agenttesla | b61d1249505ff6814c04662bba102938cda38a0062bd78e11839d24cead1f577

Analysis

max time kernel
150s
max time network
95s
platform
windows7_x64
resource
win7v20210408
submitted
27-09-2021 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.xlsx
Size

290KB
MD5

79dbf0cb4518f97174ee4535672a0a60
SHA1

5dd9de078a0945c39431df3bcb44151637331353
SHA256

b61d1249505ff6814c04662bba102938cda38a0062bd78e11839d24cead1f577
SHA512

8f4b5e00c90f960d7b6d931267ec59f28e37a54248ab0bbae5bd94a2cc6ca294cd3ab0065eb8fde2ed32963e5976772ec2ec85f0e79c2635351f935d2d5f01af

Score

10^/10

agenttesla neshta keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
)fjqy!s9

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Neshta Payload 10 IoCs

Processes:

resource	yara_rule
\Users\Public\vbc.exe	family_neshta
\Users\Public\vbc.exe	family_neshta
\Users\Public\vbc.exe	family_neshta
\Users\Public\vbc.exe	family_neshta
C:\Users\Public\vbc.exe	family_neshta
C:\Users\Public\vbc.exe	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\L1Y3K90W\MALCOM~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1042

Processes:

vbc.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" vbc.exe
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	vbc.exe

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/868-100-0x00000000004375EE-mapping.dmp	family_agenttesla
behavioral1/memory/868-98-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/868-103-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

5 768 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

vbc.exevbc.exesvchost.comsvchost.comvbc.exe

pid process

1696 vbc.exe
1640 vbc.exe
1744 svchost.com
1476 svchost.com
868 vbc.exe
Loads dropped DLL 9 IoCs

Processes:

EQNEDT32.EXEvbc.exevbc.exe

pid process

768 EQNEDT32.EXE
768 EQNEDT32.EXE
768 EQNEDT32.EXE
768 EQNEDT32.EXE
1696 vbc.exe
1696 vbc.exe
1696 vbc.exe
1696 vbc.exe
1640 vbc.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
5	768	EQNEDT32.EXE

pid	process
1696	vbc.exe
1640	vbc.exe
1744	svchost.com
1476	svchost.com
868	vbc.exe

pid	process
768	EQNEDT32.EXE
768	EQNEDT32.EXE
768	EQNEDT32.EXE
768	EQNEDT32.EXE
1696	vbc.exe
1696	vbc.exe
1696	vbc.exe
1696	vbc.exe
1640	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\NLKBQYR = "C:\\Users\\Admin\\AppData\\Roaming\\NLKBQYR\\NLKBQYR.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1640 set thread context of 868 1640 vbc.exe vbc.exe

description	pid	process	target process
PID 1640 set thread context of 868	1640	vbc.exe	vbc.exe

Drops file in Program Files directory 64 IoCs

Processes:

vbc.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GO664E~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	vbc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~4.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	vbc.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Temp\GUMFBCB.tmp\GOFB2B~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~3.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOF5E2~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOBD5D~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\1335~1.452\GOOGLE~2.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	vbc.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	vbc.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	vbc.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	vbc.exe

Drops file in Windows directory 5 IoCs

Processes:

vbc.exesvchost.comsvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	vbc.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

524 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

768 EQNEDT32.EXE

pid	process
524	schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
768	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

vbc.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" vbc.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1832 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

vbc.exepowershell.exe

pid process

868 vbc.exe
868 vbc.exe
1688 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

vbc.exepowershell.exe

description pid process

Token: SeDebugPrivilege 868 vbc.exe
Token: SeDebugPrivilege 1688 powershell.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

EXCEL.EXEvbc.exe

pid process

1832 EXCEL.EXE
1832 EXCEL.EXE
1832 EXCEL.EXE
1832 EXCEL.EXE
1832 EXCEL.EXE
868 vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	vbc.exe

pid	process
1832	EXCEL.EXE

pid	process
868	vbc.exe
868	vbc.exe
1688	powershell.exe

description	pid	process
Token: SeDebugPrivilege	868	vbc.exe
Token: SeDebugPrivilege	1688	powershell.exe

pid	process
1832	EXCEL.EXE
1832	EXCEL.EXE
1832	EXCEL.EXE
1832	EXCEL.EXE
1832	EXCEL.EXE
868	vbc.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

