Analysis Overview
SHA256
62deef167c5cb95c907dd65550e619ffc6dfa504cde7b4c1e6102bd48f800210
Threat Level: Known bad
The file 62deef167c5cb95c907dd65550e619ffc6dfa504cde7b4c1e6102bd48f800210 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Command and Scripting Interpreter: PowerShell
Reads data files stored by FTP clients
Checks computer location settings
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-15 10:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-15 10:36
Reported
2024-05-15 10:39
Platform
win7-20240221-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2932 set thread context of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
"C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\isgjyvIx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\isgjyvIx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A71.tmp"
C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
"C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"
Network
Files
memory/2932-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp
memory/2932-1-0x0000000000D80000-0x0000000000E38000-memory.dmp
memory/2932-2-0x0000000074A50000-0x000000007513E000-memory.dmp
memory/2932-3-0x0000000000390000-0x00000000003AC000-memory.dmp
memory/2932-4-0x00000000003C0000-0x00000000003CE000-memory.dmp
memory/2932-5-0x00000000003E0000-0x00000000003F6000-memory.dmp
memory/2932-6-0x0000000004CC0000-0x0000000004D42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp3A71.tmp
| MD5 | ed389962ae3e4b99bd023bccd88b239d |
| SHA1 | b7a88925d8bca29133a5d4556abea796d70a612e |
| SHA256 | 49777157ad04bfb29ca21688f56d3e288cfaf047cb1d8e0a6094e4ad50b4838b |
| SHA512 | 1dbb68a9a53a4d49adcb23e4105aaed64edb8ceb835da5791014ce8fc4bec3dca42f0375dd84dcfaabffad6f9e2a18df5aa7b02c1c53c4cc055214f5d88a62aa |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 29b35910405a9c15379d786092756924 |
| SHA1 | d5abd3223592f3975eab8e3843a8ff836ea6773c |
| SHA256 | 32a4e6e649c04d5c2ea7049768d5423adfc3bc6fd15289816be6e50ebbad47b1 |
| SHA512 | 2ea48f3a3f3514c397c44527f3dbc399bd761420acdbe131042d1f9748175296247691c83e67107f6b0bd48aa9e6f36d98ec6129b4f2fab8a7033a44f0374c84 |
memory/2024-19-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2024-29-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2024-31-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2024-28-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2024-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2024-25-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2024-23-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2024-21-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2932-32-0x0000000074A50000-0x000000007513E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-15 10:36
Reported
2024-05-15 10:39
Platform
win10v2004-20240426-en
Max time kernel
133s
Max time network
104s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1420 set thread context of 4060 | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
"C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\isgjyvIx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\isgjyvIx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp59D8.tmp"
C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe
"C:\Users\Admin\AppData\Local\Temp\55ca6e3bbf1d36f43fb873b3956d9e9ede7586eed508551d463aef4b56ed709f.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.114:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | us2.smtp.mailhostbox.com | udp |
| US | 208.91.198.143:587 | us2.smtp.mailhostbox.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 208.91.199.224:587 | us2.smtp.mailhostbox.com | tcp |
