 | 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598
| MD5 | 5e3c7184a75d42dda1a83606a45001d8 |
| SHA1 | 94ca15637721d88f30eb4b6220b805c5be0360ed |
| SHA256 | 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59 |
| SHA512 | fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b |
memory/1148-119-0x00000000061A0000-0x00000000061A1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370
| MD5 | be4d72095faf84233ac17b94744f7084 |
| SHA1 | cc78ce5b9c57573bd214a8f423ee622b00ebb1ec |
| SHA256 | b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc |
| SHA512 | 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097 |
memory/1148-134-0x0000000006300000-0x0000000006301000-memory.dmp
memory/1148-135-0x0000000006310000-0x0000000006311000-memory.dmp
memory/1148-136-0x000000007EF30000-0x000000007EF31000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
| MD5 | a725bb9fafcf91f3c6b7861a2bde6db2 |
| SHA1 | 8bb5b83f3cc37ff1e5ea4f02acae38e72364c114 |
| SHA256 | 51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431 |
| SHA512 | 1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | b4d7ee94429419f75655f4cc5a75b7d9 |
| SHA1 | 29beb6812cbc71f1cf7044801b3ad3850705de06 |
| SHA256 | 85811f0b4c7828e7379994ffe1fc153fc0d10b2d8ad34664116f1d87780df736 |
| SHA512 | 929af1807ab14e6699c6ec19a8f9e4a00beec0c4b5927e022c9c6bbd051eafb0ef7d938af1a695785183df60e1b406e486dacb6995df3af1de697be4d1c9fa46 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
| MD5 | a725bb9fafcf91f3c6b7861a2bde6db2 |
| SHA1 | 8bb5b83f3cc37ff1e5ea4f02acae38e72364c114 |
| SHA256 | 51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431 |
| SHA512 | 1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eeb
| MD5 | 597009ea0430a463753e0f5b1d1a249e |
| SHA1 | 4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62 |
| SHA256 | 3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d |
| SHA512 | 5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85476360-8cea-42c3-ad65-564b0710de6f
| MD5 | a70ee38af4bb2b5ed3eeb7cbd1a12fa3 |
| SHA1 | 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9 |
| SHA256 | dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d |
| SHA512 | 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_813ec99d-515c-41a4-8d23-a21962538a25
| MD5 | 354b8209f647a42e2ce36d8cf326cc92 |
| SHA1 | 98c3117f797df69935f8b09fc9e95accfe3d8346 |
| SHA256 | feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239 |
| SHA512 | 420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_06809adb-70aa-468c-9fe6-22560a97035c
| MD5 | d89968acfbd0cd60b51df04860d99896 |
| SHA1 | b3c29916ccb81ce98f95bbf3aa8a73de16298b29 |
| SHA256 | 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9 |
| SHA512 | b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c442ad28-c044-49ec-9c30-60178334033b
| MD5 | 7f79b990cb5ed648f9e583fe35527aa7 |
| SHA1 | 71b177b48c8bd745ef02c2affad79ca222da7c33 |
| SHA256 | 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683 |
| SHA512 | 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda |
\Users\Admin\AppData\Local\Temp\apwxc.exe
| MD5 | 8663ed0caec9adcb980a4a7ea23e7984 |
| SHA1 | e6dcb19362e88b50ab1990e7032437072f104e98 |
| SHA256 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750 |
| SHA512 | fd75e6bde035e103e84322411ca7b4107f1673d03170b940af3066f9f4eb58b063ec244302c8dccab87f5816e2b55a177dc1c1d7f498742fd8e0f24fb64317a9 |
memory/1648-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\apwxc.exe
| MD5 | 8663ed0caec9adcb980a4a7ea23e7984 |
| SHA1 | e6dcb19362e88b50ab1990e7032437072f104e98 |
| SHA256 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750 |
| SHA512 | fd75e6bde035e103e84322411ca7b4107f1673d03170b940af3066f9f4eb58b063ec244302c8dccab87f5816e2b55a177dc1c1d7f498742fd8e0f24fb64317a9 |
memory/1648-150-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1648-152-0x0000000004D00000-0x0000000004D01000-memory.dmp
memory/1648-153-0x0000000000390000-0x000000000039D000-memory.dmp
memory/1648-154-0x0000000009290000-0x000000000932A000-memory.dmp
memory/1648-155-0x0000000001F60000-0x0000000001F93000-memory.dmp
memory/332-156-0x0000000000000000-mapping.dmp
memory/396-159-0x0000000000000000-mapping.dmp
memory/1056-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 948ad1f6822d7bb3d294ee157956aca2 |
| SHA1 | ff59dd6fd17c8e52c2deba4f900d4ca234639906 |
| SHA256 | 770a3659fa688b761178552aa5833dec59537515e11258326da32ef59d66ecf8 |
| SHA512 | a6aa13c52bae73a8a2766e87c7f5b313ed614b2c9996bbfeb975ae051e68165d0050a894d975dbf1b3bd6aae80b594cd841e00f835e362be0de7b386ada9584e |
memory/332-162-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 948ad1f6822d7bb3d294ee157956aca2 |
| SHA1 | ff59dd6fd17c8e52c2deba4f900d4ca234639906 |
| SHA256 | 770a3659fa688b761178552aa5833dec59537515e11258326da32ef59d66ecf8 |
| SHA512 | a6aa13c52bae73a8a2766e87c7f5b313ed614b2c9996bbfeb975ae051e68165d0050a894d975dbf1b3bd6aae80b594cd841e00f835e362be0de7b386ada9584e |
memory/1056-166-0x0000000004840000-0x0000000004841000-memory.dmp
memory/1056-168-0x0000000004842000-0x0000000004843000-memory.dmp
memory/332-163-0x0000000004A60000-0x0000000004A61000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpC9D4.tmp
| MD5 | bf64d4a655b245b1bd560dc86f73e713 |
| SHA1 | 1d4f7d13342afec5792fc9b185b61bed22e2ac0a |
| SHA256 | 300263401335f862275dbb971f8b50f9b4c6bbb7cc6059363d333755861b9050 |
| SHA512 | f063c9b7fd140d7a8807e5d10042f5136283db4f3d7e40089b3345b4ea9a818e01aab53ab09f23efd0cf1f120667010dcec41762eb0d5923928fa4147124b931 |
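The SetThreadContext signature (PID 1036 set thread context of 240, the launcher acting on a second instance of itself) together with the dumps the sandbox took for PID 240, a 0x400000-0x43C000 region and a single-address mapping dump at 0x43782E inside it, is the record of a payload being written into the child and the child's thread being pointed at the new image. The script below is an added example, not part of the report: it parses the dump file names, pairs each SetThreadContext target with the mapped address and the dumped region containing it, and reports the base, size and entry RVA of the injected image so you know which dump to carve the PE from. The dump-name format is inferred from the names listed above, and reading the single-address mapping dump as the redirected thread's start address is an assumption of this example.

```python
"""Correlate SetThreadContext events with the sandbox's memory dumps to locate
the injected image in the target process. Added example; sample input copied
from the behavioral1 signatures and Files sections above."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input copied from the report.
SAMPLE_SIGNATURES = ["PID 1036 set thread context of 240"]
SAMPLE_DUMPS = [
    "memory/1036-59-0x0000000000110000-0x0000000000111000-memory.dmp",
    "memory/1036-64-0x0000000002180000-0x00000000021B9000-memory.dmp",
    "memory/596-65-0x0000000000000000-mapping.dmp",   # child spawned, nothing mapped yet
    "memory/240-77-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/240-79-0x000000000043782E-mapping.dmp",   # assumed: new thread start address
    "memory/240-80-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/240-92-0x0000000000460000-0x0000000000461000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp (format inferred from the report)
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")


@dataclass(frozen=True)
class Dump:
    name: str
    pid: int
    seq: int
    start: int
    end: Optional[int]  # None for a single-address "mapping" dump
    kind: str


@dataclass(frozen=True)
class Hollowed:
    source_pid: int
    target_pid: int
    base: int       # start of the dumped region holding the injected image
    size: int
    entry: int      # address the thread was pointed at
    entry_rva: int  # entry relative to the region base: usable as the PE's entry point when carving
    dump: str       # region dump to carve the PE from (earliest sequence number)


def parse_dump(name):
    m = DUMP_RE.search(name)
    if not m:
        return None
    pid, seq, start, end, kind = m.groups()
    return Dump(name, int(pid), int(seq), int(start, 16), int(end, 16) if end else None, kind)


def parse_context_events(lines):
    """(source_pid, target_pid) pairs from 'PID X set thread context of Y' lines."""
    return [(int(s), int(t)) for line in lines for s, t in CTX_RE.findall(line)]


def injected_images(dump_names, signature_lines):
    dumps = [d for d in map(parse_dump, dump_names) if d]
    results = []
    for src, tgt in parse_context_events(signature_lines):
        # Non-zero single-address dumps of the target are candidate thread start addresses.
        entries = [d for d in dumps if d.pid == tgt and d.kind == "mapping" and d.start != 0]
        regions = [d for d in dumps if d.pid == tgt and d.kind == "memory" and d.end is not None]
        for e in entries:
            hits = sorted((r for r in regions if r.start <= e.start < r.end), key=lambda r: r.seq)
            if hits:
                r = hits[0]
                results.append(Hollowed(src, tgt, r.start, r.end - r.start,
                                        e.start, e.start - r.start, r.name))
    return results


if __name__ == "__main__":
    for h in injected_images(SAMPLE_DUMPS, SAMPLE_SIGNATURES):
        print(f"PID {h.source_pid} -> {h.target_pid}: image at {h.base:#x} ({h.size:#x} bytes), "
              f"entry {h.entry:#x} (RVA {h.entry_rva:#x}), carve from {h.dump}")
```

A region based at 0x400000 with an entry a few hundred KiB in is the classic shape of a PE image mapped at its preferred base, so the first region dump for PID 240 is the one to load into a PE parser. The win10 run (behavioral2) records the same 0x400000-0x43C000 region and 0x43782E mapping for PID 3932 after PID 664 set its thread context, so the same script applied to that run locates the same injected image.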
Analysis: behavioral2
Detonation Overview
Submitted
2021-08-06 13:45
Reported
2021-08-06 13:47
Platform
win10v20210408
Max time kernel
150s
Max time network
113s
Command Line
Signatures
AgentTesla
Oski
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\apwxc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\FsYYqg = "C:\\Users\\Admin\\AppData\\Roaming\\FsYYqg\\FsYYqg.exe" | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 664 set thread context of 3932 | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Executable | Command line |
| C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apZSuwq.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\apZSuwq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3AD7.tmp" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apZSuwq.exe" |
| C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe | "C:\Users\Admin\AppData\Local\Temp\BL#TELEX-SHIPMENT-POC76120.exe" |
| C:\Users\Admin\AppData\Local\Temp\apwxc.exe | "C:\Users\Admin\AppData\Local\Temp\apwxc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\apwxc.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImauUieIe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF62.tmp" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ImauUieIe.exe" |
| C:\Users\Admin\AppData\Local\Temp\apwxc.exe | "C:\Users\Admin\AppData\Local\Temp\apwxc.exe" |
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | swsaseguranca.com.br | udp |
| N/A | 162.241.203.110:80 | swsaseguranca.com.br | tcp |
Files
memory/664-114-0x0000000000850000-0x0000000000851000-memory.dmp
memory/664-116-0x00000000057F0000-0x00000000057F1000-memory.dmp
memory/664-117-0x00000000051C0000-0x00000000051C1000-memory.dmp
memory/664-118-0x0000000005160000-0x0000000005161000-memory.dmp
memory/664-119-0x00000000052F0000-0x00000000057EE000-memory.dmp
memory/664-120-0x0000000007690000-0x0000000007691000-memory.dmp
memory/664-121-0x00000000053D0000-0x00000000053E3000-memory.dmp
memory/664-122-0x00000000075F0000-0x0000000007682000-memory.dmp
memory/664-123-0x0000000009E70000-0x0000000009EA9000-memory.dmp
memory/1820-124-0x0000000000000000-mapping.dmp
memory/2088-126-0x0000000000000000-mapping.dmp
memory/2112-128-0x0000000000000000-mapping.dmp
memory/1820-129-0x00000000044B0000-0x00000000044B1000-memory.dmp
memory/1820-131-0x0000000007170000-0x0000000007171000-memory.dmp
memory/1820-136-0x00000000045D2000-0x00000000045D3000-memory.dmp
memory/1820-135-0x00000000045D0000-0x00000000045D1000-memory.dmp
memory/2088-137-0x00000000041A0000-0x00000000041A1000-memory.dmp
memory/2088-138-0x00000000041A2000-0x00000000041A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3AD7.tmp
| MD5 | 71690438d71ee055dd3e790174dc4a43 |
| SHA1 | 805809667652c49aa87c9a8f51c5209072070fed |
| SHA256 | b5887274341e365dcf4a30aac82e57d2ea4a7fa8a12ce7e0faf2dc77828e4315 |
| SHA512 | 2912ba30feae1bf83732fd671a1a3c884f7d32ef11c38e7b715eb5fa549df306a596717b557aca2ab5fb97a7a9d5f494fb951dfdf050c4128d94a38678c5fa89 |
memory/3848-140-0x0000000000000000-mapping.dmp
memory/3932-141-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3932-142-0x000000000043782E-mapping.dmp
memory/3848-151-0x00000000079E0000-0x00000000079E1000-memory.dmp
memory/3932-154-0x00000000053B0000-0x00000000058AE000-memory.dmp
memory/2088-155-0x0000000007420000-0x0000000007421000-memory.dmp
memory/3848-158-0x00000000050B0000-0x00000000050B1000-memory.dmp
memory/2088-159-0x0000000006D80000-0x0000000006D81000-memory.dmp
memory/3848-162-0x00000000050B2000-0x00000000050B3000-memory.dmp
memory/3848-163-0x00000000083B0000-0x00000000083B1000-memory.dmp
memory/3848-166-0x00000000075F0000-0x00000000075F1000-memory.dmp
memory/2088-169-0x0000000007A00000-0x0000000007A01000-memory.dmp
memory/2088-172-0x0000000007C60000-0x0000000007C61000-memory.dmp
memory/3848-197-0x0000000009A50000-0x0000000009A83000-memory.dmp
memory/3848-235-0x000000007EF60000-0x000000007EF61000-memory.dmp
memory/2088-236-0x000000007F770000-0x000000007F771000-memory.dmp
memory/1820-237-0x000000007E700000-0x000000007E701000-memory.dmp
memory/3848-260-0x00000000050B3000-0x00000000050B4000-memory.dmp
memory/1820-266-0x00000000045D3000-0x00000000045D4000-memory.dmp
memory/2088-262-0x00000000041A3000-0x00000000041A4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f3fcc6c9bac7d4151817db32e729fe8 |
| SHA1 | 9fcd413798488dc4c6b90d7ca8855c57e39f7fa7 |
| SHA256 | 78d9b56329dbafdf4dff62f87d49a2ce9bb340d938ff80e87bcb46568b50fa5d |
| SHA512 | 1bad783500ee6905b255d7548eafb51ef185dfd6b87b10571721f1f03d95d187abcd389880381314fae2d578486627d797633165ce9bb44df58085f962d7039c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
memory/3016-885-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\apwxc.exe
| MD5 | 8663ed0caec9adcb980a4a7ea23e7984 |
| SHA1 | e6dcb19362e88b50ab1990e7032437072f104e98 |
| SHA256 | bbe006688e5f74473a5e248bc83651cbb7e9efbe8410abb8d8b84b4a59ed7750 |
| SHA512 | fd75e6bde035e103e84322411ca7b4107f1673d03170b940af3066f9f4eb58b063ec244302c8dccab87f5816e2b55a177dc1c1d7f498742fd8e0f24fb64317a9 |
memory/3016-894-0x0000000004BE0000-0x00000000050DE000-memory.dmp
memory/2540-898-0x0000000000000000-mapping.dmp
memory/1280-899-0x0000000000000000-mapping.dmp
memory/1708-900-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpCF62.tmp
| MD5 | 8229b450d30b9d1b14c3febe972026ee |
| SHA1 | 5fb031ef7f2918ab3bb7d51f3d7dbfab50d22964 |
| SHA256 | 919eb7c6840a70e585157ad93d71b380a7a1c4061ec866369fcb4c3f0b957b24 |
| SHA512 | 23e9f915169808457005f7f6610c893245f223370edc4339893c5e3863bff015cec71617d905746ca15cfc7a23478e21f3bbf0448e8713f053126d7ff8b58153 |
memory/4000-914-0x0000000000000000-mapping.dmp
memory/2540-916-0x00000000042A0000-0x00000000042A1000-memory.dmp
memory/2540-917-0x00000000042A2000-0x00000000042A3000-memory.dmp
memory/2940-920-0x000000000040717B-mapping.dmp
memory/1280-919-0x0000000006A40000-0x0000000006A41000-memory.dmp
memory/1280-921-0x0000000006A42000-0x0000000006A43000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\apwxc.exe
| MD5 | e138bafdec89ef959a18b71e01334883 |
| SHA1 | 233ddf6a55ddc5199254fc536dd6dcd91425289d |
| SHA256 | 4e8a77666313dc3c5aeaa4c302e07282914e67940952e43ca740f9ff20c3131c |
| SHA512 | 41c4a7dfeb32112fb29222c8a40f16d7135febfa441ef48f83bf5bb1deb8b7af5343e12c73246ac0936a50af892603fe21a90e12fb6c1fdc98d5536b273f902f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5f3fcc6c9bac7d4151817db32e729fe8 |
| SHA1 | 9fcd413798488dc4c6b90d7ca8855c57e39f7fa7 |
| SHA256 | 78d9b56329dbafdf4dff62f87d49a2ce9bb340d938ff80e87bcb46568b50fa5d |
| SHA512 | 1bad783500ee6905b255d7548eafb51ef185dfd6b87b10571721f1f03d95d187abcd389880381314fae2d578486627d797633165ce9bb44df58085f962d7039c |