agenttesla | a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-en
submitted
15-09-2021 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cecfa83ee6ea6dd1de38462bbedf15c.exe
Size

761KB
MD5

0cecfa83ee6ea6dd1de38462bbedf15c
SHA1

de4dde34707658d98f50de8cf2a182bf7ded2a45
SHA256

a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2
SHA512

cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
princeprice@voodome.com
Password:
princeprice@11

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2200-108-0x000000000043764E-mapping.dmp	family_agenttesla
behavioral1/memory/2200-112-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2200-106-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2936-151-0x000000000043764E-mapping.dmp	family_agenttesla
behavioral1/memory/2796-159-0x0000000002410000-0x000000000305A000-memory.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 14 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe481F404B.exeAdvancedRun.exeAdvancedRun.exe

pid process

1356 AdvancedRun.exe
1948 AdvancedRun.exe
1596 481F404B.exe
2548 AdvancedRun.exe
2600 AdvancedRun.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

481F404B.exe0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	481F404B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	481F404B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Drops startup file 2 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Loads dropped DLL 10 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exeAdvancedRun.exe481F404B.exeAdvancedRun.exe

pid	process
1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe
1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe
1356	AdvancedRun.exe
1356	AdvancedRun.exe
1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe
1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe
1596	481F404B.exe
1596	481F404B.exe
2548	AdvancedRun.exe
2548	AdvancedRun.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe481F404B.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\481F404B = "C:\\Windows\\Resources\\Themes\\aero\\Shell\\4B6A7152\\svchost.exe"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\481F404B = "C:\\Windows\\Resources\\Themes\\aero\\Shell\\4B6A7152\\svchost.exe"	481F404B.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe481F404B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	481F404B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	481F404B.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe481F404B.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	481F404B.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	481F404B.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe481F404B.exe

description	pid	process	target process
PID 1316 set thread context of 2200	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1596 set thread context of 2936	1596	481F404B.exe	aspnet_compiler.exe

Drops file in Windows directory 1 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description ioc process

File created C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe 0cecfa83ee6ea6dd1de38462bbedf15c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeaspnet_compiler.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exeaspnet_compiler.exepowershell.exepowershell.exe

pid	process
1356	AdvancedRun.exe
1356	AdvancedRun.exe
1948	AdvancedRun.exe
1948	AdvancedRun.exe
1616	powershell.exe
292	powershell.exe
756	powershell.exe
800	powershell.exe
1584	powershell.exe
672	powershell.exe
524	powershell.exe
1504	powershell.exe
2200	aspnet_compiler.exe
2200	aspnet_compiler.exe
2548	AdvancedRun.exe
2548	AdvancedRun.exe
2600	AdvancedRun.exe
2600	AdvancedRun.exe
2668	powershell.exe
2692	powershell.exe
2756	powershell.exe
2936	aspnet_compiler.exe
2936	aspnet_compiler.exe
2724	powershell.exe
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe0cecfa83ee6ea6dd1de38462bbedf15c.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeaspnet_compiler.exeAdvancedRun.exeAdvancedRun.exe481F404B.exepowershell.exepowershell.exepowershell.exeaspnet_compiler.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1356	AdvancedRun.exe
Token: SeImpersonatePrivilege	1356	AdvancedRun.exe
Token: SeDebugPrivilege	1948	AdvancedRun.exe
Token: SeImpersonatePrivilege	1948	AdvancedRun.exe
Token: SeDebugPrivilege	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	2200	aspnet_compiler.exe
Token: SeDebugPrivilege	2548	AdvancedRun.exe
Token: SeImpersonatePrivilege	2548	AdvancedRun.exe
Token: SeDebugPrivilege	2600	AdvancedRun.exe
Token: SeImpersonatePrivilege	2600	AdvancedRun.exe
Token: SeDebugPrivilege	1596	481F404B.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2936	aspnet_compiler.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_compiler.exe

pid process

2936 aspnet_compiler.exe

pid	process
2936	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exeAdvancedRun.exe481F404B.exeAdvancedRun.exe

