agenttesla | 145ac60ec975bb0a649e3b056fba500a2877dad80ee5453c947413c7d5218caa

Virtualization/Sandbox Evasion

Processes:

AWB DHL 7214306201 Shipment_pdf.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	AWB DHL 7214306201 Shipment_pdf.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

svchost.exeAWB DHL 7214306201 Shipment_pdf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	AWB DHL 7214306201 Shipment_pdf.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

Processes:

AWB DHL 7214306201 Shipment_pdf.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AWB DHL 7214306201 Shipment_pdf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AWB DHL 7214306201 Shipment_pdf.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

608 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

564 cmd.exe
564 cmd.exe

pid	process
608	svchost.exe

pid	process
564	cmd.exe
564	cmd.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AWB DHL 7214306201 Shipment_pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	AWB DHL 7214306201 Shipment_pdf.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AWB DHL 7214306201 Shipment_pdf.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	AWB DHL 7214306201 Shipment_pdf.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	AWB DHL 7214306201 Shipment_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 608 set thread context of 1628 608 svchost.exe jsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1332 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1544 timeout.exe

description	pid	process	target process
PID 608 set thread context of 1628	608	svchost.exe	jsc.exe

pid	process
1332	schtasks.exe

pid	process
1544	timeout.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

AWB DHL 7214306201 Shipment_pdf.exesvchost.exejsc.exe

pid	process
288	AWB DHL 7214306201 Shipment_pdf.exe
608	svchost.exe
608	svchost.exe
608	svchost.exe
608	svchost.exe
608	svchost.exe
608	svchost.exe
608	svchost.exe
608	svchost.exe
608	svchost.exe
608	svchost.exe
608	svchost.exe
608	svchost.exe
1628	jsc.exe
1628	jsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AWB DHL 7214306201 Shipment_pdf.exesvchost.exejsc.exe

description	pid	process
Token: SeDebugPrivilege	288	AWB DHL 7214306201 Shipment_pdf.exe
Token: SeDebugPrivilege	608	svchost.exe
Token: SeDebugPrivilege	1628	jsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jsc.exe

pid process

1628 jsc.exe

pid	process
1628	jsc.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

AWB DHL 7214306201 Shipment_pdf.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 288 wrote to memory of 1756	288	AWB DHL 7214306201 Shipment_pdf.exe	cmd.exe
PID 288 wrote to memory of 1756	288	AWB DHL 7214306201 Shipment_pdf.exe	cmd.exe
PID 288 wrote to memory of 1756	288	AWB DHL 7214306201 Shipment_pdf.exe	cmd.exe
PID 288 wrote to memory of 564	288	AWB DHL 7214306201 Shipment_pdf.exe	cmd.exe
PID 288 wrote to memory of 564	288	AWB DHL 7214306201 Shipment_pdf.exe	cmd.exe
PID 288 wrote to memory of 564	288	AWB DHL 7214306201 Shipment_pdf.exe	cmd.exe
PID 1756 wrote to memory of 1332	1756	cmd.exe	schtasks.exe
PID 1756 wrote to memory of 1332	1756	cmd.exe	schtasks.exe
PID 1756 wrote to memory of 1332	1756	cmd.exe	schtasks.exe
PID 564 wrote to memory of 1544	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 1544	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 1544	564	cmd.exe	timeout.exe
PID 564 wrote to memory of 608	564	cmd.exe	svchost.exe
PID 564 wrote to memory of 608	564	cmd.exe	svchost.exe
PID 564 wrote to memory of 608	564	cmd.exe	svchost.exe
PID 608 wrote to memory of 1940	608	svchost.exe	aspnet_regsql.exe
PID 608 wrote to memory of 1940	608	svchost.exe	aspnet_regsql.exe
PID 608 wrote to memory of 1940	608	svchost.exe	aspnet_regsql.exe
PID 608 wrote to memory of 1096	608	svchost.exe	ilasm.exe
PID 608 wrote to memory of 1096	608	svchost.exe	ilasm.exe
PID 608 wrote to memory of 1096	608	svchost.exe	ilasm.exe
PID 608 wrote to memory of 1532	608	svchost.exe	aspnet_compiler.exe
PID 608 wrote to memory of 1532	608	svchost.exe	aspnet_compiler.exe
PID 608 wrote to memory of 1532	608	svchost.exe	aspnet_compiler.exe
PID 608 wrote to memory of 964	608	svchost.exe	regtlibv12.exe
PID 608 wrote to memory of 964	608	svchost.exe	regtlibv12.exe
PID 608 wrote to memory of 964	608	svchost.exe	regtlibv12.exe
PID 608 wrote to memory of 1388	608	svchost.exe	ServiceModelReg.exe
PID 608 wrote to memory of 1388	608	svchost.exe	ServiceModelReg.exe
PID 608 wrote to memory of 1388	608	svchost.exe	ServiceModelReg.exe
PID 608 wrote to memory of 1884	608	svchost.exe	csc.exe
PID 608 wrote to memory of 1884	608	svchost.exe	csc.exe
PID 608 wrote to memory of 1884	608	svchost.exe	csc.exe
PID 608 wrote to memory of 1628	608	svchost.exe	jsc.exe
PID 608 wrote to memory of 1628	608	svchost.exe	jsc.exe
PID 608 wrote to memory of 1628	608	svchost.exe	jsc.exe
PID 608 wrote to memory of 1628	608	svchost.exe	jsc.exe
PID 608 wrote to memory of 1628	608	svchost.exe	jsc.exe
PID 608 wrote to memory of 1628	608	svchost.exe	jsc.exe
PID 608 wrote to memory of 1628	608	svchost.exe	jsc.exe
PID 608 wrote to memory of 1628	608	svchost.exe	jsc.exe
PID 608 wrote to memory of 1628	608	svchost.exe	jsc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Users\Admin\AppData\Local\Temp\AWB DHL 7214306201 Shipment_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\AWB DHL 7214306201 Shipment_pdf.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1E6A.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1544

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
4⤵
PID:1940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
4⤵
PID:1096

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
4⤵
PID:1532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
4⤵
PID:964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
4⤵
PID:1388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
4⤵
PID:1884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

Modify Registry

T1112

Credential Access

Discovery

Query Registry

5

Virtualization/Sandbox Evasion

2

System Information Discovery

3

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Email Collection