agenttesla | abbcbdace318afff0408188e4e1025ebc49c3157838066d775b5e70a5c8c2620

General

Target

znol5gxxtd2gytr.msi
Size

492KB
MD5

3108d539e45f8a66f4ab8b2c5e20497f
SHA1

a514c5f3d637dd86af5d32ccf55bd7df2a3abec1
SHA256

abbcbdace318afff0408188e4e1025ebc49c3157838066d775b5e70a5c8c2620
SHA512

3da9c92951e893d2e8c3ac05b042580ffb693159d9b5536525e9bbdac39c6a14b577d23b5ff0ab5fd4b70a3f3dd7c0a98a383a191067a03910597b5c55dd9908

Score

10^/10

agenttesla keylogger rezer0 spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.eljsn.website
Port:
587
Username:
infotect@eljsn.website
Password:
5C%+1~13zgdJ**

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2288-18-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral2/memory/2288-19-0x00000000004470BE-mapping.dmp	family_agenttesla

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral2/memory/520-14-0x0000000006060000-0x00000000060AD000-memory.dmp	rezer0

Executes dropped EXE 2 IoCs

Processes:

MSI6A89.tmpMSI6A89.tmp

pid process

520 MSI6A89.tmp
2288 MSI6A89.tmp
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
520	MSI6A89.tmp
2288	MSI6A89.tmp

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

MSI6A89.tmp

description pid process target process

PID 520 set thread context of 2288 520 MSI6A89.tmp MSI6A89.tmp

description	pid	process	target process
PID 520 set thread context of 2288	520	MSI6A89.tmp	MSI6A89.tmp

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A1A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A89.tmp	msiexec.exe
File created	C:\Windows\Installer\f7467d8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7467d8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1900 schtasks.exe

pid	process
1900	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exeMSI6A89.tmp

pid process

4892 msiexec.exe
4892 msiexec.exe
2288 MSI6A89.tmp
2288 MSI6A89.tmp

pid	process
4892	msiexec.exe
4892	msiexec.exe
2288	MSI6A89.tmp
2288	MSI6A89.tmp

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exeMSI6A89.tmp

description	pid	process
Token: SeShutdownPrivilege	4680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4680	msiexec.exe
Token: SeSecurityPrivilege	4892	msiexec.exe
Token: SeCreateTokenPrivilege	4680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4680	msiexec.exe
Token: SeLockMemoryPrivilege	4680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4680	msiexec.exe
Token: SeMachineAccountPrivilege	4680	msiexec.exe
Token: SeTcbPrivilege	4680	msiexec.exe
Token: SeSecurityPrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeLoadDriverPrivilege	4680	msiexec.exe
Token: SeSystemProfilePrivilege	4680	msiexec.exe
Token: SeSystemtimePrivilege	4680	msiexec.exe
Token: SeProfSingleProcessPrivilege	4680	msiexec.exe
Token: SeIncBasePriorityPrivilege	4680	msiexec.exe
Token: SeCreatePagefilePrivilege	4680	msiexec.exe
Token: SeCreatePermanentPrivilege	4680	msiexec.exe
Token: SeBackupPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeShutdownPrivilege	4680	msiexec.exe
Token: SeDebugPrivilege	4680	msiexec.exe
Token: SeAuditPrivilege	4680	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4680	msiexec.exe
Token: SeChangeNotifyPrivilege	4680	msiexec.exe
Token: SeRemoteShutdownPrivilege	4680	msiexec.exe
Token: SeUndockPrivilege	4680	msiexec.exe
Token: SeSyncAgentPrivilege	4680	msiexec.exe
Token: SeEnableDelegationPrivilege	4680	msiexec.exe
Token: SeManageVolumePrivilege	4680	msiexec.exe
Token: SeImpersonatePrivilege	4680	msiexec.exe
Token: SeCreateGlobalPrivilege	4680	msiexec.exe
Token: SeBackupPrivilege	2952	vssvc.exe
Token: SeRestorePrivilege	2952	vssvc.exe
Token: SeAuditPrivilege	2952	vssvc.exe
Token: SeBackupPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeBackupPrivilege	528	srtasks.exe
Token: SeRestorePrivilege	528	srtasks.exe
Token: SeSecurityPrivilege	528	srtasks.exe
Token: SeTakeOwnershipPrivilege	528	srtasks.exe
Token: SeBackupPrivilege	528	srtasks.exe
Token: SeRestorePrivilege	528	srtasks.exe
Token: SeSecurityPrivilege	528	srtasks.exe
Token: SeTakeOwnershipPrivilege	528	srtasks.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeDebugPrivilege	2288	MSI6A89.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4680 msiexec.exe
4680 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSI6A89.tmp

