Analysis Overview
SHA256
491cc00851fdc3f1571385772b0c488901e3472b0f683a018ba9973c204d1faa
Threat Level: Known bad
The file 491cc00851fdc3f1571385772b0c488901e3472b0f683a018ba9973c204d1faa was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 01:21
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 01:21
Reported
2024-06-04 01:23
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
AgentTesla
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Apps = "C:\\Users\\Admin\\AppData\\Roaming\\Apps\\Apps.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1676 set thread context of 2324 | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe
"C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/1676-10-0x0000000000460000-0x0000000000464000-memory.dmp
memory/2324-11-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2324-15-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2324-14-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2324-16-0x000000007409E000-0x000000007409F000-memory.dmp
memory/2324-17-0x0000000074090000-0x000000007477E000-memory.dmp
memory/2324-20-0x000000007409E000-0x000000007409F000-memory.dmp
memory/2324-21-0x0000000074090000-0x000000007477E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 01:21
Reported
2024-06-04 01:23
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
AgentTesla
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Apps = "C:\\Users\\Admin\\AppData\\Roaming\\Apps\\Apps.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4464 set thread context of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4464 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4464 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4464 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 4464 wrote to memory of 3268 | N/A | C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe
"C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\KJL Group Order Invoice 06032432pdf.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
memory/4464-10-0x0000000001890000-0x0000000001894000-memory.dmp
memory/3268-11-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3268-12-0x000000007463E000-0x000000007463F000-memory.dmp
memory/3268-13-0x0000000005DB0000-0x0000000006354000-memory.dmp
memory/3268-14-0x0000000005900000-0x0000000005966000-memory.dmp
memory/3268-15-0x0000000074630000-0x0000000074DE0000-memory.dmp
memory/3268-18-0x0000000006C50000-0x0000000006CA0000-memory.dmp
memory/3268-19-0x0000000006D40000-0x0000000006DD2000-memory.dmp
memory/3268-20-0x0000000006CE0000-0x0000000006CEA000-memory.dmp
memory/3268-21-0x000000007463E000-0x000000007463F000-memory.dmp
memory/3268-22-0x0000000074630000-0x0000000074DE0000-memory.dmp