Analysis Overview
SHA256
207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9
Threat Level: Known bad
The file 207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9 was found to be: Known bad.
Malicious Activity Summary
Agenttesla family
AgentTesla
Command and Scripting Interpreter: PowerShell
Reads user/profile data of local email clients
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 01:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 01:33
Reported
2024-11-10 01:35
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
150s
Command Line
Signatures
AgentTesla
Agenttesla family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2248 set thread context of 5116 | N/A | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe
"C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bqkYjAmCJyUE.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bqkYjAmCJyUE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp"
C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe
"C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.fosna.net | udp |
| US | 173.254.31.34:21 | ftp.fosna.net | tcp |
| US | 8.8.8.8:53 | 34.31.254.173.in-addr.arpa | udp |
| US | 173.254.31.34:31320 | ftp.fosna.net | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/2248-0-0x000000007483E000-0x000000007483F000-memory.dmp
memory/2248-1-0x0000000000B90000-0x0000000000C34000-memory.dmp
memory/2248-2-0x0000000005C10000-0x00000000061B4000-memory.dmp
memory/2248-3-0x0000000005660000-0x00000000056F2000-memory.dmp
memory/2248-4-0x0000000005620000-0x000000000562A000-memory.dmp
memory/2248-5-0x00000000058C0000-0x000000000595C000-memory.dmp
memory/2248-6-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/2248-7-0x0000000005BE0000-0x0000000005BF2000-memory.dmp
memory/2248-8-0x000000007483E000-0x000000007483F000-memory.dmp
memory/2248-9-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/2248-10-0x00000000074D0000-0x0000000007554000-memory.dmp
memory/4080-15-0x00000000025B0000-0x00000000025E6000-memory.dmp
memory/4080-17-0x0000000005010000-0x0000000005638000-memory.dmp
memory/4080-16-0x0000000074830000-0x0000000074FE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE2BF.tmp
| MD5 | 86d942e6c43bf77d7b0669d164faaa2c |
| SHA1 | 16a3a5f0fbb9afdfe98c57d120da5afbc2328f0c |
| SHA256 | 070f04785b38a7a7ffaef1b407d38b042580728e3a82a6c9eb791c583c444aad |
| SHA512 | 26cb5d983b468f135558311ca9387fe467b1622ba1ce88814461987e140e96f4dcb9ecf24070f23a4559d3b5404875894ccc361f24357b468c09dd926662bde7 |
memory/4080-22-0x00000000056B0000-0x0000000005716000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bgk2b2kt.dsh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4080-33-0x0000000005890000-0x0000000005BE4000-memory.dmp
memory/4080-21-0x0000000005640000-0x00000000056A6000-memory.dmp
memory/4080-20-0x0000000004F30000-0x0000000004F52000-memory.dmp
memory/5116-32-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4080-19-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/4080-34-0x0000000074830000-0x0000000074FE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/5116-37-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/2248-38-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/4080-39-0x0000000005EF0000-0x0000000005F0E000-memory.dmp
memory/4080-40-0x0000000005F70000-0x0000000005FBC000-memory.dmp
memory/4080-41-0x0000000006EB0000-0x0000000006EE2000-memory.dmp
memory/4080-42-0x0000000075090000-0x00000000750DC000-memory.dmp
memory/4080-52-0x00000000064B0000-0x00000000064CE000-memory.dmp
memory/4080-53-0x00000000070F0000-0x0000000007193000-memory.dmp
memory/4080-55-0x0000000007200000-0x000000000721A000-memory.dmp
memory/4080-54-0x0000000007840000-0x0000000007EBA000-memory.dmp
memory/4080-56-0x0000000007270000-0x000000000727A000-memory.dmp
memory/4080-57-0x0000000007480000-0x0000000007516000-memory.dmp
memory/4080-58-0x0000000007400000-0x0000000007411000-memory.dmp
memory/5116-59-0x0000000006BE0000-0x0000000006C30000-memory.dmp
memory/4080-60-0x0000000007430000-0x000000000743E000-memory.dmp
memory/4080-61-0x0000000007440000-0x0000000007454000-memory.dmp
memory/4080-62-0x0000000007540000-0x000000000755A000-memory.dmp
memory/4080-63-0x0000000007520000-0x0000000007528000-memory.dmp
memory/4080-66-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/5116-67-0x0000000074830000-0x0000000074FE0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 01:33
Reported
2024-11-10 01:35
Platform
win7-20241023-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
AgentTesla
Agenttesla family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1388 set thread context of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe
"C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bqkYjAmCJyUE.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bqkYjAmCJyUE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD22D.tmp"
C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe
"C:\Users\Admin\AppData\Local\Temp\207e04af47f9cac9d45b03271eab3f3bf5a46daadc597f1d81e33b78fbb7e1b9.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
memory/1388-0-0x00000000748AE000-0x00000000748AF000-memory.dmp
memory/1388-1-0x0000000001320000-0x00000000013C4000-memory.dmp
memory/1388-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp
memory/1388-3-0x0000000000520000-0x0000000000532000-memory.dmp
memory/1388-4-0x00000000748AE000-0x00000000748AF000-memory.dmp
memory/1388-5-0x00000000748A0000-0x0000000074F8E000-memory.dmp
memory/1388-6-0x0000000005AB0000-0x0000000005B34000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD22D.tmp
| MD5 | d3b007d63b2088c4adde09b27b4ca8b5 |
| SHA1 | 90423b66c44437b82f108fe131e18da4c0e52c5c |
| SHA256 | 88d3ac5ff585bffca15f0bb8c88e17a8298e67a58587ec8a081d82d7b10dd30f |
| SHA512 | 231140a69c1fbeef96f722e9cd0b8f294632aae171a687094fb5a0bdbc379b56ee49ecccc6b162f11d077177c1bb78e8619116ee65ec614c4d69bf04c17022eb |
memory/2796-16-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2796-23-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2796-26-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2796-24-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2796-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2796-20-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2796-18-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2796-14-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1388-27-0x00000000748A0000-0x0000000074F8E000-memory.dmp