agenttesla | f1f18b0a7efd6702ce47f9bea620165785050d55074d6ae27e6a6ff4322f6ad3

Analysis

max time kernel
150s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hesaphareketi000,pdf.exe
Size

938KB
MD5

1d77691991b358cddb9e88b28380b124
SHA1

e815d27cdf5fde77c3ac60388408bb27304dc75a
SHA256

a9892834c6f030fd7a292b213a39270e2fc991b6c9287fff73b540dd2b36e290
SHA512

6660827d12b5e21f9116ea5cbf48e484e95c3fdc41969a3a9e78677c29c36768f8652656c126007814db8d27d242d7bc748ece8a26f179da24a57036048fdc0b

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.slbdc-lk.org
Port:
587
Username:
[email protected]
Password:
finance2017

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/820-131-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/820-130-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/820-132-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/820-133-0x00000000004477BE-mapping.dmp	family_agenttesla
behavioral1/memory/820-136-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/820-138-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Executes dropped EXE 8 IoCs

Processes:

hesaphareketi000,pdf.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeapp.exeRegAsm.exe

pid process

956 hesaphareketi000,pdf.exe
1204 icsys.icn.exe
1908 explorer.exe
520 spoolsv.exe
1336 svchost.exe
1316 spoolsv.exe
1592 app.exe
820 RegAsm.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
956	hesaphareketi000,pdf.exe
1204	icsys.icn.exe
1908	explorer.exe
520	spoolsv.exe
1336	svchost.exe
1316	spoolsv.exe
1592	app.exe
820	RegAsm.exe

Loads dropped DLL 19 IoCs

Processes:

hesaphareketi000,pdf.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exehesaphareketi000,pdf.exe app.exeWerFault.exeRegAsm.exe

pid	process
1564	hesaphareketi000,pdf.exe
1564	hesaphareketi000,pdf.exe
1564	hesaphareketi000,pdf.exe
1204	icsys.icn.exe
1204	icsys.icn.exe
1908	explorer.exe
1908	explorer.exe
520	spoolsv.exe
520	spoolsv.exe
1336	svchost.exe
1336	svchost.exe
956	hesaphareketi000,pdf.exe
1592	app.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
1728	WerFault.exe
820	RegAsm.exe
1728	WerFault.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exeexplorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\app = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\app.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

app.exe

description pid process target process

PID 1592 set thread context of 820 1592 app.exe RegAsm.exe

description	pid	process	target process
PID 1592 set thread context of 820	1592	app.exe	RegAsm.exe

Drops file in Windows directory 6 IoCs

Processes:

spoolsv.exeexplorer.exesvchost.exeicsys.icn.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1728 1592 WerFault.exe app.exe

pid	pid_target	process	target process
1728	1592	WerFault.exe	app.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
1204	icsys.icn.exe
1908	explorer.exe
1908	explorer.exe
1908	explorer.exe
1908	explorer.exe
1336	svchost.exe
1336	svchost.exe
1908	explorer.exe
1336	svchost.exe
1336	svchost.exe
1908	explorer.exe
1908	explorer.exe
1336	svchost.exe
1908	explorer.exe
1336	svchost.exe
1336	svchost.exe
1908	explorer.exe
1908	explorer.exe
1336	svchost.exe
1908	explorer.exe
1336	svchost.exe
1908	explorer.exe
1336	svchost.exe
1336	svchost.exe
1908	explorer.exe
1908	explorer.exe
1336	svchost.exe
1336	svchost.exe
1908	explorer.exe
1908	explorer.exe
1336	svchost.exe
1336	svchost.exe
1908	explorer.exe
1908	explorer.exe
1336	svchost.exe
1908	explorer.exe
1336	svchost.exe
1336	svchost.exe
1908	explorer.exe
1336	svchost.exe
1908	explorer.exe
1908	explorer.exe
1336	svchost.exe
1908	explorer.exe
1336	svchost.exe
1336	svchost.exe
1908	explorer.exe
1908	explorer.exe
1336	svchost.exe
1336	svchost.exe
1908	explorer.exe
1908	explorer.exe
1336	svchost.exe
1336	svchost.exe
1908	explorer.exe
1908	explorer.exe
1336	svchost.exe
1336	svchost.exe
1908	explorer.exe
1908	explorer.exe
1336	svchost.exe
1908	explorer.exe
1336	svchost.exe
1336	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1908 explorer.exe
1336 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