EQNEDT32.EXEvbc.exevbc.exesvchost.comsvchost.com

description	pid	process	target process
PID 768 wrote to memory of 1696	768	EQNEDT32.EXE	vbc.exe
PID 768 wrote to memory of 1696	768	EQNEDT32.EXE	vbc.exe
PID 768 wrote to memory of 1696	768	EQNEDT32.EXE	vbc.exe
PID 768 wrote to memory of 1696	768	EQNEDT32.EXE	vbc.exe
PID 1696 wrote to memory of 1640	1696	vbc.exe	vbc.exe
PID 1696 wrote to memory of 1640	1696	vbc.exe	vbc.exe
PID 1696 wrote to memory of 1640	1696	vbc.exe	vbc.exe
PID 1696 wrote to memory of 1640	1696	vbc.exe	vbc.exe
PID 1640 wrote to memory of 1744	1640	vbc.exe	svchost.com
PID 1640 wrote to memory of 1744	1640	vbc.exe	svchost.com
PID 1640 wrote to memory of 1744	1640	vbc.exe	svchost.com
PID 1640 wrote to memory of 1744	1640	vbc.exe	svchost.com
PID 1744 wrote to memory of 1688	1744	svchost.com	powershell.exe
PID 1744 wrote to memory of 1688	1744	svchost.com	powershell.exe
PID 1744 wrote to memory of 1688	1744	svchost.com	powershell.exe
PID 1744 wrote to memory of 1688	1744	svchost.com	powershell.exe
PID 1640 wrote to memory of 1476	1640	vbc.exe	svchost.com
PID 1640 wrote to memory of 1476	1640	vbc.exe	svchost.com
PID 1640 wrote to memory of 1476	1640	vbc.exe	svchost.com
PID 1640 wrote to memory of 1476	1640	vbc.exe	svchost.com
PID 1640 wrote to memory of 868	1640	vbc.exe	vbc.exe
PID 1640 wrote to memory of 868	1640	vbc.exe	vbc.exe
PID 1640 wrote to memory of 868	1640	vbc.exe	vbc.exe
PID 1640 wrote to memory of 868	1640	vbc.exe	vbc.exe
PID 1640 wrote to memory of 868	1640	vbc.exe	vbc.exe
PID 1640 wrote to memory of 868	1640	vbc.exe	vbc.exe
PID 1640 wrote to memory of 868	1640	vbc.exe	vbc.exe
PID 1640 wrote to memory of 868	1640	vbc.exe	vbc.exe
PID 1640 wrote to memory of 868	1640	vbc.exe	vbc.exe
PID 1476 wrote to memory of 524	1476	svchost.com	schtasks.exe
PID 1476 wrote to memory of 524	1476	svchost.com	schtasks.exe
PID 1476 wrote to memory of 524	1476	svchost.com	schtasks.exe
PID 1476 wrote to memory of 524	1476	svchost.com	schtasks.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order.xlsx"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DasQupfvgQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD9E9.tmp"
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\DasQupfvgQ /XML C:\Users\Admin\AppData\Local\Temp\tmpD9E9.tmp
5⤵
- Creates scheduled task(s)
PID:524

C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

T1203

Scheduled Task

T1053

Scripting

T1064

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\L1Y3K90W\MALCOM~1.EXE
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
MD5
5604eae191a7b77d3f939d02bbb028dd

SHA1
45c3f1d96f661abb05c248ec80e8bb1dd8c7fe86

SHA256
fc7ba4771f04fee9f36203f396b41da634c9e639a8eada6766ed4038cc08e9f0

SHA512
8d2dcbc6bb26dd9f1c1d0c5413772df4bb437d1756de743695cf9a164a51d91dc1011e0f0d7af41aa9290f1b8097eccdf0e99af3c06758b94028f47e670b0e21

Download Submit
C:\Users\Public\vbc.exe
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
C:\Users\Public\vbc.exe
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
C:\Windows\directx.sys
MD5
7779b7aac555eb734d1d878a0dfce1e2

SHA1
4216e4f627f3933d918ae4b86683e205e630d3a5

SHA256
62263e548942d1b55bc1f1c79489ddf0fc111a11df3660b30e202a8472fc7331

SHA512
e9608bb14045f4789c367771fd2a043a13e9732dd3daa4bd41bed753f46d9e0334d4af9bff59a755e8511988dea3b3a88f887940a09668eff07eb7e4b2ad209b

Download Submit
C:\Windows\svchost.com
MD5
ac3aa03e4370013a0dfd295363e22ec7

SHA1
320ad9813cd7be1a24f2b530af1edc52f5ea76b1

SHA256
821cbd807979771a80287ae994b20bfb3fb5f5fc3ce74dbaf588aa8797179181

SHA512
e05630d9f11951e31338bcb492c09214b9d2f68a8553c525400b9b0966239804a1332241a397d8d0a6bf3b2b21937aa1140c74aa44ea0b5d0d9739417d9095a8

Download Submit
C:\Windows\svchost.com
MD5
ac3aa03e4370013a0dfd295363e22ec7

SHA1
320ad9813cd7be1a24f2b530af1edc52f5ea76b1

SHA256
821cbd807979771a80287ae994b20bfb3fb5f5fc3ce74dbaf588aa8797179181

SHA512
e05630d9f11951e31338bcb492c09214b9d2f68a8553c525400b9b0966239804a1332241a397d8d0a6bf3b2b21937aa1140c74aa44ea0b5d0d9739417d9095a8

