agenttesla | a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

Analysis

max time kernel
143s
max time network
141s
platform
windows7_x64
resource
win7-en
submitted
15-09-2021 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cecfa83ee6ea6dd1de38462bbedf15c.exe
Size

761KB
MD5

0cecfa83ee6ea6dd1de38462bbedf15c
SHA1

de4dde34707658d98f50de8cf2a182bf7ded2a45
SHA256

a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2
SHA512

cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
princeprice@voodome.com
Password:
princeprice@11

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2252-110-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2252-111-0x000000000043764E-mapping.dmp	family_agenttesla
behavioral1/memory/2252-113-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/2908-147-0x000000000043764E-mapping.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 14 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe481F404B.exeAdvancedRun.exeAdvancedRun.exe

pid process

1836 AdvancedRun.exe
1076 AdvancedRun.exe
824 481F404B.exe
2576 AdvancedRun.exe
2628 AdvancedRun.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe481F404B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	481F404B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	481F404B.exe

Drops startup file 2 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Loads dropped DLL 10 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exeAdvancedRun.exe481F404B.exeAdvancedRun.exe

pid	process
1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe
1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe
1836	AdvancedRun.exe
1836	AdvancedRun.exe
1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe
1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe
824	481F404B.exe
824	481F404B.exe
2576	AdvancedRun.exe
2576	AdvancedRun.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe481F404B.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\481F404B = "C:\\Windows\\Resources\\Themes\\aero\\Shell\\4B6A7152\\svchost.exe"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\481F404B = "C:\\Windows\\Resources\\Themes\\aero\\Shell\\4B6A7152\\svchost.exe"	481F404B.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe481F404B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	481F404B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	481F404B.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

481F404B.exe0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	481F404B.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	481F404B.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe481F404B.exe

description	pid	process	target process
PID 1664 set thread context of 2252	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 824 set thread context of 2908	824	481F404B.exe	aspnet_compiler.exe

Drops file in Windows directory 1 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description ioc process

File created C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe 0cecfa83ee6ea6dd1de38462bbedf15c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeaspnet_compiler.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exeaspnet_compiler.exepowershell.exepowershell.exepowershell.exe

pid	process
1836	AdvancedRun.exe
1836	AdvancedRun.exe
1076	AdvancedRun.exe
1076	AdvancedRun.exe
2252	aspnet_compiler.exe
2252	aspnet_compiler.exe
1468	powershell.exe
1924	powershell.exe
628	powershell.exe
528	powershell.exe
532	powershell.exe
1112	powershell.exe
1436	powershell.exe
1564	powershell.exe
2576	AdvancedRun.exe
2576	AdvancedRun.exe
2628	AdvancedRun.exe
2628	AdvancedRun.exe
2792	powershell.exe
2700	powershell.exe
2908	aspnet_compiler.exe
2908	aspnet_compiler.exe
2676	powershell.exe
2732	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe0cecfa83ee6ea6dd1de38462bbedf15c.exeaspnet_compiler.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exe481F404B.exepowershell.exepowershell.exeaspnet_compiler.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1836	AdvancedRun.exe
Token: SeImpersonatePrivilege	1836	AdvancedRun.exe
Token: SeDebugPrivilege	1076	AdvancedRun.exe
Token: SeImpersonatePrivilege	1076	AdvancedRun.exe
Token: SeDebugPrivilege	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Token: SeDebugPrivilege	2252	aspnet_compiler.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2576	AdvancedRun.exe
Token: SeImpersonatePrivilege	2576	AdvancedRun.exe
Token: SeDebugPrivilege	2628	AdvancedRun.exe
Token: SeImpersonatePrivilege	2628	AdvancedRun.exe
Token: SeDebugPrivilege	824	481F404B.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2908	aspnet_compiler.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_compiler.exe

pid process

2908 aspnet_compiler.exe

pid	process
2908	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exeAdvancedRun.exe481F404B.exeAdvancedRun.exe