hesaphareketi000,pdf.exe app.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 956 hesaphareketi000,pdf.exe
Token: SeDebugPrivilege 1592 app.exe
Token: SeDebugPrivilege 820 RegAsm.exe

pid	process
1908	explorer.exe
1336	svchost.exe

description	pid	process
Token: SeDebugPrivilege	956	hesaphareketi000,pdf.exe
Token: SeDebugPrivilege	1592	app.exe
Token: SeDebugPrivilege	820	RegAsm.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

hesaphareketi000,pdf.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
1564	hesaphareketi000,pdf.exe
1564	hesaphareketi000,pdf.exe
1204	icsys.icn.exe
1204	icsys.icn.exe
1908	explorer.exe
1908	explorer.exe
520	spoolsv.exe
520	spoolsv.exe
1336	svchost.exe
1336	svchost.exe
1316	spoolsv.exe
1316	spoolsv.exe
1908	explorer.exe
1908	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hesaphareketi000,pdf.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exehesaphareketi000,pdf.exe cmd.exeapp.exe

description	pid	process	target process
PID 1564 wrote to memory of 956	1564	hesaphareketi000,pdf.exe	hesaphareketi000,pdf.exe
PID 1564 wrote to memory of 956	1564	hesaphareketi000,pdf.exe	hesaphareketi000,pdf.exe
PID 1564 wrote to memory of 956	1564	hesaphareketi000,pdf.exe	hesaphareketi000,pdf.exe
PID 1564 wrote to memory of 956	1564	hesaphareketi000,pdf.exe	hesaphareketi000,pdf.exe
PID 1564 wrote to memory of 1204	1564	hesaphareketi000,pdf.exe	icsys.icn.exe
PID 1564 wrote to memory of 1204	1564	hesaphareketi000,pdf.exe	icsys.icn.exe
PID 1564 wrote to memory of 1204	1564	hesaphareketi000,pdf.exe	icsys.icn.exe
PID 1564 wrote to memory of 1204	1564	hesaphareketi000,pdf.exe	icsys.icn.exe
PID 1204 wrote to memory of 1908	1204	icsys.icn.exe	explorer.exe
PID 1204 wrote to memory of 1908	1204	icsys.icn.exe	explorer.exe
PID 1204 wrote to memory of 1908	1204	icsys.icn.exe	explorer.exe
PID 1204 wrote to memory of 1908	1204	icsys.icn.exe	explorer.exe
PID 1908 wrote to memory of 520	1908	explorer.exe	spoolsv.exe
PID 1908 wrote to memory of 520	1908	explorer.exe	spoolsv.exe
PID 1908 wrote to memory of 520	1908	explorer.exe	spoolsv.exe
PID 1908 wrote to memory of 520	1908	explorer.exe	spoolsv.exe
PID 520 wrote to memory of 1336	520	spoolsv.exe	svchost.exe
PID 520 wrote to memory of 1336	520	spoolsv.exe	svchost.exe
PID 520 wrote to memory of 1336	520	spoolsv.exe	svchost.exe
PID 520 wrote to memory of 1336	520	spoolsv.exe	svchost.exe
PID 1336 wrote to memory of 1316	1336	svchost.exe	spoolsv.exe
PID 1336 wrote to memory of 1316	1336	svchost.exe	spoolsv.exe
PID 1336 wrote to memory of 1316	1336	svchost.exe	spoolsv.exe
PID 1336 wrote to memory of 1316	1336	svchost.exe	spoolsv.exe
PID 1336 wrote to memory of 876	1336	svchost.exe	at.exe
PID 1336 wrote to memory of 876	1336	svchost.exe	at.exe
PID 1336 wrote to memory of 876	1336	svchost.exe	at.exe
PID 1336 wrote to memory of 876	1336	svchost.exe	at.exe
PID 956 wrote to memory of 1920	956	hesaphareketi000,pdf.exe	cmd.exe
PID 956 wrote to memory of 1920	956	hesaphareketi000,pdf.exe	cmd.exe
PID 956 wrote to memory of 1920	956	hesaphareketi000,pdf.exe	cmd.exe
PID 956 wrote to memory of 1920	956	hesaphareketi000,pdf.exe	cmd.exe
PID 1920 wrote to memory of 1980	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 1980	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 1980	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 1980	1920	cmd.exe	reg.exe
PID 956 wrote to memory of 1592	956	hesaphareketi000,pdf.exe	app.exe
PID 956 wrote to memory of 1592	956	hesaphareketi000,pdf.exe	app.exe
PID 956 wrote to memory of 1592	956	hesaphareketi000,pdf.exe	app.exe
PID 956 wrote to memory of 1592	956	hesaphareketi000,pdf.exe	app.exe
PID 1336 wrote to memory of 284	1336	svchost.exe	at.exe
PID 1336 wrote to memory of 284	1336	svchost.exe	at.exe
PID 1336 wrote to memory of 284	1336	svchost.exe	at.exe
PID 1336 wrote to memory of 284	1336	svchost.exe	at.exe
PID 1592 wrote to memory of 820	1592	app.exe	RegAsm.exe
PID 1592 wrote to memory of 820	1592	app.exe	RegAsm.exe
PID 1592 wrote to memory of 820	1592	app.exe	RegAsm.exe
PID 1592 wrote to memory of 820	1592	app.exe	RegAsm.exe
PID 1592 wrote to memory of 820	1592	app.exe	RegAsm.exe
PID 1592 wrote to memory of 820	1592	app.exe	RegAsm.exe
PID 1592 wrote to memory of 820	1592	app.exe	RegAsm.exe
PID 1592 wrote to memory of 820	1592	app.exe	RegAsm.exe
PID 1592 wrote to memory of 820	1592	app.exe	RegAsm.exe
PID 1592 wrote to memory of 820	1592	app.exe	RegAsm.exe
PID 1592 wrote to memory of 820	1592	app.exe	RegAsm.exe
PID 1592 wrote to memory of 820	1592	app.exe	RegAsm.exe
PID 1592 wrote to memory of 1728	1592	app.exe	WerFault.exe
PID 1592 wrote to memory of 1728	1592	app.exe	WerFault.exe
PID 1592 wrote to memory of 1728	1592	app.exe	WerFault.exe
PID 1592 wrote to memory of 1728	1592	app.exe	WerFault.exe
PID 1336 wrote to memory of 576	1336	svchost.exe	at.exe
PID 1336 wrote to memory of 576	1336	svchost.exe	at.exe
PID 1336 wrote to memory of 576	1336	svchost.exe	at.exe
PID 1336 wrote to memory of 576	1336	svchost.exe	at.exe

C:\Users\Admin\AppData\Local\Temp\hesaphareketi000,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\hesaphareketi000,pdf.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564

\??\c:\users\admin\appdata\local\temp\hesaphareketi000,pdf.exe
c:\users\admin\appdata\local\temp\hesaphareketi000,pdf.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v app /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v app /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
4⤵
- Adds Run key to start application
PID:1980

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 764
4⤵
- Loads dropped DLL
- Program crash
PID:1728

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:520

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1316

C:\Windows\SysWOW64\at.exe
at 05:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:876

C:\Windows\SysWOW64\at.exe
at 05:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:284

C:\Windows\SysWOW64\at.exe
at 05:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:576

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\hesaphareketi000,pdf.exe
Filesize
664KB

MD5
9ab7fad672f6817dfbf663c473a8602f

SHA1
a4330c7d5ce6c2c33c0c9546d0b79b54a0ff2f01

SHA256
05b3bbe8a204bb58b9e2bc0827c40df0479bf719a7a4e5d746efc5604f40338d

SHA512
1d3a4928e079c716116b84efb43e953bfa02def6525ac8fc45406297e3154b591395532803d0e1e4067be44cb7872f6be085bd3bab0ccf09f1d333132c18bc9c

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
274KB

MD5
dbc587269e5c08f455c321d4bc83ab04

SHA1
871b0f1f5f97b69b9433ead91b0a99c85f184acd

SHA256
6bf20ee6b02f3e9dc93b924a50f3af4f6104190a4bceda329e80ab7d397dd382

SHA512
be5779e5f751a921f4ea7d4eca9a97234ef174f16168dcb4fdf93c641e4d33616cc684ce0099e18a2e8e2381637f2d9d39f32c1e84f63b5fc545ed80bbc14004

