Analysis Overview
SHA256
3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2
Threat Level: Known bad
The file 3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Command and Scripting Interpreter: PowerShell
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Checks computer location settings
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-12 02:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 02:07
Reported
2024-06-12 02:10
Platform
win10v2004-20240611-en
Max time kernel
120s
Max time network
130s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 464 set thread context of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe | C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe
"C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NIOBaU.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NIOBaU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp56AB.tmp"
C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe
"C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.commtechtrading.com | udp |
| US | 173.236.63.6:587 | mail.commtechtrading.com | tcp |
| US | 8.8.8.8:53 | 6.63.236.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qmtviny3.q14.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\tmp56AB.tmp
| MD5 | 1090998018d59525dca6ab4153ba06a3 |
| SHA1 | 88977e2ef0fa7c03b39862a2087eeb50c87ff710 |
| SHA256 | b95e8818ac672b7294e43df228d7719074367e7c35860f3e700b2ac0af7c222d |
| SHA512 | b99eddf3b5472e68f436077af6cf855d441bf21bed20155f25df56ee8df46168ba992f582618f235ed2291f73b45de2ff4e435220a155a79bd2e07dd038b88bc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a1fe0f27bd873f1f7317b724444483ea |
| SHA1 | e29fd62b19ad8c35eca655c42e436904fcfd13d1 |
| SHA256 | b1e0f6a3ff5654f180985f85c3c86ccabe7015537903d846833ea52089263150 |
| SHA512 | 4e483208e41996da848e624426fbe1f015882b51f182b03d6fd2c4483f58a927bfd0c0a8a241203d7b4dd1c0261832de064f6a9fb84f8852f1676e8351a2cd18 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 02:07
Reported
2024-06-12 02:10
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1732 set thread context of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe | C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe
"C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NIOBaU.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NIOBaU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp"
C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe
"C:\Users\Admin\AppData\Local\Temp\3c6d4b1f44029528b67277bee75b7936c38481dcdcef4d4f383e7b467d017cc2.exe"
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RNY90GBK4OQREEQTWHWD.temp
| MD5 | f058470de1ce0efaaaa554a19b625bb3 |
| SHA1 | 71356cebf192ed1a59e52b16edb906b1a66ac0f8 |
| SHA256 | ab79efdceb0327c29277b5a41a1957d84e54a144d598b6b227236a15f05e15fc |
| SHA512 | ba0a39f17505fcdea689e041d1c4baac59a5d94388895e35e614afd1f22a5b2096bc60ebd0b4a43f67b53132881776a5fe6045b5dc0c679df1df5f53c60ec4c4 |
C:\Users\Admin\AppData\Local\Temp\tmp3BE8.tmp
| MD5 | c8f60acdb840d2df4f147e48c1b89a57 |
| SHA1 | fdc923b7ef0df931e301f19956127a53c2f0451d |
| SHA256 | 330bc6e064c106f44f8b5fcfbbe171bea76af75ad2bf7a0badcc46c535ead043 |
| SHA512 | f91d3bb7b3c3581382d9d47d777ecca8481330acbd8eb3f01755cb8fd1413d1613f15c634296d3a4383a474c4f27e9d5b9bd5bef9279d8d303d0ba65e47ba07b |