Analysis Overview
SHA256
c6472372e0ffdda068d7bf22a49003ead236fed99bc302a5afeb02372c75f918
Threat Level: Known bad
The file c6472372e0ffdda068d7bf22a49003ead236fed99bc302a5afeb02372c75f918 was found to be: Known bad.
Malicious Activity Summary
Agenttesla family
AgentTesla
Looks up external IP address via web service
Suspicious use of SetThreadContext
AutoIT Executable
Program crash
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-15 02:17
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 02:17
Reported
2024-11-15 02:20
Platform
win7-20241010-en
Max time kernel
17s
Max time network
116s
Command Line
Signatures
AgentTesla
Agenttesla family
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2536 set thread context of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\uppishly
| Hash | Value |
|---|---|
| MD5 | 38f32ed0ac96cb9d6a3ee68ee2b6ece8 |
| SHA1 | a4ff8874c060347eb17afa37e645babd57757784 |
| SHA256 | 08574f71828bb98f99c15327ed1b8085dcf95f32d448ce34b2e85c34d782d2f3 |
| SHA512 | c9a1656e599e392d5da78ba87a5536ef9ccbde76a20a58497c2d3a8f2bb658f36c58add85288264537024e85b920ca8889f016a7b02874f62480bd06dc03c3a4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 02:17
Reported
2024-11-15 02:20
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3156 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3156 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 3156 wrote to memory of 1048 | N/A | C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Processes
| Process | Command Line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe | "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3156 -ip 3156 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 628 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\aut701F.tmp
| Hash | Value |
|---|---|
| MD5 | 38f32ed0ac96cb9d6a3ee68ee2b6ece8 |
| SHA1 | a4ff8874c060347eb17afa37e645babd57757784 |
| SHA256 | 08574f71828bb98f99c15327ed1b8085dcf95f32d448ce34b2e85c34d782d2f3 |
| SHA512 | c9a1656e599e392d5da78ba87a5536ef9ccbde76a20a58497c2d3a8f2bb658f36c58add85288264537024e85b920ca8889f016a7b02874f62480bd06dc03c3a4 |
memory/3156-8-0x0000000000DB0000-0x00000000011B0000-memory.dmp