Analysis Overview
SHA256
8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186
Threat Level: Known bad
The file 8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Command and Scripting Interpreter: PowerShell
Reads WinSCP keys stored on the system
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 01:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 01:38
Reported
2024-06-12 01:40
Platform
win7-20240508-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2284 set thread context of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe | C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe
"C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nsVJycmpjslUz.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nsVJycmpjslUz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F80.tmp"
C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe
"C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"
Network
Files
memory/2284-0-0x00000000742DE000-0x00000000742DF000-memory.dmp
memory/2284-1-0x0000000000B10000-0x0000000000BC6000-memory.dmp
memory/2284-2-0x00000000742D0000-0x00000000749BE000-memory.dmp
memory/2284-3-0x0000000000A70000-0x0000000000A92000-memory.dmp
memory/2284-4-0x0000000000740000-0x0000000000750000-memory.dmp
memory/2284-5-0x0000000004E00000-0x0000000004E82000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DI5ZDK21JXCIMPCHQJ7L.temp
| MD5 | 7c5315d407c4d7122f9426f29c94f6a2 |
| SHA1 | a5355eb128ec520ae4b96a3dc9b03770b5668c6c |
| SHA256 | 661e45282867eb21efc9d8b99ff2060d182030098a418e7750c3b9ce70ee2f8f |
| SHA512 | dc10bb967d1b048d3163f83b18453d95cb68761cb1d432f7f9b14d3a1c2d5f71609b06c1ec0ba7408380092061b54353736588b1d3286513ae44e48e6bf0d142 |
C:\Users\Admin\AppData\Local\Temp\tmp3F80.tmp
| MD5 | 272687b57c8938211ea5e6c8378484fa |
| SHA1 | a37cfaeab031865ca30b89acede155b3d2295806 |
| SHA256 | 6919ebe25a12192042ce7309b7c8a56becf2c719f1b5694d0dba0af7a3c65fb4 |
| SHA512 | 2f70e73774d3b031c2c79900713b4a5ae6f4f53feff16ee56add77f3123fb111462d3b177d2a656e25ed6419e32fd22ef122f843f1d3352dcd9d23427d79b9d4 |
memory/2608-18-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2608-24-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2608-22-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2608-29-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2608-28-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2608-27-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2608-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2608-20-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2284-30-0x00000000742D0000-0x00000000749BE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 01:38
Reported
2024-06-12 01:40
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3780 set thread context of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe | C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe
"C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nsVJycmpjslUz.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nsVJycmpjslUz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21CB.tmp"
C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe
"C:\Users\Admin\AppData\Local\Temp\8fa8baa69a115618025f4e426dca60191ba592af3ef3762a9dd711d0ae6b2186.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | smtp.mail.ru | udp |
Files
memory/3780-0-0x000000007467E000-0x000000007467F000-memory.dmp
memory/3780-1-0x0000000000FC0000-0x0000000001076000-memory.dmp
memory/3780-2-0x0000000005FE0000-0x0000000006584000-memory.dmp
memory/3780-3-0x0000000005940000-0x00000000059D2000-memory.dmp
memory/3780-4-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/3780-5-0x0000000005930000-0x000000000593A000-memory.dmp
memory/3780-6-0x0000000005D00000-0x0000000005D22000-memory.dmp
memory/3780-7-0x0000000005BD0000-0x0000000005BE0000-memory.dmp
memory/3780-8-0x0000000006E40000-0x0000000006EC2000-memory.dmp
memory/3780-9-0x0000000008550000-0x00000000085EC000-memory.dmp
memory/5104-14-0x0000000002F80000-0x0000000002FB6000-memory.dmp
memory/5104-15-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/5104-16-0x00000000059E0000-0x0000000006008000-memory.dmp
memory/5104-17-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/3244-18-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/5104-19-0x0000000074670000-0x0000000074E20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp21CB.tmp
| MD5 | 63e241fd81fe33e85c491a8a7edbc60f |
| SHA1 | 36b8ae81b0d4efa294d3b44a58fde29d62878227 |
| SHA256 | aa7bec0cc99387f0a95da99e00f440826805547cabfe0e362d77c17102871553 |
| SHA512 | 0cd0a37eecc50bf6ba4ac7f3035aeb4346b310b7fc2a4c65f37d7efd61ec657bd7aaeec313b49280e45fd4b3191e19cbca92753e54b5c862f0d213f6110935ea |
memory/3244-24-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/5104-22-0x0000000006130000-0x0000000006196000-memory.dmp
memory/3244-44-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/5104-43-0x00000000062A0000-0x00000000065F4000-memory.dmp
memory/4408-45-0x0000000000400000-0x0000000000440000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lzyd0av1.kc5.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5104-21-0x0000000006010000-0x0000000006076000-memory.dmp
memory/5104-20-0x00000000058F0000-0x0000000005912000-memory.dmp
memory/3780-48-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/5104-49-0x0000000006D10000-0x0000000006D5C000-memory.dmp
memory/5104-47-0x00000000068B0000-0x00000000068CE000-memory.dmp
memory/5104-50-0x0000000006E70000-0x0000000006EA2000-memory.dmp
memory/5104-51-0x0000000074F20000-0x0000000074F6C000-memory.dmp
memory/5104-61-0x0000000007860000-0x000000000787E000-memory.dmp
memory/3244-63-0x0000000074F20000-0x0000000074F6C000-memory.dmp
memory/5104-62-0x0000000007890000-0x0000000007933000-memory.dmp
memory/5104-74-0x0000000007BD0000-0x0000000007BEA000-memory.dmp
memory/3244-73-0x0000000007D70000-0x00000000083EA000-memory.dmp
memory/5104-75-0x0000000007C40000-0x0000000007C4A000-memory.dmp
memory/5104-76-0x0000000007E50000-0x0000000007EE6000-memory.dmp
memory/3244-77-0x0000000007920000-0x0000000007931000-memory.dmp
memory/5104-78-0x0000000007E00000-0x0000000007E0E000-memory.dmp
memory/5104-79-0x0000000007E10000-0x0000000007E24000-memory.dmp
memory/5104-80-0x0000000007F10000-0x0000000007F2A000-memory.dmp
memory/5104-81-0x0000000007EF0000-0x0000000007EF8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/5104-87-0x0000000074670000-0x0000000074E20000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 39f0a887929792c946908657a6c02691 |
| SHA1 | 9b1272b5e5c702df9100da2e9b861b6fc916dfce |
| SHA256 | f09e5f5086163530c516d5b2513c798c6008600136582325af58809a0fa174a8 |
| SHA512 | 833d2407649b302f21d3df4d9a31e868ec6cc7043790f4427cce423fc928ee79bdae6e6c7740df58e761bf0875e0ac4259f7b935645b4e48c7001628e9228a84 |
memory/3244-88-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/4408-89-0x00000000066E0000-0x0000000006730000-memory.dmp