Analysis Overview
SHA256
1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf
Threat Level: Known bad
The file 1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe was found to be: Known bad.
Malicious Activity Summary
Agenttesla family
AgentTesla
Looks up external IP address via web service
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-15 02:15
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 02:15
Reported
2024-11-15 02:18
Platform
win7-20240903-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
AgentTesla
Agenttesla family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2400 set thread context of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe
"C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\proximobuccal
| Hash | Value |
| --- | --- |
| MD5 | 37c8359babb5211ca2026d38a5de9d08 |
| SHA1 | 286adc5945eb69075f150a2c01d7c0e36d328dac |
| SHA256 | 5cad2ca441900ae49aaa98725d963993bec2389af749265bc804011d57aeb8fb |
| SHA512 | 1521e3ff9845061b9b7076ee3a32ff1a0b900abcb17b1d2d3d8a798473c70cde0208255f566378dc2b88d606fe40a7c58ceb931cb81a068792779e44482605d6 |
memory/2400-7-0x00000000006B0000-0x0000000000AB0000-memory.dmp
memory/2804-10-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2804-11-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2804-9-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2804-12-0x00000000746DE000-0x00000000746DF000-memory.dmp
memory/2804-13-0x0000000000550000-0x00000000005A4000-memory.dmp
memory/2804-14-0x00000000746D0000-0x0000000074DBE000-memory.dmp
memory/2804-15-0x0000000000AC0000-0x0000000000B12000-memory.dmp
memory/2804-16-0x00000000746D0000-0x0000000074DBE000-memory.dmp
memory/2804-17-0x00000000746D0000-0x0000000074DBE000-memory.dmp
memory/2804-18-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-43-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-73-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-77-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-71-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-69-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-67-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-65-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-63-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-61-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-59-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-57-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-55-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-53-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-51-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-49-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-47-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-45-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-75-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-41-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-39-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-37-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-35-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-33-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-31-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-29-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-27-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-25-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-23-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-21-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-19-0x0000000000AC0000-0x0000000000B0C000-memory.dmp
memory/2804-1050-0x00000000746D0000-0x0000000074DBE000-memory.dmp
memory/2804-1051-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2804-1052-0x00000000746DE000-0x00000000746DF000-memory.dmp
memory/2804-1053-0x00000000746D0000-0x0000000074DBE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 02:15
Reported
2024-11-15 02:18
Platform
win10v2004-20241007-en
Max time kernel
106s
Max time network
110s
Command Line
Signatures
AgentTesla
Agenttesla family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2056 set thread context of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2056 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2056 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2056 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2056 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe
"C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\1de2fa3a2ecc25fc9b28f0e4ba4156a89d2b536c04bafc7b83014a6c5dc9dfaf.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\aut8045.tmp
| Hash | Value |
| --- | --- |
| MD5 | 37c8359babb5211ca2026d38a5de9d08 |
| SHA1 | 286adc5945eb69075f150a2c01d7c0e36d328dac |
| SHA256 | 5cad2ca441900ae49aaa98725d963993bec2389af749265bc804011d57aeb8fb |
| SHA512 | 1521e3ff9845061b9b7076ee3a32ff1a0b900abcb17b1d2d3d8a798473c70cde0208255f566378dc2b88d606fe40a7c58ceb931cb81a068792779e44482605d6 |
memory/2056-8-0x0000000000F30000-0x0000000001330000-memory.dmp
memory/2212-9-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2212-11-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2212-10-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2212-12-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2212-13-0x0000000074BCE000-0x0000000074BCF000-memory.dmp
memory/2212-14-0x0000000003310000-0x0000000003364000-memory.dmp
memory/2212-15-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/2212-16-0x0000000005F50000-0x00000000064F4000-memory.dmp
memory/2212-17-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/2212-18-0x00000000059E0000-0x0000000005A32000-memory.dmp
memory/2212-19-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/2212-23-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-33-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-79-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-77-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-75-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-73-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-71-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-69-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-67-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-65-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-63-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-61-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-59-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-57-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-55-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-53-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-51-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-49-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-47-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-45-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-43-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-41-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-39-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-37-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-35-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-31-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-29-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-27-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-25-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-21-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-20-0x00000000059E0000-0x0000000005A2C000-memory.dmp
memory/2212-1052-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/2212-1053-0x0000000005BE0000-0x0000000005C46000-memory.dmp
memory/2212-1054-0x0000000007060000-0x00000000070B0000-memory.dmp
memory/2212-1055-0x0000000007150000-0x00000000071E2000-memory.dmp
memory/2212-1056-0x00000000070C0000-0x00000000070CA000-memory.dmp
memory/2212-1057-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2212-1058-0x0000000074BCE000-0x0000000074BCF000-memory.dmp
memory/2212-1059-0x0000000074BC0000-0x0000000075370000-memory.dmp