agenttesla | efa6869eaa796429cbd684b030cb6873262f6009997fe6f4c20ebd69b4ad54b6

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	DHL Original Document.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	DHL Original Document.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	svchost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DHL Original Document.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DHL Original Document.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	DHL Original Document.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1840	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 3 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	DHL Original Document.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	api.ipify.org
28	api.ipify.org

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	DHL Original Document.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	DHL Original Document.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1840 set thread context of 4376	1840	svchost.exe	117

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4748	schtasks.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
1228	timeout.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1604	DHL Original Document.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
3716	powershell.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
3716	powershell.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe
1840	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1840	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	DHL Original Document.exe
Token: SeDebugPrivilege	1840	svchost.exe
Token: SeDebugPrivilege	1840	svchost.exe
Token: SeLoadDriverPrivilege	1840	svchost.exe
Token: SeDebugPrivilege	3716	powershell.exe
Token: SeDebugPrivilege	4376	jsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4376	jsc.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 3252	1604	DHL Original Document.exe	86
PID 1604 wrote to memory of 3252	1604	DHL Original Document.exe	86
PID 1604 wrote to memory of 3804	1604	DHL Original Document.exe	88
PID 1604 wrote to memory of 3804	1604	DHL Original Document.exe	88
PID 3252 wrote to memory of 4748	3252	cmd.exe	90
PID 3252 wrote to memory of 4748	3252	cmd.exe	90
PID 3804 wrote to memory of 1228	3804	cmd.exe	91
PID 3804 wrote to memory of 1228	3804	cmd.exe	91
PID 3804 wrote to memory of 1840	3804	cmd.exe	95
PID 3804 wrote to memory of 1840	3804	cmd.exe	95
PID 1840 wrote to memory of 3716	1840	svchost.exe	97
PID 1840 wrote to memory of 3716	1840	svchost.exe	97
PID 1840 wrote to memory of 2112	1840	svchost.exe	99
PID 1840 wrote to memory of 2112	1840	svchost.exe	99
PID 1840 wrote to memory of 1452	1840	svchost.exe	100
PID 1840 wrote to memory of 1452	1840	svchost.exe	100
PID 1840 wrote to memory of 3960	1840	svchost.exe	101
PID 1840 wrote to memory of 3960	1840	svchost.exe	101
PID 1840 wrote to memory of 4840	1840	svchost.exe	103
PID 1840 wrote to memory of 4840	1840	svchost.exe	103
PID 1840 wrote to memory of 5116	1840	svchost.exe	102
PID 1840 wrote to memory of 5116	1840	svchost.exe	102
PID 1840 wrote to memory of 4292	1840	svchost.exe	104
PID 1840 wrote to memory of 4292	1840	svchost.exe	104
PID 1840 wrote to memory of 1344	1840	svchost.exe	105
PID 1840 wrote to memory of 1344	1840	svchost.exe	105
PID 1840 wrote to memory of 1344	1840	svchost.exe	105
PID 1840 wrote to memory of 816	1840	svchost.exe	106
PID 1840 wrote to memory of 816	1840	svchost.exe	106
PID 1840 wrote to memory of 4448	1840	svchost.exe	107
PID 1840 wrote to memory of 4448	1840	svchost.exe	107
PID 1840 wrote to memory of 2800	1840	svchost.exe	108
PID 1840 wrote to memory of 2800	1840	svchost.exe	108
PID 1840 wrote to memory of 1068	1840	svchost.exe	109
PID 1840 wrote to memory of 1068	1840	svchost.exe	109
PID 1840 wrote to memory of 2596	1840	svchost.exe	110
PID 1840 wrote to memory of 2596	1840	svchost.exe	110
PID 1840 wrote to memory of 1508	1840	svchost.exe	111
PID 1840 wrote to memory of 1508	1840	svchost.exe	111
PID 1840 wrote to memory of 4900	1840	svchost.exe	112
PID 1840 wrote to memory of 4900	1840	svchost.exe	112
PID 1840 wrote to memory of 1696	1840	svchost.exe	113
PID 1840 wrote to memory of 1696	1840	svchost.exe	113
PID 1840 wrote to memory of 2988	1840	svchost.exe	114
PID 1840 wrote to memory of 2988	1840	svchost.exe	114
PID 1840 wrote to memory of 4316	1840	svchost.exe	115
PID 1840 wrote to memory of 4316	1840	svchost.exe	115
PID 1840 wrote to memory of 1340	1840	svchost.exe	116
PID 1840 wrote to memory of 1340	1840	svchost.exe	116
PID 1840 wrote to memory of 4376	1840	svchost.exe	117
PID 1840 wrote to memory of 4376	1840	svchost.exe	117
PID 1840 wrote to memory of 4376	1840	svchost.exe	117
PID 1840 wrote to memory of 4376	1840	svchost.exe	117
PID 1840 wrote to memory of 4376	1840	svchost.exe	117
PID 1840 wrote to memory of 4376	1840	svchost.exe	117
PID 1840 wrote to memory of 4376	1840	svchost.exe	117
PID 1840 wrote to memory of 4376	1840	svchost.exe	117

System policy modification 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Users\Admin\AppData\Local\Temp\DHL Original Document.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Original Document.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:4748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB105.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1228
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - UAC bypass
    - Windows security bypass
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Sets service image path in registry
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3716
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
      4⤵
      PID:2112
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
      4⤵
      PID:1452
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
      4⤵
      PID:3960
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
      4⤵
      PID:5116
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
      4⤵
      PID:4840
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
      4⤵
      PID:4292
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:1344
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:816
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
      4⤵
      PID:4448
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
      4⤵
      PID:2800
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1068
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:2596
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1508
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
      4⤵
      PID:4900
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
      4⤵
      PID:1696
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
      4⤵
      PID:2988
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
      4⤵
      PID:4316
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
      4⤵
      PID:1340
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:4376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Scripting

T1064

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion