Analysis Overview
SHA256
81e7f043e097b36a44fc8c534af6aab20f121fc387bd229bc7ae04057badaee3
Threat Level: Known bad
The file 81e7f043e097b36a44fc8c534af6aab20f121fc387bd229bc7ae04057badaee3.rar was found to be: Known bad.
Malicious Activity Summary
Agenttesla family
AgentTesla
Command and Scripting Interpreter: PowerShell
Reads user/profile data of local email clients
Checks computer location settings
Reads WinSCP keys stored on the system
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 02:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 02:35
Reported
2024-11-12 02:38
Platform
win10v2004-20241007-en
Max time kernel
128s
Max time network
148s
Command Line
Signatures
AgentTesla
Agenttesla family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4612 set thread context of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | "C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oYeNbxyP.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oYeNbxyP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1DF.tmp" |
| C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | "C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe" |
The command lines name System32 while the image paths are under SysWOW64: the 32-bit parent is subject to WoW64 file system redirection, so its "System32" references resolve to the 32-bit binaries.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.pgsu.co.id | udp |
| US | 107.178.108.41:587 | mail.pgsu.co.id | tcp |
| US | 8.8.8.8:53 | 41.108.178.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
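The Processes and Network sections above give the concrete artefacts a detection engineer would key on: the Add-MpPreference exclusion for a path under the user's profile, a scheduled task whose definition is read from an XML in %TEMP%, PowerShell spawned by an executable running out of %TEMP%, a process setting the thread context of a second instance of its own image, and TCP/587 traffic from something that is not a mail client. The following detection logic is an added example, not code from the sandbox or from this report. It runs over constructed events shaped loosely like Sysmon process-creation records; the field names, the PIDs other than 4612 and 5060, the parent of the dropper, and the attribution of the 107.178.108.41:587 connection to PID 5060 are all assumptions.

```python
"""Detection rules for the behaviours recorded in this report. Added example,
not part of the sandbox report. Event field names and every PID except
4612/5060 are assumptions; sample rows are constructed from the Processes and
Network sections."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:            # process-creation record (Sysmon EID 1 shape, assumed)
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


@dataclass
class InjectEvent:          # cross-process SetThreadContext, as the signature row reports it
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str


@dataclass
class NetEvent:             # outbound connection attributed to a process (assumed shape)
    pid: int
    image: str
    dest_ip: str
    dest_port: int
    proto: str


TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}      # allowlist for tcp/587, assumed


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arg_after(cmdline: str, flag: str) -> str:
    """Token following `flag`, with surrounding double quotes stripped, or ''."""
    m = (re.search(re.escape(flag) + r'\s+"([^"]*)"', cmdline, re.I)
         or re.search(re.escape(flag) + r"\s+(\S+)", cmdline, re.I))
    return m.group(1) if m else ""


def detect(procs, injects, nets):
    """Return (technique, pid, detail) tuples; each rule mirrors one signature above."""
    hits = []
    for p in procs:
        name, cl = basename(p.image), p.command_line
        # Defender exclusion for a path under the user's profile (Impair Defenses)
        if name == "powershell.exe" and re.search(r"add-mppreference", cl, re.I):
            path = arg_after(cl, "-ExclusionPath")
            if USER_WRITABLE_RE.match(path):
                hits.append(("T1562.001", p.pid, f"Defender exclusion for {path}"))
        # Scheduled task whose definition is read from %TEMP% (Scheduled Task)
        if name == "schtasks.exe" and re.search(r"/create\b", cl, re.I):
            xml = arg_after(cl, "/XML")
            if TEMP_RE.search(xml):
                hits.append(("T1053.005", p.pid, f"task definition from {xml}"))
        # PowerShell whose parent runs out of %TEMP% (Command and Scripting Interpreter)
        if name == "powershell.exe" and TEMP_RE.search(p.parent_image):
            hits.append(("T1059.001", p.pid, f"spawned by {p.parent_image}"))
    # Setting the thread context of a second instance of its own image is the
    # RunPE / process hollowing pattern (Process Injection).
    for i in injects:
        if i.source_pid != i.target_pid and i.source_image.lower() == i.target_image.lower():
            hits.append(("T1055.012", i.source_pid, f"SetThreadContext into own child PID {i.target_pid}"))
    # SMTP submission from anything that is not a mail client (Exfiltration Over
    # Unencrypted Non-C2 Protocol).
    for n in nets:
        if n.proto == "tcp" and n.dest_port == 587 and basename(n.image) not in MAIL_CLIENTS:
            hits.append(("T1048.003", n.pid, f"tcp/587 to {n.dest_ip} from {basename(n.image)}"))
    return hits


def summarize(hits):
    """Sorted, de-duplicated technique IDs, handy as SIEM tags."""
    return sorted({h[0] for h in hits})


# Constructed sample rows: images and command lines come from the Processes
# section for behavioral2, the parent/child link from the SetThreadContext row
# (4612 -> 5060). PIDs 3001-3005 and the owner of the 587 connection are assumed.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
EXPLORER = r"C:\Windows\explorer.exe"
PROCS = [
    ProcEvent(4612, DROPPER, f'"{DROPPER}"', 3001, EXPLORER),
    ProcEvent(3002, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                        r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oYeNbxyP.exe"',
              4612, DROPPER),
    ProcEvent(3003, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oYeNbxyP" '
                              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp1DF.tmp"', 4612, DROPPER),
    ProcEvent(5060, DROPPER, f'"{DROPPER}"', 4612, DROPPER),
    # benign control row: an admin running PowerShell from the desktop
    ProcEvent(3004, PS, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Process', 3001, EXPLORER),
]
INJECTS = [InjectEvent(4612, DROPPER, 5060, DROPPER)]
NETS = [
    NetEvent(5060, DROPPER, "107.178.108.41", 587, "tcp"),
    # benign control row: a real mail client submitting mail
    NetEvent(3005, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "203.0.113.10", 587, "tcp"),
]

if __name__ == "__main__":
    for tech, pid, detail in detect(PROCS, INJECTS, NETS):
        print(f"{tech}  pid={pid}  {detail}")
```

The two benign control rows are there so the rules can be checked for precision as well as recall: a PowerShell launched from explorer.exe and a mail client on port 587 produce no hits, while the five sandbox-derived events each fire exactly one rule.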
Files
memory/4612-0-0x000000007440E000-0x000000007440F000-memory.dmp
memory/4612-1-0x0000000000220000-0x00000000002F2000-memory.dmp
memory/4612-2-0x00000000053E0000-0x0000000005984000-memory.dmp
memory/4612-3-0x0000000004D20000-0x0000000004DB2000-memory.dmp
memory/4612-4-0x0000000074400000-0x0000000074BB0000-memory.dmp
memory/4612-5-0x0000000004CE0000-0x0000000004CEA000-memory.dmp
memory/4612-6-0x0000000005050000-0x00000000050EC000-memory.dmp
memory/4612-7-0x0000000004ED0000-0x0000000004EE2000-memory.dmp
memory/4612-8-0x000000007440E000-0x000000007440F000-memory.dmp
memory/4612-9-0x0000000074400000-0x0000000074BB0000-memory.dmp
memory/4612-10-0x00000000063C0000-0x0000000006446000-memory.dmp
memory/984-15-0x0000000004E60000-0x0000000004E96000-memory.dmp
memory/984-17-0x0000000074400000-0x0000000074BB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1DF.tmp
| MD5 | 2294782f4cb88024c062f66f14b60c42 |
| SHA1 | 43d3fdc48ae96c46d6a355ebcb5254c25b718636 |
| SHA256 | 82e778b1628fdd68e26b97ae6b243a6d4e3126017e61872f46b7a3c8bbbbf9fa |
| SHA512 | 606e5cabf24ef23612efac751e1d809efbb9d8a51fffb6696d976ec46858a5e2f2c31866404dd0e21b21f78251d65684e6f2c4df9c6c810cca457f687a578b6f |
memory/984-18-0x00000000055D0000-0x0000000005BF8000-memory.dmp
memory/984-19-0x0000000074400000-0x0000000074BB0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Q2EoNFhO7QQHxgS.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/5060-20-0x0000000000400000-0x0000000000440000-memory.dmp
memory/5060-24-0x0000000074400000-0x0000000074BB0000-memory.dmp
memory/4612-23-0x0000000074400000-0x0000000074BB0000-memory.dmp
memory/984-26-0x0000000005510000-0x0000000005576000-memory.dmp
memory/984-25-0x0000000005470000-0x0000000005492000-memory.dmp
memory/5060-33-0x0000000074400000-0x0000000074BB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lft21u14.eyj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/984-27-0x0000000005C00000-0x0000000005C66000-memory.dmp
memory/984-34-0x0000000005DB0000-0x0000000006104000-memory.dmp
memory/984-39-0x0000000006410000-0x000000000642E000-memory.dmp
memory/984-40-0x00000000064A0000-0x00000000064EC000-memory.dmp
memory/984-41-0x00000000069E0000-0x0000000006A12000-memory.dmp
memory/984-42-0x0000000070080000-0x00000000700CC000-memory.dmp
memory/984-52-0x00000000069C0000-0x00000000069DE000-memory.dmp
memory/984-53-0x00000000073F0000-0x0000000007493000-memory.dmp
memory/984-55-0x0000000007730000-0x000000000774A000-memory.dmp
memory/984-54-0x0000000007D80000-0x00000000083FA000-memory.dmp
memory/984-56-0x00000000077A0000-0x00000000077AA000-memory.dmp
memory/984-57-0x00000000079B0000-0x0000000007A46000-memory.dmp
memory/984-58-0x0000000007930000-0x0000000007941000-memory.dmp
memory/984-59-0x0000000007960000-0x000000000796E000-memory.dmp
memory/984-60-0x0000000007970000-0x0000000007984000-memory.dmp
memory/984-61-0x0000000007A70000-0x0000000007A8A000-memory.dmp
memory/984-62-0x0000000007A50000-0x0000000007A58000-memory.dmp
memory/5060-63-0x0000000006590000-0x00000000065E0000-memory.dmp
memory/984-66-0x0000000074400000-0x0000000074BB0000-memory.dmp
memory/5060-67-0x0000000074400000-0x0000000074BB0000-memory.dmp
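The Files list above is mostly memory dumps named by PID, sequence number and address range. Combined with the SetThreadContext row (PID 4612 set thread context of 5060, both instances of the same executable), that list is enough to pick out the dump most likely to contain the unpacked payload without opening any of them. The following triage script is an added example, not the sandbox's own tooling. It reads the file-name layout memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp off the list above; the heuristics that the injected image sits at the default 32-bit image base 0x400000 in the SetThreadContext target, and that an address range dumped from several PIDs is a shared module mapping rather than payload, are assumptions.

```python
"""Triage of sandbox memory-dump names: which dump most likely holds the
unpacked payload. Added example, not the sandbox's own tooling. The
image-base and shared-mapping heuristics are assumptions."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Constructed input: a subset of the dump names listed under Files for behavioral2.
DUMP_LINES = """
memory/4612-1-0x0000000000220000-0x00000000002F2000-memory.dmp
memory/4612-4-0x0000000074400000-0x0000000074BB0000-memory.dmp
memory/4612-10-0x00000000063C0000-0x0000000006446000-memory.dmp
memory/984-17-0x0000000074400000-0x0000000074BB0000-memory.dmp
memory/984-42-0x0000000070080000-0x00000000700CC000-memory.dmp
memory/5060-20-0x0000000000400000-0x0000000000440000-memory.dmp
memory/5060-24-0x0000000074400000-0x0000000074BB0000-memory.dmp
memory/5060-63-0x0000000006590000-0x00000000065E0000-memory.dmp
""".split()

# From the SetThreadContext signature row: PID 4612 set thread context of 5060.
INJECTIONS = [(4612, 5060)]


def parse_dumps(lines):
    """Map pid -> [(seq, start, end)] from dump file names; non-matching lines are skipped."""
    out = defaultdict(list)
    for ln in lines:
        m = DUMP_RE.match(ln.strip())
        if m:
            out[int(m["pid"])].append((int(m["seq"]), int(m["start"], 16), int(m["end"], 16)))
    return dict(out)


def shared_regions(dumps):
    """Address ranges dumped from two or more PIDs. The same range in every
    process is almost certainly one mapped module (the 0x74400000 range here),
    so it is deprioritised when hunting for the payload (assumption)."""
    seen = defaultdict(set)
    for pid, regions in dumps.items():
        for _seq, start, end in regions:
            seen[(start, end)].add(pid)
    return {rng for rng, pids in seen.items() if len(pids) >= 2}


def payload_candidates(dumps, injections, image_base=0x400000):
    """For each (source, target) SetThreadContext pair, return the target's dumps
    that start at the default 32-bit image base and are not shared mappings.
    In a hollowed child that is where the injected image was written (assumption)."""
    shared = shared_regions(dumps)
    out = []
    for _src, dst in injections:
        for seq, start, end in sorted(dumps.get(dst, [])):
            if start == image_base and (start, end) not in shared:
                out.append({"pid": dst, "seq": seq, "start": start, "size": end - start,
                            "file": f"memory/{dst}-{seq}-0x{start:016X}-0x{end:016X}-memory.dmp"})
    return out


if __name__ == "__main__":
    for c in payload_candidates(parse_dumps(DUMP_LINES), INJECTIONS):
        print(c["file"], f"{c['size']:#x} bytes")
```

On the list above this selects memory/5060-20-0x0000000000400000-0x0000000000440000-memory.dmp, a 0x40000-byte region in the SetThreadContext target; that is the dump to carve a PE header out of and feed to a .NET decompiler first, before the far larger shared-module dumps.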
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 02:35
Reported
2024-11-12 02:38
Platform
win7-20240903-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
AgentTesla
Agenttesla family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1860 set thread context of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | "C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oYeNbxyP.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oYeNbxyP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED7A.tmp" |
| C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | "C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe" |
| C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe | "C:\Users\Admin\AppData\Local\Temp\Q2EoNFhO7QQHxgS.exe" |
As in the Windows 10 run, the System32 paths in the command lines resolve to SysWOW64 images because the 32-bit parent is subject to WoW64 file system redirection.
Network
Files
memory/1860-0-0x000000007475E000-0x000000007475F000-memory.dmp
memory/1860-1-0x00000000009B0000-0x0000000000A82000-memory.dmp
memory/1860-2-0x0000000074750000-0x0000000074E3E000-memory.dmp
memory/1860-3-0x0000000000490000-0x00000000004A2000-memory.dmp
memory/1860-4-0x000000007475E000-0x000000007475F000-memory.dmp
memory/1860-5-0x0000000074750000-0x0000000074E3E000-memory.dmp
memory/1860-6-0x0000000005230000-0x00000000052B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpED7A.tmp
| MD5 | cbf2f0c5799b77ff0f2377ac9fd6e862 |
| SHA1 | 9e72e7607bce668ae94007697960c3245420410e |
| SHA256 | d5f7ede7beb7aaf0327dc91871f9509170763f2a16a79bb237cb3954fd36e58b |
| SHA512 | 0dbea62b8704649860c33364bd29cdbd4b53391fc9700de4a2329f73ebcaa8453d036800c9751cdffdc4645027fb4d7c60040aefe179b3d4d10af36a85437995 |
memory/2628-14-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2628-23-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1860-26-0x0000000074750000-0x0000000074E3E000-memory.dmp
memory/2628-25-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2628-24-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2628-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2628-16-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2628-20-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2628-19-0x0000000000400000-0x0000000000440000-memory.dmp