agenttesla | 3dfd5cf8a8661a448ac86d4aad831509092bb63556cdea451b8e93f6b678532d

Analysis

max time kernel
188s
max time network
44s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ T7-30032020.exe
Size

697KB
MD5

a189817dbab853329eb05c34f1c8e5e5
SHA1

68f28e839fc32aa4f2b62d8aaac49c8127b18e0a
SHA256

4850ce25c3caf99fc7f558ec6666d08c43d69ed4e1be9a8fd37f289db69561ab
SHA512

3a5756d37b4de9f2a6b2ef59a11ab01ffd145791c5a136a882e1a520072cb344b697a84e4520c3a58246fc924f7a0f316ac1bc0c8ba9458ba3e88a1ba6cd8041

Score

10^/10

agenttesla collection evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.fipco-sa.com
Port:
587
Username:
[email protected]
Password:
breakingnews77

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112

AgentTesla Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/876-122-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/876-121-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/876-120-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/876-123-0x000000000044C6FE-mapping.dmp	family_agenttesla
behavioral1/memory/876-126-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla
behavioral1/memory/876-128-0x0000000000400000-0x0000000000452000-memory.dmp	family_agenttesla

Executes dropped EXE 8 IoCs

Processes:

rfq t7-30032020.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exerfq t7-30032020.exe rfq t7-30032020.exe

pid	process
628	rfq t7-30032020.exe
848	icsys.icn.exe
1312	explorer.exe
800	spoolsv.exe
528	svchost.exe
1152	spoolsv.exe
1796	rfq t7-30032020.exe
876	rfq t7-30032020.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 13 IoCs

Processes:

RFQ T7-30032020.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exerfq t7-30032020.exe

pid	process
1672	RFQ T7-30032020.exe
1672	RFQ T7-30032020.exe
1672	RFQ T7-30032020.exe
848	icsys.icn.exe
848	icsys.icn.exe
1312	explorer.exe
1312	explorer.exe
800	spoolsv.exe
800	spoolsv.exe
528	svchost.exe
528	svchost.exe
628	rfq t7-30032020.exe
628	rfq t7-30032020.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

rfq t7-30032020.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rfq t7-30032020.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rfq t7-30032020.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rfq t7-30032020.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rfq t7-30032020.exe

description pid process target process

PID 628 set thread context of 876 628 rfq t7-30032020.exe rfq t7-30032020.exe

description	pid	process	target process
PID 628 set thread context of 876	628	rfq t7-30032020.exe	rfq t7-30032020.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exeexplorer.exeicsys.icn.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

icsys.icn.exeexplorer.exesvchost.exe

pid	process
848	icsys.icn.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
1312	explorer.exe
528	svchost.exe
528	svchost.exe
528	svchost.exe
1312	explorer.exe
1312	explorer.exe
528	svchost.exe
528	svchost.exe
1312	explorer.exe
1312	explorer.exe
528	svchost.exe
528	svchost.exe
1312	explorer.exe
1312	explorer.exe
528	svchost.exe
528	svchost.exe
1312	explorer.exe
1312	explorer.exe
528	svchost.exe
1312	explorer.exe
528	svchost.exe
1312	explorer.exe
528	svchost.exe
528	svchost.exe
1312	explorer.exe
1312	explorer.exe
528	svchost.exe
528	svchost.exe
1312	explorer.exe
528	svchost.exe
1312	explorer.exe
1312	explorer.exe
528	svchost.exe
528	svchost.exe
1312	explorer.exe
528	svchost.exe
1312	explorer.exe
1312	explorer.exe
528	svchost.exe
528	svchost.exe
1312	explorer.exe
528	svchost.exe
1312	explorer.exe
528	svchost.exe
1312	explorer.exe
528	svchost.exe
1312	explorer.exe
528	svchost.exe
1312	explorer.exe
528	svchost.exe
1312	explorer.exe
1312	explorer.exe
528	svchost.exe
528	svchost.exe
1312	explorer.exe
528	svchost.exe
1312	explorer.exe
528	svchost.exe
1312	explorer.exe
1312	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exesvchost.exe