description	pid	process	target process
PID 1316 wrote to memory of 1356	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 1316 wrote to memory of 1356	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 1316 wrote to memory of 1356	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 1316 wrote to memory of 1356	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 1356 wrote to memory of 1948	1356	AdvancedRun.exe	AdvancedRun.exe
PID 1356 wrote to memory of 1948	1356	AdvancedRun.exe	AdvancedRun.exe
PID 1356 wrote to memory of 1948	1356	AdvancedRun.exe	AdvancedRun.exe
PID 1356 wrote to memory of 1948	1356	AdvancedRun.exe	AdvancedRun.exe
PID 1316 wrote to memory of 800	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 800	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 800	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 800	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 292	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 292	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 292	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 292	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 1616	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 1616	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 1616	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 1616	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 1584	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 1584	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 1584	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 1584	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 756	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 756	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 756	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 756	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 1596	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 1316 wrote to memory of 1596	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 1316 wrote to memory of 1596	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 1316 wrote to memory of 1596	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 1316 wrote to memory of 524	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 524	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 524	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 524	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 672	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 672	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 672	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 672	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 1504	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 1504	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 1504	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 1504	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1316 wrote to memory of 2200	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1316 wrote to memory of 2200	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1316 wrote to memory of 2200	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1316 wrote to memory of 2200	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1316 wrote to memory of 2200	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1316 wrote to memory of 2200	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1316 wrote to memory of 2200	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1316 wrote to memory of 2200	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1316 wrote to memory of 2200	1316	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1596 wrote to memory of 2548	1596	481F404B.exe	AdvancedRun.exe
PID 1596 wrote to memory of 2548	1596	481F404B.exe	AdvancedRun.exe
PID 1596 wrote to memory of 2548	1596	481F404B.exe	AdvancedRun.exe
PID 1596 wrote to memory of 2548	1596	481F404B.exe	AdvancedRun.exe
PID 2548 wrote to memory of 2600	2548	AdvancedRun.exe	AdvancedRun.exe
PID 2548 wrote to memory of 2600	2548	AdvancedRun.exe	AdvancedRun.exe
PID 2548 wrote to memory of 2600	2548	AdvancedRun.exe	AdvancedRun.exe
PID 2548 wrote to memory of 2600	2548	AdvancedRun.exe	AdvancedRun.exe
PID 1596 wrote to memory of 2668	1596	481F404B.exe	powershell.exe
PID 1596 wrote to memory of 2668	1596	481F404B.exe	powershell.exe
PID 1596 wrote to memory of 2668	1596	481F404B.exe	powershell.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe481F404B.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	481F404B.exe

C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe
"C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1316

C:\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe" /SpecialRun 4101d8 1356
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1596

C:\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe" /SpecialRun 4101d8 2548
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
080b16d66a964f17391fee4fe7e1a8aa

SHA1
37e8e1cb1c1c709605d7312c020286824c4d1690

SHA256
be713cf4c2a0334bf8a9a8faad02c77371e1624a6115b736b85b3274ddd13667

SHA512
6c2922bc4539330421f170f0da3e74d28724087d21c3d3ae34cf101c623b4599aa2b961a35780f718828fcd4de76bbaab12557e4ac4d9abd87e873d64d20e4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
080b16d66a964f17391fee4fe7e1a8aa

SHA1
37e8e1cb1c1c709605d7312c020286824c4d1690

SHA256
be713cf4c2a0334bf8a9a8faad02c77371e1624a6115b736b85b3274ddd13667

SHA512
6c2922bc4539330421f170f0da3e74d28724087d21c3d3ae34cf101c623b4599aa2b961a35780f718828fcd4de76bbaab12557e4ac4d9abd87e873d64d20e4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
080b16d66a964f17391fee4fe7e1a8aa

SHA1
37e8e1cb1c1c709605d7312c020286824c4d1690

SHA256
be713cf4c2a0334bf8a9a8faad02c77371e1624a6115b736b85b3274ddd13667

SHA512
6c2922bc4539330421f170f0da3e74d28724087d21c3d3ae34cf101c623b4599aa2b961a35780f718828fcd4de76bbaab12557e4ac4d9abd87e873d64d20e4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
080b16d66a964f17391fee4fe7e1a8aa

SHA1
37e8e1cb1c1c709605d7312c020286824c4d1690

SHA256
be713cf4c2a0334bf8a9a8faad02c77371e1624a6115b736b85b3274ddd13667

SHA512
6c2922bc4539330421f170f0da3e74d28724087d21c3d3ae34cf101c623b4599aa2b961a35780f718828fcd4de76bbaab12557e4ac4d9abd87e873d64d20e4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
080b16d66a964f17391fee4fe7e1a8aa

