Analysis Overview
SHA256
6633f19132821190e3fa92befd285f74556e9f8b1f29dc52baeed496a2049835
Threat Level: Known bad
The file 6633f19132821190e3fa92befd285f74556e9f8b1f29dc52baeed496a2049835.zip was found to be: Known bad.
Malicious Activity Summary
Agenttesla family
AgentTesla
AgentTesla payload
Reads data files stored by FTP clients
Checks computer location settings
Reads user/profile data of local email clients
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
outlook_win_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 02:27
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 02:27
Reported
2024-11-12 02:29
Platform
win7-20240903-en
Max time kernel
138s
Max time network
121s
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2500 set thread context of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe
"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neHneiobyhcrJJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp"
C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe
"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp8305.tmp
| MD5 | b6066ad35d085560b49adc64120cfa0a |
| SHA1 | 2149b223a5b6f304144fd9335b3e4abd58d3e4b0 |
| SHA256 | a3472e1ca85b9159a512f16b64368d83303e6ceaa96dcd5f839556568a34bb44 |
| SHA512 | 15822ce540f77cd4ec0bca2343ffee9523d1003fc40a6ac0600f8b884b76336d0e31b8a4b860cac51cd87718ff02baea87f1b3003b4b26e227a04393a5a3f5fd |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 02:27
Reported
2024-11-12 02:29
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Signatures
AgentTesla
Agenttesla family
AgentTesla payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3180 set thread context of 3880 | N/A | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe
"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neHneiobyhcrJJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7971.tmp"
C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe
"C:\Users\Admin\AppData\Local\Temp\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp7971.tmp
| MD5 | 8c3b73542b88d482775be5a887c38c39 |
| SHA1 | 04005bf201a86cbbccac701d31aea845acc050df |
| SHA256 | e862deb166cd58d09efa709d1bcb89d0812229c7adc81af212512f3fef74c503 |
| SHA512 | bb53cc947364c15d293870d7eaac261873604446d431827bdb8bb0cd67d2ea2140bb3435fd896b15d4bed2a6c7fed5fd4f899d814fafb012166fe3e65261076a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089.exe.log
| MD5 | 17573558c4e714f606f997e5157afaac |
| SHA1 | 13e16e9415ceef429aaf124139671ebeca09ed23 |
| SHA256 | c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553 |
| SHA512 | f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc |