Analysis Overview
SHA256
f894fa54f71bd0db52bdaf11c509a604e2247b36aec512d3456b96119e477d33
Threat Level: Known bad
The file Aluminium_Oxide00980000.pdf.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-21 03:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 03:46
Reported
2024-05-21 03:48
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
107s
Command Line
Signatures
AgentTesla
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plQRn12hj21nbv = "C:\\Users\\Admin\\AppData\\Roaming\\plQRn12hj21nbv\\plQRn12hj21nbv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2252 set thread context of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\Aluminium_Oxide00980000.pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Aluminium_Oxide00980000.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Aluminium_Oxide00980000.pdf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.brusln.com | udp |
| RO | 91.235.116.231:587 | mail.brusln.com | tcp |
| US | 8.8.8.8:53 | 231.116.235.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
memory/2252-0-0x00007FFD5B973000-0x00007FFD5B975000-memory.dmp
memory/2252-1-0x0000026AF7280000-0x0000026AF728A000-memory.dmp
memory/2252-2-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp
memory/2252-3-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp
memory/2252-4-0x0000026AF7D30000-0x0000026AF7DC6000-memory.dmp
memory/4836-5-0x0000000000400000-0x0000000000444000-memory.dmp
memory/4836-6-0x0000000074E6E000-0x0000000074E6F000-memory.dmp
memory/4836-7-0x0000000005700000-0x0000000005CA4000-memory.dmp
memory/4836-8-0x00000000052C0000-0x0000000005326000-memory.dmp
memory/4836-9-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/2252-10-0x00007FFD5B970000-0x00007FFD5C431000-memory.dmp
memory/4836-12-0x0000000006670000-0x00000000066C0000-memory.dmp
memory/4836-13-0x0000000006760000-0x00000000067FC000-memory.dmp
memory/4836-14-0x00000000068A0000-0x0000000006932000-memory.dmp
memory/4836-15-0x0000000006860000-0x000000000686A000-memory.dmp
memory/4836-16-0x0000000074E6E000-0x0000000074E6F000-memory.dmp
memory/4836-17-0x0000000074E60000-0x0000000075610000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 03:46
Reported
2024-05-21 03:48
Platform
win7-20240215-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
AgentTesla
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\plQRn12hj21nbv = "C:\\Users\\Admin\\AppData\\Roaming\\plQRn12hj21nbv\\plQRn12hj21nbv.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2320 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\Aluminium_Oxide00980000.pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Aluminium_Oxide00980000.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Aluminium_Oxide00980000.pdf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | mail.brusln.com | udp |
| RO | 91.235.116.231:587 | mail.brusln.com | tcp |
Files
memory/2320-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp
memory/2320-1-0x0000000000430000-0x000000000043A000-memory.dmp
memory/2320-2-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp
memory/2320-3-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp
memory/2320-4-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp
memory/2320-5-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp
memory/2320-6-0x0000000002180000-0x0000000002216000-memory.dmp
memory/2572-7-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2572-12-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2572-9-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2572-8-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2648-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2648-20-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2648-24-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2648-22-0x0000000000400000-0x0000000000444000-memory.dmp
memory/2648-26-0x0000000074A7E000-0x0000000074A7F000-memory.dmp
memory/2320-25-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp
memory/2648-27-0x0000000074A70000-0x000000007515E000-memory.dmp
memory/2648-29-0x0000000074A7E000-0x0000000074A7F000-memory.dmp
memory/2648-30-0x0000000074A70000-0x000000007515E000-memory.dmp