Analysis Overview
SHA256
7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77
Threat Level: Known bad
The file 7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77 was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-19 02:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 02:31
Reported
2024-06-19 02:34
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe
"C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 02:31
Reported
2024-06-19 02:34
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe
"C:\Users\Admin\AppData\Local\Temp\7170d54327613cb15b03425df3ddca43055f7ba40366eb67e1643fd306074c77.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | mail.confidencegroup.co | udp |
Files