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
Filesize
664KB

MD5
9ab7fad672f6817dfbf663c473a8602f

SHA1
a4330c7d5ce6c2c33c0c9546d0b79b54a0ff2f01

SHA256
05b3bbe8a204bb58b9e2bc0827c40df0479bf719a7a4e5d746efc5604f40338d

SHA512
1d3a4928e079c716116b84efb43e953bfa02def6525ac8fc45406297e3154b591395532803d0e1e4067be44cb7872f6be085bd3bab0ccf09f1d333132c18bc9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
Filesize
664KB

MD5
9ab7fad672f6817dfbf663c473a8602f

SHA1
a4330c7d5ce6c2c33c0c9546d0b79b54a0ff2f01

SHA256
05b3bbe8a204bb58b9e2bc0827c40df0479bf719a7a4e5d746efc5604f40338d

SHA512
1d3a4928e079c716116b84efb43e953bfa02def6525ac8fc45406297e3154b591395532803d0e1e4067be44cb7872f6be085bd3bab0ccf09f1d333132c18bc9c

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
274KB

MD5
b6173c34a999a9f2b9cff0d1c0c39c10

SHA1
fd2b8ce6fffb7fb9b5fcef80e96671f404a984eb

SHA256
0150ae64ebdbceeb7876a2c646de854ec82cdadc684aceb4c9712c2fcbe00618

SHA512
8e392bf179b9e307524ac56957afff7436e697d58a517dd360ec13185f431451ce40bddeaca208ccf44f9e129ca64debf3e3b330ecb1a2121bf8d0d5f2a5640f

Download Submit
C:\Windows\system\explorer.exe
Filesize
274KB

MD5
fbcefc4a936247db3ac2450aed84e00f

SHA1
0d0359f8463223d47e20a0932102dbdc6bc5894a

SHA256
46fc13d4ad07d4c6219c15cbdb8275976f8d28ee35879a6f80b23cea61680172

SHA512
b5f88e058173ce4aad794fd9e18d229924f9e7ace47445ca8c4842fb69cdd8d349552fcd4f033a87775f460ae08aaa0e253b5b6f11f80829899098ad702b3cd6

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
274KB

MD5
4a8e374ade6c9066ecd52362dc53d560

SHA1
1f4ac58a7d2434e382b3bee9a4c28d168f867ed4

SHA256
09ca52b1a027dda5c751bdf8080ba84e6877382edd722b943ea86b21e0fda67b

SHA512
aaa738ba86622d11e6bd8f564b3bf11c8a13f0ffd3dcaed92bfc888e3cd22495d6be35d9bb734ba382430f41df9984c95eb8f4709717fe3db5ccc425c5d7edd1

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
274KB

MD5
4a8e374ade6c9066ecd52362dc53d560

SHA1
1f4ac58a7d2434e382b3bee9a4c28d168f867ed4

SHA256
09ca52b1a027dda5c751bdf8080ba84e6877382edd722b943ea86b21e0fda67b

SHA512
aaa738ba86622d11e6bd8f564b3bf11c8a13f0ffd3dcaed92bfc888e3cd22495d6be35d9bb734ba382430f41df9984c95eb8f4709717fe3db5ccc425c5d7edd1

Download Submit
C:\Windows\system\svchost.exe
Filesize
274KB

MD5
46beb0538df4902139d64c1e5a65dc19

SHA1
08cc10c5bd3d67f15dad511fec256e75c2004a0e

SHA256
a614822a47b62eeafe97b43c04e373ecb23ea5075043dbab8afb9fea60248123

SHA512
64c97f425ec67ef15a5268b34bac89f09475b6dc610047818e76816741e27f3628fc961297c1ba4e88975789fa3352567d023b39b742a1953ad0a6cc4c331781

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe
Filesize
274KB

MD5
dbc587269e5c08f455c321d4bc83ab04

SHA1
871b0f1f5f97b69b9433ead91b0a99c85f184acd

SHA256
6bf20ee6b02f3e9dc93b924a50f3af4f6104190a4bceda329e80ab7d397dd382

SHA512
be5779e5f751a921f4ea7d4eca9a97234ef174f16168dcb4fdf93c641e4d33616cc684ce0099e18a2e8e2381637f2d9d39f32c1e84f63b5fc545ed80bbc14004

Download Submit
\??\c:\users\admin\appdata\local\temp\hesaphareketi000,pdf.exe
Filesize
664KB

MD5
9ab7fad672f6817dfbf663c473a8602f

SHA1
a4330c7d5ce6c2c33c0c9546d0b79b54a0ff2f01

SHA256
05b3bbe8a204bb58b9e2bc0827c40df0479bf719a7a4e5d746efc5604f40338d

SHA512
1d3a4928e079c716116b84efb43e953bfa02def6525ac8fc45406297e3154b591395532803d0e1e4067be44cb7872f6be085bd3bab0ccf09f1d333132c18bc9c

Download Submit
\??\c:\windows\system\explorer.exe
Filesize
274KB

MD5
fbcefc4a936247db3ac2450aed84e00f

SHA1
0d0359f8463223d47e20a0932102dbdc6bc5894a

SHA256
46fc13d4ad07d4c6219c15cbdb8275976f8d28ee35879a6f80b23cea61680172

SHA512
b5f88e058173ce4aad794fd9e18d229924f9e7ace47445ca8c4842fb69cdd8d349552fcd4f033a87775f460ae08aaa0e253b5b6f11f80829899098ad702b3cd6

Download Submit
\??\c:\windows\system\spoolsv.exe
Filesize
274KB

MD5
4a8e374ade6c9066ecd52362dc53d560

SHA1
1f4ac58a7d2434e382b3bee9a4c28d168f867ed4

SHA256
09ca52b1a027dda5c751bdf8080ba84e6877382edd722b943ea86b21e0fda67b

SHA512
aaa738ba86622d11e6bd8f564b3bf11c8a13f0ffd3dcaed92bfc888e3cd22495d6be35d9bb734ba382430f41df9984c95eb8f4709717fe3db5ccc425c5d7edd1

Download Submit
\??\c:\windows\system\svchost.exe
Filesize
274KB

MD5
46beb0538df4902139d64c1e5a65dc19

SHA1
08cc10c5bd3d67f15dad511fec256e75c2004a0e

SHA256
a614822a47b62eeafe97b43c04e373ecb23ea5075043dbab8afb9fea60248123

SHA512
64c97f425ec67ef15a5268b34bac89f09475b6dc610047818e76816741e27f3628fc961297c1ba4e88975789fa3352567d023b39b742a1953ad0a6cc4c331781

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\RegAsm.exe
Filesize
63KB

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
\Users\Admin\AppData\Local\Temp\hesaphareketi000,pdf.exe
Filesize
664KB

MD5
9ab7fad672f6817dfbf663c473a8602f

SHA1
a4330c7d5ce6c2c33c0c9546d0b79b54a0ff2f01

SHA256
05b3bbe8a204bb58b9e2bc0827c40df0479bf719a7a4e5d746efc5604f40338d

SHA512
1d3a4928e079c716116b84efb43e953bfa02def6525ac8fc45406297e3154b591395532803d0e1e4067be44cb7872f6be085bd3bab0ccf09f1d333132c18bc9c

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
274KB

MD5
dbc587269e5c08f455c321d4bc83ab04

SHA1
871b0f1f5f97b69b9433ead91b0a99c85f184acd

SHA256
6bf20ee6b02f3e9dc93b924a50f3af4f6104190a4bceda329e80ab7d397dd382

SHA512
be5779e5f751a921f4ea7d4eca9a97234ef174f16168dcb4fdf93c641e4d33616cc684ce0099e18a2e8e2381637f2d9d39f32c1e84f63b5fc545ed80bbc14004

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
274KB

MD5
dbc587269e5c08f455c321d4bc83ab04

SHA1
871b0f1f5f97b69b9433ead91b0a99c85f184acd

SHA256
6bf20ee6b02f3e9dc93b924a50f3af4f6104190a4bceda329e80ab7d397dd382

SHA512
be5779e5f751a921f4ea7d4eca9a97234ef174f16168dcb4fdf93c641e4d33616cc684ce0099e18a2e8e2381637f2d9d39f32c1e84f63b5fc545ed80bbc14004

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
Filesize
664KB

MD5
9ab7fad672f6817dfbf663c473a8602f

SHA1
a4330c7d5ce6c2c33c0c9546d0b79b54a0ff2f01

SHA256
05b3bbe8a204bb58b9e2bc0827c40df0479bf719a7a4e5d746efc5604f40338d

SHA512
1d3a4928e079c716116b84efb43e953bfa02def6525ac8fc45406297e3154b591395532803d0e1e4067be44cb7872f6be085bd3bab0ccf09f1d333132c18bc9c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
Filesize
664KB

MD5
9ab7fad672f6817dfbf663c473a8602f

SHA1
a4330c7d5ce6c2c33c0c9546d0b79b54a0ff2f01

SHA256
05b3bbe8a204bb58b9e2bc0827c40df0479bf719a7a4e5d746efc5604f40338d

SHA512
1d3a4928e079c716116b84efb43e953bfa02def6525ac8fc45406297e3154b591395532803d0e1e4067be44cb7872f6be085bd3bab0ccf09f1d333132c18bc9c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
Filesize
664KB

MD5
9ab7fad672f6817dfbf663c473a8602f

SHA1
a4330c7d5ce6c2c33c0c9546d0b79b54a0ff2f01

SHA256
05b3bbe8a204bb58b9e2bc0827c40df0479bf719a7a4e5d746efc5604f40338d

SHA512
1d3a4928e079c716116b84efb43e953bfa02def6525ac8fc45406297e3154b591395532803d0e1e4067be44cb7872f6be085bd3bab0ccf09f1d333132c18bc9c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
Filesize
664KB

MD5
9ab7fad672f6817dfbf663c473a8602f

SHA1
a4330c7d5ce6c2c33c0c9546d0b79b54a0ff2f01

SHA256
05b3bbe8a204bb58b9e2bc0827c40df0479bf719a7a4e5d746efc5604f40338d

SHA512
1d3a4928e079c716116b84efb43e953bfa02def6525ac8fc45406297e3154b591395532803d0e1e4067be44cb7872f6be085bd3bab0ccf09f1d333132c18bc9c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
Filesize
664KB

MD5
9ab7fad672f6817dfbf663c473a8602f

SHA1
a4330c7d5ce6c2c33c0c9546d0b79b54a0ff2f01

SHA256
05b3bbe8a204bb58b9e2bc0827c40df0479bf719a7a4e5d746efc5604f40338d

SHA512
1d3a4928e079c716116b84efb43e953bfa02def6525ac8fc45406297e3154b591395532803d0e1e4067be44cb7872f6be085bd3bab0ccf09f1d333132c18bc9c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\app.exe
Filesize
664KB

MD5
9ab7fad672f6817dfbf663c473a8602f

SHA1
a4330c7d5ce6c2c33c0c9546d0b79b54a0ff2f01

SHA256
05b3bbe8a204bb58b9e2bc0827c40df0479bf719a7a4e5d746efc5604f40338d

SHA512
1d3a4928e079c716116b84efb43e953bfa02def6525ac8fc45406297e3154b591395532803d0e1e4067be44cb7872f6be085bd3bab0ccf09f1d333132c18bc9c

Download Submit
\Windows\system\explorer.exe
Filesize
274KB

MD5
fbcefc4a936247db3ac2450aed84e00f

SHA1
0d0359f8463223d47e20a0932102dbdc6bc5894a

SHA256
46fc13d4ad07d4c6219c15cbdb8275976f8d28ee35879a6f80b23cea61680172

SHA512
b5f88e058173ce4aad794fd9e18d229924f9e7ace47445ca8c4842fb69cdd8d349552fcd4f033a87775f460ae08aaa0e253b5b6f11f80829899098ad702b3cd6

Download Submit
\Windows\system\explorer.exe
Filesize
274KB

MD5
fbcefc4a936247db3ac2450aed84e00f

SHA1
0d0359f8463223d47e20a0932102dbdc6bc5894a

SHA256
46fc13d4ad07d4c6219c15cbdb8275976f8d28ee35879a6f80b23cea61680172

SHA512
b5f88e058173ce4aad794fd9e18d229924f9e7ace47445ca8c4842fb69cdd8d349552fcd4f033a87775f460ae08aaa0e253b5b6f11f80829899098ad702b3cd6

Download Submit
\Windows\system\spoolsv.exe
Filesize
274KB

MD5
4a8e374ade6c9066ecd52362dc53d560

SHA1
1f4ac58a7d2434e382b3bee9a4c28d168f867ed4

SHA256
09ca52b1a027dda5c751bdf8080ba84e6877382edd722b943ea86b21e0fda67b

SHA512
aaa738ba86622d11e6bd8f564b3bf11c8a13f0ffd3dcaed92bfc888e3cd22495d6be35d9bb734ba382430f41df9984c95eb8f4709717fe3db5ccc425c5d7edd1

Download Submit
\Windows\system\spoolsv.exe
Filesize
274KB

MD5
4a8e374ade6c9066ecd52362dc53d560

SHA1
1f4ac58a7d2434e382b3bee9a4c28d168f867ed4

SHA256
09ca52b1a027dda5c751bdf8080ba84e6877382edd722b943ea86b21e0fda67b

SHA512
aaa738ba86622d11e6bd8f564b3bf11c8a13f0ffd3dcaed92bfc888e3cd22495d6be35d9bb734ba382430f41df9984c95eb8f4709717fe3db5ccc425c5d7edd1

Download Submit
\Windows\system\spoolsv.exe
Filesize
274KB

MD5
4a8e374ade6c9066ecd52362dc53d560

SHA1
1f4ac58a7d2434e382b3bee9a4c28d168f867ed4

SHA256
09ca52b1a027dda5c751bdf8080ba84e6877382edd722b943ea86b21e0fda67b

SHA512
aaa738ba86622d11e6bd8f564b3bf11c8a13f0ffd3dcaed92bfc888e3cd22495d6be35d9bb734ba382430f41df9984c95eb8f4709717fe3db5ccc425c5d7edd1

Download Submit
\Windows\system\spoolsv.exe
Filesize
274KB

MD5
4a8e374ade6c9066ecd52362dc53d560

SHA1
1f4ac58a7d2434e382b3bee9a4c28d168f867ed4

SHA256
09ca52b1a027dda5c751bdf8080ba84e6877382edd722b943ea86b21e0fda67b

SHA512
aaa738ba86622d11e6bd8f564b3bf11c8a13f0ffd3dcaed92bfc888e3cd22495d6be35d9bb734ba382430f41df9984c95eb8f4709717fe3db5ccc425c5d7edd1

Download Submit
\Windows\system\svchost.exe
Filesize
274KB

MD5
46beb0538df4902139d64c1e5a65dc19

SHA1
08cc10c5bd3d67f15dad511fec256e75c2004a0e

SHA256
a614822a47b62eeafe97b43c04e373ecb23ea5075043dbab8afb9fea60248123

SHA512
64c97f425ec67ef15a5268b34bac89f09475b6dc610047818e76816741e27f3628fc961297c1ba4e88975789fa3352567d023b39b742a1953ad0a6cc4c331781

Download Submit
\Windows\system\svchost.exe
Filesize
274KB

MD5
46beb0538df4902139d64c1e5a65dc19

SHA1
08cc10c5bd3d67f15dad511fec256e75c2004a0e

SHA256
a614822a47b62eeafe97b43c04e373ecb23ea5075043dbab8afb9fea60248123

SHA512
64c97f425ec67ef15a5268b34bac89f09475b6dc610047818e76816741e27f3628fc961297c1ba4e88975789fa3352567d023b39b742a1953ad0a6cc4c331781

Download Submit
memory/284-124-0x0000000000000000-mapping.dmp

Download
memory/520-109-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/520-85-0x0000000000000000-mapping.dmp

Download
memory/576-147-0x0000000000000000-mapping.dmp

Download
memory/820-128-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/820-138-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/820-133-0x00000000004477BE-mapping.dmp

Download
memory/820-132-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/820-136-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/820-127-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/820-130-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/820-131-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/876-112-0x0000000000000000-mapping.dmp

Download
memory/956-115-0x00000000004C0000-0x00000000004CA000-memory.dmp

Filesize
40KB

Download
memory/956-64-0x0000000000320000-0x000000000033C000-memory.dmp

Filesize
112KB

Download
memory/956-62-0x00000000009C0000-0x0000000000A6C000-memory.dmp

Filesize
688KB

Download
memory/956-59-0x0000000000000000-mapping.dmp

Download
memory/1204-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1204-67-0x0000000000000000-mapping.dmp

Download
memory/1316-103-0x0000000000000000-mapping.dmp

Download
memory/1316-108-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1336-94-0x0000000000000000-mapping.dmp

Download
memory/1564-57-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download
memory/1564-110-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1592-122-0x0000000001300000-0x00000000013AC000-memory.dmp

Filesize
688KB

Download
memory/1592-119-0x0000000000000000-mapping.dmp

Download
memory/1728-139-0x0000000000000000-mapping.dmp

Download
memory/1908-76-0x0000000000000000-mapping.dmp

Download
memory/1908-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1920-116-0x0000000000000000-mapping.dmp

Download
memory/1980-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads