Analysis Overview
SHA256
53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485
Threat Level: Known bad
The file 53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Agenttesla family
Looks up external IP address via web service
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-15 02:32
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 02:32
Reported
2024-11-15 02:35
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
AgentTesla
Agenttesla family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2572 set thread context of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe
"C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\uppishly
| MD5 | 38f32ed0ac96cb9d6a3ee68ee2b6ece8 |
| SHA1 | a4ff8874c060347eb17afa37e645babd57757784 |
| SHA256 | 08574f71828bb98f99c15327ed1b8085dcf95f32d448ce34b2e85c34d782d2f3 |
| SHA512 | c9a1656e599e392d5da78ba87a5536ef9ccbde76a20a58497c2d3a8f2bb658f36c58add85288264537024e85b920ca8889f016a7b02874f62480bd06dc03c3a4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 02:32
Reported
2024-11-15 02:35
Platform
win10v2004-20241007-en
Max time kernel
105s
Max time network
137s
Command Line
Signatures
AgentTesla
Agenttesla family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3652 set thread context of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3652 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3652 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3652 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3652 wrote to memory of 1788 | N/A | C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe
"C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\aut86B4.tmp
| MD5 | 38f32ed0ac96cb9d6a3ee68ee2b6ece8 |
| SHA1 | a4ff8874c060347eb17afa37e645babd57757784 |
| SHA256 | 08574f71828bb98f99c15327ed1b8085dcf95f32d448ce34b2e85c34d782d2f3 |
| SHA512 | c9a1656e599e392d5da78ba87a5536ef9ccbde76a20a58497c2d3a8f2bb658f36c58add85288264537024e85b920ca8889f016a7b02874f62480bd06dc03c3a4 |