agenttesla | 570d4ac0ca764601b37e77aea4b5bf8138bdbaa24f46255fa68b09d4dc62869c

General

Target

hvala na predra?unu.exe
Size

2.0MB
MD5

1d025c80f31210ed9530941eae6633da
SHA1

9af0a3622f58f4b50c9159cead2f672ec4707ece
SHA256

b08f164f0363528f8928f01133da533a2868e12b95177df09b2f11e78510e02d
SHA512

5f5bcbfb2598c299f27aeb667301c8972b18e13306ccc53c3d47ff045bc7f29cbc2ca3e2ac1e9e521a7b2ca13549a635762aecbbc001babb4ebf30c040fd1b79

Score

10^/10

agenttesla collection keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.kapackserv.com
Port:
587
Username:
[email protected]
Password:
Gwou86k?R#Xng+ywl~

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1980-64-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1980-69-0x000000000044CFAE-mapping.dmp	family_agenttesla
behavioral1/memory/1980-70-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/1980-71-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

Processes:

hvala na predra_unumgr.exe

pid process

1772 hvala na predra_unumgr.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe	upx
\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe	upx
C:\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe	upx
behavioral1/memory/1772-59-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

hvala na predra_unu.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notepad.url	hvala na predra_unu.exe

Loads dropped DLL 2 IoCs

Processes:

hvala na predra_unu.exe

pid process

1656 hvala na predra_unu.exe
1656 hvala na predra_unu.exe

pid	process
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MSBuild.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\UoOfbM = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UoOfbM\\UoOfbM.exe"	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

hvala na predra_unu.exe

description pid process target process

PID 1656 set thread context of 1980 1656 hvala na predra_unu.exe MSBuild.exe

description	pid	process	target process
PID 1656 set thread context of 1980	1656	hvala na predra_unu.exe	MSBuild.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{81E96C01-D8D9-11EC-9824-4224C87335A1} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "359883906"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{81E944F1-D8D9-11EC-9824-4224C87335A1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

hvala na predra_unumgr.exeMSBuild.exehvala na predra_unu.exe

pid	process
1772	hvala na predra_unumgr.exe
1772	hvala na predra_unumgr.exe
1772	hvala na predra_unumgr.exe
1772	hvala na predra_unumgr.exe
1772	hvala na predra_unumgr.exe
1772	hvala na predra_unumgr.exe
1772	hvala na predra_unumgr.exe
1772	hvala na predra_unumgr.exe
1980	MSBuild.exe
1980	MSBuild.exe
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hvala na predra_unumgr.exeMSBuild.exe

description pid process

Token: SeDebugPrivilege 1772 hvala na predra_unumgr.exe
Token: SeDebugPrivilege 1980 MSBuild.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

hvala na predra_unu.exeiexplore.exeiexplore.exe

pid process

1656 hvala na predra_unu.exe
1656 hvala na predra_unu.exe
1656 hvala na predra_unu.exe
900 iexplore.exe
1644 iexplore.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

hvala na predra_unu.exe

pid process

1656 hvala na predra_unu.exe
1656 hvala na predra_unu.exe
1656 hvala na predra_unu.exe

description	pid	process
Token: SeDebugPrivilege	1772	hvala na predra_unumgr.exe
Token: SeDebugPrivilege	1980	MSBuild.exe

pid	process
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe
900	iexplore.exe
1644	iexplore.exe

pid	process
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe
1656	hvala na predra_unu.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEMSBuild.exe

pid	process
900	iexplore.exe
900	iexplore.exe
1644	iexplore.exe
1644	iexplore.exe
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
580	IEXPLORE.EXE
580	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
1980	MSBuild.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

hvala na predra_unu.exehvala na predra_unumgr.exeiexplore.exeiexplore.exeMSBuild.exe

