Analysis Overview
SHA256
e493e598a17764043a1dc1600cb225aa2200db8f010473878f31934392f1d805
Threat Level: Known bad
The file e493e598a17764043a1dc1600cb225aa2200db8f010473878f31934392f1d805 was found to be: Known bad.
Malicious Activity Summary
Agenttesla family
AgentTesla
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Checks computer location settings
Reads user/profile data of local email clients
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-15 01:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 01:12
Reported
2024-11-15 01:14
Platform
win7-20240903-en
Max time kernel
122s
Max time network
126s
Signatures
AgentTesla
Agenttesla family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2096 set thread context of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
"C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DZZQqzJzq.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DZZQqzJzq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp473D.tmp"
C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
"C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | zqamcx.com | udp |
| GB | 78.110.166.82:587 | zqamcx.com | tcp |
Files
memory/2096-0-0x000000007458E000-0x000000007458F000-memory.dmp
memory/2096-1-0x0000000000A00000-0x0000000000AC4000-memory.dmp
memory/2096-2-0x0000000074580000-0x0000000074C6E000-memory.dmp
memory/2096-3-0x0000000000510000-0x0000000000522000-memory.dmp
memory/2096-4-0x0000000074580000-0x0000000074C6E000-memory.dmp
memory/2096-5-0x0000000005DA0000-0x0000000005E28000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | a08a7174b6be4ce286d3caff6010b304 |
| SHA1 | bfe51a2818b06a9126b0870725cf3b569da02308 |
| SHA256 | 14a309d35319c23d24ad191e9b479ec7b4f7c1065f2d4633bebed84d4835612a |
| SHA512 | 2a3ece418472e957de15ce9370637b94b3af6960ff89eca0df46f69f5bbbb808f4a67e4da7d735f37b6e7dc96e34134e521da57c3b42283ef3846b566800e4d2 |
C:\Users\Admin\AppData\Local\Temp\tmp473D.tmp
| MD5 | 8a0aef5fc0a384393e3f00e71454a907 |
| SHA1 | b925f161f9964b7c85d4e8951031a60e4c024df9 |
| SHA256 | c0b3009dbb03693fb0e24a09fbe20ee7ec76f5960175b39ba1389035ee27aaf2 |
| SHA512 | 0db7f7d5c5e6511e35613e29270e9e007b9c5c9fac431eb9290519aa8bf6e00241b2c57214f470a4b0a5655d3f772587518c7eaf7b4ed2ed9c0b12c95cbe0446 |
memory/2652-18-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2652-29-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2652-28-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2652-27-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2652-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2652-24-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2652-22-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2652-20-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2096-30-0x0000000074580000-0x0000000074C6E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 01:12
Reported
2024-11-15 01:14
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Signatures
AgentTesla
Agenttesla family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2156 set thread context of 4852 | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
"C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DZZQqzJzq.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DZZQqzJzq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF339.tmp"
C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
"C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"
C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe
"C:\Users\Admin\AppData\Local\Temp\PO NO170300999.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zqamcx.com | udp |
| GB | 78.110.166.82:587 | zqamcx.com | tcp |
| US | 8.8.8.8:53 | 82.166.110.78.in-addr.arpa | udp |
| GB | 78.110.166.82:587 | zqamcx.com | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/2156-0-0x000000007445E000-0x000000007445F000-memory.dmp
memory/2156-1-0x0000000000790000-0x0000000000854000-memory.dmp
memory/2156-2-0x0000000005650000-0x0000000005BF4000-memory.dmp
memory/2156-3-0x0000000005140000-0x00000000051D2000-memory.dmp
memory/2156-4-0x0000000005280000-0x000000000531C000-memory.dmp
memory/2156-5-0x0000000005120000-0x000000000512A000-memory.dmp
memory/2156-6-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/2156-7-0x0000000005430000-0x0000000005442000-memory.dmp
memory/2156-8-0x000000007445E000-0x000000007445F000-memory.dmp
memory/2156-9-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/2156-10-0x00000000084D0000-0x0000000008558000-memory.dmp
memory/1940-15-0x0000000005340000-0x0000000005376000-memory.dmp
memory/1940-16-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/1940-17-0x0000000005B50000-0x0000000006178000-memory.dmp
memory/1940-18-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/4388-19-0x0000000074450000-0x0000000074C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF339.tmp
| MD5 | 2c878c6763cdac2da5471fc7889dbde4 |
| SHA1 | 5412132d10241e73f8985be6b74b21fe8caa78da |
| SHA256 | 04e27a2ff43b767781316d77568345ea0836562034376278f19d862a5ffc8203 |
| SHA512 | 579d39db3143c4ea17a2447bfd992e110091592f8faec32bd0082a9bb85e5b44c7730a2391082857abdda6b7d47a3a0c1627a82b511b257c0f81686faf40fce6 |
memory/1940-23-0x00000000061F0000-0x0000000006256000-memory.dmp
memory/1940-22-0x0000000005A60000-0x0000000005AC6000-memory.dmp
memory/1940-25-0x0000000006360000-0x00000000066B4000-memory.dmp
memory/1940-26-0x0000000074450000-0x0000000074C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tituqmtg.3ma.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4388-38-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/4852-27-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2156-39-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/4388-24-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/1940-21-0x0000000005940000-0x0000000005962000-memory.dmp
memory/4388-49-0x0000000006540000-0x000000000655E000-memory.dmp
memory/4388-50-0x00000000067C0000-0x000000000680C000-memory.dmp
memory/1940-51-0x0000000007AC0000-0x0000000007AF2000-memory.dmp
memory/4388-55-0x0000000070B20000-0x0000000070B6C000-memory.dmp
memory/1940-63-0x0000000006EB0000-0x0000000006ECE000-memory.dmp
memory/1940-52-0x0000000070B20000-0x0000000070B6C000-memory.dmp
memory/4388-73-0x0000000007540000-0x00000000075E3000-memory.dmp
memory/4388-74-0x0000000007ED0000-0x000000000854A000-memory.dmp
memory/4388-75-0x0000000007890000-0x00000000078AA000-memory.dmp
memory/4388-76-0x0000000007900000-0x000000000790A000-memory.dmp
memory/1940-77-0x0000000007EA0000-0x0000000007F36000-memory.dmp
memory/1940-78-0x0000000007E20000-0x0000000007E31000-memory.dmp
memory/1940-79-0x0000000007E50000-0x0000000007E5E000-memory.dmp
memory/4852-80-0x0000000005CF0000-0x0000000005D40000-memory.dmp
memory/1940-81-0x0000000007E60000-0x0000000007E74000-memory.dmp
memory/1940-82-0x0000000007F60000-0x0000000007F7A000-memory.dmp
memory/1940-83-0x0000000007F40000-0x0000000007F48000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 72a6c5ca118421ad17e5bc2ed5ac2860 |
| SHA1 | 7588cf921d10b7b2cc4348eea37055c2c374ed84 |
| SHA256 | a97b04361972ee1a0ab4d6bc310c3cf1a90dc681aa14f02a20d9ec1eabc6906d |
| SHA512 | 6b476228e017b4aca37527a2f520087ea417db6ce8da3c7d22d9abb6d11a33b2ead72b879e8483a365c0659e681792474b2ba30eeaa067b057b10b0084c03e34 |
memory/1940-89-0x0000000074450000-0x0000000074C00000-memory.dmp
memory/4388-90-0x0000000074450000-0x0000000074C00000-memory.dmp