pid process

1312 explorer.exe
528 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rfq t7-30032020.exe rfq t7-30032020.exe

description pid process

Token: SeDebugPrivilege 628 rfq t7-30032020.exe
Token: SeDebugPrivilege 876 rfq t7-30032020.exe

pid	process
1312	explorer.exe
528	svchost.exe

description	pid	process
Token: SeDebugPrivilege	628	rfq t7-30032020.exe
Token: SeDebugPrivilege	876	rfq t7-30032020.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

RFQ T7-30032020.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exerfq t7-30032020.exe

pid	process
1672	RFQ T7-30032020.exe
1672	RFQ T7-30032020.exe
848	icsys.icn.exe
848	icsys.icn.exe
1312	explorer.exe
1312	explorer.exe
800	spoolsv.exe
800	spoolsv.exe
528	svchost.exe
528	svchost.exe
1152	spoolsv.exe
1152	spoolsv.exe
1312	explorer.exe
1312	explorer.exe
876	rfq t7-30032020.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

RFQ T7-30032020.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exerfq t7-30032020.exe rfq t7-30032020.exe

description	pid	process	target process
PID 1672 wrote to memory of 628	1672	RFQ T7-30032020.exe	rfq t7-30032020.exe
PID 1672 wrote to memory of 628	1672	RFQ T7-30032020.exe	rfq t7-30032020.exe
PID 1672 wrote to memory of 628	1672	RFQ T7-30032020.exe	rfq t7-30032020.exe
PID 1672 wrote to memory of 628	1672	RFQ T7-30032020.exe	rfq t7-30032020.exe
PID 1672 wrote to memory of 848	1672	RFQ T7-30032020.exe	icsys.icn.exe
PID 1672 wrote to memory of 848	1672	RFQ T7-30032020.exe	icsys.icn.exe
PID 1672 wrote to memory of 848	1672	RFQ T7-30032020.exe	icsys.icn.exe
PID 1672 wrote to memory of 848	1672	RFQ T7-30032020.exe	icsys.icn.exe
PID 848 wrote to memory of 1312	848	icsys.icn.exe	explorer.exe
PID 848 wrote to memory of 1312	848	icsys.icn.exe	explorer.exe
PID 848 wrote to memory of 1312	848	icsys.icn.exe	explorer.exe
PID 848 wrote to memory of 1312	848	icsys.icn.exe	explorer.exe
PID 1312 wrote to memory of 800	1312	explorer.exe	spoolsv.exe
PID 1312 wrote to memory of 800	1312	explorer.exe	spoolsv.exe
PID 1312 wrote to memory of 800	1312	explorer.exe	spoolsv.exe
PID 1312 wrote to memory of 800	1312	explorer.exe	spoolsv.exe
PID 800 wrote to memory of 528	800	spoolsv.exe	svchost.exe
PID 800 wrote to memory of 528	800	spoolsv.exe	svchost.exe
PID 800 wrote to memory of 528	800	spoolsv.exe	svchost.exe
PID 800 wrote to memory of 528	800	spoolsv.exe	svchost.exe
PID 528 wrote to memory of 1152	528	svchost.exe	spoolsv.exe
PID 528 wrote to memory of 1152	528	svchost.exe	spoolsv.exe
PID 528 wrote to memory of 1152	528	svchost.exe	spoolsv.exe
PID 528 wrote to memory of 1152	528	svchost.exe	spoolsv.exe
PID 528 wrote to memory of 1724	528	svchost.exe	at.exe
PID 528 wrote to memory of 1724	528	svchost.exe	at.exe
PID 528 wrote to memory of 1724	528	svchost.exe	at.exe
PID 528 wrote to memory of 1724	528	svchost.exe	at.exe
PID 628 wrote to memory of 1796	628	rfq t7-30032020.exe	rfq t7-30032020.exe
PID 628 wrote to memory of 1796	628	rfq t7-30032020.exe	rfq t7-30032020.exe
PID 628 wrote to memory of 1796	628	rfq t7-30032020.exe	rfq t7-30032020.exe
PID 628 wrote to memory of 1796	628	rfq t7-30032020.exe	rfq t7-30032020.exe
PID 628 wrote to memory of 876	628	rfq t7-30032020.exe	rfq t7-30032020.exe
PID 628 wrote to memory of 876	628	rfq t7-30032020.exe	rfq t7-30032020.exe
PID 628 wrote to memory of 876	628	rfq t7-30032020.exe	rfq t7-30032020.exe
PID 628 wrote to memory of 876	628	rfq t7-30032020.exe	rfq t7-30032020.exe
PID 628 wrote to memory of 876	628	rfq t7-30032020.exe	rfq t7-30032020.exe
PID 628 wrote to memory of 876	628	rfq t7-30032020.exe	rfq t7-30032020.exe
PID 628 wrote to memory of 876	628	rfq t7-30032020.exe	rfq t7-30032020.exe
PID 628 wrote to memory of 876	628	rfq t7-30032020.exe	rfq t7-30032020.exe
PID 628 wrote to memory of 876	628	rfq t7-30032020.exe	rfq t7-30032020.exe
PID 528 wrote to memory of 1096	528	svchost.exe	at.exe
PID 528 wrote to memory of 1096	528	svchost.exe	at.exe
PID 528 wrote to memory of 1096	528	svchost.exe	at.exe
PID 528 wrote to memory of 1096	528	svchost.exe	at.exe
PID 876 wrote to memory of 584	876	rfq t7-30032020.exe	netsh.exe
PID 876 wrote to memory of 584	876	rfq t7-30032020.exe	netsh.exe
PID 876 wrote to memory of 584	876	rfq t7-30032020.exe	netsh.exe
PID 876 wrote to memory of 584	876	rfq t7-30032020.exe	netsh.exe
PID 528 wrote to memory of 1632	528	svchost.exe	at.exe
PID 528 wrote to memory of 1632	528	svchost.exe	at.exe
PID 528 wrote to memory of 1632	528	svchost.exe	at.exe
PID 528 wrote to memory of 1632	528	svchost.exe	at.exe