SHA1
37e8e1cb1c1c709605d7312c020286824c4d1690

SHA256
be713cf4c2a0334bf8a9a8faad02c77371e1624a6115b736b85b3274ddd13667

SHA512
6c2922bc4539330421f170f0da3e74d28724087d21c3d3ae34cf101c623b4599aa2b961a35780f718828fcd4de76bbaab12557e4ac4d9abd87e873d64d20e4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
080b16d66a964f17391fee4fe7e1a8aa

SHA1
37e8e1cb1c1c709605d7312c020286824c4d1690

SHA256
be713cf4c2a0334bf8a9a8faad02c77371e1624a6115b736b85b3274ddd13667

SHA512
6c2922bc4539330421f170f0da3e74d28724087d21c3d3ae34cf101c623b4599aa2b961a35780f718828fcd4de76bbaab12557e4ac4d9abd87e873d64d20e4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
080b16d66a964f17391fee4fe7e1a8aa

SHA1
37e8e1cb1c1c709605d7312c020286824c4d1690

SHA256
be713cf4c2a0334bf8a9a8faad02c77371e1624a6115b736b85b3274ddd13667

SHA512
6c2922bc4539330421f170f0da3e74d28724087d21c3d3ae34cf101c623b4599aa2b961a35780f718828fcd4de76bbaab12557e4ac4d9abd87e873d64d20e4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
080b16d66a964f17391fee4fe7e1a8aa

SHA1
37e8e1cb1c1c709605d7312c020286824c4d1690

SHA256
be713cf4c2a0334bf8a9a8faad02c77371e1624a6115b736b85b3274ddd13667

SHA512
6c2922bc4539330421f170f0da3e74d28724087d21c3d3ae34cf101c623b4599aa2b961a35780f718828fcd4de76bbaab12557e4ac4d9abd87e873d64d20e4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
080b16d66a964f17391fee4fe7e1a8aa

SHA1
37e8e1cb1c1c709605d7312c020286824c4d1690

SHA256
be713cf4c2a0334bf8a9a8faad02c77371e1624a6115b736b85b3274ddd13667

SHA512
6c2922bc4539330421f170f0da3e74d28724087d21c3d3ae34cf101c623b4599aa2b961a35780f718828fcd4de76bbaab12557e4ac4d9abd87e873d64d20e4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
080b16d66a964f17391fee4fe7e1a8aa

SHA1
37e8e1cb1c1c709605d7312c020286824c4d1690

SHA256
be713cf4c2a0334bf8a9a8faad02c77371e1624a6115b736b85b3274ddd13667

SHA512
6c2922bc4539330421f170f0da3e74d28724087d21c3d3ae34cf101c623b4599aa2b961a35780f718828fcd4de76bbaab12557e4ac4d9abd87e873d64d20e4b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
MD5
0cecfa83ee6ea6dd1de38462bbedf15c

SHA1
de4dde34707658d98f50de8cf2a182bf7ded2a45

SHA256
a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

SHA512
cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
MD5
0cecfa83ee6ea6dd1de38462bbedf15c

SHA1
de4dde34707658d98f50de8cf2a182bf7ded2a45

SHA256
a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

SHA512
cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\d6dbfa94-3af2-45e6-8eeb-557e38ce5687\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\ecdadbef-0e85-4d06-9d40-4f1f07fd6fe0\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
MD5
0cecfa83ee6ea6dd1de38462bbedf15c

SHA1
de4dde34707658d98f50de8cf2a182bf7ded2a45

SHA256
a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

SHA512
cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
MD5
0cecfa83ee6ea6dd1de38462bbedf15c

SHA1
de4dde34707658d98f50de8cf2a182bf7ded2a45

SHA256
a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

SHA512
cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Download Submit
memory/292-101-0x00000000023C0000-0x000000000300A000-memory.dmp

Filesize
12.3MB

Download
memory/292-117-0x00000000023C0000-0x000000000300A000-memory.dmp

Filesize
12.3MB

Download
memory/292-69-0x0000000000000000-mapping.dmp

Download
memory/292-99-0x00000000023C0000-0x000000000300A000-memory.dmp

Filesize
12.3MB

Download
memory/524-119-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/524-82-0x0000000000000000-mapping.dmp

