Analysis Overview
SHA256
431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee
Threat Level: Known bad
The file 431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Checks computer location settings
Reads data files stored by FTP clients
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-21 01:49
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 01:49
Reported
2024-05-21 01:52
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
118s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1424 set thread context of 2488 | N/A | C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe | C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe
"C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qDfIBEcYE.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qDfIBEcYE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp16DE.tmp"
C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe
"C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | premium162.web-hosting.com | udp |
| US | 162.0.235.253:587 | premium162.web-hosting.com | tcp |
| US | 8.8.8.8:53 | 253.235.0.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp16DE.tmp
| MD5 | f0389c32545828d5fc081d54ed249919 |
| SHA1 | dcd9a82802f25031782c77ff5f2c3a6759831b4a |
| SHA256 | 5c7c320019f4ba505749c5e0ab1ca14bbae6c6712c2e572014a1eff46f08724c |
| SHA512 | 3714f596804e79c268baec0e38d02bb1aed2b2be9b800d509f90f168488ba8e69196d67c11af186ecc1369c78cba2f1f6c48b136a2af1f6e7a077edb815a2c5b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xbbals0.l24.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d913d428c05c6e110838d1d03eabd8de |
| SHA1 | f1d0f2bde80488df20d2dd477c292f81f9bf8979 |
| SHA256 | 323da5d5d9bad5326755aa68b647a9436e1149d227d9e9067409aeb245df1961 |
| SHA512 | a91ead2d73b31355b03740355e236abbdeea80b40ed2bca019ef2994814f9f65e62b324c2a3d0270a722167e658efb7ad761a423f9847f7ba8c1f41b988f4997 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 01:49
Reported
2024-05-21 01:52
Platform
win7-20240508-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2204 set thread context of 1356 | N/A | C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe | C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe
"C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qDfIBEcYE.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qDfIBEcYE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp"
C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe
"C:\Users\Admin\AppData\Local\Temp\431d88693bfa9779b1ee70c50c74ef961ae9a96d1fb50f6e2bc203a3bd2852ee.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpCDF9.tmp
| MD5 | 76b316a1aad2eac0dd8b412955c248ad |
| SHA1 | 191dd93ae43ee246d3e5374dfa6bf5bb685706c6 |
| SHA256 | ccc42319201a2491180ef0225b87be008bf28e19fffb731afb49f0e1622db1cf |
| SHA512 | 4b7bcf90099ca48e2e060dd46d3b401cd8536e25b34bce63a9613df4daaff19470d1cb57c6bc577559277688992175283b9ce6466b7b567a950e76e51b69a8f3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 4c2052a2acccf7db1171701e084e39d5 |
| SHA1 | de2bb547021fad9cb568dbb1817372a27a277a1b |
| SHA256 | 00b2dfbe8f4690d91b674c2772cf3754defe383f329b14a5d6922ab08575ba8b |
| SHA512 | d4b534d560fe002497707334d9eb96aec33c8f63b38b85ed4bc718b79569ae29c35198d01bed0309680e216dd69b4f4e84aa3f2f0585ab171c461f38424e887e |