outlook_office_path 1 IoCs

Processes:

rfq t7-30032020.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rfq t7-30032020.exe

outlook_win_path 1 IoCs

Processes:

rfq t7-30032020.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rfq t7-30032020.exe

C:\Users\Admin\AppData\Local\Temp\RFQ T7-30032020.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ T7-30032020.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

\??\c:\users\admin\appdata\local\temp\rfq t7-30032020.exe
"c:\users\admin\appdata\local\temp\rfq t7-30032020.exe "
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

\??\c:\users\admin\appdata\local\temp\rfq t7-30032020.exe
"{path}"
3⤵
- Executes dropped EXE
PID:1796

\??\c:\users\admin\appdata\local\temp\rfq t7-30032020.exe
"{path}"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:876

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
4⤵
PID:584

C:\Users\Admin\AppData\Local\icsys.icn.exe
C:\Users\Admin\AppData\Local\icsys.icn.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:800

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe PR
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\SysWOW64\at.exe
at 07:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1724

C:\Windows\SysWOW64\at.exe
at 07:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1096

C:\Windows\SysWOW64\at.exe
at 07:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
6⤵
PID:1632

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rfq t7-30032020.exe
Filesize
423KB

MD5
93410fd2945b880f9cb6a4dcc0637bbc

SHA1
fa86831282f50ed8efbdf10eeb31900e03ee66a3

SHA256
a1a9bb45a280c34270046131845e66f2fa6772c1f3a5f25712aaf3746398a15e

SHA512
d9b7ef59117c82a53c7af8d5d1db70425aadc466f3fb01de8ebcb6ca9068ea4015db17d7bcced4da20770a3c991303bfbf8648961b35c0201d1c9863567cdfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfq t7-30032020.exe
Filesize
423KB

