Analysis Overview
SHA256
631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522
Threat Level: Known bad
The file Purchase order (2).exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Loads dropped DLL
Drops startup file
Executes dropped EXE
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-18 07:22
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 07:22
Reported
2024-06-18 07:25
Platform
win7-20240419-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
AgentTesla
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2092 set thread context of 2616 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
Network
Files
memory/2276-10-0x00000000001A0000-0x00000000001A4000-memory.dmp
\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 968e02a095413348de99f2044213505a |
| SHA1 | 1c181d224fb48a7351370c525bbff9cca0380200 |
| SHA256 | 631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522 |
| SHA512 | fca992251073d992f93ef5da97b048d9e2fb8473fc0306d9e735e52a7ee852b4f1547acdb576ea26b85cdc623aed8807295095da18a211f747f637b33e25bd77 |
C:\Users\Admin\AppData\Local\Temp\tapestring
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\holloing
| MD5 | 37d004d0812c87ff4ac152c4fbb44eb5 |
| SHA1 | 624baa6221603385ef086689b18ba3e7fcf87511 |
| SHA256 | 808c22e2a18e0e47b3e02edb6659cfbad7c842e3152a812f7504fe3af9ce5551 |
| SHA512 | 6905f9d1245d2b2b7c30e32763890fa3fb06acbb1d1a6fb5d70fc597c02754c3f9c3ec979ba5b2ecb333fe7b1b65cd9725f69d98ac52474b894bafb5aadc796e |
memory/2616-30-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2616-34-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2616-33-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2616-35-0x0000000073C5E000-0x0000000073C5F000-memory.dmp
memory/2616-36-0x0000000073C50000-0x000000007433E000-memory.dmp
memory/2616-37-0x0000000073C5E000-0x0000000073C5F000-memory.dmp
memory/2616-38-0x0000000073C50000-0x000000007433E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 07:22
Reported
2024-06-18 07:25
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
51s
Command Line
Signatures
AgentTesla
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4928 set thread context of 4088 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
Network
Files
memory/2968-10-0x0000000000C60000-0x0000000000C64000-memory.dmp
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 968e02a095413348de99f2044213505a |
| SHA1 | 1c181d224fb48a7351370c525bbff9cca0380200 |
| SHA256 | 631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522 |
| SHA512 | fca992251073d992f93ef5da97b048d9e2fb8473fc0306d9e735e52a7ee852b4f1547acdb576ea26b85cdc623aed8807295095da18a211f747f637b33e25bd77 |
C:\Users\Admin\AppData\Local\Temp\tapestring
| MD5 | 8b20cb2646439c7f18e57136aae5bac3 |
| SHA1 | fa9f00c44d1b7d3208d276ef901dd4b2be492182 |
| SHA256 | 34ab7d1ee752ed88d892b69a21a38ec0ad54362a0349c9a19fdac6f4bf373615 |
| SHA512 | 6a0edf66b072153d0758201067c84c31151942f773997c07403cee4dc9f0548d5db0c133db2f2bf80c0140012a385b80efcaacd14ab3f36b94e31b65e6bc772e |
C:\Users\Admin\AppData\Local\Temp\holloing
| MD5 | 37d004d0812c87ff4ac152c4fbb44eb5 |
| SHA1 | 624baa6221603385ef086689b18ba3e7fcf87511 |
| SHA256 | 808c22e2a18e0e47b3e02edb6659cfbad7c842e3152a812f7504fe3af9ce5551 |
| SHA512 | 6905f9d1245d2b2b7c30e32763890fa3fb06acbb1d1a6fb5d70fc597c02754c3f9c3ec979ba5b2ecb333fe7b1b65cd9725f69d98ac52474b894bafb5aadc796e |
memory/4088-28-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4088-29-0x0000000074C9E000-0x0000000074C9F000-memory.dmp
memory/4088-30-0x0000000005B30000-0x00000000060D4000-memory.dmp
memory/4088-31-0x00000000054B0000-0x0000000005516000-memory.dmp
memory/4088-32-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/4088-33-0x0000000006390000-0x00000000063E0000-memory.dmp
memory/4088-34-0x0000000006480000-0x0000000006512000-memory.dmp
memory/4088-35-0x0000000006420000-0x000000000642A000-memory.dmp
memory/4088-36-0x0000000074C9E000-0x0000000074C9F000-memory.dmp
memory/4088-37-0x0000000074C90000-0x0000000075440000-memory.dmp