Analysis Overview
SHA256
53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485
Threat Level: Known bad
The file 01. MT JS JIANGYIN Ship Particulars.xlsx.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Agenttesla family
Looks up external IP address via web service
AutoIT Executable
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 06:18
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 06:18
Reported
2024-11-14 06:20
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
AgentTesla
Agenttesla family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3048 set thread context of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\uppishly
| Hash | Value |
|---|---|
| MD5 | 38f32ed0ac96cb9d6a3ee68ee2b6ece8 |
| SHA1 | a4ff8874c060347eb17afa37e645babd57757784 |
| SHA256 | 08574f71828bb98f99c15327ed1b8085dcf95f32d448ce34b2e85c34d782d2f3 |
| SHA512 | c9a1656e599e392d5da78ba87a5536ef9ccbde76a20a58497c2d3a8f2bb658f36c58add85288264537024e85b920ca8889f016a7b02874f62480bd06dc03c3a4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 06:18
Reported
2024-11-14 06:20
Platform
win10v2004-20241007-en
Max time kernel
106s
Max time network
139s
Command Line
Signatures
AgentTesla
Agenttesla family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2316 set thread context of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe" |
| C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2316 -ip 2316 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 636 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\aut8628.tmp
| Hash | Value |
|---|---|
| MD5 | 38f32ed0ac96cb9d6a3ee68ee2b6ece8 |
| SHA1 | a4ff8874c060347eb17afa37e645babd57757784 |
| SHA256 | 08574f71828bb98f99c15327ed1b8085dcf95f32d448ce34b2e85c34d782d2f3 |
| SHA512 | c9a1656e599e392d5da78ba87a5536ef9ccbde76a20a58497c2d3a8f2bb658f36c58add85288264537024e85b920ca8889f016a7b02874f62480bd06dc03c3a4 |