MD5
93410fd2945b880f9cb6a4dcc0637bbc

SHA1
fa86831282f50ed8efbdf10eeb31900e03ee66a3

SHA256
a1a9bb45a280c34270046131845e66f2fa6772c1f3a5f25712aaf3746398a15e

SHA512
d9b7ef59117c82a53c7af8d5d1db70425aadc466f3fb01de8ebcb6ca9068ea4015db17d7bcced4da20770a3c991303bfbf8648961b35c0201d1c9863567cdfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfq t7-30032020.exe
Filesize
423KB

MD5
93410fd2945b880f9cb6a4dcc0637bbc

SHA1
fa86831282f50ed8efbdf10eeb31900e03ee66a3

SHA256
a1a9bb45a280c34270046131845e66f2fa6772c1f3a5f25712aaf3746398a15e

SHA512
d9b7ef59117c82a53c7af8d5d1db70425aadc466f3fb01de8ebcb6ca9068ea4015db17d7bcced4da20770a3c991303bfbf8648961b35c0201d1c9863567cdfe4

Download Submit
C:\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
274KB

MD5
f8937266c07855421a0970755755d1d9

SHA1
e08d738ed3e6d3c780c5b5241f5cef44fc411601

SHA256
ebcdda59f95aa9871bedc35d75f956c555c810471317179596ec4e58b624fd3f

SHA512
d15c14dd72c7daa994e72d976a247118c88b9b65db954eb31235e4244647c9ebabaad9914137f02b19d2f22ef6d9434eb9bd3d728633e5ca42a3fb39f524e8f6

Download Submit
C:\Users\Admin\AppData\Roaming\mrsys.exe
Filesize
274KB

MD5
6cf5f2f4de186341de99317afbdfe60c

SHA1
e8b923fef733ff1d6e2e5f13c90e5d8ecdf09ec0

SHA256
7b7bb3cf919799c37bf0d2f6577ef6bc45fb02944cf64c5fdeb59b17d7cb77e4

SHA512
4a808625012928a0ec0129ff89ae06f4855cbe096db043bb9c1d7479b1c792f6a9f746d6068aa1b0ae62167a2ca47655515ad8731fa28248f515792771e7d0e7

Download Submit
C:\Windows\system\explorer.exe
Filesize
274KB

MD5
b70ea38f37327cd094007703717a952c

SHA1
c2ca69ec0b29c3500c83229519b1236c9e7fb87c

SHA256
b5ffee20703c6dd5a28492673a06e62a8abf03bec1c9a9e70bd31ebde774b2ae

SHA512
309bc9d83795e20b3e12bd7fd0511e8905aee95541cbb2f1b525256b3b39559dbde5d56fee109298a6f0222c0b187b1e454e115b9b0913d2afed1967ca70c5cc

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
274KB

MD5
079e1aa7a86d386e806e8a1976e96fe9

SHA1
b35b836ea224eac9ac0cf8c5f07100876d510996

SHA256
236fda9b8da682354928a41c95f3eba65d808591e0ca3b7361db8c10720aeb47

SHA512
5c39d5ace4b2114421c176e2ae5542a602b76cf93e24ce4cc70eb6e9879ea95ff23db12e35caabd10a668938a37f123e3f58c0e270308ff12fb3facbcd4a7d96

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
274KB

MD5
079e1aa7a86d386e806e8a1976e96fe9

SHA1
b35b836ea224eac9ac0cf8c5f07100876d510996

SHA256
236fda9b8da682354928a41c95f3eba65d808591e0ca3b7361db8c10720aeb47

SHA512
5c39d5ace4b2114421c176e2ae5542a602b76cf93e24ce4cc70eb6e9879ea95ff23db12e35caabd10a668938a37f123e3f58c0e270308ff12fb3facbcd4a7d96

Download Submit
C:\Windows\system\svchost.exe
Filesize
274KB

MD5
1169084c34244f0ab4e047fa8f46aaf4

SHA1
67d291b9a8ad5df9d8159a44a65b9721aaad2787

SHA256
183c5d18e66386a1f1a6ac2a7f4bd46901878b9c882888805ea792e507a70cfa

SHA512
86c7354a56c8c1483313edc69f72737cefcccbb445f2a43fe8644a123a551ec7267b39fec7ccde553edea86efb4fa343e794ebf6d6d78736e17681b66450b035

Download Submit
\??\c:\users\admin\appdata\local\icsys.icn.exe
Filesize
274KB

MD5
f8937266c07855421a0970755755d1d9

SHA1
e08d738ed3e6d3c780c5b5241f5cef44fc411601

SHA256
ebcdda59f95aa9871bedc35d75f956c555c810471317179596ec4e58b624fd3f

SHA512
d15c14dd72c7daa994e72d976a247118c88b9b65db954eb31235e4244647c9ebabaad9914137f02b19d2f22ef6d9434eb9bd3d728633e5ca42a3fb39f524e8f6

Download Submit
\??\c:\users\admin\appdata\local\temp\rfq t7-30032020.exe
Filesize
423KB

MD5
93410fd2945b880f9cb6a4dcc0637bbc

SHA1
fa86831282f50ed8efbdf10eeb31900e03ee66a3

SHA256
a1a9bb45a280c34270046131845e66f2fa6772c1f3a5f25712aaf3746398a15e

SHA512
d9b7ef59117c82a53c7af8d5d1db70425aadc466f3fb01de8ebcb6ca9068ea4015db17d7bcced4da20770a3c991303bfbf8648961b35c0201d1c9863567cdfe4

Download Submit
\??\c:\windows\system\explorer.exe
Filesize
274KB

MD5
b70ea38f37327cd094007703717a952c

SHA1
c2ca69ec0b29c3500c83229519b1236c9e7fb87c

SHA256
b5ffee20703c6dd5a28492673a06e62a8abf03bec1c9a9e70bd31ebde774b2ae

SHA512
309bc9d83795e20b3e12bd7fd0511e8905aee95541cbb2f1b525256b3b39559dbde5d56fee109298a6f0222c0b187b1e454e115b9b0913d2afed1967ca70c5cc

Download Submit
\??\c:\windows\system\spoolsv.exe
Filesize
274KB

MD5
079e1aa7a86d386e806e8a1976e96fe9

SHA1
b35b836ea224eac9ac0cf8c5f07100876d510996

SHA256
236fda9b8da682354928a41c95f3eba65d808591e0ca3b7361db8c10720aeb47

SHA512
5c39d5ace4b2114421c176e2ae5542a602b76cf93e24ce4cc70eb6e9879ea95ff23db12e35caabd10a668938a37f123e3f58c0e270308ff12fb3facbcd4a7d96

Download Submit
\??\c:\windows\system\svchost.exe
Filesize
274KB

MD5
1169084c34244f0ab4e047fa8f46aaf4

SHA1
67d291b9a8ad5df9d8159a44a65b9721aaad2787

SHA256
183c5d18e66386a1f1a6ac2a7f4bd46901878b9c882888805ea792e507a70cfa

SHA512
86c7354a56c8c1483313edc69f72737cefcccbb445f2a43fe8644a123a551ec7267b39fec7ccde553edea86efb4fa343e794ebf6d6d78736e17681b66450b035

Download Submit
\Users\Admin\AppData\Local\Temp\rfq t7-30032020.exe
Filesize
423KB

MD5
93410fd2945b880f9cb6a4dcc0637bbc

SHA1
fa86831282f50ed8efbdf10eeb31900e03ee66a3

SHA256
a1a9bb45a280c34270046131845e66f2fa6772c1f3a5f25712aaf3746398a15e

SHA512
d9b7ef59117c82a53c7af8d5d1db70425aadc466f3fb01de8ebcb6ca9068ea4015db17d7bcced4da20770a3c991303bfbf8648961b35c0201d1c9863567cdfe4

Download Submit
\Users\Admin\AppData\Local\Temp\rfq t7-30032020.exe
Filesize
423KB

MD5
93410fd2945b880f9cb6a4dcc0637bbc

SHA1
fa86831282f50ed8efbdf10eeb31900e03ee66a3

SHA256
a1a9bb45a280c34270046131845e66f2fa6772c1f3a5f25712aaf3746398a15e

SHA512
d9b7ef59117c82a53c7af8d5d1db70425aadc466f3fb01de8ebcb6ca9068ea4015db17d7bcced4da20770a3c991303bfbf8648961b35c0201d1c9863567cdfe4

Download Submit
\Users\Admin\AppData\Local\Temp\rfq t7-30032020.exe
Filesize
423KB

MD5
93410fd2945b880f9cb6a4dcc0637bbc

SHA1
fa86831282f50ed8efbdf10eeb31900e03ee66a3

SHA256
a1a9bb45a280c34270046131845e66f2fa6772c1f3a5f25712aaf3746398a15e

SHA512
d9b7ef59117c82a53c7af8d5d1db70425aadc466f3fb01de8ebcb6ca9068ea4015db17d7bcced4da20770a3c991303bfbf8648961b35c0201d1c9863567cdfe4

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
274KB

MD5
f8937266c07855421a0970755755d1d9

SHA1
e08d738ed3e6d3c780c5b5241f5cef44fc411601

SHA256
ebcdda59f95aa9871bedc35d75f956c555c810471317179596ec4e58b624fd3f

SHA512
d15c14dd72c7daa994e72d976a247118c88b9b65db954eb31235e4244647c9ebabaad9914137f02b19d2f22ef6d9434eb9bd3d728633e5ca42a3fb39f524e8f6

Download Submit
\Users\Admin\AppData\Local\icsys.icn.exe
Filesize
274KB

MD5
f8937266c07855421a0970755755d1d9

SHA1
e08d738ed3e6d3c780c5b5241f5cef44fc411601

SHA256
ebcdda59f95aa9871bedc35d75f956c555c810471317179596ec4e58b624fd3f

SHA512
d15c14dd72c7daa994e72d976a247118c88b9b65db954eb31235e4244647c9ebabaad9914137f02b19d2f22ef6d9434eb9bd3d728633e5ca42a3fb39f524e8f6

Download Submit
\Windows\system\explorer.exe
Filesize
274KB

MD5
b70ea38f37327cd094007703717a952c

SHA1
c2ca69ec0b29c3500c83229519b1236c9e7fb87c

SHA256
b5ffee20703c6dd5a28492673a06e62a8abf03bec1c9a9e70bd31ebde774b2ae

SHA512
309bc9d83795e20b3e12bd7fd0511e8905aee95541cbb2f1b525256b3b39559dbde5d56fee109298a6f0222c0b187b1e454e115b9b0913d2afed1967ca70c5cc

Download Submit
\Windows\system\explorer.exe
Filesize
274KB

MD5
b70ea38f37327cd094007703717a952c

SHA1
c2ca69ec0b29c3500c83229519b1236c9e7fb87c

SHA256
b5ffee20703c6dd5a28492673a06e62a8abf03bec1c9a9e70bd31ebde774b2ae

SHA512
309bc9d83795e20b3e12bd7fd0511e8905aee95541cbb2f1b525256b3b39559dbde5d56fee109298a6f0222c0b187b1e454e115b9b0913d2afed1967ca70c5cc

Download Submit
\Windows\system\spoolsv.exe
Filesize
274KB

MD5
079e1aa7a86d386e806e8a1976e96fe9

SHA1
b35b836ea224eac9ac0cf8c5f07100876d510996

SHA256
236fda9b8da682354928a41c95f3eba65d808591e0ca3b7361db8c10720aeb47

SHA512
5c39d5ace4b2114421c176e2ae5542a602b76cf93e24ce4cc70eb6e9879ea95ff23db12e35caabd10a668938a37f123e3f58c0e270308ff12fb3facbcd4a7d96

