Analysis Overview
SHA256: 3d6012eb13b5a891571ea2d7c7bf120b9c12d479e5cb2c6ffc7e515e14c46866
Threat Level: Known bad
The file kYyBuIFRcL6U7Fl.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Checks computer location settings
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Analysis: static1
Detonation Overview
Reported: 2024-03-26 10:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-26 10:30
Reported: 2024-03-26 10:32
Platform: win7-20240319-en
Max time kernel: 150s
Max time network: 122s
Signatures
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe | "C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UoqhCzdpcgs.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UoqhCzdpcgs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65E4.tmp" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp65E4.tmp
| Hash | Value |
| --- | --- |
| MD5 | 635e5ec0a1742350a15b82ac5ff8b1d7 |
| SHA1 | 69a9d1a99145e38aa2298c5a24d1cefd1b57a1a5 |
| SHA256 | ad58f19ce256d91b97b0fd681a8c0db8bb1ae8386c6685a98d952abcfbc1e5e2 |
| SHA512 | 67b4571648e81b348bd60417acba4e790412bc1a3425c8a34e37821a6c2a140ef6e9e9aa2f1e3ab970c6a17177babc3dda7d562f7a8cab58b5103db341a21985 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AZG0E59A9RMS5HDO2ZG6.temp
| Hash | Value |
| --- | --- |
| MD5 | 21f2d8b447a917dd9a61add5b8f7f5fc |
| SHA1 | 932ac06e063e40318e7b801e141621b1108fe47a |
| SHA256 | 46634759882b90861ef52025afa5a4c30ecba346a540fced504c17c390ce0ffc |
| SHA512 | cf4f6836959e16c254735ed3238f743dc38c934c9e615772e52d6181edb453be9d6a6b3e4945778a5ebbd0aa3fa9eb9b0e674cee890a3df688a15e0bd21ea335 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-03-26 10:30
Reported: 2024-03-26 10:32
Platform: win10v2004-20231215-en
Max time kernel: 115s
Max time network: 121s
Signatures
AgentTesla
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 436 set thread context of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe | "C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UoqhCzdpcgs.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UoqhCzdpcgs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp72FD.tmp" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp72FD.tmp
| Hash | Value |
| --- | --- |
| MD5 | be8f93de5f1d1839387007ab939d0230 |
| SHA1 | 3e6243566e045e7fe44ad8604208ad32507d658d |
| SHA256 | b8d975d50a0a4ec0bea2d730b1f47d483f53f512d83fb17c7b0bd315e0a761a6 |
| SHA512 | d24fe1bc34c2611eeedacfcb422b91e601e9dda89b4f744e63dabb5f7e2869e1a0e485d033676b33d0026cb553cf7c1394362a9c4b47d87bd09158a3a6e4a072 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ie2jw4md.tqy.ps1
| Hash | Value |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| Hash | Value |
| --- | --- |
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Hash | Value |
| --- | --- |
| MD5 | 1538960cbc4608606d9f16e2f2101d96 |
| SHA1 | c37faea70aab7ccba3dea0410878d1e9c1a889be |
| SHA256 | b66f3f87d74a3be2825c056f4f066f06e904dcf0fc17d2dca12ac7a67de53cde |
| SHA512 | 82aabe2f4578ac4aaed906eabc9b225a98af41a5807a9d87eee7bb3532d82544a0e3c4411bcc1b2569374b3b911c857607ce2af42447bb57da13413241fd8972 |