Download
memory/672-84-0x0000000000000000-mapping.dmp

Download
memory/672-118-0x00000000021A0000-0x0000000002DEA000-memory.dmp

Filesize
12.3MB

Download
memory/672-110-0x00000000021A0000-0x0000000002DEA000-memory.dmp

Filesize
12.3MB

Download
memory/756-74-0x0000000000000000-mapping.dmp

Download
memory/756-95-0x0000000002041000-0x0000000002042000-memory.dmp

Filesize
4KB

Download
memory/756-107-0x0000000002042000-0x0000000002044000-memory.dmp

Filesize
8KB

Download
memory/756-91-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/800-111-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/800-102-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/800-68-0x0000000000000000-mapping.dmp

Download
memory/800-97-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/1316-56-0x0000000004B70000-0x0000000004BD8000-memory.dmp

Filesize
416KB

Download
memory/1316-55-0x0000000004CC5000-0x0000000004CD6000-memory.dmp

Filesize
68KB

Download
memory/1316-53-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1316-54-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/1316-114-0x0000000004200000-0x0000000004203000-memory.dmp

Filesize
12KB

Download
memory/1356-59-0x0000000000000000-mapping.dmp

Download
memory/1356-61-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/1504-90-0x0000000000000000-mapping.dmp

Download
memory/1504-116-0x0000000002370000-0x0000000002FBA000-memory.dmp

Filesize
12.3MB

Download
memory/1584-73-0x0000000000000000-mapping.dmp

Download
memory/1584-120-0x0000000002310000-0x0000000002F5A000-memory.dmp

Filesize
12.3MB

Download
memory/1584-121-0x0000000002310000-0x0000000002F5A000-memory.dmp

Filesize
12.3MB

Download
memory/1584-109-0x0000000002310000-0x0000000002F5A000-memory.dmp

Filesize
12.3MB

Download
memory/1596-100-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1596-83-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1596-77-0x0000000000000000-mapping.dmp

Download
memory/1596-103-0x0000000004D95000-0x0000000004DA6000-memory.dmp

Filesize
68KB

Download
memory/1616-98-0x00000000021B0000-0x0000000002DFA000-memory.dmp

Filesize
12.3MB

Download
memory/1616-93-0x00000000021B0000-0x0000000002DFA000-memory.dmp

Filesize
12.3MB

Download
memory/1616-113-0x00000000021B0000-0x0000000002DFA000-memory.dmp

Filesize
12.3MB

Download
memory/1616-71-0x0000000000000000-mapping.dmp

Download
memory/1948-65-0x0000000000000000-mapping.dmp

Download
memory/2200-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2200-106-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2200-122-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/2200-108-0x000000000043764E-mapping.dmp

Download
memory/2548-126-0x0000000000000000-mapping.dmp

Download
memory/2600-132-0x0000000000000000-mapping.dmp

Download
memory/2668-135-0x0000000000000000-mapping.dmp

Download
memory/2668-161-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/2668-160-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/2668-155-0x00000000023E0000-0x000000000302A000-memory.dmp

Filesize
12.3MB

Download
memory/2692-136-0x0000000000000000-mapping.dmp

Download
memory/2692-157-0x0000000002350000-0x0000000002F9A000-memory.dmp

Filesize
12.3MB

Download
memory/2692-163-0x0000000002350000-0x0000000002F9A000-memory.dmp

Filesize
12.3MB

Download
memory/2724-167-0x00000000022A0000-0x0000000002EEA000-memory.dmp

Filesize
12.3MB

Download
memory/2724-137-0x0000000000000000-mapping.dmp

Download
memory/2724-164-0x00000000022A0000-0x0000000002EEA000-memory.dmp

Filesize
12.3MB

Download
memory/2724-158-0x00000000022A0000-0x0000000002EEA000-memory.dmp

Filesize
12.3MB

Download
memory/2756-162-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/2756-139-0x0000000000000000-mapping.dmp

Download
memory/2756-165-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/2756-166-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/2796-140-0x0000000000000000-mapping.dmp

Download
memory/2796-159-0x0000000002410000-0x000000000305A000-memory.dmp

Filesize
12.3MB

Download
memory/2796-168-0x0000000002410000-0x000000000305A000-memory.dmp

Filesize
12.3MB

Download
memory/2936-156-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/2936-151-0x000000000043764E-mapping.dmp

Download
memory/2936-169-0x0000000004BD1000-0x0000000004BD2000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads