Analysis Overview
SHA256
631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522
Threat Level: Known bad
The file Purchase order (2).exe was classified as Known bad (family match: AgentTesla).
Malicious Activity Summary
AgentTesla
Drops startup file
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Program crash
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-18 07:28
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 07:28
Reported
2024-06-18 07:30
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
AgentTesla
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2428 set thread context of 2668 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\directory\name.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 320
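The signature tables above only list API calls one at a time. Read together with the process list they describe one chain: the dropper copies itself to AppData\Local\directory\name.exe, name.exe (PID 2428) writes a .vbs into the Startup folder, then uses SetThreadContext, WriteProcessMemory and MapViewOfSection against RegSvcs.exe (PID 2668), a signed .NET utility whose command line here is the dropper's path rather than its own. The WerFault line `-p 2428` shows the crash reporter was invoked for the injector, not for the hollowed host. The script below is an added example, not part of the sandbox report or of any vendor's detection logic; it correlates those observations into findings. The event dictionaries are constructed by hand from behavioral1 (the same logic applies to behavioral2 with PIDs 3432/4560); PID 3008 for the first stage is taken from its memory-dump name, and the WerFault PID (1800) and the target PIDs for WriteProcessMemory/MapViewOfSection are assumptions, since the report lists those two signatures without a target column.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str


USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
TRUSTED_HOST = re.compile(r"^[a-z]:\\windows\\(microsoft\.net|system32|syswow64)\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
AUTORUN_EXT = (".vbs", ".js", ".wsf", ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".exe")
INJECTION_APIS = {"SetThreadContext", "WriteProcessMemory", "MapViewOfSection"}
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)")


def image_from_cmdline(cmdline):
    """First token of a Windows command line, quoted or not."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def hollowing_findings(procs, api_events):
    """Group injection APIs per (source, target) and flag user-writable -> trusted-host pairs."""
    by_pid = {p.pid: p for p in procs}
    seen = {}
    for ev in api_events:
        if ev["api"] in INJECTION_APIS and ev.get("target_pid") is not None:
            seen.setdefault((ev["pid"], ev["target_pid"]), set()).add(ev["api"])
    out = []
    for (s, d), apis in seen.items():
        src, dst = by_pid.get(s), by_pid.get(d)
        if not (src and dst and USER_WRITABLE.match(src.image) and TRUSTED_HOST.match(dst.image)):
            continue
        out.append({
            "rule": "injection_into_trusted_host", "src": s, "dst": d, "apis": sorted(apis),
            # SetThreadContext plus WriteProcessMemory on the same target is the hollowing core.
            "confidence": "high" if {"SetThreadContext", "WriteProcessMemory"} <= apis else "medium",
            # A hollowed host keeps the command line the injector gave it; here it names the dropper.
            "cmdline_mismatch": image_from_cmdline(dst.cmdline).lower() != dst.image.lower(),
        })
    return out


def startup_findings(procs, file_events):
    """Autorun-capable files created in a per-user Startup folder, with the writer's trust level."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for ev in file_events:
        path = ev["path"]
        if ev["op"] != "create" or not STARTUP_DIR.search(path) or not path.lower().endswith(AUTORUN_EXT):
            continue
        w = by_pid.get(ev["pid"])
        out.append({"rule": "startup_folder_persistence", "path": path, "writer": w.image if w else None,
                    "writer_untrusted": bool(w and USER_WRITABLE.match(w.image))})
    return out


def crashed_pid(werfault_cmdline):
    """PID named by WerFault's -p switch, i.e. the process that actually crashed."""
    m = WERFAULT_PID.search(werfault_cmdline)
    return int(m.group(1)) if m else None


def triage(procs, api_events, file_events):
    inj = hollowing_findings(procs, api_events)
    injectors = {f["src"] for f in inj}
    crashes = [crashed_pid(p.cmdline) for p in procs if p.image.lower().endswith("\\werfault.exe")]
    return {"injection": inj, "persistence": startup_findings(procs, file_events),
            "crashed_injector": next((c for c in crashes if c in injectors), None)}


# Constructed from behavioral1; see the lead-in for which PIDs and targets are assumed.
B1_PROCS = [
    Proc(3008, r"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"'),
    Proc(2428, r"C:\Users\Admin\AppData\Local\directory\name.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"'),
    Proc(2668, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"'),
    Proc(1800, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 320"),
]
B1_API = [
    {"pid": 2428, "api": "SetThreadContext", "target_pid": 2668},
    {"pid": 2428, "api": "WriteProcessMemory", "target_pid": 2668},   # target assumed
    {"pid": 2428, "api": "MapViewOfSection", "target_pid": 2668},     # target assumed
    {"pid": 2668, "api": "AdjustPrivilegeToken", "token": "SeDebugPrivilege"},
]
B1_FILES = [{"pid": 2428, "op": "create",
             "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"}]

if __name__ == "__main__":
    print(triage(B1_PROCS, B1_API, B1_FILES))
```

The command-line mismatch check is the cheapest of the three tells to apply at scale: a process whose image is a Framework utility but whose command line points into a user profile is worth a look even before API telemetry is available.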
Network
Files
memory/3008-10-0x0000000000260000-0x0000000000264000-memory.dmp
\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 968e02a095413348de99f2044213505a |
| SHA1 | 1c181d224fb48a7351370c525bbff9cca0380200 |
| SHA256 | 631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522 |
| SHA512 | fca992251073d992f93ef5da97b048d9e2fb8473fc0306d9e735e52a7ee852b4f1547acdb576ea26b85cdc623aed8807295095da18a211f747f637b33e25bd77 |
C:\Users\Admin\AppData\Local\Temp\tapestring
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2668-30-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2668-33-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2668-34-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2668-37-0x0000000073E1E000-0x0000000073E1F000-memory.dmp
memory/2668-41-0x0000000073E10000-0x00000000744FE000-memory.dmp
memory/2668-42-0x0000000073E1E000-0x0000000073E1F000-memory.dmp
memory/2668-43-0x0000000073E10000-0x00000000744FE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 07:28
Reported
2024-06-18 07:30
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
159s
Command Line
Signatures
AgentTesla
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3432 set thread context of 4560 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase order (2).exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3684 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
Network
No connection attributable to the sample was recorded in this run, and no exfiltration channel appears in the capture. The entries below are reverse (PTR) lookups plus chromewebstore.googleapis.com and pki.goog traffic, consistent with the msedge.exe process listed above rather than with the sample; they are not indicators for this file.
| Country | Destination | Domain / query name | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.187.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
Files
memory/4076-10-0x0000000000F40000-0x0000000000F44000-memory.dmp
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 968e02a095413348de99f2044213505a |
| SHA1 | 1c181d224fb48a7351370c525bbff9cca0380200 |
| SHA256 | 631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522 |
| SHA512 | fca992251073d992f93ef5da97b048d9e2fb8473fc0306d9e735e52a7ee852b4f1547acdb576ea26b85cdc623aed8807295095da18a211f747f637b33e25bd77 |
C:\Users\Admin\AppData\Local\Temp\tapestring
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/4560-28-0x0000000000400000-0x0000000000440000-memory.dmp
memory/4560-29-0x0000000074E3E000-0x0000000074E3F000-memory.dmp
memory/4560-30-0x00000000059A0000-0x0000000005F44000-memory.dmp
memory/4560-31-0x0000000074E30000-0x00000000755E0000-memory.dmp
memory/4560-32-0x0000000005560000-0x00000000055C6000-memory.dmp
memory/4560-33-0x00000000062A0000-0x00000000062F0000-memory.dmp
memory/4560-34-0x0000000006390000-0x0000000006422000-memory.dmp
memory/4560-35-0x0000000006340000-0x000000000634A000-memory.dmp
memory/4560-36-0x0000000074E3E000-0x0000000074E3F000-memory.dmp
memory/4560-37-0x0000000074E30000-0x00000000755E0000-memory.dmp
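Two facts in the Files sections of both runs are worth checking rather than eyeballing: the dropped name.exe carries exactly the SHA-256 of the submitted sample, so it is a self-copy and not a second-stage binary, and tapestring has the digests of a zero-byte file. The memory-dump names also encode PID and address range, and in each run the hollowed RegSvcs.exe PID has a 0x40000-byte region at 0x400000 dumped repeatedly. The script below is an added example, not part of the sandbox report or of any sandbox's own tooling; hashes and dump names are copied from the report, and the dump-name layout `memory/<pid>-<index>-<start>-<end>-memory.dmp` and the use of 0x400000 as a payload heuristic are assumptions.

```python
import hashlib
import re

# Values copied from the report's Files sections.
SAMPLE_SHA256 = "631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522"

DROPPED = {
    r"C:\Users\Admin\AppData\Local\directory\name.exe": {
        "md5": "968e02a095413348de99f2044213505a",
        "sha1": "1c181d224fb48a7351370c525bbff9cca0380200",
        "sha256": "631d62fd42b300f67847a6de30a21a7821abdc328491e0565f67bd1f879f9522",
        "sha512": "fca992251073d992f93ef5da97b048d9e2fb8473fc0306d9e735e52a7ee852b4f1547acdb576ea26b"
                  "85cdc623aed8807295095da18a211f747f637b33e25bd77",
    },
    r"C:\Users\Admin\AppData\Local\Temp\tapestring": {
        "md5": "d41d8cd98f00b204e9800998ecf8427e",
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff"
                  "8318d2877eec2f63b931bd47417a81a538327af927da3e",
    },
}

# Dump names from behavioral1 (PIDs 3008/2668) and behavioral2 (PIDs 4076/4560).
DUMPS = [
    "memory/3008-10-0x0000000000260000-0x0000000000264000-memory.dmp",
    "memory/2668-30-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2668-33-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2668-34-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/2668-37-0x0000000073E1E000-0x0000000073E1F000-memory.dmp",
    "memory/2668-41-0x0000000073E10000-0x00000000744FE000-memory.dmp",
    "memory/4076-10-0x0000000000F40000-0x0000000000F44000-memory.dmp",
    "memory/4560-28-0x0000000000400000-0x0000000000440000-memory.dmp",
    "memory/4560-30-0x00000000059A0000-0x0000000005F44000-memory.dmp",
    "memory/4560-31-0x0000000074E30000-0x00000000755E0000-memory.dmp",
]


def empty_file_digests():
    """Digests of zero bytes: the fingerprint of a file that was created but never written."""
    return {alg: hashlib.new(alg, b"").hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


def is_empty_file(digests):
    ref = empty_file_digests()
    return all(digests[a].lower() == ref[a] for a in digests)


def is_self_copy(digests, sample_sha256=SAMPLE_SHA256):
    """True when a dropped file is byte-identical to the submitted sample."""
    return digests["sha256"].lower() == sample_sha256.lower()


DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)


def parse_dump(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(name)
    pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "index": idx, "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """{pid: {(start, end): times the sandbox dumped that region}}."""
    out = {}
    for d in map(parse_dump, names):
        key = (d["start"], d["end"])
        out.setdefault(d["pid"], {})[key] = out.get(d["pid"], {}).get(key, 0) + 1
    return out


DEFAULT_IMAGE_BASE = 0x400000  # classic unrelocated 32-bit PE base (heuristic, see lead-in)


def payload_candidates(names):
    """Regions at 0x400000: with the SetThreadContext evidence, the first region to carve for the payload."""
    return sorted({(d["pid"], d["start"], d["end"]) for d in map(parse_dump, names)
                   if d["start"] == DEFAULT_IMAGE_BASE})


if __name__ == "__main__":
    for path, digests in DROPPED.items():
        print(path, "empty" if is_empty_file(digests) else "self-copy" if is_self_copy(digests) else "other")
    print(payload_candidates(DUMPS))
```

The 0x400000 heuristic is deliberately weak on its own: a 32-bit .NET host can legitimately load at that base, so it only becomes interesting once the injection signatures name the same PID, which is the case for 2668 and 4560 here.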