description	pid	process	target process
PID 1656 wrote to memory of 1772	1656	hvala na predra_unu.exe	hvala na predra_unumgr.exe
PID 1656 wrote to memory of 1772	1656	hvala na predra_unu.exe	hvala na predra_unumgr.exe
PID 1656 wrote to memory of 1772	1656	hvala na predra_unu.exe	hvala na predra_unumgr.exe
PID 1656 wrote to memory of 1772	1656	hvala na predra_unu.exe	hvala na predra_unumgr.exe
PID 1772 wrote to memory of 900	1772	hvala na predra_unumgr.exe	iexplore.exe
PID 1772 wrote to memory of 900	1772	hvala na predra_unumgr.exe	iexplore.exe
PID 1772 wrote to memory of 900	1772	hvala na predra_unumgr.exe	iexplore.exe
PID 1772 wrote to memory of 900	1772	hvala na predra_unumgr.exe	iexplore.exe
PID 1772 wrote to memory of 1644	1772	hvala na predra_unumgr.exe	iexplore.exe
PID 1772 wrote to memory of 1644	1772	hvala na predra_unumgr.exe	iexplore.exe
PID 1772 wrote to memory of 1644	1772	hvala na predra_unumgr.exe	iexplore.exe
PID 1772 wrote to memory of 1644	1772	hvala na predra_unumgr.exe	iexplore.exe
PID 900 wrote to memory of 580	900	iexplore.exe	IEXPLORE.EXE
PID 900 wrote to memory of 580	900	iexplore.exe	IEXPLORE.EXE
PID 900 wrote to memory of 580	900	iexplore.exe	IEXPLORE.EXE
PID 900 wrote to memory of 580	900	iexplore.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 1888	1644	iexplore.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 1888	1644	iexplore.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 1888	1644	iexplore.exe	IEXPLORE.EXE
PID 1644 wrote to memory of 1888	1644	iexplore.exe	IEXPLORE.EXE
PID 1656 wrote to memory of 1980	1656	hvala na predra_unu.exe	MSBuild.exe
PID 1656 wrote to memory of 1980	1656	hvala na predra_unu.exe	MSBuild.exe
PID 1656 wrote to memory of 1980	1656	hvala na predra_unu.exe	MSBuild.exe
PID 1656 wrote to memory of 1980	1656	hvala na predra_unu.exe	MSBuild.exe
PID 1656 wrote to memory of 1980	1656	hvala na predra_unu.exe	MSBuild.exe
PID 1656 wrote to memory of 1980	1656	hvala na predra_unu.exe	MSBuild.exe
PID 1980 wrote to memory of 904	1980	MSBuild.exe	netsh.exe
PID 1980 wrote to memory of 904	1980	MSBuild.exe	netsh.exe
PID 1980 wrote to memory of 904	1980	MSBuild.exe	netsh.exe
PID 1980 wrote to memory of 904	1980	MSBuild.exe	netsh.exe

outlook_office_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

outlook_win_path 1 IoCs

Processes:

MSBuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\hvala na predra_unu.exe
"C:\Users\Admin\AppData\Local\Temp\hvala na predra_unu.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe
"C:\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1644 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:900 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1980

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{81E944F1-D8D9-11EC-9824-4224C87335A1}.dat
Filesize
5KB

MD5
80dcf4c6ad137002a73330fb6d006506

SHA1
8eb7c62091f0415fbf44728818ca8ff9b4ece6a7

SHA256
2427a7597f77376dc85a4c50829ab4c9e3476e77337aba353f01fd84f665b015

SHA512
41b3238f2dd9d077e8faab58ff1e15e6577b9ed5b4f2ec28eb148376d5b8a9239a02911e1a3aaa7f9ef22c444863aaa8275b5f0a1eb5a01445e062008db3b105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{81E96C01-D8D9-11EC-9824-4224C87335A1}.dat
Filesize
5KB

MD5
229e1bc41ecf5ceb32374f18560c2e42

SHA1
d86e2b77ea3205b774ad49c9c4b21a1addcf8c2c

SHA256
1e774d940205acd132ac3966afa9efbcd01a641956518d4219a11fb62cbeab8c

SHA512
685ba0280d5089822acc1201bea164f5739c2aa97431f9d25099a88c565ca3d41df3963cc19f92a25c6779180a3eb6ad034767f3c900ee25c7ebe1356a438334

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe
Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AQ4D1ILJ.txt
Filesize
604B

MD5
de979e9ed4d6cf5aee8cfb6ce317cd4a

SHA1
e8eeae13905cec9bb2eb8b63861e7d0b3c1a5cc9

SHA256
74d300c684dd842ef60585e99cd73d66c09a323d8b8abc793df607d8dde5c44c

SHA512
e9182e5d7743c8818ac563476c8c8ef1dcc9c4a5f7954a7a93f0196fe27f1d1a81dc776cfc47d2ee05e22596747f32bc733f3a8a875a0ae19df6d54055801a92

Download Submit
\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe
Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
\Users\Admin\AppData\Local\Temp\hvala na predra_unumgr.exe
Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
memory/904-77-0x0000000000000000-mapping.dmp

Download
memory/1656-72-0x0000000074F40000-0x0000000074FD8000-memory.dmp

Filesize
608KB

Download
memory/1656-54-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/1656-73-0x000000007CA60000-0x000000007CAF8000-memory.dmp

Filesize
608KB

Download
memory/1772-57-0x0000000000000000-mapping.dmp

Download
memory/1772-59-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1980-62-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1980-71-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1980-70-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1980-75-0x0000000071780000-0x0000000071D2B000-memory.dmp

Filesize
5.7MB

Download
memory/1980-69-0x000000000044CFAE-mapping.dmp

Download
memory/1980-64-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads