agenttesla | a84902bbc64bef32a19bcbd8a67b8d80e00e26ddc1d38467e55461b419e56976

System Information Discovery

Processes:

KsoUkx8kQkhNBfv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	KsoUkx8kQkhNBfv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	KsoUkx8kQkhNBfv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

KsoUkx8kQkhNBfv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	KsoUkx8kQkhNBfv.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

KsoUkx8kQkhNBfv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	KsoUkx8kQkhNBfv.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	KsoUkx8kQkhNBfv.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

KsoUkx8kQkhNBfv.exe

description pid process target process

PID 4188 set thread context of 2528 4188 KsoUkx8kQkhNBfv.exe KsoUkx8kQkhNBfv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4776 schtasks.exe

description	pid	process	target process
PID 4188 set thread context of 2528	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe

pid	process
4776	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

KsoUkx8kQkhNBfv.exeKsoUkx8kQkhNBfv.exe

pid	process
4188	KsoUkx8kQkhNBfv.exe
4188	KsoUkx8kQkhNBfv.exe
4188	KsoUkx8kQkhNBfv.exe
4188	KsoUkx8kQkhNBfv.exe
4188	KsoUkx8kQkhNBfv.exe
4188	KsoUkx8kQkhNBfv.exe
4188	KsoUkx8kQkhNBfv.exe
4188	KsoUkx8kQkhNBfv.exe
2528	KsoUkx8kQkhNBfv.exe
2528	KsoUkx8kQkhNBfv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

KsoUkx8kQkhNBfv.exeKsoUkx8kQkhNBfv.exe

description pid process

Token: SeDebugPrivilege 4188 KsoUkx8kQkhNBfv.exe
Token: SeDebugPrivilege 2528 KsoUkx8kQkhNBfv.exe

description	pid	process
Token: SeDebugPrivilege	4188	KsoUkx8kQkhNBfv.exe
Token: SeDebugPrivilege	2528	KsoUkx8kQkhNBfv.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

KsoUkx8kQkhNBfv.exe

description	pid	process	target process
PID 4188 wrote to memory of 4776	4188	KsoUkx8kQkhNBfv.exe	schtasks.exe
PID 4188 wrote to memory of 4776	4188	KsoUkx8kQkhNBfv.exe	schtasks.exe
PID 4188 wrote to memory of 4776	4188	KsoUkx8kQkhNBfv.exe	schtasks.exe
PID 4188 wrote to memory of 3604	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe
PID 4188 wrote to memory of 3604	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe
PID 4188 wrote to memory of 3604	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe
PID 4188 wrote to memory of 4956	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe
PID 4188 wrote to memory of 4956	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe
PID 4188 wrote to memory of 4956	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe
PID 4188 wrote to memory of 2528	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe
PID 4188 wrote to memory of 2528	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe
PID 4188 wrote to memory of 2528	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe
PID 4188 wrote to memory of 2528	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe
PID 4188 wrote to memory of 2528	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe
PID 4188 wrote to memory of 2528	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe
PID 4188 wrote to memory of 2528	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe
PID 4188 wrote to memory of 2528	4188	KsoUkx8kQkhNBfv.exe	KsoUkx8kQkhNBfv.exe

C:\Users\Admin\AppData\Local\Temp\KsoUkx8kQkhNBfv.exe
"C:\Users\Admin\AppData\Local\Temp\KsoUkx8kQkhNBfv.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BXXwfEloUhOLj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp773E.tmp"
2⤵
- Creates scheduled task(s)
PID:4776

C:\Users\Admin\AppData\Local\Temp\KsoUkx8kQkhNBfv.exe
"{path}"
2⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\KsoUkx8kQkhNBfv.exe
"{path}"
2⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\KsoUkx8kQkhNBfv.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

5

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

4

Peripheral Device Discovery