agenttesla | 2ea073ddc357d19912eeb45d967fd80c742a676cf9f00ad8d7ade93be5e4b101

Analysis

max time kernel
167s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
08-02-2022 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO_Invoices_pdf.exe
Size

1.6MB
MD5

59d7d8d5dd3e0055e7c0dcc75897f569
SHA1

b249b28d088d54e971e2d9d8b2688440f8e6d513
SHA256

ef715cd322f0a805a68840b215c062f2e254977170a11c6800d836eac781fabb
SHA512

79ebc2a128d018eb7e71b254fdd2fa72deae18081f1732619046e1db9d1aee92f7529521c005a5f861275afcbda3a39fd304cd5e1a49df848675460c5cf8f30d

Score

10^/10

agenttesla matiex collection keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Matiex
Matiex is a keylogger and infostealer first seen in July 2020.
stealer keylogger matiex

Matiex Main Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4332-355-0x0000000000400000-0x0000000000562000-memory.dmp	family_matiex
behavioral2/memory/4332-364-0x0000000000400000-0x0000000000562000-memory.dmp	family_matiex
C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe	family_matiex
C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe	family_matiex
behavioral2/memory/1688-375-0x0000000000500000-0x0000000000576000-memory.dmp	family_matiex

AgentTesla Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4332-355-0x0000000000400000-0x0000000000562000-memory.dmp	family_agenttesla
behavioral2/memory/4332-364-0x0000000000400000-0x0000000000562000-memory.dmp	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\origigoods40.exe	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\origigoods40.exe	family_agenttesla
behavioral2/memory/4760-371-0x0000000000E30000-0x0000000000E6C000-memory.dmp	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\origigoods20.exe	family_agenttesla
C:\Users\Admin\AppData\Local\Temp\origigoods20.exe	family_agenttesla

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral2/memory/1320-130-0x00000000007D0000-0x000000000096A000-memory.dmp	beds_protector

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/4332-355-0x0000000000400000-0x0000000000562000-memory.dmp	MailPassView
behavioral2/memory/4332-364-0x0000000000400000-0x0000000000562000-memory.dmp	MailPassView
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	MailPassView
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4332-355-0x0000000000400000-0x0000000000562000-memory.dmp	WebBrowserPassView
behavioral2/memory/4332-364-0x0000000000400000-0x0000000000562000-memory.dmp	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4332-355-0x0000000000400000-0x0000000000562000-memory.dmp	Nirsoft
behavioral2/memory/4332-364-0x0000000000400000-0x0000000000562000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe	Nirsoft

Executes dropped EXE 4 IoCs

Processes:

hawkgoods.exeorigigoods40.exeMatiexgoods.exeorigigoods20.exe

pid process

4708 hawkgoods.exe
4760 origigoods40.exe
1688 Matiexgoods.exe
2948 origigoods20.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation RegAsm.exe

pid	process
4708	hawkgoods.exe
4760	origigoods40.exe
1688	Matiexgoods.exe
2948	origigoods20.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 2 IoCs

Processes:

Powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe	Powershell.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Matiexgoods.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Matiexgoods.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Matiexgoods.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Matiexgoods.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

38 checkip.dyndns.org
43 freegeoip.app
44 freegeoip.app
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO_Invoices_pdf.exe

description pid process target process

PID 1320 set thread context of 4332 1320 PO_Invoices_pdf.exe RegAsm.exe

flow	ioc
38	checkip.dyndns.org
43	freegeoip.app
44	freegeoip.app

description	pid	process	target process
PID 1320 set thread context of 4332	1320	PO_Invoices_pdf.exe	RegAsm.exe

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

PO_Invoices_pdf.exePowershell.exeorigigoods40.exeMatiexgoods.exe

pid	process
1320	PO_Invoices_pdf.exe
1320	PO_Invoices_pdf.exe
1320	PO_Invoices_pdf.exe
1320	PO_Invoices_pdf.exe
1320	PO_Invoices_pdf.exe
1320	PO_Invoices_pdf.exe
1372	Powershell.exe
1372	Powershell.exe
4760	origigoods40.exe
4760	origigoods40.exe
1688	Matiexgoods.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Matiexgoods.exe

pid process

1688 Matiexgoods.exe

pid	process
1688	Matiexgoods.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

PO_Invoices_pdf.exePowershell.exeorigigoods40.exeMatiexgoods.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	1320	PO_Invoices_pdf.exe
Token: SeDebugPrivilege	1372	Powershell.exe
Token: SeDebugPrivilege	4760	origigoods40.exe
Token: SeDebugPrivilege	1688	Matiexgoods.exe
Token: SeShutdownPrivilege	3708	svchost.exe
Token: SeCreatePagefilePrivilege	3708	svchost.exe
Token: SeShutdownPrivilege	3708	svchost.exe
Token: SeCreatePagefilePrivilege	3708	svchost.exe
Token: SeShutdownPrivilege	3708	svchost.exe
Token: SeCreatePagefilePrivilege	3708	svchost.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe
Token: SeBackupPrivilege	1900	TiWorker.exe
Token: SeRestorePrivilege	1900	TiWorker.exe
Token: SeSecurityPrivilege	1900	TiWorker.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exeMatiexgoods.exe

pid process

4332 RegAsm.exe
1688 Matiexgoods.exe

pid	process
4332	RegAsm.exe
1688	Matiexgoods.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

PO_Invoices_pdf.exeRegAsm.exehawkgoods.exeorigigoods20.exefondue.exefondue.exeMatiexgoods.exe

description	pid	process	target process
PID 1320 wrote to memory of 1372	1320	PO_Invoices_pdf.exe	Powershell.exe
PID 1320 wrote to memory of 1372	1320	PO_Invoices_pdf.exe	Powershell.exe
PID 1320 wrote to memory of 1372	1320	PO_Invoices_pdf.exe	Powershell.exe
PID 1320 wrote to memory of 956	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 956	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 956	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 3876	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 3876	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 3876	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 2456	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 2456	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 2456	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 4332	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 4332	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 4332	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 4332	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 4332	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 4332	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 1320 wrote to memory of 4332	1320	PO_Invoices_pdf.exe	RegAsm.exe
PID 4332 wrote to memory of 4708	4332	RegAsm.exe	hawkgoods.exe
PID 4332 wrote to memory of 4708	4332	RegAsm.exe	hawkgoods.exe
PID 4332 wrote to memory of 4708	4332	RegAsm.exe	hawkgoods.exe
PID 4708 wrote to memory of 2244	4708	hawkgoods.exe	fondue.exe
PID 4708 wrote to memory of 2244	4708	hawkgoods.exe	fondue.exe
PID 4708 wrote to memory of 2244	4708	hawkgoods.exe	fondue.exe
PID 4332 wrote to memory of 4760	4332	RegAsm.exe	origigoods40.exe
PID 4332 wrote to memory of 4760	4332	RegAsm.exe	origigoods40.exe
PID 4332 wrote to memory of 4760	4332	RegAsm.exe	origigoods40.exe
PID 4332 wrote to memory of 1688	4332	RegAsm.exe	Matiexgoods.exe
PID 4332 wrote to memory of 1688	4332	RegAsm.exe	Matiexgoods.exe
PID 4332 wrote to memory of 1688	4332	RegAsm.exe	Matiexgoods.exe
PID 4332 wrote to memory of 2948	4332	RegAsm.exe	origigoods20.exe
PID 4332 wrote to memory of 2948	4332	RegAsm.exe	origigoods20.exe
PID 4332 wrote to memory of 2948	4332	RegAsm.exe	origigoods20.exe
PID 2948 wrote to memory of 2316	2948	origigoods20.exe	fondue.exe
PID 2948 wrote to memory of 2316	2948	origigoods20.exe	fondue.exe
PID 2948 wrote to memory of 2316	2948	origigoods20.exe	fondue.exe
PID 2244 wrote to memory of 2884	2244	fondue.exe	FonDUE.EXE
PID 2244 wrote to memory of 2884	2244	fondue.exe	FonDUE.EXE
PID 2316 wrote to memory of 3404	2316	fondue.exe	FonDUE.EXE
PID 2316 wrote to memory of 3404	2316	fondue.exe	FonDUE.EXE
PID 1688 wrote to memory of 1192	1688	Matiexgoods.exe	netsh.exe
PID 1688 wrote to memory of 1192	1688	Matiexgoods.exe	netsh.exe
PID 1688 wrote to memory of 1192	1688	Matiexgoods.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

Matiexgoods.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Matiexgoods.exe

outlook_win_path 1 IoCs

Processes:

Matiexgoods.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Matiexgoods.exe

C:\Users\Admin\AppData\Local\Temp\PO_Invoices_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\PO_Invoices_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\PO_Invoices_pdf.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4332

C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe
"C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe" 0
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
5⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\origigoods40.exe
"C:\Users\Admin\AppData\Local\Temp\origigoods40.exe" 0
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe
"C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe" 0
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1688

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
4⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\origigoods20.exe
"C:\Users\Admin\AppData\Local\Temp\origigoods20.exe" 0
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
4⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
5⤵
PID:3404

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe
MD5
80c61b903400b534858d047dd0919f0e

SHA1
d0ab5400b74392308140642c75f0897e16a88d60

SHA256
25ade9899c000a27570b527cffc938ec9626978219ec8a086082b113cbe4f492

SHA512
b3216f0e4e95c7f50bccba5fdcca2ad622a42379383be855546fa1e0bac41a6beea8226f8634ad5e0d8596169e0443494018bbe70b7052f094402aecaa038bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Matiexgoods.exe
MD5
80c61b903400b534858d047dd0919f0e

SHA1
d0ab5400b74392308140642c75f0897e16a88d60

SHA256
25ade9899c000a27570b527cffc938ec9626978219ec8a086082b113cbe4f492

SHA512
b3216f0e4e95c7f50bccba5fdcca2ad622a42379383be855546fa1e0bac41a6beea8226f8634ad5e0d8596169e0443494018bbe70b7052f094402aecaa038bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe
MD5
ffdb58533d5d1362e896e96fb6f02a95

SHA1
d6e4a3ca253bfc372a9a3180b5887c716ed285c6

SHA256
b3d02fd5c69293db419ac03cdf6396bd5e7765682fb3b2390454d9a52ba2ca88

SHA512
3ae6e49d3d728531201453a0bc27436b1a4305c8ef938b2cbb5e34ee45bb9a9a88cf2a41b08e4914fda9a96bbaa48bd999a2d2f1dffcd39761bb1f3620ca725f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hawkgoods.exe
MD5
ffdb58533d5d1362e896e96fb6f02a95

SHA1
d6e4a3ca253bfc372a9a3180b5887c716ed285c6

SHA256
b3d02fd5c69293db419ac03cdf6396bd5e7765682fb3b2390454d9a52ba2ca88

SHA512
3ae6e49d3d728531201453a0bc27436b1a4305c8ef938b2cbb5e34ee45bb9a9a88cf2a41b08e4914fda9a96bbaa48bd999a2d2f1dffcd39761bb1f3620ca725f

Download Submit
C:\Users\Admin\AppData\Local\Temp\origigoods20.exe
MD5
61dc57c6575e1f3f2ae14c1b332ad2fb

SHA1
f52f34623048e5fd720e97a72eedfd32358cd3a9

SHA256
1c7757ee223f2480fbc478ae2ecaf82e1d3c17f2e4d47581d3972416166c54ab

SHA512
81a7db927f53660d3a04a161d5c18aab17d676bcc7ae0738ab786d9bee82b91016e54e6f70428aec4087961744be89b1511f9e07d8dabbe5c2a9d836722395a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\origigoods20.exe
MD5
61dc57c6575e1f3f2ae14c1b332ad2fb

SHA1
f52f34623048e5fd720e97a72eedfd32358cd3a9

SHA256
1c7757ee223f2480fbc478ae2ecaf82e1d3c17f2e4d47581d3972416166c54ab

SHA512
81a7db927f53660d3a04a161d5c18aab17d676bcc7ae0738ab786d9bee82b91016e54e6f70428aec4087961744be89b1511f9e07d8dabbe5c2a9d836722395a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\origigoods40.exe
MD5
ae36f0d16230b9f41ffecbd3c5b1d660

