Analysis Overview
SHA256
03750c25185f729355e52cf86c433756997d72042bf3a705abf6a3e45e671012
Threat Level: Known bad
The file 03750c25185f729355e52cf86c433756997d72042bf3a705abf6a3e45e671012 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-15 10:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-15 10:36
Reported
2024-05-15 10:39
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2040 set thread context of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe
"C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ClBZCJCLlsf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ClBZCJCLlsf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
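The signatures and process list above are the detection surface for this run: a Defender exclusion added through Add-MpPreference for the sample and for a second path under Roaming, a scheduled task created from an XML file in Temp, a Run key written by RegSvcs.exe rather than by the sample itself, and SetThreadContext from the sample (PID 2040) into RegSvcs.exe (PID 2392). One caveat when matching on these lines: the process list records the 32-bit PowerShell and schtasks images under SysWOW64 while their command lines say System32; that is WoW64 file-system redirection for a 32-bit parent, not two different binaries, so rules should key on the image basename. The following is an added example, not the sandbox's or any vendor's detection code. Its event records are constructed from the report's own lines; the rule names, the PIDs other than 2040 and 2392, and the list of .NET host binaries are assumptions.

```python
"""Detection logic over the behavioral1 process, registry and injection events.

Added example for this page, not sandbox or vendor code. The event records
are constructed from the report's own process list and signature tables;
the rule names, the extra PIDs (2100, 2104, 2120) and the list of .NET
hosts are the editor's assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # path the sandbox recorded (SysWOW64 for a 32-bit child)
    cmdline: str  # as launched; says System32 because of WoW64 redirection


@dataclass(frozen=True)
class RegSet:
    pid: int
    image: str
    key: str
    data: str


@dataclass(frozen=True)
class ThreadCtx:
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe")
ROAMING_EXE = r"C:\Users\Admin\AppData\Roaming\ClBZCJCLlsf.exe"
TASK_XML = r"C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\boqXv")

# Constructed from the report; only PIDs 2040 and 2392 appear on the page.
PROCS = [
    Proc(2040, SAMPLE, f'"{SAMPLE}"'),
    Proc(2100, PS32, f'{PS_CMD} Add-MpPreference -ExclusionPath "{SAMPLE}"'),
    Proc(2104, PS32, f'{PS_CMD} Add-MpPreference -ExclusionPath "{ROAMING_EXE}"'),
    Proc(2120, r"C:\Windows\SysWOW64\schtasks.exe",
         f'"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\ClBZCJCLlsf" /XML "{TASK_XML}"'),
    Proc(2392, REGSVCS, f'"{REGSVCS}"'),
]
REG_SETS = [RegSet(2392, REGSVCS, RUN_KEY, r"C:\Users\Admin\AppData\Roaming\boqXv\boqXv.exe")]
THREAD_CTX = [ThreadCtx(2040, SAMPLE, 2392, REGSVCS)]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# .NET framework binaries commonly used as hollowing hosts; assumed list.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs, reg_sets, thread_ctx):
    """Return (rule, pid, detail) tuples. Matching uses the recorded image
    basename, so the SysWOW64/System32 mismatch in the report is harmless."""
    findings = []
    for p in procs:
        name = basename(p.image)
        if name == "powershell.exe":
            m = re.search(r'Add-MpPreference\s+-Exclusion\w*\s+"?([^"]+)"?', p.cmdline, re.I)
            if m:
                path = m.group(1)
                findings.append(("defender_exclusion_added", p.pid, path))
                if USER_WRITABLE.search(path):
                    findings.append(("defender_exclusion_user_writable", p.pid, path))
        elif name == "schtasks.exe" and re.search(r"/create\b", p.cmdline, re.I):
            m = re.search(r'/XML\s+"?([^"]+)"?', p.cmdline, re.I)
            if m and re.search(r"\\Temp\\", m.group(1), re.I):
                findings.append(("schtasks_from_temp_xml", p.pid, m.group(1)))
    for r in reg_sets:
        if re.search(r"\\CurrentVersion\\Run\\", r.key, re.I):
            writer = basename(r.image)
            if writer in DOTNET_HOSTS or USER_WRITABLE.search(r.image):
                findings.append(("run_key_by_suspicious_writer", r.pid, f"{writer} -> {r.data}"))
    for t in thread_ctx:
        if USER_WRITABLE.search(t.src_image) and basename(t.dst_image) in DOTNET_HOSTS:
            findings.append(("setthreadcontext_into_dotnet_host", t.src_pid,
                             f"pid {t.dst_pid} {basename(t.dst_image)}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCS, REG_SETS, THREAD_CTX):
        print(f"{rule:36} pid={pid} {detail}")
```

Run against the constructed events, the script reports both exclusions (both under a user-writable path), the task created from the Temp XML, the Run key written by RegSvcs.exe, and the SetThreadContext from the sample into RegSvcs.exe. The second exclusion path, ClBZCJCLlsf.exe under Roaming, never appears in the Files section, so the exclusion was added for a file the loader had not yet written; an exclusion for a path that does not exist is itself worth alerting on.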
Network
Files
memory/2040-0-0x000000007492E000-0x000000007492F000-memory.dmp
memory/2040-1-0x0000000000FA0000-0x0000000001058000-memory.dmp
memory/2040-2-0x0000000074920000-0x000000007500E000-memory.dmp
memory/2040-3-0x0000000000410000-0x0000000000430000-memory.dmp
memory/2040-4-0x0000000000450000-0x0000000000460000-memory.dmp
memory/2040-5-0x00000000004A0000-0x00000000004B6000-memory.dmp
memory/2040-6-0x0000000005230000-0x00000000052B4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp
| MD5 | 8dc1a1bd72d86709333f810f4f37e95c |
| SHA1 | d53d43a0535beb5cba8ba9b70c072e7029b2fb55 |
| SHA256 | 67f99432463b533067b71fde430f30aedff1649592621a7024f3cadfe7346f57 |
| SHA512 | d3a359565d42a0821cffba882a80206a79c939fa9dca3d01619fece64ae39eb2ee75a5304477e189dddd09b9b345e286ab85ef8e4434c92b21f3974569d7f45a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\68FAN50BDL2CXVD7FVIM.temp
| MD5 | 54dbf2b7bfa0d8445c0ed04dcbd2e1cf |
| SHA1 | 4c74ae88ba7640cac8a7583496f18cbbf4978369 |
| SHA256 | 4e1cf062cd828af4367aa130e1235cdef7cf657be2e29ff1fdf63f08989e4045 |
| SHA512 | 983451675644561af3191bde7789189b36dcd7b09f052a64439f15670ecb33df085d30aeefa27bba625588ecb92556cdd1adbd7c615e0d0d7409c1d1f9e04c87 |
memory/2392-25-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2392-19-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2392-21-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2392-30-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2392-29-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2392-28-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2392-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2392-23-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2040-31-0x0000000074920000-0x000000007500E000-memory.dmp
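The dump names above encode the PID, a sequence number and the region bounds. For the injection target (PID 2392, from the SetThreadContext signature) the region 0x400000-0x442000 was dumped seven times, which is where the written-in payload would sit if the loader hollowed RegSvcs.exe at the default image base; the one-page region at 0x7EFDE000 is too small to hold a PE. The following is an added example, not sandbox code, that parses the list and ranks the target's regions so an analyst knows which dump to carve first; the ranking heuristic (default base, then number of re-dumps, then size) is the editor's assumption.

```python
"""Pick the memory dump most likely to hold the unpacked payload.

Added example for this page, not sandbox code. DUMPS is the Files list from
the behavioral1 run as written on the page; the target PID comes from the
"PID 2040 set thread context of 2392" signature. The ranking heuristic is
the editor's assumption.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

DUMPS = [
    "memory/2040-0-0x000000007492E000-0x000000007492F000-memory.dmp",
    "memory/2040-1-0x0000000000FA0000-0x0000000001058000-memory.dmp",
    "memory/2040-2-0x0000000074920000-0x000000007500E000-memory.dmp",
    "memory/2040-3-0x0000000000410000-0x0000000000430000-memory.dmp",
    "memory/2040-4-0x0000000000450000-0x0000000000460000-memory.dmp",
    "memory/2040-5-0x00000000004A0000-0x00000000004B6000-memory.dmp",
    "memory/2040-6-0x0000000005230000-0x00000000052B4000-memory.dmp",
    "memory/2392-25-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2392-19-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2392-21-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2392-30-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2392-29-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2392-28-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2392-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp",
    "memory/2392-23-0x0000000000400000-0x0000000000442000-memory.dmp",
    "memory/2040-31-0x0000000074920000-0x000000007500E000-memory.dmp",
]


def parse_dump(name):
    """'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' -> (pid, seq, start, end)."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def regions(names):
    """Group dumps by (pid, start, end) -> list of (seq, name), oldest first."""
    out = defaultdict(list)
    for n in names:
        pid, seq, start, end = parse_dump(n)
        out[(pid, start, end)].append((seq, n))
    for v in out.values():
        v.sort()
    return out


def payload_candidates(names, target_pid, min_size=0x2000):
    """Regions of the injection target, best first: at the default 0x400000
    image base, then most re-dumps, then largest. Regions below min_size
    (a single page by default) cannot hold a PE and are skipped. The latest
    dump of the winning region is the one to carve the payload from."""
    cands = []
    for (pid, start, end), seqs in regions(names).items():
        size = end - start
        if pid != target_pid or size < min_size:
            continue
        cands.append({
            "start": start, "size": size, "dumps": len(seqs),
            "latest": seqs[-1][1],
            "at_default_base": start == 0x400000,
        })
    cands.sort(key=lambda c: (c["at_default_base"], c["dumps"], c["size"]), reverse=True)
    return cands


if __name__ == "__main__":
    for c in payload_candidates(DUMPS, 2392):
        print(f"0x{c['start']:08X} size=0x{c['size']:X} dumps={c['dumps']} latest={c['latest']}")
```

For PID 2392 the only candidate is the 0x42000-byte region at 0x400000, with memory/2392-30 as the latest snapshot. Whether that snapshot is a clean PE, or needs its section headers realigned because it was dumped from memory rather than from disk, has to be checked on the dump itself; the report does not say.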
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-15 10:36
Reported
2024-05-15 10:39
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5096 set thread context of 4004 | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe
"C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3cf1272bbb24cd63faf26b69ab0eaeec8ce789a9e59030cfa79e40150d8ae286.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ClBZCJCLlsf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ClBZCJCLlsf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
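Ten of the eleven rows above are reverse-DNS (in-addr.arpa) queries to 8.8.8.8, not connections to the addresses they name; the only direct connection recorded is TCP 443 to www.bing.com, and the behavioral1 run on Windows 7 logged no network activity at all. Neither run therefore captured a command-and-control or exfiltration destination for this sample, so the Network table cannot supply network IOCs here. The following is an added example, not sandbox code, that decodes the PTR names back to dotted addresses, separates them from direct connections, and flags any connection that is not on an allowlist; ROWS is the table above, and treating www.bing.com as background traffic of this Windows 10 image is an assumption the analyst has to confirm for their own sandbox profile.

```python
"""Split the behavioral2 Network table into reverse-DNS lookups and direct
connections, then flag destinations that are not on an allowlist.

Added example for this page, not sandbox code. ROWS is copied from the
Network table; the allowlist (www.bing.com as Windows 10 background traffic
in this image) is an assumption.
"""
import re

ROWS = [
    ("US", "8.8.8.8:53", "79.190.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "140.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("BE", "88.221.83.187:443", "www.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "187.83.221.88.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "56.126.166.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "17.143.109.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "77.190.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "13.227.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "6.173.189.20.in-addr.arpa", "udp"),
]

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")
ASSUMED_BACKGROUND = {"www.bing.com"}  # assumption for this Windows 10 image


def ptr_to_ip(name):
    """'79.190.18.2.in-addr.arpa' -> '2.18.190.79'; None if not a PTR name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def triage(rows, allowlist=ASSUMED_BACKGROUND, resolver="8.8.8.8:53"):
    """Return PTR lookups, direct connections, connections not on the
    allowlist, and addresses that were reverse-resolved but never appear
    as a direct destination row."""
    resolver_ip = resolver.rsplit(":", 1)[0]
    ptr, conns = {}, []
    for country, dst, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if ip and dst == resolver and proto == "udp":
            ptr[domain] = ip          # a lookup about ip, not traffic to it
        else:
            conns.append((country, dst, domain, proto))
    conn_ips = {dst.rsplit(":", 1)[0] for _, dst, _, _ in conns}
    resolved_without_connection = sorted(
        (ip for ip in set(ptr.values()) if ip not in conn_ips and ip != resolver_ip),
        key=_ip_key)
    suspects = [c for c in conns if c[2] not in allowlist]
    return {
        "ptr": ptr,
        "connections": conns,
        "suspects": suspects,
        "resolved_without_connection": resolved_without_connection,
    }


if __name__ == "__main__":
    r = triage(ROWS)
    print("direct connections:", r["connections"])
    print("not on allowlist:", r["suspects"])
    print("reverse-resolved only:", r["resolved_without_connection"])
```

With the allowlist in place the suspect list is empty. The eight addresses that were reverse-resolved but have no connection row (2.18.190.77, 2.18.190.79, 20.12.23.50 and so on) should be compared against a capture of the same sandbox image with a benign sample before any of them is treated as an indicator; the report alone does not say whether the guest contacted them or only looked them up.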
Files
memory/5096-0-0x000000007465E000-0x000000007465F000-memory.dmp
memory/5096-1-0x0000000000B10000-0x0000000000BC8000-memory.dmp
memory/5096-2-0x0000000005BD0000-0x0000000006174000-memory.dmp
memory/5096-3-0x0000000005620000-0x00000000056B2000-memory.dmp
memory/5096-4-0x00000000055E0000-0x00000000055EA000-memory.dmp
memory/5096-6-0x0000000005850000-0x00000000058EC000-memory.dmp
memory/5096-5-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/5096-7-0x00000000069F0000-0x0000000006A10000-memory.dmp
memory/5096-8-0x0000000006A30000-0x0000000006A40000-memory.dmp
memory/5096-9-0x0000000006A40000-0x0000000006A56000-memory.dmp
memory/5096-10-0x0000000007100000-0x0000000007184000-memory.dmp
memory/4052-15-0x0000000002C40000-0x0000000002C76000-memory.dmp
memory/4052-17-0x0000000005740000-0x0000000005D68000-memory.dmp
memory/4052-16-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/4052-18-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/4052-19-0x0000000074650000-0x0000000074E00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp
| MD5 | 6dae49276286b3bf1a4eb0f559ce317a |
| SHA1 | ff1fee9349b4eefb1ecb6ae4239dc567818abe7c |
| SHA256 | d230ffeb0f9401a285a7b61f14553337063aca1a22a23bacac9b2cd534068e2a |
| SHA512 | 647b6405e368e5e6f17810cc4fd1a3bc2a1795402f8eb3fe923ed8b6b8a79edbbfb0393280a0cd34d86a2b558cc8fd10d666358958848dece714cddf3f02a950 |
memory/4796-21-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/4796-22-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/5096-23-0x000000007465E000-0x000000007465F000-memory.dmp
memory/4796-27-0x0000000005420000-0x0000000005486000-memory.dmp
memory/4796-26-0x0000000004C80000-0x0000000004CE6000-memory.dmp
memory/4004-28-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gso24qbg.5jp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4052-30-0x0000000005F60000-0x00000000062B4000-memory.dmp
memory/5096-41-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/5096-29-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/4796-25-0x0000000004BE0000-0x0000000004C02000-memory.dmp
memory/4796-24-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/4052-51-0x0000000006510000-0x000000000652E000-memory.dmp
memory/4052-52-0x0000000006540000-0x000000000658C000-memory.dmp
memory/4796-54-0x0000000070D20000-0x0000000070D6C000-memory.dmp
memory/4796-66-0x0000000006C60000-0x0000000006D03000-memory.dmp
memory/4052-65-0x0000000070D20000-0x0000000070D6C000-memory.dmp
memory/4796-64-0x0000000006BF0000-0x0000000006C0E000-memory.dmp
memory/4796-53-0x0000000006C10000-0x0000000006C42000-memory.dmp
memory/4052-76-0x0000000007E80000-0x00000000084FA000-memory.dmp
memory/4796-77-0x0000000006FC0000-0x0000000006FDA000-memory.dmp
memory/4052-78-0x00000000078B0000-0x00000000078BA000-memory.dmp
memory/4052-79-0x0000000007AC0000-0x0000000007B56000-memory.dmp
memory/4052-80-0x0000000007A40000-0x0000000007A51000-memory.dmp
memory/4052-82-0x0000000007A70000-0x0000000007A7E000-memory.dmp
memory/4052-83-0x0000000007A80000-0x0000000007A94000-memory.dmp
memory/4052-84-0x0000000007B80000-0x0000000007B9A000-memory.dmp
memory/4796-85-0x00000000072E0000-0x00000000072E8000-memory.dmp
memory/4052-89-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/4796-88-0x0000000074650000-0x0000000074E00000-memory.dmp
memory/4004-90-0x0000000006110000-0x0000000006160000-memory.dmp