Analysis Overview
SHA256
087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e
Threat Level: Known bad
The file 087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Agenttesla family
Looks up external IP address via web service
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-15 01:54
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 01:54
Reported
2024-11-15 01:56
Platform
win7-20241023-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
AgentTesla
Agenttesla family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2316 set thread context of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe | "C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\arrogatingly
| Hash | Value |
| --- | --- |
| MD5 | 66e2ff4ee8e4c8fce64a49545ccc80e0 |
| SHA1 | 642c25c9e8d5477558cbe46159cf30f5b22584ae |
| SHA256 | bf436a28d6e7785c0b79e938009684385562c157aa6e1fd47780b3fdea569b91 |
| SHA512 | 4318467eec66e123863a7e98aa848c203cd3029bde65bfc89653884e05bfbe52ae5d95dc0e040d053533ebd4abb99e852d4cc06f28f4d1a65bb4f588d4b32541 |
memory/2316-12-0x00000000024B0000-0x00000000025B0000-memory.dmp
memory/2992-13-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2992-15-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2992-16-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2992-17-0x000000007450E000-0x000000007450F000-memory.dmp
memory/2992-18-0x0000000000BE0000-0x0000000000C36000-memory.dmp
memory/2992-19-0x0000000000E20000-0x0000000000E74000-memory.dmp
memory/2992-20-0x0000000074500000-0x0000000074BEE000-memory.dmp
memory/2992-21-0x0000000074500000-0x0000000074BEE000-memory.dmp
memory/2992-22-0x0000000074500000-0x0000000074BEE000-memory.dmp
memory/2992-74-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-82-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-80-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-78-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-76-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-72-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-70-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-68-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-66-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-64-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-62-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-60-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-58-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-56-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-54-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-50-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-48-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-46-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-44-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-43-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-40-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-38-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-36-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-34-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-32-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-30-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-28-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-26-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-24-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-23-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-52-0x0000000000E20000-0x0000000000E6E000-memory.dmp
memory/2992-1091-0x0000000074500000-0x0000000074BEE000-memory.dmp
memory/2992-1092-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2992-1093-0x000000007450E000-0x000000007450F000-memory.dmp
memory/2992-1094-0x0000000074500000-0x0000000074BEE000-memory.dmp
memory/2992-1095-0x0000000074500000-0x0000000074BEE000-memory.dmp
memory/2992-1096-0x0000000074500000-0x0000000074BEE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 01:54
Reported
2024-11-15 01:56
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
154s
Command Line
Signatures
AgentTesla
Agenttesla family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3980 set thread context of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe | "C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe" |
| C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe | "C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe" |
| C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe | "C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\087dc1c2cc13ba7c5c4f9708d64e8c254be1b485d782ffd39b9598d06252248e.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\aut8E46.tmp
| Hash | Value |
| --- | --- |
| MD5 | 66e2ff4ee8e4c8fce64a49545ccc80e0 |
| SHA1 | 642c25c9e8d5477558cbe46159cf30f5b22584ae |
| SHA256 | bf436a28d6e7785c0b79e938009684385562c157aa6e1fd47780b3fdea569b91 |
| SHA512 | 4318467eec66e123863a7e98aa848c203cd3029bde65bfc89653884e05bfbe52ae5d95dc0e040d053533ebd4abb99e852d4cc06f28f4d1a65bb4f588d4b32541 |
memory/3004-13-0x0000000004060000-0x0000000004260000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pluffer
| Hash | Value |
| --- | --- |
| MD5 | a4ad54949137c49124a192254e71347e |
| SHA1 | 6ca7b8a0b804a066e5c4658403da6872b8fc4639 |
| SHA256 | f64094b1952ee6a3b15d3d17740be0ff2095f37dc1fd988e4c27782d6b1059d6 |
| SHA512 | 0ef9a7fdd2453667a5a2f7e297ac73d3b4a404d912a1bfa2274d62f78e752cfcc3df840ca9f4daaac699f81796b14814b460644b1bb9920cd80cef7444b5d78b |
memory/1808-29-0x0000000003C30000-0x0000000003E30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aut9461.tmp
| Hash | Value |
| --- | --- |
| MD5 | e31b6fe982af4e4ba9042112c1e4b393 |
| SHA1 | 587b516e465dccdedc39b215a662c414bfaf92b2 |
| SHA256 | 65aaad3f6357a34d7b83ed971ee79cd3e130484398388f54ca53cb4213b13e6d |
| SHA512 | 9009b6042a7cc331b5af3cc80edee0218d9106675b03551a1712aa68cb2eceb85f191e85ad281b0e2e3699f971ada498b40615831555e5f950dd66da28d3532c |
memory/3980-45-0x0000000003C60000-0x0000000003E60000-memory.dmp
memory/5040-46-0x0000000000400000-0x0000000000446000-memory.dmp
memory/5040-49-0x0000000000400000-0x0000000000446000-memory.dmp
memory/5040-48-0x0000000000400000-0x0000000000446000-memory.dmp
memory/5040-47-0x0000000000400000-0x0000000000446000-memory.dmp
memory/5040-50-0x0000000005220000-0x0000000005276000-memory.dmp
memory/5040-51-0x0000000005890000-0x0000000005E34000-memory.dmp
memory/5040-52-0x00000000052E0000-0x0000000005334000-memory.dmp
memory/5040-53-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-78-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-112-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-110-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-108-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-105-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-102-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-100-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-98-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-96-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-94-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-92-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-90-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-86-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-84-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-82-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-80-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-76-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-74-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-72-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-70-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-68-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-66-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-64-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-62-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-60-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-58-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-56-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-54-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-106-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-88-0x00000000052E0000-0x000000000532E000-memory.dmp
memory/5040-1121-0x00000000054E0000-0x0000000005546000-memory.dmp
memory/5040-1122-0x0000000006800000-0x0000000006850000-memory.dmp
memory/5040-1123-0x00000000068F0000-0x0000000006982000-memory.dmp
memory/5040-1124-0x0000000006890000-0x000000000689A000-memory.dmp
memory/5040-1125-0x0000000000400000-0x0000000000446000-memory.dmp