pid process

2288 MSI6A89.tmp

pid	process
4680	msiexec.exe
4680	msiexec.exe

pid	process
2288	MSI6A89.tmp

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

msiexec.exeMSI6A89.tmp

description	pid	process	target process
PID 4892 wrote to memory of 528	4892	msiexec.exe	srtasks.exe
PID 4892 wrote to memory of 528	4892	msiexec.exe	srtasks.exe
PID 4892 wrote to memory of 520	4892	msiexec.exe	MSI6A89.tmp
PID 4892 wrote to memory of 520	4892	msiexec.exe	MSI6A89.tmp
PID 4892 wrote to memory of 520	4892	msiexec.exe	MSI6A89.tmp
PID 520 wrote to memory of 1900	520	MSI6A89.tmp	schtasks.exe
PID 520 wrote to memory of 1900	520	MSI6A89.tmp	schtasks.exe
PID 520 wrote to memory of 1900	520	MSI6A89.tmp	schtasks.exe
PID 520 wrote to memory of 2288	520	MSI6A89.tmp	MSI6A89.tmp
PID 520 wrote to memory of 2288	520	MSI6A89.tmp	MSI6A89.tmp
PID 520 wrote to memory of 2288	520	MSI6A89.tmp	MSI6A89.tmp
PID 520 wrote to memory of 2288	520	MSI6A89.tmp	MSI6A89.tmp
PID 520 wrote to memory of 2288	520	MSI6A89.tmp	MSI6A89.tmp
PID 520 wrote to memory of 2288	520	MSI6A89.tmp	MSI6A89.tmp
PID 520 wrote to memory of 2288	520	MSI6A89.tmp	MSI6A89.tmp
PID 520 wrote to memory of 2288	520	MSI6A89.tmp	MSI6A89.tmp

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\znol5gxxtd2gytr.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4680

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\Installer\MSI6A89.tmp
"C:\Windows\Installer\MSI6A89.tmp"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RfjXgrDPBFsZY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF39D.tmp"
3⤵
- Creates scheduled task(s)
PID:1900

C:\Windows\Installer\MSI6A89.tmp
"{path}"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2952

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSI6A89.tmp.log
MD5
8088a978a15ef9d85ddf98584f54de96

SHA1
d7ba55faff1ca42d7b702c94b5ed46ef0f9b9dbe

SHA256
5879b074b6c57e4f0316edd0edec7f64324dcd2df84bde00fd90409bde579304

SHA512
be87735be40efffa1053f1d99eb1923790368e3e7a2ddb7d740385b319ec6bfa410964486ab35a7e99ab6f312d204af9924c50c4e587aa127690e21940a72252

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF39D.tmp
MD5
3fbd532ffc7e0758549126137f7ce410

SHA1
3845a732f0e60ae0925853268e9189f118785784

SHA256
538e8e3460fbdf57ebb254f8bc1d2dfc81f0064fe0cc017048c2038d3e3dd37d

SHA512
34a9a6ade54b9ff2d75a2827062ec16f12070655a1e472cb607444c68a63fdd7d5ce1ea0260639774ea512a1adb52b1dd74d4367f1d53fbd43a1c2cc225eea59

Download Submit
C:\Windows\Installer\MSI6A89.tmp
MD5
31310b7aaf4c734c755f9af5fdb21735

SHA1
d684dff80d9c49019decb0c9c1c613aa525b0f37

SHA256
a7e3766ef281daddb6fbdd9af745b0776abb319b7485ecec75160c3368827254

SHA512
4f1998a78f4f23b242dbfb61376941930dbfb6304296740eefb898127df486a4cc09a6ad95ab5f87a157a018d35691d8733a9e9a6f17973edf3801aa613ad45d

Download Submit
C:\Windows\Installer\MSI6A89.tmp
MD5
31310b7aaf4c734c755f9af5fdb21735

SHA1
d684dff80d9c49019decb0c9c1c613aa525b0f37

SHA256
a7e3766ef281daddb6fbdd9af745b0776abb319b7485ecec75160c3368827254

SHA512
4f1998a78f4f23b242dbfb61376941930dbfb6304296740eefb898127df486a4cc09a6ad95ab5f87a157a018d35691d8733a9e9a6f17973edf3801aa613ad45d

Download Submit
C:\Windows\Installer\MSI6A89.tmp
MD5
31310b7aaf4c734c755f9af5fdb21735

SHA1
d684dff80d9c49019decb0c9c1c613aa525b0f37

SHA256
a7e3766ef281daddb6fbdd9af745b0776abb319b7485ecec75160c3368827254

SHA512
4f1998a78f4f23b242dbfb61376941930dbfb6304296740eefb898127df486a4cc09a6ad95ab5f87a157a018d35691d8733a9e9a6f17973edf3801aa613ad45d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
8dad4ba27c6b577114eb53245816d8dd

SHA1
998010b2b3526e49434cf2a88db84397cd4b3a43

SHA256
57ea0966e1465bf394d47e8def2912f333ae640117d6d38166a4b91ffdbeb2ef

SHA512
48a3f5f702d50d53ce30f999a4ef77a7cf92cdabc4e45e4385a449d3690fd1d91486f75e1e72505ff5eabeeef0b4ba0d91d58662c115acad055c193fe5cb3eb1

Download Submit
\??\Volume{f994966a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{d6315ecd-6de5-4816-9f78-1b27aecf2ded}_OnDiskSnapshotProp
MD5
e5fe749dfde93fbf6498e2c741af11c6

SHA1
e5d6a4bd50cf9f76bcf99a47c765539125e30b4e

SHA256
fa9f9a9130dcabc772873379e507143aa2b24fcf7b8a180ee75c6b952aff587e

SHA512
1a16be47851836cd5c809340d4cdc41e4efcdfe8f80d9348a6249f3b92903863304a01c72246ea3808bc57719eeb1918dde044abb5769b1215bef416405e7f24

Download Submit
memory/520-7-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/520-3-0x0000000000000000-mapping.dmp

Download
memory/520-11-0x00000000032C0000-0x00000000032D0000-memory.dmp

Filesize
64KB

Download
memory/520-9-0x00000000058C0000-0x00000000058C1000-memory.dmp

Filesize
4KB

Download
memory/520-14-0x0000000006060000-0x00000000060AD000-memory.dmp

Filesize
308KB

Download
memory/520-15-0x00000000065B0000-0x00000000065B1000-memory.dmp

Filesize
4KB

Download
memory/520-6-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/520-10-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/528-0-0x0000000000000000-mapping.dmp

Download
memory/1900-16-0x0000000000000000-mapping.dmp

Download
memory/2288-18-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2288-19-0x00000000004470BE-mapping.dmp

Download
memory/2288-22-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2288-28-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/2288-29-0x0000000005DD0000-0x0000000005DD1000-memory.dmp

Filesize
4KB

Download
memory/2288-31-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/4892-1-0x000001BF377A0000-0x000001BF37A21000-memory.dmp

Filesize
2.5MB

Download
memory/4892-25-0x000001BF36920000-0x000001BF36921000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads