agenttesla | 1e6cf0bf090cbdb064a483cacc7bb094759083e8b5f199be562e30fed979398f

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7v20201028
submitted
01-03-2021 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

215b737d29d0253752bd2063777bbc62.exe
Size

884KB
MD5

215b737d29d0253752bd2063777bbc62
SHA1

860326f7ed714e3d5c42d1451a86730d48defcd8
SHA256

1e6cf0bf090cbdb064a483cacc7bb094759083e8b5f199be562e30fed979398f
SHA512

ccf277d2f018de03d49ad4a333fb0bcc2b2a5fcfcf0fac36521172a44603fb142939f94b01040e291e253a95093dfd9ce418d443a650ddaad83e0b08e9e72e2a

Score

10^/10

agenttesla darkcomet nanocore evasion keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

amariceo.duckdns.org:60400

Mutex

4a907de4-4fbf-4a20-a3ea-e50e28a3d397

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-12-09T13:09:41.583551436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
60400
default_group
Demand
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4a907de4-4fbf-4a20-a3ea-e50e28a3d397
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
amariceo.duckdns.org
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

agenttesla

https://api.telegram.org/bot1420497617:AAEpfMqK6KH0rB8KjZ-jw5W75IIVB2OSkHE/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe	family_agenttesla

Executes dropped EXE 12 IoCs

Processes:

Regsvc1‌.exeRegsvcN.exeRegsvcD.exeRegsvcO.exeRegsvc1‌.exeRegsvcN.exeRegsvcD.exeRegsvcO.exeRegsvc1‌.exeRegsvcN.exeRegsvcD.exeRegsvcO.exe

pid	process
1636	Regsvc1‌.exe
524	RegsvcN.exe
1428	RegsvcD.exe
824	RegsvcO.exe
956	Regsvc1‌.exe
112	RegsvcN.exe
240	RegsvcD.exe
456	RegsvcO.exe
1168	Regsvc1‌.exe
1780	RegsvcN.exe
2032	RegsvcD.exe
1752	RegsvcO.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe	upx
C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe	upx
C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe	upx
C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegsvcN.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Manager = "C:\\Program Files (x86)\\NTFS Manager\\ntfsmgr.exe"	RegsvcN.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegsvcN.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegsvcN.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegsvcN.exe

Drops file in Program Files directory 2 IoCs

Processes:

RegsvcN.exe

description	ioc	process
File created	C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe	RegsvcN.exe
File opened for modification	C:\Program Files (x86)\NTFS Manager\ntfsmgr.exe	RegsvcN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1736 schtasks.exe
1632 schtasks.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

RegsvcO.exeRegsvcN.exeRegsvcO.exeRegsvcO.exe

pid process

824 RegsvcO.exe
824 RegsvcO.exe
524 RegsvcN.exe
524 RegsvcN.exe
524 RegsvcN.exe
456 RegsvcO.exe
456 RegsvcO.exe
1752 RegsvcO.exe
1752 RegsvcO.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegsvcN.exe

pid process

524 RegsvcN.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

RegsvcO.exe

pid process

456 RegsvcO.exe

pid	process
1736	schtasks.exe
1632	schtasks.exe

pid	process
824	RegsvcO.exe
824	RegsvcO.exe
524	RegsvcN.exe
524	RegsvcN.exe
524	RegsvcN.exe
456	RegsvcO.exe
456	RegsvcO.exe
1752	RegsvcO.exe
1752	RegsvcO.exe

pid	process
524	RegsvcN.exe

pid	process
456	RegsvcO.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RegsvcD.exeRegsvcO.exeRegsvcN.exeRegsvcD.exeRegsvcO.exeRegsvcD.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1428	RegsvcD.exe
Token: SeSecurityPrivilege	1428	RegsvcD.exe
Token: SeTakeOwnershipPrivilege	1428	RegsvcD.exe
Token: SeLoadDriverPrivilege	1428	RegsvcD.exe
Token: SeSystemProfilePrivilege	1428	RegsvcD.exe
Token: SeSystemtimePrivilege	1428	RegsvcD.exe
Token: SeProfSingleProcessPrivilege	1428	RegsvcD.exe
Token: SeIncBasePriorityPrivilege	1428	RegsvcD.exe
Token: SeCreatePagefilePrivilege	1428	RegsvcD.exe
Token: SeBackupPrivilege	1428	RegsvcD.exe
Token: SeRestorePrivilege	1428	RegsvcD.exe
Token: SeShutdownPrivilege	1428	RegsvcD.exe
Token: SeDebugPrivilege	1428	RegsvcD.exe
Token: SeSystemEnvironmentPrivilege	1428	RegsvcD.exe
Token: SeChangeNotifyPrivilege	1428	RegsvcD.exe
Token: SeRemoteShutdownPrivilege	1428	RegsvcD.exe
Token: SeUndockPrivilege	1428	RegsvcD.exe
Token: SeManageVolumePrivilege	1428	RegsvcD.exe
Token: SeImpersonatePrivilege	1428	RegsvcD.exe
Token: SeCreateGlobalPrivilege	1428	RegsvcD.exe
Token: 33	1428	RegsvcD.exe
Token: 34	1428	RegsvcD.exe
Token: 35	1428	RegsvcD.exe
Token: SeDebugPrivilege	824	RegsvcO.exe
Token: SeDebugPrivilege	524	RegsvcN.exe
Token: SeIncreaseQuotaPrivilege	240	RegsvcD.exe
Token: SeSecurityPrivilege	240	RegsvcD.exe
Token: SeTakeOwnershipPrivilege	240	RegsvcD.exe
Token: SeLoadDriverPrivilege	240	RegsvcD.exe
Token: SeSystemProfilePrivilege	240	RegsvcD.exe
Token: SeSystemtimePrivilege	240	RegsvcD.exe
Token: SeProfSingleProcessPrivilege	240	RegsvcD.exe
Token: SeIncBasePriorityPrivilege	240	RegsvcD.exe
Token: SeCreatePagefilePrivilege	240	RegsvcD.exe
Token: SeBackupPrivilege	240	RegsvcD.exe
Token: SeRestorePrivilege	240	RegsvcD.exe
Token: SeShutdownPrivilege	240	RegsvcD.exe
Token: SeDebugPrivilege	240	RegsvcD.exe
Token: SeSystemEnvironmentPrivilege	240	RegsvcD.exe
Token: SeChangeNotifyPrivilege	240	RegsvcD.exe
Token: SeRemoteShutdownPrivilege	240	RegsvcD.exe
Token: SeUndockPrivilege	240	RegsvcD.exe
Token: SeManageVolumePrivilege	240	RegsvcD.exe
Token: SeImpersonatePrivilege	240	RegsvcD.exe
Token: SeCreateGlobalPrivilege	240	RegsvcD.exe
Token: 33	240	RegsvcD.exe
Token: 34	240	RegsvcD.exe
Token: 35	240	RegsvcD.exe
Token: SeDebugPrivilege	456	RegsvcO.exe
Token: SeIncreaseQuotaPrivilege	2032	RegsvcD.exe
Token: SeSecurityPrivilege	2032	RegsvcD.exe
Token: SeTakeOwnershipPrivilege	2032	RegsvcD.exe
Token: SeLoadDriverPrivilege	2032	RegsvcD.exe
Token: SeSystemProfilePrivilege	2032	RegsvcD.exe
Token: SeSystemtimePrivilege	2032	RegsvcD.exe
Token: SeProfSingleProcessPrivilege	2032	RegsvcD.exe
Token: SeIncBasePriorityPrivilege	2032	RegsvcD.exe
Token: SeCreatePagefilePrivilege	2032	RegsvcD.exe
Token: SeBackupPrivilege	2032	RegsvcD.exe
Token: SeRestorePrivilege	2032	RegsvcD.exe
Token: SeShutdownPrivilege	2032	RegsvcD.exe
Token: SeDebugPrivilege	2032	RegsvcD.exe
Token: SeSystemEnvironmentPrivilege	2032	RegsvcD.exe
Token: SeChangeNotifyPrivilege	2032	RegsvcD.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RegsvcD.exe

pid process

1428 RegsvcD.exe

pid	process
1428	RegsvcD.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

215b737d29d0253752bd2063777bbc62.exetaskeng.exeRegsvc1‌.exeRegsvcN.exeRegsvc1‌.exeRegsvc1‌.exe

description	pid	process	target process
PID 548 wrote to memory of 1240	548	215b737d29d0253752bd2063777bbc62.exe	schtasks.exe
PID 548 wrote to memory of 1240	548	215b737d29d0253752bd2063777bbc62.exe	schtasks.exe
PID 548 wrote to memory of 1240	548	215b737d29d0253752bd2063777bbc62.exe	schtasks.exe
PID 1872 wrote to memory of 1636	1872	taskeng.exe	Regsvc1‌.exe
PID 1872 wrote to memory of 1636	1872	taskeng.exe	Regsvc1‌.exe
PID 1872 wrote to memory of 1636	1872	taskeng.exe	Regsvc1‌.exe
PID 1636 wrote to memory of 524	1636	Regsvc1‌.exe	RegsvcN.exe
PID 1636 wrote to memory of 524	1636	Regsvc1‌.exe	RegsvcN.exe
PID 1636 wrote to memory of 524	1636	Regsvc1‌.exe	RegsvcN.exe
PID 1636 wrote to memory of 524	1636	Regsvc1‌.exe	RegsvcN.exe
PID 1636 wrote to memory of 1428	1636	Regsvc1‌.exe	RegsvcD.exe
PID 1636 wrote to memory of 1428	1636	Regsvc1‌.exe	RegsvcD.exe
PID 1636 wrote to memory of 1428	1636	Regsvc1‌.exe	RegsvcD.exe
PID 1636 wrote to memory of 1428	1636	Regsvc1‌.exe	RegsvcD.exe
PID 1636 wrote to memory of 824	1636	Regsvc1‌.exe	RegsvcO.exe
PID 1636 wrote to memory of 824	1636	Regsvc1‌.exe	RegsvcO.exe
PID 1636 wrote to memory of 824	1636	Regsvc1‌.exe	RegsvcO.exe
PID 1636 wrote to memory of 824	1636	Regsvc1‌.exe	RegsvcO.exe
PID 524 wrote to memory of 1736	524	RegsvcN.exe	schtasks.exe
PID 524 wrote to memory of 1736	524	RegsvcN.exe	schtasks.exe
PID 524 wrote to memory of 1736	524	RegsvcN.exe	schtasks.exe
PID 524 wrote to memory of 1736	524	RegsvcN.exe	schtasks.exe
PID 524 wrote to memory of 1632	524	RegsvcN.exe	schtasks.exe
PID 524 wrote to memory of 1632	524	RegsvcN.exe	schtasks.exe
PID 524 wrote to memory of 1632	524	RegsvcN.exe	schtasks.exe
PID 524 wrote to memory of 1632	524	RegsvcN.exe	schtasks.exe
PID 1872 wrote to memory of 956	1872	taskeng.exe	Regsvc1‌.exe
PID 1872 wrote to memory of 956	1872	taskeng.exe	Regsvc1‌.exe
PID 1872 wrote to memory of 956	1872	taskeng.exe	Regsvc1‌.exe
PID 956 wrote to memory of 112	956	Regsvc1‌.exe	RegsvcN.exe
PID 956 wrote to memory of 112	956	Regsvc1‌.exe	RegsvcN.exe
PID 956 wrote to memory of 112	956	Regsvc1‌.exe	RegsvcN.exe
PID 956 wrote to memory of 112	956	Regsvc1‌.exe	RegsvcN.exe
PID 956 wrote to memory of 240	956	Regsvc1‌.exe	RegsvcD.exe
PID 956 wrote to memory of 240	956	Regsvc1‌.exe	RegsvcD.exe
PID 956 wrote to memory of 240	956	Regsvc1‌.exe	RegsvcD.exe
PID 956 wrote to memory of 240	956	Regsvc1‌.exe	RegsvcD.exe
PID 956 wrote to memory of 456	956	Regsvc1‌.exe	RegsvcO.exe
PID 956 wrote to memory of 456	956	Regsvc1‌.exe	RegsvcO.exe
PID 956 wrote to memory of 456	956	Regsvc1‌.exe	RegsvcO.exe
PID 956 wrote to memory of 456	956	Regsvc1‌.exe	RegsvcO.exe
PID 1872 wrote to memory of 1168	1872	taskeng.exe	Regsvc1‌.exe
PID 1872 wrote to memory of 1168	1872	taskeng.exe	Regsvc1‌.exe
PID 1872 wrote to memory of 1168	1872	taskeng.exe	Regsvc1‌.exe
PID 1168 wrote to memory of 1780	1168	Regsvc1‌.exe	RegsvcN.exe
PID 1168 wrote to memory of 1780	1168	Regsvc1‌.exe	RegsvcN.exe
PID 1168 wrote to memory of 1780	1168	Regsvc1‌.exe	RegsvcN.exe
PID 1168 wrote to memory of 1780	1168	Regsvc1‌.exe	RegsvcN.exe
PID 1168 wrote to memory of 2032	1168	Regsvc1‌.exe	RegsvcD.exe
PID 1168 wrote to memory of 2032	1168	Regsvc1‌.exe	RegsvcD.exe
PID 1168 wrote to memory of 2032	1168	Regsvc1‌.exe	RegsvcD.exe
PID 1168 wrote to memory of 2032	1168	Regsvc1‌.exe	RegsvcD.exe
PID 1168 wrote to memory of 1752	1168	Regsvc1‌.exe	RegsvcO.exe
PID 1168 wrote to memory of 1752	1168	Regsvc1‌.exe	RegsvcO.exe
PID 1168 wrote to memory of 1752	1168	Regsvc1‌.exe	RegsvcO.exe
PID 1168 wrote to memory of 1752	1168	Regsvc1‌.exe	RegsvcO.exe

C:\Users\Admin\AppData\Local\Temp\215b737d29d0253752bd2063777bbc62.exe
"C:\Users\Admin\AppData\Local\Temp\215b737d29d0253752bd2063777bbc62.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\system32\schtasks.exe
schtasks /run /TN "Update"
2⤵
PID:1240

C:\Windows\system32\taskeng.exe
taskeng.exe {BEEF7490-8E1A-4986-8612-E20827E60876} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\Regsvc1‌.exe
C:\Users\Admin\AppData\Local\Temp\Regsvc1‌.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\RegsvcN.exe
"C:\Users\Admin\AppData\Local\Temp\RegsvcN.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp88EE.tmp"
4⤵
- Creates scheduled task(s)
PID:1736

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8E8A.tmp"
4⤵
- Creates scheduled task(s)
PID:1632

C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe
"C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe
"C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Users\Admin\AppData\Local\Temp\Regsvc1‌.exe
C:\Users\Admin\AppData\Local\Temp\Regsvc1‌.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\RegsvcN.exe
"C:\Users\Admin\AppData\Local\Temp\RegsvcN.exe"
3⤵
- Executes dropped EXE
PID:112

C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe
"C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:240

C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe
"C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Users\Admin\AppData\Local\Temp\Regsvc1‌.exe
C:\Users\Admin\AppData\Local\Temp\Regsvc1‌.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\RegsvcN.exe
"C:\Users\Admin\AppData\Local\Temp\RegsvcN.exe"
3⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe
"C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2032

C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe
"C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Regsvc1‌.exe
MD5
360cdd3b5042160e63061f805025f738

SHA1
350ed5ef071245ed694fbeca0044eb14b20bea91

SHA256
83a5d6da50195774a35e46a89d8d9854b4282ec5a3fffa02fa0f7c90d274117f

SHA512
4d5aa1595f88a5dab7d7a3617307613f4da5a5cfc7c7edc1ade7437c824cca4d531391cb5f526f75d9f66ee59befb72a81133f3ca4da99456b43f54b5a640538

Download Submit
C:\Users\Admin\AppData\Local\Temp\Regsvc1‌.exe
MD5
360cdd3b5042160e63061f805025f738

SHA1
350ed5ef071245ed694fbeca0044eb14b20bea91

SHA256
83a5d6da50195774a35e46a89d8d9854b4282ec5a3fffa02fa0f7c90d274117f

SHA512
4d5aa1595f88a5dab7d7a3617307613f4da5a5cfc7c7edc1ade7437c824cca4d531391cb5f526f75d9f66ee59befb72a81133f3ca4da99456b43f54b5a640538

Download Submit
C:\Users\Admin\AppData\Local\Temp\Regsvc1‌.exe
MD5
360cdd3b5042160e63061f805025f738

SHA1
350ed5ef071245ed694fbeca0044eb14b20bea91

SHA256
83a5d6da50195774a35e46a89d8d9854b4282ec5a3fffa02fa0f7c90d274117f

SHA512
4d5aa1595f88a5dab7d7a3617307613f4da5a5cfc7c7edc1ade7437c824cca4d531391cb5f526f75d9f66ee59befb72a81133f3ca4da99456b43f54b5a640538

Download Submit
C:\Users\Admin\AppData\Local\Temp\Regsvc1‌.exe
MD5
360cdd3b5042160e63061f805025f738

SHA1
350ed5ef071245ed694fbeca0044eb14b20bea91

SHA256
83a5d6da50195774a35e46a89d8d9854b4282ec5a3fffa02fa0f7c90d274117f

SHA512
4d5aa1595f88a5dab7d7a3617307613f4da5a5cfc7c7edc1ade7437c824cca4d531391cb5f526f75d9f66ee59befb72a81133f3ca4da99456b43f54b5a640538

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe
MD5
df163959a04ffeb139ac39b85366436d

SHA1
1b2677656c08eaac7d22bb5c3328252eb37d9225

SHA256
68d9e5651e4bf817e03e75823af3f06dd1757b225d917cdf32a3ab1776f6c863

SHA512
87ab7a800ae550b1d1f2cb4bf366f530d675b55b70dfe64b9302651e02c16c241ea4b8ab983a70ba53ec7c0df34c7835b1110da6dd47522ab44f0d6d8abf40a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe
MD5
df163959a04ffeb139ac39b85366436d

SHA1
1b2677656c08eaac7d22bb5c3328252eb37d9225

SHA256
68d9e5651e4bf817e03e75823af3f06dd1757b225d917cdf32a3ab1776f6c863

SHA512
87ab7a800ae550b1d1f2cb4bf366f530d675b55b70dfe64b9302651e02c16c241ea4b8ab983a70ba53ec7c0df34c7835b1110da6dd47522ab44f0d6d8abf40a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe
MD5
df163959a04ffeb139ac39b85366436d

SHA1
1b2677656c08eaac7d22bb5c3328252eb37d9225

SHA256
68d9e5651e4bf817e03e75823af3f06dd1757b225d917cdf32a3ab1776f6c863

SHA512
87ab7a800ae550b1d1f2cb4bf366f530d675b55b70dfe64b9302651e02c16c241ea4b8ab983a70ba53ec7c0df34c7835b1110da6dd47522ab44f0d6d8abf40a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegsvcD.exe
MD5
df163959a04ffeb139ac39b85366436d

SHA1
1b2677656c08eaac7d22bb5c3328252eb37d9225

SHA256
68d9e5651e4bf817e03e75823af3f06dd1757b225d917cdf32a3ab1776f6c863

SHA512
87ab7a800ae550b1d1f2cb4bf366f530d675b55b70dfe64b9302651e02c16c241ea4b8ab983a70ba53ec7c0df34c7835b1110da6dd47522ab44f0d6d8abf40a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegsvcN.exe
MD5
1c9e137f411d6b0a917ae802986b5ced

SHA1
2465cb3bb9b559959be9ef1b1f81a1fa59c64bcc

SHA256
ce040f9900f6c878b1bebd40b9a8cc5311068f4e2c7f3f137c1555eed42bbc2f

SHA512
af89bc9b9e3ace8458f77673a7810d5586636eb7aca99803501eab635bf1281b74812448ecd204cb3d9d4a5861617f4264c86440fa2b5d2b9bfb91876c69bd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegsvcN.exe
MD5
1c9e137f411d6b0a917ae802986b5ced

SHA1
2465cb3bb9b559959be9ef1b1f81a1fa59c64bcc

SHA256
ce040f9900f6c878b1bebd40b9a8cc5311068f4e2c7f3f137c1555eed42bbc2f

SHA512
af89bc9b9e3ace8458f77673a7810d5586636eb7aca99803501eab635bf1281b74812448ecd204cb3d9d4a5861617f4264c86440fa2b5d2b9bfb91876c69bd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegsvcN.exe
MD5
1c9e137f411d6b0a917ae802986b5ced

SHA1
2465cb3bb9b559959be9ef1b1f81a1fa59c64bcc

SHA256
ce040f9900f6c878b1bebd40b9a8cc5311068f4e2c7f3f137c1555eed42bbc2f

SHA512
af89bc9b9e3ace8458f77673a7810d5586636eb7aca99803501eab635bf1281b74812448ecd204cb3d9d4a5861617f4264c86440fa2b5d2b9bfb91876c69bd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegsvcN.exe
MD5
1c9e137f411d6b0a917ae802986b5ced

SHA1
2465cb3bb9b559959be9ef1b1f81a1fa59c64bcc

SHA256
ce040f9900f6c878b1bebd40b9a8cc5311068f4e2c7f3f137c1555eed42bbc2f

SHA512
af89bc9b9e3ace8458f77673a7810d5586636eb7aca99803501eab635bf1281b74812448ecd204cb3d9d4a5861617f4264c86440fa2b5d2b9bfb91876c69bd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe
MD5
ea1a6a5dbf1fa559bac83a0fb9515c1f

SHA1
c7c46cc2c7d2db16238f61b8bda8ef09f333d2fc

SHA256
16fe8211dee1c56b1699402208f0a8f4ac8cdcf1fb00a7255028590e2afbe54f

SHA512
acfaf9900cb8988e627d5d063854b1209294baa51c0a7bb5e50af211a30deb45719cba8231c04db30113f6af896c6bfb8dde6d8dc1142f8609cb7904525ffd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe
MD5
ea1a6a5dbf1fa559bac83a0fb9515c1f

SHA1
c7c46cc2c7d2db16238f61b8bda8ef09f333d2fc

SHA256
16fe8211dee1c56b1699402208f0a8f4ac8cdcf1fb00a7255028590e2afbe54f

SHA512
acfaf9900cb8988e627d5d063854b1209294baa51c0a7bb5e50af211a30deb45719cba8231c04db30113f6af896c6bfb8dde6d8dc1142f8609cb7904525ffd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe
MD5
ea1a6a5dbf1fa559bac83a0fb9515c1f

SHA1
c7c46cc2c7d2db16238f61b8bda8ef09f333d2fc

SHA256
16fe8211dee1c56b1699402208f0a8f4ac8cdcf1fb00a7255028590e2afbe54f

SHA512
acfaf9900cb8988e627d5d063854b1209294baa51c0a7bb5e50af211a30deb45719cba8231c04db30113f6af896c6bfb8dde6d8dc1142f8609cb7904525ffd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegsvcO.exe
MD5
ea1a6a5dbf1fa559bac83a0fb9515c1f

SHA1
c7c46cc2c7d2db16238f61b8bda8ef09f333d2fc

SHA256
16fe8211dee1c56b1699402208f0a8f4ac8cdcf1fb00a7255028590e2afbe54f

SHA512
acfaf9900cb8988e627d5d063854b1209294baa51c0a7bb5e50af211a30deb45719cba8231c04db30113f6af896c6bfb8dde6d8dc1142f8609cb7904525ffd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp88EE.tmp
MD5
1d3dd58f1acb304cdc508900d282dfe1

SHA1
ce6bc8c52f38ae32f5a7d0e8a4018f97052a13e9

SHA256
315ab95cefefcd0171a890004bc85be1dc572a51a6032d433743d52b7b149c54

SHA512
869b14a945c580e6e7072b4bad6279e9eac159bf42e32c09474855c230cd1c3c940dfeb3c30accd5b8a7db62f05ccf5f408a8e25762aca2c0eca0b6883fb45a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E8A.tmp
MD5
41808f05a9aa523d0ef506d4993f1d6c

SHA1
5a228145decf63ebbbd673c9b7c08a86236a22d4

SHA256
f76bd5da395a725b5998efab9a5d3160657cf2d44a8be83fa24af6ba29acf731

SHA512
7cf71f8fd8dccaa8cf2c724afca3178be8b7a6e0cc6e4b44990e96413bd0dac8248e2bcfa1bb82da05efb6c4b46649722c20ce14cf4a44f1720e18732bd9246e

Download Submit
memory/112-38-0x0000000000000000-mapping.dmp

Download
memory/112-49-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/240-50-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/240-40-0x0000000000000000-mapping.dmp

Download
memory/456-51-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/456-46-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/456-42-0x0000000000000000-mapping.dmp

Download
memory/524-25-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/524-12-0x0000000000000000-mapping.dmp

Download
memory/548-3-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/548-2-0x000007FEF6960000-0x000007FEF734C000-memory.dmp

Filesize
9.9MB

Download
memory/824-28-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/824-21-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/824-17-0x0000000000000000-mapping.dmp

Download
memory/824-22-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/956-36-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/956-35-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

Filesize
9.9MB

Download
memory/956-33-0x0000000000000000-mapping.dmp

Download
memory/1168-54-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/1168-52-0x0000000000000000-mapping.dmp

Download
memory/1240-5-0x0000000000000000-mapping.dmp

Download
memory/1428-15-0x0000000000000000-mapping.dmp

Download
memory/1428-20-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1428-27-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1632-31-0x0000000000000000-mapping.dmp

Download
memory/1636-10-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1636-6-0x0000000000000000-mapping.dmp

Download
memory/1636-9-0x000007FEF59E0000-0x000007FEF63CC000-memory.dmp

Filesize
9.9MB

Download
memory/1736-29-0x0000000000000000-mapping.dmp

Download
memory/1752-62-0x0000000000000000-mapping.dmp

Download
memory/1752-67-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/1752-70-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/1780-57-0x0000000000000000-mapping.dmp

Download
memory/1780-66-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2032-59-0x0000000000000000-mapping.dmp

Download
memory/2032-65-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download