agenttesla | c2530bd0dfc05cf316f3ec108fc0a384eb8e72f40bc8142c3fcdb92a9d251946

Analysis

max time kernel
181s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
08-02-2022 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Orders.exe
Size

1.6MB
MD5

e85daf3a43f107b213310a53bfd35aa9
SHA1

042208c7a232b806c6382e34417f9c8e2a955747
SHA256

0b1fbc81d9d9e685307e80d20afe4b01c6538b903b77136b0d1db2486fe8c6e8
SHA512

29688e0fe124802b3317355e9836864147e56f6e1d47f702f88ea36df813f0eb388818ead042c4463619e17bd5ec295d4cfc4f0caa2c2dbd90edd22b2277ec7d

Score

10^/10

agenttesla matiex collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4836-145-0x0000000000400000-0x0000000000562000-memory.dmp	family_matiex
behavioral2/memory/4836-147-0x0000000000400000-0x0000000000562000-memory.dmp	family_matiex
C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe	family_matiex
C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe	family_matiex
behavioral2/memory/4124-161-0x0000000000210000-0x0000000000286000-memory.dmp	family_matiex
behavioral2/memory/3604-162-0x0000000004A20000-0x0000000004FC4000-memory.dmp	family_matiex
behavioral2/memory/4124-164-0x0000000004B90000-0x0000000005134000-memory.dmp	family_matiex

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4684 created 4264 4684 WerFault.exe Orders.exe

description	pid	process	target process
PID 4684 created 4264	4684	WerFault.exe	Orders.exe

AgentTesla Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4836-145-0x0000000000400000-0x0000000000562000-memory.dmp	family_agenttesla
behavioral2/memory/4836-147-0x0000000000400000-0x0000000000562000-memory.dmp	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\origigoods40.exe	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\origigoods40.exe	family_agenttesla
behavioral2/memory/3604-157-0x0000000000250000-0x000000000028C000-memory.dmp	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\origigoods20.exe	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\origigoods20.exe	family_agenttesla

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral2/memory/4264-131-0x0000000000830000-0x00000000009C4000-memory.dmp	beds_protector

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4836-145-0x0000000000400000-0x0000000000562000-memory.dmp	MailPassView
behavioral2/memory/4836-147-0x0000000000400000-0x0000000000562000-memory.dmp	MailPassView
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4836-145-0x0000000000400000-0x0000000000562000-memory.dmp	WebBrowserPassView
behavioral2/memory/4836-147-0x0000000000400000-0x0000000000562000-memory.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4836-145-0x0000000000400000-0x0000000000562000-memory.dmp	Nirsoft
behavioral2/memory/4836-147-0x0000000000400000-0x0000000000562000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

hawkgoods.exeorigigoods40.exeMatiexgoods.exeorigigoods20.exe

pid process

3560 hawkgoods.exe
3604 origigoods40.exe
4124 Matiexgoods.exe
3320 origigoods20.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation RegAsm.exe

pid	process
3560	hawkgoods.exe
3604	origigoods40.exe
4124	Matiexgoods.exe
3320	origigoods20.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

Matiexgoods.exeorigigoods40.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Matiexgoods.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	origigoods40.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	origigoods40.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	origigoods40.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Matiexgoods.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Matiexgoods.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

51 freegeoip.app
52 freegeoip.app
49 checkip.dyndns.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Orders.exe

description pid process target process

PID 4264 set thread context of 4836 4264 Orders.exe RegAsm.exe

flow	ioc
51	freegeoip.app
52	freegeoip.app
49	checkip.dyndns.org

description	pid	process	target process
PID 4264 set thread context of 4836	4264	Orders.exe	RegAsm.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3080 4264 WerFault.exe Orders.exe

pid	pid_target	process	target process
3080	4264	WerFault.exe	Orders.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Powershell.exeOrders.exeorigigoods40.exeMatiexgoods.exeWerFault.exe

pid	process
2300	Powershell.exe
4264	Orders.exe
4264	Orders.exe
2300	Powershell.exe
3604	origigoods40.exe
3604	origigoods40.exe
4124	Matiexgoods.exe
3080	WerFault.exe
3080	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Matiexgoods.exe

