agenttesla | a12c65ad23f195521f525ed905373f22fe0853c1e1fcfb317056d81051e6e532

Analysis

max time kernel
122s
max time network
79s
platform
windows7_x64
resource
win7v20201028
submitted
25-01-2021 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Size

2.2MB
MD5

5ff5bbb9fd1f1d3a586ad9bea10a9773
SHA1

1426737ae0a2039a85e9683aad4e1fc6b2d5a27b
SHA256

a12c65ad23f195521f525ed905373f22fe0853c1e1fcfb317056d81051e6e532
SHA512

aa21b5424ff194d35552e25a64a96d29c50229bc2281964a62c82069f38e956592d4099e99e682c859d9ab36165c80bf63b26dac11e9c7d1ca1ec63c84a547fe

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.newviking.com.my
Port:
587
Username:
[email protected]
Password:
{&SgX:^(7m

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe\""	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1896-91-0x000000000043763E-mapping.dmp	family_agenttesla
behavioral1/memory/1896-88-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1896-100-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Drops startup file 2 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 9 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Administrator Rights = "C:\\Users\\Admin\\AppData\\Roaming\\Administrator Rights\\Administrator Rights.exe"	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid	process
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

description	pid	process	target process
PID 1668 set thread context of 1732	1668	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1732 set thread context of 1896	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1772 1732 WerFault.exe RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1136 timeout.exe

pid	pid_target	process	target process
1772	1732	WerFault.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid	process
1136	timeout.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exeWerFault.exe

pid	process
680	powershell.exe
1508	powershell.exe
576	powershell.exe
1104	powershell.exe
1508	powershell.exe
576	powershell.exe
680	powershell.exe
1104	powershell.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1896	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1896	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe
1772	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1772 WerFault.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid process

1896 RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

pid	process
1772	WerFault.exe

pid	process
1896	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exepowershell.exepowershell.exepowershell.exepowershell.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1896	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
Token: SeDebugPrivilege	1772	WerFault.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

RFQ for the supply of materialsservices for P.O. No. - 4700001838.exeRFQ for the supply of materialsservices for P.O. No. - 4700001838.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 1732	1668	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1668 wrote to memory of 1732	1668	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1668 wrote to memory of 1732	1668	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1668 wrote to memory of 1732	1668	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1668 wrote to memory of 1732	1668	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1668 wrote to memory of 1732	1668	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1668 wrote to memory of 1732	1668	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1668 wrote to memory of 1732	1668	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1668 wrote to memory of 1732	1668	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1732 wrote to memory of 1508	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 1508	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 1508	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 1508	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 1104	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 1104	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 1104	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 1104	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 576	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 576	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 576	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 576	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 680	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 680	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 680	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 680	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	powershell.exe
PID 1732 wrote to memory of 340	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	cmd.exe
PID 1732 wrote to memory of 340	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	cmd.exe
PID 1732 wrote to memory of 340	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	cmd.exe
PID 1732 wrote to memory of 340	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	cmd.exe
PID 340 wrote to memory of 1136	340	cmd.exe	timeout.exe
PID 340 wrote to memory of 1136	340	cmd.exe	timeout.exe
PID 340 wrote to memory of 1136	340	cmd.exe	timeout.exe
PID 340 wrote to memory of 1136	340	cmd.exe	timeout.exe
PID 1732 wrote to memory of 1896	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1732 wrote to memory of 1896	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1732 wrote to memory of 1896	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1732 wrote to memory of 1896	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1732 wrote to memory of 1896	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1732 wrote to memory of 1896	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1732 wrote to memory of 1896	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1732 wrote to memory of 1896	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1732 wrote to memory of 1896	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
PID 1732 wrote to memory of 1772	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	WerFault.exe
PID 1732 wrote to memory of 1772	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	WerFault.exe
PID 1732 wrote to memory of 1772	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	WerFault.exe
PID 1732 wrote to memory of 1772	1732	RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe"
2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
3⤵
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:1136

C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1964
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_03bfaf74-c48a-406b-812c-2684df821d22
MD5
597009ea0430a463753e0f5b1d1a249e

SHA1
4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62

SHA256
3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d

SHA512
5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1b0b2f5a-4fa9-4284-9780-9a1da7b14a47
MD5
02ff38ac870de39782aeee04d7b48231

SHA1
0390d39fa216c9b0ecdb38238304e518fb2b5095

SHA256
fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

SHA512
24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3d474bac-b68c-4304-b0ad-7658b47fbee8
MD5
354b8209f647a42e2ce36d8cf326cc92

SHA1
98c3117f797df69935f8b09fc9e95accfe3d8346

SHA256
feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239

SHA512
420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_85c7c16f-de6b-4cda-bf8a-ede9c5910d3d
MD5
df44874327d79bd75e4264cb8dc01811

SHA1
1396b06debed65ea93c24998d244edebd3c0209d

SHA256
55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

SHA512
95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_88bbc21d-0468-4d89-ae93-5ef00d27a235
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8a1c91a4-12ac-4f8f-af77-1ce30c1ef0db
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a02197da-f9c8-43e6-9ff1-846e01d2d404
MD5
75a8da7754349b38d64c87c938545b1b

SHA1
5c28c257d51f1c1587e29164cc03ea880c21b417

SHA256
bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

SHA512
798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b771b377-145f-49e9-bf64-45e69646f7b9
MD5
5e3c7184a75d42dda1a83606a45001d8

SHA1
94ca15637721d88f30eb4b6220b805c5be0360ed

SHA256
8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

SHA512
fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c356f451-13b2-41fc-8d4c-54a293efa6e1
MD5
b6d38f250ccc9003dd70efd3b778117f

SHA1
d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

SHA256
4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

SHA512
67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ce569c42-07bf-442e-b377-8e9695c9383c
MD5
be4d72095faf84233ac17b94744f7084

SHA1
cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

SHA256
b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

SHA512
43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dadf780e-0f00-49bb-86e1-35585efd8a97
MD5
a725bb9fafcf91f3c6b7861a2bde6db2

SHA1
8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

SHA256
51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

SHA512
1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e2dde722-a327-4834-8fd5-d88fd6aa6ee0
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
d33728c910c1fe765a5f3734e6e1c6d8

SHA1
80eafafd03369231583aaf2acfdfaf4fa1539dec

SHA256
9b288b112f9b362f4d80713b08229b99a57a721eda57b21dfdb6e848e6c83b18

SHA512
e356b2c915563faf879cc8b8688ea4e4cd8943a1e371fcc546427a999a96ed427b1e73f7516f5c7aed66a7d55d7d11f1add379af1ef23ff81a8493288f3e0c41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
31aa4ad3abde83c5a7365a0005edfc2f

SHA1
26cb187db95f71aef19f7bd99db132fd23c9b4c7

SHA256
570579aa59fed77773fc8cc7d2133a52c6db613bce417360d81620edb955a676

SHA512
ef0bd064e07a0f8b1d08015f73aa43f35289b1c1f493dcdce96b42a3b2d6ef3320bed13f999bca97fd1def1b0771325bc4887791d21397d34b8aeca1cc76655d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
da6b2f28a064aac0e8fb100dea9f1e37

SHA1
38e52d134b54aea39f298bd6e627cedfad1d3667

SHA256
f37e8ba9503b0595b85efdfb355f6c640dfa1b420c81383d554531dcfd43195f

SHA512
569c7f19301b8576813d3920a6995130c17c2a9e4ee8f0a2b856f4601471f420c7f1839690eb4bb223dc8cb7d502ee874a72436c474b8e2ad1dbb059be83db5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
f87abe36bc96a4dfe210f5fd558b838a

SHA1
63148f6ca1bb36182df5aec13a2e27b1da1af02e

SHA256
228b6b8249b5a79e5b68d5ee4e01878f3c5597a1e472c40ce0fa6a4c25b33a42

SHA512
f50dfdc406585ac90799b7e099c0f1d71b90c5092e6bc8fe900290f121bb76c3ee698fa752b38acdb479abaab5c040da3fc41ddab86d81d4fa26451046c4a5cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
e62b95e57a1b20008e02a25a1105e8d8

SHA1
2b9abd6bc6031883be952e063bd75908183464fa

SHA256
82b12512d77c052270c7f2963eb7d0452363c058839fc05bba09a270247bb8ff

SHA512
d4ca46ef8f441ded3de72ca67092a59e1be0ec3cde420c9c31984b8c173662dc3da53afd21d1aee16e0bf23e75e082743a7e8c29f0ff62f4fd7d44a846567b65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
709328ff1b5166324687faf8bac828ac

SHA1
467827855d7ab06ff353261399b2a95136dd4335

SHA256
b9884c7b68447bedf533e1ab0cfb07270c13085ec864648376a13b49108003b6

SHA512
c93c683128c6c3ea44800653300dbf323e59783c39deef2758133690b453dd32944799f234d37198ae2854a0edde87ddebb93bccb87d2cd638eb1dbe0fdbb259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
9b9449e7d0958bcaf9dd7f82b12052c7

SHA1
0a6155016a62b997455be2947c9f000b80eda481

SHA256
8940b5cfdc0033822f0369b7f23c8aa41e5861d25d30ad9e011b6c983780a9a9

SHA512
95d4a49af24be55e8c65c5d822bf74ef92859666c5a7c99200518a1a456fd4a0d985a8704b2c4822659004bc8e592292f8a8416df2592a06b6870e5d235c204e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
ef2c204bb4a9ce1bdbb8fee3f666aa7f