description	pid	process	target process
PID 1664 wrote to memory of 1836	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 1664 wrote to memory of 1836	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 1664 wrote to memory of 1836	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 1664 wrote to memory of 1836	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 1836 wrote to memory of 1076	1836	AdvancedRun.exe	AdvancedRun.exe
PID 1836 wrote to memory of 1076	1836	AdvancedRun.exe	AdvancedRun.exe
PID 1836 wrote to memory of 1076	1836	AdvancedRun.exe	AdvancedRun.exe
PID 1836 wrote to memory of 1076	1836	AdvancedRun.exe	AdvancedRun.exe
PID 1664 wrote to memory of 628	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 628	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 628	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 628	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 532	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 532	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 532	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 532	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1112	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1112	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1112	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1112	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1564	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1564	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1564	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1564	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 528	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 528	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 528	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 528	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 824	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 1664 wrote to memory of 824	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 1664 wrote to memory of 824	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 1664 wrote to memory of 824	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 1664 wrote to memory of 1436	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1436	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1436	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1436	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1468	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1468	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1468	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1468	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1924	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1924	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1924	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 1924	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 1664 wrote to memory of 2252	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 2252	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 2252	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 2252	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 2252	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 2252	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 2252	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 2252	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 1664 wrote to memory of 2252	1664	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 824 wrote to memory of 2576	824	481F404B.exe	AdvancedRun.exe
PID 824 wrote to memory of 2576	824	481F404B.exe	AdvancedRun.exe
PID 824 wrote to memory of 2576	824	481F404B.exe	AdvancedRun.exe
PID 824 wrote to memory of 2576	824	481F404B.exe	AdvancedRun.exe
PID 2576 wrote to memory of 2628	2576	AdvancedRun.exe	AdvancedRun.exe
PID 2576 wrote to memory of 2628	2576	AdvancedRun.exe	AdvancedRun.exe
PID 2576 wrote to memory of 2628	2576	AdvancedRun.exe	AdvancedRun.exe
PID 2576 wrote to memory of 2628	2576	AdvancedRun.exe	AdvancedRun.exe
PID 824 wrote to memory of 2676	824	481F404B.exe	powershell.exe
PID 824 wrote to memory of 2676	824	481F404B.exe	powershell.exe
PID 824 wrote to memory of 2676	824	481F404B.exe	powershell.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

481F404B.exe0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	481F404B.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe

C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe
"C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1664

C:\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe" /SpecialRun 4101d8 1836
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:824

C:\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe" /SpecialRun 4101d8 2576
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e6e5950e7df18ec4e4a418cee2519f18

SHA1
4624e5e4e8d4bb5bd6ebdded374771a69d8c5486

SHA256
72c53d4b7193f35fe9c1997cf2227dffd82d6dccde0553ffb455be8963522138

SHA512
87a8e8d75522bb9e3122a94480f1754f30a79a65c36a7f86b3cd1e7f399a3fefd15553788117878280f3185607be50985abd3cead1568adfb6c2cbc88e522233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e6e5950e7df18ec4e4a418cee2519f18

SHA1
4624e5e4e8d4bb5bd6ebdded374771a69d8c5486

SHA256
72c53d4b7193f35fe9c1997cf2227dffd82d6dccde0553ffb455be8963522138

SHA512
87a8e8d75522bb9e3122a94480f1754f30a79a65c36a7f86b3cd1e7f399a3fefd15553788117878280f3185607be50985abd3cead1568adfb6c2cbc88e522233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e6e5950e7df18ec4e4a418cee2519f18

SHA1
4624e5e4e8d4bb5bd6ebdded374771a69d8c5486

SHA256
72c53d4b7193f35fe9c1997cf2227dffd82d6dccde0553ffb455be8963522138

SHA512
87a8e8d75522bb9e3122a94480f1754f30a79a65c36a7f86b3cd1e7f399a3fefd15553788117878280f3185607be50985abd3cead1568adfb6c2cbc88e522233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e6e5950e7df18ec4e4a418cee2519f18

SHA1
4624e5e4e8d4bb5bd6ebdded374771a69d8c5486

SHA256
72c53d4b7193f35fe9c1997cf2227dffd82d6dccde0553ffb455be8963522138

SHA512
87a8e8d75522bb9e3122a94480f1754f30a79a65c36a7f86b3cd1e7f399a3fefd15553788117878280f3185607be50985abd3cead1568adfb6c2cbc88e522233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e6e5950e7df18ec4e4a418cee2519f18

SHA1
4624e5e4e8d4bb5bd6ebdded374771a69d8c5486

SHA256
72c53d4b7193f35fe9c1997cf2227dffd82d6dccde0553ffb455be8963522138

SHA512
87a8e8d75522bb9e3122a94480f1754f30a79a65c36a7f86b3cd1e7f399a3fefd15553788117878280f3185607be50985abd3cead1568adfb6c2cbc88e522233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e6e5950e7df18ec4e4a418cee2519f18

SHA1
4624e5e4e8d4bb5bd6ebdded374771a69d8c5486

SHA256
72c53d4b7193f35fe9c1997cf2227dffd82d6dccde0553ffb455be8963522138

SHA512
87a8e8d75522bb9e3122a94480f1754f30a79a65c36a7f86b3cd1e7f399a3fefd15553788117878280f3185607be50985abd3cead1568adfb6c2cbc88e522233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e6e5950e7df18ec4e4a418cee2519f18

SHA1
4624e5e4e8d4bb5bd6ebdded374771a69d8c5486

SHA256
72c53d4b7193f35fe9c1997cf2227dffd82d6dccde0553ffb455be8963522138

SHA512
87a8e8d75522bb9e3122a94480f1754f30a79a65c36a7f86b3cd1e7f399a3fefd15553788117878280f3185607be50985abd3cead1568adfb6c2cbc88e522233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e6e5950e7df18ec4e4a418cee2519f18

SHA1
4624e5e4e8d4bb5bd6ebdded374771a69d8c5486

SHA256
72c53d4b7193f35fe9c1997cf2227dffd82d6dccde0553ffb455be8963522138

SHA512
87a8e8d75522bb9e3122a94480f1754f30a79a65c36a7f86b3cd1e7f399a3fefd15553788117878280f3185607be50985abd3cead1568adfb6c2cbc88e522233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e6e5950e7df18ec4e4a418cee2519f18

SHA1
4624e5e4e8d4bb5bd6ebdded374771a69d8c5486

SHA256
72c53d4b7193f35fe9c1997cf2227dffd82d6dccde0553ffb455be8963522138

SHA512
87a8e8d75522bb9e3122a94480f1754f30a79a65c36a7f86b3cd1e7f399a3fefd15553788117878280f3185607be50985abd3cead1568adfb6c2cbc88e522233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e6e5950e7df18ec4e4a418cee2519f18

SHA1
4624e5e4e8d4bb5bd6ebdded374771a69d8c5486

SHA256
72c53d4b7193f35fe9c1997cf2227dffd82d6dccde0553ffb455be8963522138

SHA512
87a8e8d75522bb9e3122a94480f1754f30a79a65c36a7f86b3cd1e7f399a3fefd15553788117878280f3185607be50985abd3cead1568adfb6c2cbc88e522233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e6e5950e7df18ec4e4a418cee2519f18

SHA1
4624e5e4e8d4bb5bd6ebdded374771a69d8c5486

SHA256
72c53d4b7193f35fe9c1997cf2227dffd82d6dccde0553ffb455be8963522138

SHA512
87a8e8d75522bb9e3122a94480f1754f30a79a65c36a7f86b3cd1e7f399a3fefd15553788117878280f3185607be50985abd3cead1568adfb6c2cbc88e522233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
e6e5950e7df18ec4e4a418cee2519f18

SHA1
4624e5e4e8d4bb5bd6ebdded374771a69d8c5486

SHA256
72c53d4b7193f35fe9c1997cf2227dffd82d6dccde0553ffb455be8963522138

SHA512
87a8e8d75522bb9e3122a94480f1754f30a79a65c36a7f86b3cd1e7f399a3fefd15553788117878280f3185607be50985abd3cead1568adfb6c2cbc88e522233

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
MD5
0cecfa83ee6ea6dd1de38462bbedf15c

SHA1
de4dde34707658d98f50de8cf2a182bf7ded2a45

SHA256
a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

SHA512
cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
MD5
0cecfa83ee6ea6dd1de38462bbedf15c

SHA1
de4dde34707658d98f50de8cf2a182bf7ded2a45

SHA256
a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

SHA512
cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\40af8cc4-6f3d-4175-a86d-3a084d89b020\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\653fb5ad-0276-441d-9bb3-a1d25d45d091\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
MD5
0cecfa83ee6ea6dd1de38462bbedf15c

SHA1
de4dde34707658d98f50de8cf2a182bf7ded2a45

SHA256
a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

SHA512
cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
MD5
0cecfa83ee6ea6dd1de38462bbedf15c

SHA1
de4dde34707658d98f50de8cf2a182bf7ded2a45

SHA256
a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

SHA512
cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Download Submit
memory/528-107-0x0000000002350000-0x0000000002F9A000-memory.dmp

Filesize
12.3MB

Download
memory/528-117-0x0000000002350000-0x0000000002F9A000-memory.dmp

Filesize
12.3MB

Download
memory/528-104-0x0000000002350000-0x0000000002F9A000-memory.dmp

Filesize
12.3MB

Download
memory/528-73-0x0000000000000000-mapping.dmp

Download
memory/532-105-0x0000000002291000-0x0000000002292000-memory.dmp

Filesize
4KB

Download
memory/532-103-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/532-116-0x0000000002292000-0x0000000002294000-memory.dmp

Filesize
8KB

Download
memory/532-68-0x0000000000000000-mapping.dmp

Download
memory/628-67-0x0000000000000000-mapping.dmp

Download
memory/628-101-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/824-83-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/824-87-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/824-79-0x0000000000000000-mapping.dmp

Download
memory/824-88-0x0000000000AB5000-0x0000000000AC6000-memory.dmp

Filesize
68KB

Download
memory/1076-64-0x0000000000000000-mapping.dmp

Download
memory/1112-106-0x0000000002261000-0x0000000002262000-memory.dmp

Filesize
4KB

Download
memory/1112-69-0x0000000000000000-mapping.dmp

Download
memory/1112-102-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1112-115-0x0000000002262000-0x0000000002264000-memory.dmp

Filesize
8KB

Download
memory/1436-109-0x0000000002350000-0x0000000002F9A000-memory.dmp

Filesize
12.3MB

Download
memory/1436-81-0x0000000000000000-mapping.dmp

Download
memory/1468-100-0x0000000002320000-0x0000000002F6A000-memory.dmp

Filesize
12.3MB

Download
memory/1468-84-0x0000000000000000-mapping.dmp

Download
memory/1564-108-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/1564-70-0x0000000000000000-mapping.dmp

Download
memory/1564-99-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/1664-54-0x0000000004E35000-0x0000000004E46000-memory.dmp

Filesize
68KB

Download
memory/1664-53-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/1664-52-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1664-112-0x00000000043B0000-0x00000000043B3000-memory.dmp

Filesize
12KB

Download
memory/1664-55-0x0000000004790000-0x00000000047F8000-memory.dmp

Filesize
416KB

Download
memory/1836-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1836-58-0x0000000000000000-mapping.dmp

Download
memory/1924-98-0x0000000002220000-0x0000000002E6A000-memory.dmp

Filesize
12.3MB

Download
memory/1924-85-0x0000000000000000-mapping.dmp

Download
memory/2252-113-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2252-110-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2252-111-0x000000000043764E-mapping.dmp

Download
memory/2252-118-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/2576-122-0x0000000000000000-mapping.dmp

Download
memory/2628-128-0x0000000000000000-mapping.dmp

Download
memory/2676-131-0x0000000000000000-mapping.dmp

Download
memory/2676-162-0x00000000022E0000-0x0000000002F2A000-memory.dmp

Filesize
12.3MB

Download
memory/2700-157-0x00000000022D0000-0x0000000002F1A000-memory.dmp

Filesize
12.3MB

Download
memory/2700-161-0x00000000022D0000-0x0000000002F1A000-memory.dmp

Filesize
12.3MB

Download
memory/2700-152-0x00000000022D0000-0x0000000002F1A000-memory.dmp

Filesize
12.3MB

Download
memory/2700-132-0x0000000000000000-mapping.dmp

Download
memory/2732-159-0x0000000002250000-0x0000000002E9A000-memory.dmp

Filesize
12.3MB

Download
memory/2732-133-0x0000000000000000-mapping.dmp

Download
memory/2764-134-0x0000000000000000-mapping.dmp

Download
memory/2764-160-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/2764-154-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/2764-156-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/2792-158-0x00000000021C0000-0x0000000002E0A000-memory.dmp

Filesize
12.3MB

Download
memory/2792-155-0x00000000021C0000-0x0000000002E0A000-memory.dmp

Filesize
12.3MB

Download
memory/2792-137-0x0000000000000000-mapping.dmp

Download
memory/2908-153-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2908-151-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2908-147-0x000000000043764E-mapping.dmp

Download
memory/2908-163-0x0000000000381000-0x0000000000382000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads