Analysis Overview
SHA256
a705803d36a853fea252b00451b392245ee4d66f9c830778d021cdefaf252136
Threat Level: Known bad
The file IMG_160750_311608.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Reads user/profile data of local email clients
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Gathers network information
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-19 15:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 15:11
Reported
2024-06-19 15:14
Platform
win7-20240611-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
AgentTesla
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IMG10.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IMG10.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IMG10.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\lojziw = "C:\\Users\\Admin\\AppData\\Roaming\\lojziw.exe" | C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IMG10.exe\" .." | C:\Users\Admin\AppData\Local\Temp\IMG10.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1556 set thread context of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe | C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe |
| PID 1960 set thread context of 3576 | N/A | C:\Users\Admin\AppData\Local\Temp\IMG10.exe | C:\Users\Admin\AppData\Local\Temp\IMG10.exe |
Enumerates physical storage devices
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IMG10.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IMG10.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
C:\Users\Admin\AppData\Local\Temp\IMG10.exe
"C:\Users\Admin\AppData\Local\Temp\IMG10.exe"
C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
C:\Users\Admin\AppData\Local\Temp\IMG10.exe
"C:\Users\Admin\AppData\Local\Temp\IMG10.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
Network
| Country | Destination | Domain | Proto |
| DE | 78.111.67.189:80 | 78.111.67.189 | tcp |
| DE | 78.111.67.189:80 | 78.111.67.189 | tcp |
| US | 8.8.8.8:53 | zqamcx.com | udp |
| GB | 78.110.166.82:587 | zqamcx.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\IMG10.exe
| MD5 | 83dea7a1bff3c0606fa9700b811feb81 |
| SHA1 | 3bef939c9d351ef4cb01b9fb115e8a75b32c643c |
| SHA256 | 5d6246c1a67038c308228bb3b07c59073af9ec393b8961f0df397622fe3d364d |
| SHA512 | 8883aac7cc117961a44c203c8e615a71b90da4e239b3bd03bbee925969ea43347b7a2f4f041c912bd71c350c44e8dcbb80688f732254f2f09ea1df957a62880a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 15:11
Reported
2024-06-19 15:14
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_160750_311608.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 78.111.67.189:80 | 78.111.67.189 | tcp |
| DE | 78.111.67.189:80 | 78.111.67.189 | tcp |
| DE | 78.111.67.189:80 | 78.111.67.189 | tcp |
| DE | 78.111.67.189:80 | 78.111.67.189 | tcp |
| DE | 78.111.67.189:80 | 78.111.67.189 | tcp |
| DE | 78.111.67.189:80 | 78.111.67.189 | tcp |
| DE | 78.111.67.189:80 | 78.111.67.189 | tcp |
| DE | 78.111.67.189:80 | 78.111.67.189 | tcp |
Files