Analysis Overview
SHA256
0ec17a88232be3356c93b0b0eae5acf6a53332fe13e6881d627bea4f2963e6d6
Threat Level: Known bad
The file INVOICE PAYMENT_Scan0016.scr.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Looks up external IP address via web service
Suspicious use of SetThreadContext
Unsigned PE
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-18 13:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 13:38
Reported
2024-06-18 13:40
Platform
win7-20231129-en
Max time kernel
118s
Max time network
129s
Command Line
Signatures
AgentTesla
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2212 set thread context of 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data not preserved in this copy of the report] | C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data not preserved in this copy of the report] | C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data not preserved in this copy of the report] | C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 188.114.97.2:80 | filetransfer.io | tcp |
| US | 188.114.97.2:443 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| BE | 23.14.90.74:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | s25.filetransfer.io | udp |
| US | 104.21.13.139:443 | s25.filetransfer.io | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/2212-0-0x000000007498E000-0x000000007498F000-memory.dmp
memory/2212-1-0x0000000001300000-0x000000000138E000-memory.dmp
memory/2212-2-0x0000000074980000-0x000000007506E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar35C5.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 631a6633633574a048d2ecd02c957db6 |
| SHA1 | 30fbfce72cbcc9af288014b136e82d4dba8c0537 |
| SHA256 | 78d2a5cee2e4a071800f790ba12b58424d093949175528ea8ba7c5b105af1ff7 |
| SHA512 | 5341a4f4a331dddc857ca64d8af4f943095a42921673eb2f4653a03a2e90c7913b68a9c57202beeb874b7cfa934f03f2d928e5aa57a5a8c738022abc2ac46431 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f122f8217f67166620521848998f091c |
| SHA1 | d3b65475be2dcf4870808504629bf5bf6c273163 |
| SHA256 | 501e4f3ebe937fc2f1b212fdd138b349180d546c55d4f18ba434bbeb14a21e02 |
| SHA512 | a6106cbd044fa9ce0cd58d4c582f207bf3758c04857ea0e44bc3d4072319e8efdfc0a1d246b82a813b8af77fe33ff0e7c038147cd000d12289d5247d322edc5a |
memory/2212-113-0x0000000007F30000-0x0000000008160000-memory.dmp
memory/2212-115-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-121-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-125-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-119-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-129-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-127-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-123-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-117-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-114-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-131-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-133-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-159-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-135-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-137-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-141-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-145-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-149-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-147-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-143-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-139-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-151-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-153-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-155-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-157-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-177-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-175-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-173-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-171-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-169-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-167-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-165-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-163-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-161-0x0000000007F30000-0x000000000815A000-memory.dmp
memory/2212-5000-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2212-5001-0x0000000000E20000-0x0000000000E26000-memory.dmp
memory/2212-5003-0x0000000000F50000-0x0000000000F9C000-memory.dmp
memory/2212-5002-0x0000000005A70000-0x0000000005ADC000-memory.dmp
memory/2212-5004-0x000000007498E000-0x000000007498F000-memory.dmp
memory/2212-5005-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2212-5006-0x0000000074980000-0x000000007506E000-memory.dmp
memory/2212-5007-0x0000000005700000-0x0000000005754000-memory.dmp
memory/3444-5023-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2212-5024-0x0000000074980000-0x000000007506E000-memory.dmp
memory/3444-5025-0x0000000074980000-0x000000007506E000-memory.dmp
memory/3444-5026-0x0000000074980000-0x000000007506E000-memory.dmp
memory/3444-5027-0x0000000074980000-0x000000007506E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 13:38
Reported
2024-06-18 13:40
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
AgentTesla
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1596 set thread context of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE PAYMENT_Scan0016.scr.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 104.21.13.139:80 | filetransfer.io | tcp |
| US | 104.21.13.139:443 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | s25.filetransfer.io | udp |
| US | 172.67.200.96:443 | s25.filetransfer.io | tcp |
| NL | 23.62.61.88:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 139.13.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.200.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
memory/1596-0-0x000000007484E000-0x000000007484F000-memory.dmp
memory/1596-1-0x0000000000650000-0x00000000006DE000-memory.dmp
memory/1596-2-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/1596-3-0x0000000007490000-0x00000000076C0000-memory.dmp
memory/1596-4-0x0000000007C70000-0x0000000008214000-memory.dmp
memory/1596-5-0x0000000007870000-0x0000000007902000-memory.dmp
memory/1596-7-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-6-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-17-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-47-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-57-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-51-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-49-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-45-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-43-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-41-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-39-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-37-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-35-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-31-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-29-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-27-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-33-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-25-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-21-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-19-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-15-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-13-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-11-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-9-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-23-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-70-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-67-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-65-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-63-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-61-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-59-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-55-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-53-0x0000000007490000-0x00000000076BA000-memory.dmp
memory/1596-4892-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/1596-4893-0x0000000005760000-0x0000000005766000-memory.dmp
memory/1596-4894-0x0000000005800000-0x000000000586C000-memory.dmp
memory/1596-4895-0x0000000005870000-0x00000000058BC000-memory.dmp
memory/1596-4896-0x0000000005990000-0x00000000059F6000-memory.dmp
memory/1596-4897-0x000000007484E000-0x000000007484F000-memory.dmp
memory/1596-4898-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/1596-4899-0x0000000000C10000-0x0000000000C64000-memory.dmp
memory/1596-4902-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/1540-4903-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/1540-4904-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1540-4905-0x0000000074840000-0x0000000074FF0000-memory.dmp
memory/1540-4906-0x0000000006280000-0x00000000062D0000-memory.dmp
memory/1540-4907-0x0000000006500000-0x000000000650A000-memory.dmp
memory/1540-4908-0x0000000074840000-0x0000000074FF0000-memory.dmp