SHA1
b014896ccbb196cac339ef0218f751c6bfa00593

SHA256
4aa0b3220edc3ed567a8567fbd27357a7f2151f6b1547043a5e35741c36f32eb

SHA512
89317ced3747f7b6bd53113f69de97de465d327d9c22639eed3160937aa60b7eb6acedddbed1686539105ca96c42248f80da54c3e35345ded8882815e6757016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
854cb5535d413f6b88352cc3c427b3b3

SHA1
79f1a5c8de31a15e6c309259942c709150b1098a

SHA256
3620c64f9e85482f1344e4d2258fa7153edb2d79316f70abd916c9ed9be49cda

SHA512
8b6b6eb389dc609079bda351a2af6d01a10b5ea76bd03a81b681aa113389f28177e5658b52d0828719c8dad5d8db64e4e5ff9df55277ea674e7b241c0dd804d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
321a1c4a8f77ae2fb4b71d63f859f19f

SHA1
29cdf77d8968c83df84959fbe06f5b07995a1052

SHA256
7a09856d1567062666675f476c9a1f22c0e253db57bbafd9fa7c5ae41d077e25

SHA512
0a79e07b8420ff2722945ed9a0e35369cb456897a7205d9cb9b630ef246157cffe1624a1582a2bb7b11bd79dc6a94f279941c908b36e8040094c7c2ecae5810e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
321a1c4a8f77ae2fb4b71d63f859f19f

SHA1
29cdf77d8968c83df84959fbe06f5b07995a1052

SHA256
7a09856d1567062666675f476c9a1f22c0e253db57bbafd9fa7c5ae41d077e25

SHA512
0a79e07b8420ff2722945ed9a0e35369cb456897a7205d9cb9b630ef246157cffe1624a1582a2bb7b11bd79dc6a94f279941c908b36e8040094c7c2ecae5810e

Download Submit
memory/340-51-0x0000000000000000-mapping.dmp

Download
memory/576-31-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/576-23-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/576-37-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/576-27-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/576-15-0x0000000000000000-mapping.dmp

Download
memory/576-39-0x0000000000B52000-0x0000000000B53000-memory.dmp

Filesize
4KB

Download
memory/680-42-0x0000000004942000-0x0000000004943000-memory.dmp

Filesize
4KB

Download
memory/680-17-0x0000000000000000-mapping.dmp

Download
memory/680-55-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/680-60-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/680-61-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/680-62-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/680-69-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/680-104-0x0000000006300000-0x0000000006301000-memory.dmp

Filesize
4KB

Download
memory/680-79-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/680-105-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/680-38-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/680-26-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1104-21-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1104-47-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1104-41-0x00000000008B2000-0x00000000008B3000-memory.dmp

Filesize
4KB

Download
memory/1104-13-0x0000000000000000-mapping.dmp

Download
memory/1104-36-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1104-43-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1136-52-0x0000000000000000-mapping.dmp

Download
memory/1508-134-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/1508-12-0x0000000000000000-mapping.dmp

Download
memory/1508-40-0x0000000004A32000-0x0000000004A33000-memory.dmp

Filesize
4KB

Download
memory/1508-135-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/1508-35-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1508-14-0x0000000074B31000-0x0000000074B33000-memory.dmp

Filesize
8KB

Download
memory/1508-24-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1668-11-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1668-5-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/1668-2-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1668-3-0x00000000012B0000-0x00000000012B1000-memory.dmp

Filesize
4KB

Download
memory/1732-22-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/1732-8-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1732-9-0x0000000010000000-0x0000000010058000-memory.dmp

Filesize
352KB

Download
memory/1732-6-0x0000000010000000-0x0000000010058000-memory.dmp

Filesize
352KB

Download
memory/1732-7-0x000000001005266E-mapping.dmp

Download
memory/1772-106-0x0000000000000000-mapping.dmp

Download
memory/1772-111-0x0000000001CE0000-0x0000000001CF1000-memory.dmp

Filesize
68KB

Download
memory/1772-137-0x0000000002610000-0x0000000002621000-memory.dmp

Filesize
68KB

Download
memory/1772-152-0x0000000001B90000-0x0000000001B91000-memory.dmp

Filesize
4KB

Download
memory/1896-121-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1896-100-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-88-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1896-92-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/1896-91-0x000000000043763E-mapping.dmp

Download
memory/1896-153-0x00000000009A1000-0x00000000009A2000-memory.dmp

Filesize
4KB

Download