agenttesla | 145ac60ec975bb0a649e3b056fba500a2877dad80ee5453c947413c7d5218caa

Virtualization/Sandbox Evasion

Processes:

AWB DHL 7214306201 Shipment_pdf.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	AWB DHL 7214306201 Shipment_pdf.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

AWB DHL 7214306201 Shipment_pdf.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	AWB DHL 7214306201 Shipment_pdf.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

AWB DHL 7214306201 Shipment_pdf.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AWB DHL 7214306201 Shipment_pdf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AWB DHL 7214306201 Shipment_pdf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

AWB DHL 7214306201 Shipment_pdf.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	AWB DHL 7214306201 Shipment_pdf.exe

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

4012 svchost.exe

pid	process
4012	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AWB DHL 7214306201 Shipment_pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	AWB DHL 7214306201 Shipment_pdf.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

AWB DHL 7214306201 Shipment_pdf.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	AWB DHL 7214306201 Shipment_pdf.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	AWB DHL 7214306201 Shipment_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4012 set thread context of 1668 4012 svchost.exe jsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1964 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4608 timeout.exe

description	pid	process	target process
PID 4012 set thread context of 1668	4012	svchost.exe	jsc.exe

pid	process
1964	schtasks.exe

pid	process
4608	timeout.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

AWB DHL 7214306201 Shipment_pdf.exesvchost.exejsc.exe

pid	process
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
1548	AWB DHL 7214306201 Shipment_pdf.exe
4012	svchost.exe
4012	svchost.exe
1668	jsc.exe
1668	jsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AWB DHL 7214306201 Shipment_pdf.exesvchost.exejsc.exe

description	pid	process
Token: SeDebugPrivilege	1548	AWB DHL 7214306201 Shipment_pdf.exe
Token: SeDebugPrivilege	4012	svchost.exe
Token: SeDebugPrivilege	1668	jsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

jsc.exe

pid process

1668 jsc.exe

pid	process
1668	jsc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

AWB DHL 7214306201 Shipment_pdf.execmd.execmd.exesvchost.exe

description	pid	process	target process
PID 1548 wrote to memory of 248	1548	AWB DHL 7214306201 Shipment_pdf.exe	cmd.exe
PID 1548 wrote to memory of 248	1548	AWB DHL 7214306201 Shipment_pdf.exe	cmd.exe
PID 1548 wrote to memory of 4952	1548	AWB DHL 7214306201 Shipment_pdf.exe	cmd.exe
PID 1548 wrote to memory of 4952	1548	AWB DHL 7214306201 Shipment_pdf.exe	cmd.exe
PID 248 wrote to memory of 1964	248	cmd.exe	schtasks.exe
PID 248 wrote to memory of 1964	248	cmd.exe	schtasks.exe
PID 4952 wrote to memory of 4608	4952	cmd.exe	timeout.exe
PID 4952 wrote to memory of 4608	4952	cmd.exe	timeout.exe
PID 4952 wrote to memory of 4012	4952	cmd.exe	svchost.exe
PID 4952 wrote to memory of 4012	4952	cmd.exe	svchost.exe
PID 4012 wrote to memory of 1908	4012	svchost.exe	EdmGen.exe
PID 4012 wrote to memory of 1908	4012	svchost.exe	EdmGen.exe
PID 4012 wrote to memory of 1668	4012	svchost.exe	jsc.exe
PID 4012 wrote to memory of 1668	4012	svchost.exe	jsc.exe
PID 4012 wrote to memory of 1668	4012	svchost.exe	jsc.exe
PID 4012 wrote to memory of 1668	4012	svchost.exe	jsc.exe
PID 4012 wrote to memory of 1668	4012	svchost.exe	jsc.exe
PID 4012 wrote to memory of 1668	4012	svchost.exe	jsc.exe
PID 4012 wrote to memory of 1668	4012	svchost.exe	jsc.exe
PID 4012 wrote to memory of 1668	4012	svchost.exe	jsc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

outlook_win_path 1 IoCs

Processes:

jsc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	jsc.exe

C:\Users\Admin\AppData\Local\Temp\AWB DHL 7214306201 Shipment_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\AWB DHL 7214306201 Shipment_pdf.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:248

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
3⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7AF1.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4608

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
4⤵
PID:1908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
4⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

Modify Registry

T1112

Credential Access

Discovery

Query Registry

6

Virtualization/Sandbox Evasion

2

System Information Discovery

4

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Email Collection