| US | 208.91.199.223:587 | us2.smtp.mailhostbox.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 208.91.199.225:587 | us2.smtp.mailhostbox.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/1420-0-0x00000000747CE000-0x00000000747CF000-memory.dmp
memory/1420-1-0x0000000000D20000-0x0000000000DD8000-memory.dmp
memory/1420-2-0x0000000005E30000-0x00000000063D4000-memory.dmp
memory/1420-3-0x00000000057C0000-0x0000000005852000-memory.dmp
memory/1420-4-0x0000000005970000-0x000000000597A000-memory.dmp
memory/1420-5-0x00000000747C0000-0x0000000074F70000-memory.dmp
memory/1420-6-0x0000000005A60000-0x0000000005AFC000-memory.dmp
memory/1420-7-0x0000000005E10000-0x0000000005E2C000-memory.dmp
memory/1420-8-0x0000000006A00000-0x0000000006A0E000-memory.dmp
memory/1420-9-0x0000000006B30000-0x0000000006B46000-memory.dmp
memory/1420-10-0x0000000007040000-0x00000000070C2000-memory.dmp
memory/2972-15-0x0000000002300000-0x0000000002336000-memory.dmp
memory/2972-16-0x0000000004D00000-0x0000000005328000-memory.dmp
memory/2972-17-0x00000000747C0000-0x0000000074F70000-memory.dmp
memory/2972-18-0x00000000747C0000-0x0000000074F70000-memory.dmp
memory/2972-19-0x00000000747C0000-0x0000000074F70000-memory.dmp
memory/2972-23-0x0000000005550000-0x00000000055B6000-memory.dmp
memory/2972-22-0x0000000005430000-0x0000000005496000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp59D8.tmp
| MD5 | 60f233802fd12e526c4bc002ae4a26fb |
| SHA1 | 53c6052d10bf5f067f6b7ded2b0b32f0c2abc11e |
| SHA256 | 61422ef1eb0f120e02ee950c98ce90d2e90731a82e7e6cba0e2c2a6e8f8869c9 |
| SHA512 | 8d681696bc73e8c9879ebf544d8f14b51db924ec26416542ffa3b3525fc7fa70af23c7b46a2eb4aed7fda5dc6a51eeb034103f304d9cdbd90ac6dbb7cb77be75 |
memory/5008-24-0x00000000747C0000-0x0000000074F70000-memory.dmp
memory/2972-20-0x0000000004C60000-0x0000000004C82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1yiwqyco.y25.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2972-34-0x0000000005600000-0x0000000005954000-memory.dmp
memory/5008-38-0x00000000747C0000-0x0000000074F70000-memory.dmp
memory/4060-36-0x0000000000400000-0x0000000000440000-memory.dmp
memory/5008-35-0x00000000747C0000-0x0000000074F70000-memory.dmp
memory/1420-39-0x00000000747C0000-0x0000000074F70000-memory.dmp
memory/2972-49-0x0000000005C00000-0x0000000005C1E000-memory.dmp
memory/2972-50-0x0000000005CB0000-0x0000000005CFC000-memory.dmp
memory/2972-51-0x0000000006C00000-0x0000000006C32000-memory.dmp
memory/5008-58-0x0000000070EB0000-0x0000000070EFC000-memory.dmp
memory/2972-73-0x0000000006E40000-0x0000000006EE3000-memory.dmp
memory/2972-52-0x0000000070EB0000-0x0000000070EFC000-memory.dmp
memory/2972-63-0x00000000061F0000-0x000000000620E000-memory.dmp
memory/5008-74-0x0000000008210000-0x000000000888A000-memory.dmp
memory/5008-75-0x0000000007BD0000-0x0000000007BEA000-memory.dmp
memory/2972-76-0x0000000006FC0000-0x0000000006FCA000-memory.dmp
memory/5008-77-0x0000000007E50000-0x0000000007EE6000-memory.dmp
memory/2972-78-0x0000000007150000-0x0000000007161000-memory.dmp
memory/5008-79-0x0000000007E00000-0x0000000007E0E000-memory.dmp
memory/2972-80-0x0000000007190000-0x00000000071A4000-memory.dmp
memory/2972-81-0x0000000007290000-0x00000000072AA000-memory.dmp
memory/5008-82-0x0000000007EF0000-0x0000000007EF8000-memory.dmp
memory/2972-85-0x00000000747C0000-0x0000000074F70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 94fb35345af29db03fe090e25efc881a |
| SHA1 | 0665b8c6c3e4938624c7a6a9ef84cd7265021cdb |
| SHA256 | 9a14b1a255eeb0deb3bca64ce116dfcb8b839699ceeee4fcc171c216f1aab818 |
| SHA512 | 06b81c842bdb07a8d7bb6fe8ae1bf6e352a96fbbe37ea1237a5becc067a99b7a3a0a0965b8ac27dc74c6fe66d71edaab104fc0d7d860bf7958ab26cb8c0e4399 |
memory/5008-89-0x00000000747C0000-0x0000000074F70000-memory.dmp
memory/4060-90-0x0000000006640000-0x0000000006690000-memory.dmp