pid process

4124 Matiexgoods.exe

pid	process
4124	Matiexgoods.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Powershell.exeOrders.exeorigigoods40.exeWerFault.exeMatiexgoods.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	2300	Powershell.exe
Token: SeDebugPrivilege	4264	Orders.exe
Token: SeDebugPrivilege	3604	origigoods40.exe
Token: SeRestorePrivilege	3080	WerFault.exe
Token: SeBackupPrivilege	3080	WerFault.exe
Token: SeDebugPrivilege	4124	Matiexgoods.exe
Token: SeShutdownPrivilege	4652	svchost.exe
Token: SeCreatePagefilePrivilege	4652	svchost.exe
Token: SeShutdownPrivilege	4652	svchost.exe
Token: SeCreatePagefilePrivilege	4652	svchost.exe
Token: SeShutdownPrivilege	4652	svchost.exe
Token: SeCreatePagefilePrivilege	4652	svchost.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe
Token: SeRestorePrivilege	2348	TiWorker.exe
Token: SeSecurityPrivilege	2348	TiWorker.exe
Token: SeBackupPrivilege	2348	TiWorker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exeMatiexgoods.exe

pid process

4836 RegAsm.exe
4124 Matiexgoods.exe

pid	process
4836	RegAsm.exe
4124	Matiexgoods.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

Orders.exeWerFault.exeRegAsm.exehawkgoods.exeorigigoods20.exefondue.exefondue.exeMatiexgoods.exe

description	pid	process	target process
PID 4264 wrote to memory of 2300	4264	Orders.exe	Powershell.exe
PID 4264 wrote to memory of 2300	4264	Orders.exe	Powershell.exe
PID 4264 wrote to memory of 2300	4264	Orders.exe	Powershell.exe
PID 4264 wrote to memory of 796	4264	Orders.exe	RegAsm.exe
PID 4264 wrote to memory of 796	4264	Orders.exe	RegAsm.exe
PID 4264 wrote to memory of 796	4264	Orders.exe	RegAsm.exe
PID 4264 wrote to memory of 4836	4264	Orders.exe	RegAsm.exe
PID 4264 wrote to memory of 4836	4264	Orders.exe	RegAsm.exe
PID 4264 wrote to memory of 4836	4264	Orders.exe	RegAsm.exe
PID 4264 wrote to memory of 4836	4264	Orders.exe	RegAsm.exe
PID 4264 wrote to memory of 4836	4264	Orders.exe	RegAsm.exe
PID 4264 wrote to memory of 4836	4264	Orders.exe	RegAsm.exe
PID 4264 wrote to memory of 4836	4264	Orders.exe	RegAsm.exe
PID 4684 wrote to memory of 4264	4684	WerFault.exe	Orders.exe
PID 4684 wrote to memory of 4264	4684	WerFault.exe	Orders.exe
PID 4836 wrote to memory of 3560	4836	RegAsm.exe	hawkgoods.exe
PID 4836 wrote to memory of 3560	4836	RegAsm.exe	hawkgoods.exe
PID 4836 wrote to memory of 3560	4836	RegAsm.exe	hawkgoods.exe
PID 3560 wrote to memory of 3600	3560	hawkgoods.exe	fondue.exe
PID 3560 wrote to memory of 3600	3560	hawkgoods.exe	fondue.exe
PID 3560 wrote to memory of 3600	3560	hawkgoods.exe	fondue.exe
PID 4836 wrote to memory of 3604	4836	RegAsm.exe	origigoods40.exe
PID 4836 wrote to memory of 3604	4836	RegAsm.exe	origigoods40.exe
PID 4836 wrote to memory of 3604	4836	RegAsm.exe	origigoods40.exe
PID 4836 wrote to memory of 4124	4836	RegAsm.exe	Matiexgoods.exe
PID 4836 wrote to memory of 4124	4836	RegAsm.exe	Matiexgoods.exe
PID 4836 wrote to memory of 4124	4836	RegAsm.exe	Matiexgoods.exe
PID 4836 wrote to memory of 3320	4836	RegAsm.exe	origigoods20.exe
PID 4836 wrote to memory of 3320	4836	RegAsm.exe	origigoods20.exe
PID 4836 wrote to memory of 3320	4836	RegAsm.exe	origigoods20.exe
PID 3320 wrote to memory of 3540	3320	origigoods20.exe	fondue.exe
PID 3320 wrote to memory of 3540	3320	origigoods20.exe	fondue.exe
PID 3320 wrote to memory of 3540	3320	origigoods20.exe	fondue.exe
PID 3600 wrote to memory of 1464	3600	fondue.exe	FonDUE.EXE
PID 3600 wrote to memory of 1464	3600	fondue.exe	FonDUE.EXE
PID 3540 wrote to memory of 4752	3540	fondue.exe	FonDUE.EXE
PID 3540 wrote to memory of 4752	3540	fondue.exe	FonDUE.EXE
PID 4124 wrote to memory of 3388	4124	Matiexgoods.exe	netsh.exe
PID 4124 wrote to memory of 3388	4124	Matiexgoods.exe	netsh.exe
PID 4124 wrote to memory of 3388	4124	Matiexgoods.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

origigoods40.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	origigoods40.exe

outlook_win_path 1 IoCs

Processes:

origigoods40.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	origigoods40.exe

C:\Users\Admin\AppData\Local\Temp\Orders.exe
"C:\Users\Admin\AppData\Local\Temp\Orders.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Orders.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4836

C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe
"C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe" 0
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
5⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\origigoods40.exe
"C:\Users\Admin\AppData\Local\Temp\origigoods40.exe" 0
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3604

C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe
"C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe" 0
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
4⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\origigoods20.exe
"C:\Users\Admin\AppData\Local\Temp\origigoods20.exe" 0
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
5⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1108
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4264 -ip 4264
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe
MD5
80c61b903400b534858d047dd0919f0e

SHA1
d0ab5400b74392308140642c75f0897e16a88d60

SHA256
25ade9899c000a27570b527cffc938ec9626978219ec8a086082b113cbe4f492

SHA512
b3216f0e4e95c7f50bccba5fdcca2ad622a42379383be855546fa1e0bac41a6beea8226f8634ad5e0d8596169e0443494018bbe70b7052f094402aecaa038bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe
MD5
80c61b903400b534858d047dd0919f0e

SHA1
d0ab5400b74392308140642c75f0897e16a88d60

SHA256
25ade9899c000a27570b527cffc938ec9626978219ec8a086082b113cbe4f492

SHA512
b3216f0e4e95c7f50bccba5fdcca2ad622a42379383be855546fa1e0bac41a6beea8226f8634ad5e0d8596169e0443494018bbe70b7052f094402aecaa038bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe
MD5
ffdb58533d5d1362e896e96fb6f02a95

SHA1
d6e4a3ca253bfc372a9a3180b5887c716ed285c6

SHA256
b3d02fd5c69293db419ac03cdf6396bd5e7765682fb3b2390454d9a52ba2ca88

SHA512
3ae6e49d3d728531201453a0bc27436b1a4305c8ef938b2cbb5e34ee45bb9a9a88cf2a41b08e4914fda9a96bbaa48bd999a2d2f1dffcd39761bb1f3620ca725f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe
MD5
ffdb58533d5d1362e896e96fb6f02a95

SHA1
d6e4a3ca253bfc372a9a3180b5887c716ed285c6

SHA256
b3d02fd5c69293db419ac03cdf6396bd5e7765682fb3b2390454d9a52ba2ca88

SHA512
3ae6e49d3d728531201453a0bc27436b1a4305c8ef938b2cbb5e34ee45bb9a9a88cf2a41b08e4914fda9a96bbaa48bd999a2d2f1dffcd39761bb1f3620ca725f

Download Submit
C:\Users\Admin\AppData\Local\Temp\origigoods20.exe
MD5
61dc57c6575e1f3f2ae14c1b332ad2fb

SHA1
f52f34623048e5fd720e97a72eedfd32358cd3a9

SHA256
1c7757ee223f2480fbc478ae2ecaf82e1d3c17f2e4d47581d3972416166c54ab

SHA512
81a7db927f53660d3a04a161d5c18aab17d676bcc7ae0738ab786d9bee82b91016e54e6f70428aec4087961744be89b1511f9e07d8dabbe5c2a9d836722395a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\origigoods20.exe
MD5
61dc57c6575e1f3f2ae14c1b332ad2fb

SHA1
f52f34623048e5fd720e97a72eedfd32358cd3a9

SHA256
1c7757ee223f2480fbc478ae2ecaf82e1d3c17f2e4d47581d3972416166c54ab

SHA512
81a7db927f53660d3a04a161d5c18aab17d676bcc7ae0738ab786d9bee82b91016e54e6f70428aec4087961744be89b1511f9e07d8dabbe5c2a9d836722395a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\origigoods40.exe
MD5
ae36f0d16230b9f41ffecbd3c5b1d660

SHA1
88afc2923d1eefb70bad3c0cd9304949954377ef

SHA256
cfad1e486666ff3fb042ba0e9967634de1065f1bbd505c61b3295e55705a2a50

SHA512
1e98aee7dc693822113dcde1446a5bed1c564b76eef39f39f3a5d98d7d2099cf69ac92717a3297afc7082203929f1e9437f21cb6bc690974a0ef6d6cf6e4393c

Download Submit
C:\Users\Admin\AppData\Local\Temp\origigoods40.exe
MD5
ae36f0d16230b9f41ffecbd3c5b1d660

SHA1
88afc2923d1eefb70bad3c0cd9304949954377ef

SHA256
cfad1e486666ff3fb042ba0e9967634de1065f1bbd505c61b3295e55705a2a50

SHA512
1e98aee7dc693822113dcde1446a5bed1c564b76eef39f39f3a5d98d7d2099cf69ac92717a3297afc7082203929f1e9437f21cb6bc690974a0ef6d6cf6e4393c

Download Submit
memory/2300-139-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/2300-151-0x0000000006B90000-0x0000000006BAA000-memory.dmp

Filesize
104KB

Download
memory/2300-140-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/2300-141-0x0000000005232000-0x0000000005233000-memory.dmp

Filesize
4KB

Download
memory/2300-142-0x00000000056F0000-0x0000000005712000-memory.dmp

Filesize
136KB

Download
memory/2300-143-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/2300-144-0x0000000006080000-0x00000000060E6000-memory.dmp

Filesize
408KB

Download
memory/2300-137-0x0000000005100000-0x0000000005136000-memory.dmp

Filesize
216KB

Download
memory/2300-138-0x0000000005870000-0x0000000005E98000-memory.dmp

Filesize
6.2MB

Download
memory/2300-149-0x0000000006640000-0x000000000665E000-memory.dmp

Filesize
120KB

Download
memory/2300-150-0x0000000006C10000-0x0000000006CA6000-memory.dmp

Filesize
600KB

Download
memory/2300-152-0x0000000006BE0000-0x0000000006C02000-memory.dmp

Filesize
136KB

Download
memory/3604-157-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/3604-158-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/3604-162-0x0000000004A20000-0x0000000004FC4000-memory.dmp

Filesize
5.6MB

Download
memory/4124-161-0x0000000000210000-0x0000000000286000-memory.dmp

Filesize
472KB

Download
memory/4124-168-0x0000000006A80000-0x0000000006C42000-memory.dmp

Filesize
1.8MB

Download
memory/4124-169-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download
memory/4124-167-0x0000000006460000-0x000000000646A000-memory.dmp

Filesize
40KB

Download
memory/4124-164-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download
memory/4124-163-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4264-136-0x0000000005370000-0x0000000005391000-memory.dmp

Filesize
132KB

Download
memory/4264-133-0x0000000005E40000-0x00000000063E4000-memory.dmp

Filesize
5.6MB

Download
memory/4264-134-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/4264-135-0x0000000005A10000-0x0000000005AAC000-memory.dmp

Filesize
624KB

Download
memory/4264-132-0x0000000005350000-0x0000000005362000-memory.dmp

Filesize
72KB

Download
memory/4264-131-0x0000000000830000-0x00000000009C4000-memory.dmp

Filesize
1.6MB

Download
memory/4264-130-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4652-182-0x000001F9D45C0000-0x000001F9D45C4000-memory.dmp

Filesize
16KB

Download
memory/4836-147-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4836-145-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download