Download Submit
C:\Windows\svchost.com
MD5
ac3aa03e4370013a0dfd295363e22ec7

SHA1
320ad9813cd7be1a24f2b530af1edc52f5ea76b1

SHA256
821cbd807979771a80287ae994b20bfb3fb5f5fc3ce74dbaf588aa8797179181

SHA512
e05630d9f11951e31338bcb492c09214b9d2f68a8553c525400b9b0966239804a1332241a397d8d0a6bf3b2b21937aa1140c74aa44ea0b5d0d9739417d9095a8

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\PROGRA~2\Google\Temp\GUMFBCB.tmp\GOFB2B~1.EXE
MD5
583ff3367e050c4d62bc03516473b40a

SHA1
6aa1d26352b78310e711884829c35a69ed1bf0f9

SHA256
6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146

SHA512
e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

Download Submit
\PROGRA~2\Google\Update\1335~1.452\GOFB2B~1.EXE
MD5
583ff3367e050c4d62bc03516473b40a

SHA1
6aa1d26352b78310e711884829c35a69ed1bf0f9

SHA256
6b63f8dd47d8b3baa71b6cd205d428861b96bf09cf479071e75ddd23f97c0146

SHA512
e9bdd5cc2e29db48cc524488fbadb08e808f17f6e18fa595cfebae229c94f2547079e52a2ada214169577b89b2ffbef424729cd90acdea3774f5c76aec192be0

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe
MD5
6427002ddf28933e5df19b7b8dcb159a

SHA1
138ff1f042b2f5984a8b57939d8586b26127e729

SHA256
4b2d34c642b7459d86399786f7e239e8528b4ac4f261aa974251fa634fc24cc0

SHA512
cd746bb9ba5fe1fe3704e624a8ae9e4b0c6d9a20f2f3939fca9821d6c3c4e8c668ac3450244c02838239867274ec9eeb4ba2b29da582ca715148f7301cfecd09

Download Submit
\Users\Public\vbc.exe
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
\Users\Public\vbc.exe
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
\Users\Public\vbc.exe
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
\Users\Public\vbc.exe
MD5
1ad95ef0201298ba4966062d800ae957

SHA1
855db465c5aa7dc416a0fad8e55cebb1c8a46363

SHA256
784caaac6239bb681860dfd26ecff2f584342e2454bfb2ec807706d0ffd31731

SHA512
fa3f8619a34822f2c2adaf6828382c9647187bf73c063bd1cb33f062271429b610787256aa93d51055dc5f1c3e256e92bc526f8a17ce3a26f46595547759a6ba

Download Submit
memory/524-101-0x0000000000000000-mapping.dmp

Download
memory/768-63-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/868-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/868-145-0x0000000004B11000-0x0000000004B12000-memory.dmp

Filesize
4KB

Download
memory/868-108-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/868-103-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/868-100-0x00000000004375EE-mapping.dmp

Download
memory/1476-93-0x0000000000000000-mapping.dmp

Download
memory/1640-78-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/1640-85-0x0000000001EF0000-0x0000000001F35000-memory.dmp

Filesize
276KB

Download
memory/1640-84-0x0000000005700000-0x0000000005772000-memory.dmp

Filesize
456KB

Download
memory/1640-83-0x00000000003D0000-0x00000000003ED000-memory.dmp

Filesize
116KB

Download
memory/1640-73-0x0000000000000000-mapping.dmp

Download
memory/1640-76-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1688-119-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/1688-113-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/1688-143-0x0000000006500000-0x0000000006501000-memory.dmp

Filesize
4KB

Download
memory/1688-142-0x00000000064F0000-0x00000000064F1000-memory.dmp

Filesize
4KB

Download
memory/1688-104-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/1688-128-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/1688-106-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1688-107-0x00000000049E2000-0x00000000049E3000-memory.dmp

Filesize
4KB

Download
memory/1688-90-0x0000000000000000-mapping.dmp

Download
memory/1688-109-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/1688-110-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1688-99-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1688-114-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/1688-127-0x0000000006470000-0x0000000006471000-memory.dmp

Filesize
4KB

Download
memory/1688-120-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/1696-68-0x0000000000000000-mapping.dmp

Download
memory/1744-87-0x0000000000000000-mapping.dmp

Download
memory/1832-60-0x000000002F7A1000-0x000000002F7A4000-memory.dmp

Filesize
12KB

Download
memory/1832-61-0x0000000070E31000-0x0000000070E33000-memory.dmp

Filesize
8KB

Download
memory/1832-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1832-144-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download