SHA1
88afc2923d1eefb70bad3c0cd9304949954377ef

SHA256
cfad1e486666ff3fb042ba0e9967634de1065f1bbd505c61b3295e55705a2a50

SHA512
1e98aee7dc693822113dcde1446a5bed1c564b76eef39f39f3a5d98d7d2099cf69ac92717a3297afc7082203929f1e9437f21cb6bc690974a0ef6d6cf6e4393c

Download Submit
C:\Users\Admin\AppData\Local\Temp\origigoods40.exe
MD5
ae36f0d16230b9f41ffecbd3c5b1d660

SHA1
88afc2923d1eefb70bad3c0cd9304949954377ef

SHA256
cfad1e486666ff3fb042ba0e9967634de1065f1bbd505c61b3295e55705a2a50

SHA512
1e98aee7dc693822113dcde1446a5bed1c564b76eef39f39f3a5d98d7d2099cf69ac92717a3297afc7082203929f1e9437f21cb6bc690974a0ef6d6cf6e4393c

Download Submit
memory/1320-134-0x0000000005420000-0x0000000005432000-memory.dmp

Filesize
72KB

Download
memory/1320-214-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/1320-291-0x0000000009260000-0x00000000092FC000-memory.dmp

Filesize
624KB

Download
memory/1320-130-0x00000000007D0000-0x000000000096A000-memory.dmp

Filesize
1.6MB

Download
memory/1320-136-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/1320-135-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/1320-133-0x0000000005380000-0x0000000005412000-memory.dmp

Filesize
584KB

Download
memory/1320-132-0x0000000005930000-0x0000000005ED4000-memory.dmp

Filesize
5.6MB

Download
memory/1320-131-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1372-357-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/1372-361-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/1372-362-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/1372-360-0x0000000005B20000-0x0000000005B42000-memory.dmp

Filesize
136KB

Download
memory/1372-366-0x0000000006300000-0x000000000631E000-memory.dmp

Filesize
120KB

Download
memory/1372-359-0x00000000053F0000-0x0000000005A18000-memory.dmp

Filesize
6.2MB

Download
memory/1372-358-0x0000000004D32000-0x0000000004D33000-memory.dmp

Filesize
4KB

Download
memory/1372-356-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1372-381-0x00000000074F0000-0x0000000007586000-memory.dmp

Filesize
600KB

Download
memory/1372-354-0x0000000004D80000-0x0000000004DB6000-memory.dmp

Filesize
216KB

Download
memory/1372-382-0x0000000006810000-0x000000000682A000-memory.dmp

Filesize
104KB

Download
memory/1372-383-0x0000000006860000-0x0000000006882000-memory.dmp

Filesize
136KB

Download
memory/1688-375-0x0000000000500000-0x0000000000576000-memory.dmp

Filesize
472KB

Download
memory/1688-379-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/1688-380-0x0000000002900000-0x000000000299C000-memory.dmp

Filesize
624KB

Download
memory/1688-391-0x0000000006C50000-0x0000000006E12000-memory.dmp

Filesize
1.8MB

Download
memory/1688-393-0x0000000002900000-0x000000000299C000-memory.dmp

Filesize
624KB

Download
memory/2044-138-0x000002051DAD0000-0x000002051DAE0000-memory.dmp

Filesize
64KB

Download
memory/2044-137-0x000002051DA70000-0x000002051DA80000-memory.dmp

Filesize
64KB

Download
memory/3708-392-0x000001E71F510000-0x000001E71F514000-memory.dmp

Filesize
16KB

Download
memory/4332-364-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4332-355-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/4760-372-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/4760-371-0x0000000000E30000-0x0000000000E6C000-memory.dmp

Filesize
240KB

Download
memory/4760-378-0x00000000055F0000-0x0000000005B94000-memory.dmp

Filesize
5.6MB

Download