Download Submit
\Windows\system\spoolsv.exe
Filesize
274KB

MD5
079e1aa7a86d386e806e8a1976e96fe9

SHA1
b35b836ea224eac9ac0cf8c5f07100876d510996

SHA256
236fda9b8da682354928a41c95f3eba65d808591e0ca3b7361db8c10720aeb47

SHA512
5c39d5ace4b2114421c176e2ae5542a602b76cf93e24ce4cc70eb6e9879ea95ff23db12e35caabd10a668938a37f123e3f58c0e270308ff12fb3facbcd4a7d96

Download Submit
\Windows\system\spoolsv.exe
Filesize
274KB

MD5
079e1aa7a86d386e806e8a1976e96fe9

SHA1
b35b836ea224eac9ac0cf8c5f07100876d510996

SHA256
236fda9b8da682354928a41c95f3eba65d808591e0ca3b7361db8c10720aeb47

SHA512
5c39d5ace4b2114421c176e2ae5542a602b76cf93e24ce4cc70eb6e9879ea95ff23db12e35caabd10a668938a37f123e3f58c0e270308ff12fb3facbcd4a7d96

Download Submit
\Windows\system\spoolsv.exe
Filesize
274KB

MD5
079e1aa7a86d386e806e8a1976e96fe9

SHA1
b35b836ea224eac9ac0cf8c5f07100876d510996

SHA256
236fda9b8da682354928a41c95f3eba65d808591e0ca3b7361db8c10720aeb47

SHA512
5c39d5ace4b2114421c176e2ae5542a602b76cf93e24ce4cc70eb6e9879ea95ff23db12e35caabd10a668938a37f123e3f58c0e270308ff12fb3facbcd4a7d96

Download Submit
\Windows\system\svchost.exe
Filesize
274KB

MD5
1169084c34244f0ab4e047fa8f46aaf4

SHA1
67d291b9a8ad5df9d8159a44a65b9721aaad2787

SHA256
183c5d18e66386a1f1a6ac2a7f4bd46901878b9c882888805ea792e507a70cfa

SHA512
86c7354a56c8c1483313edc69f72737cefcccbb445f2a43fe8644a123a551ec7267b39fec7ccde553edea86efb4fa343e794ebf6d6d78736e17681b66450b035

Download Submit
\Windows\system\svchost.exe
Filesize
274KB

MD5
1169084c34244f0ab4e047fa8f46aaf4

SHA1
67d291b9a8ad5df9d8159a44a65b9721aaad2787

SHA256
183c5d18e66386a1f1a6ac2a7f4bd46901878b9c882888805ea792e507a70cfa

SHA512
86c7354a56c8c1483313edc69f72737cefcccbb445f2a43fe8644a123a551ec7267b39fec7ccde553edea86efb4fa343e794ebf6d6d78736e17681b66450b035

Download Submit
memory/528-92-0x0000000000000000-mapping.dmp

Download
memory/584-132-0x0000000000000000-mapping.dmp

Download
memory/628-59-0x0000000000000000-mapping.dmp

Download
memory/628-111-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/800-83-0x0000000000000000-mapping.dmp

Download
memory/800-107-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/848-109-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/848-65-0x0000000000000000-mapping.dmp

Download
memory/876-117-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/876-123-0x000000000044C6FE-mapping.dmp

Download
memory/876-137-0x0000000073C40000-0x00000000741EB000-memory.dmp

Filesize
5.7MB

Download
memory/876-128-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/876-126-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/876-118-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/876-122-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/876-121-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/876-120-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1096-130-0x0000000000000000-mapping.dmp

Download
memory/1152-106-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1152-101-0x0000000000000000-mapping.dmp

Download
memory/1312-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1312-74-0x0000000000000000-mapping.dmp

Download
memory/1632-134-0x0000000000000000-mapping.dmp

Download
memory/1672-57-0x0000000075371000-0x0000000075373000-memory.dmp

Filesize
8KB

Download
memory/1672-108-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1724-110-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads