agenttesla | 341e2d5159578433b9509ab15c1b2acd52162a51531d8c94689286a91eebcdc4

General

Target

tmp.exe
Size

1.8MB
MD5

ed7fa6ec8aa0602b18ac40bf6abff7e6
SHA1

21f14e8533a1143001c0bc1a842cb4f9f4c69a8a
SHA256

341e2d5159578433b9509ab15c1b2acd52162a51531d8c94689286a91eebcdc4
SHA512

3388db86341f13ed30d40942df6b1844c6ebdbe7a360749edec9b23b87ca106ae90082c08648308fc9a9f78a4ffdd0c92855b090aeca52ddc00a903834d856e7
SSDEEP

12288:Lnjo5JZCGepoAgPBEudDgeOYnWZQzjFeM6DJOjB9sTTHyOx+mRfGrwmMeOS34MIy:6ZL0QpfnYQb6VOUROrwE

Score

10^/10

agenttesla remcos remotehost collection keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.fishtrans.ro
Port:
587
Username:
depozit@fishtrans.ro
Password:
Filepangasius2000

Extracted

Family

remcos

Botnet

RemoteHost

C2

mam.mastercoa.co:37824

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3FCFQU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1620-89-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1620-100-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1924-88-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1924-93-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1752-85-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1924-88-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1620-89-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1924-93-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1620-100-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

dwn.exedwn.exe

pid process

1352 dwn.exe
1308 dwn.exe
Loads dropped DLL 2 IoCs

Processes:

InstallUtil.exedwn.exe

pid process

880 InstallUtil.exe
1352 dwn.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1352	dwn.exe
1308	dwn.exe

pid	process
880	InstallUtil.exe
1352	dwn.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	InstallUtil.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

dwn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dwn.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dwn.exe
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dwn.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exedwn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kbvypcxq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Eygho\\Kbvypcxq.exe\""	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uqvkhzka = "\"C:\\Users\\Admin\\AppData\\Roaming\\Iotsfyb\\Uqvkhzka.exe\""	dwn.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

tmp.exeInstallUtil.exedwn.exe

description	pid	process	target process
PID 1096 set thread context of 880	1096	tmp.exe	InstallUtil.exe
PID 880 set thread context of 1924	880	InstallUtil.exe	InstallUtil.exe
PID 880 set thread context of 1620	880	InstallUtil.exe	InstallUtil.exe
PID 880 set thread context of 1752	880	InstallUtil.exe	InstallUtil.exe
PID 1352 set thread context of 1308	1352	dwn.exe	dwn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

dwn.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dwn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	dwn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	dwn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	dwn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dwn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	dwn.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeInstallUtil.exepowershell.exedwn.exe

pid process

2036 powershell.exe
1924 InstallUtil.exe
1924 InstallUtil.exe
1016 powershell.exe
1308 dwn.exe
1308 dwn.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

InstallUtil.exe

pid process

880 InstallUtil.exe
880 InstallUtil.exe
880 InstallUtil.exe

pid	process
2036	powershell.exe
1924	InstallUtil.exe
1924	InstallUtil.exe
1016	powershell.exe
1308	dwn.exe
1308	dwn.exe

pid	process
880	InstallUtil.exe
880	InstallUtil.exe
880	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exetmp.exeInstallUtil.exepowershell.exedwn.exedwn.exe

description	pid	process
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1096	tmp.exe
Token: SeDebugPrivilege	1752	InstallUtil.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	1352	dwn.exe
Token: SeDebugPrivilege	1308	dwn.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

InstallUtil.exe

pid process

880 InstallUtil.exe

pid	process
880	InstallUtil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exeInstallUtil.exedwn.exe

description	pid	process	target process
PID 1096 wrote to memory of 2036	1096	tmp.exe	powershell.exe
PID 1096 wrote to memory of 2036	1096	tmp.exe	powershell.exe
PID 1096 wrote to memory of 2036	1096	tmp.exe	powershell.exe
PID 1096 wrote to memory of 2036	1096	tmp.exe	powershell.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 1096 wrote to memory of 880	1096	tmp.exe	InstallUtil.exe
PID 880 wrote to memory of 1924	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1924	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1924	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1924	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1924	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1924	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1924	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1924	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1620	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1620	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1620	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1620	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1620	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1620	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1620	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1620	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1752	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1752	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1752	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1752	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1752	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1752	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1752	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1752	880	InstallUtil.exe	InstallUtil.exe
PID 880 wrote to memory of 1352	880	InstallUtil.exe	dwn.exe
PID 880 wrote to memory of 1352	880	InstallUtil.exe	dwn.exe
PID 880 wrote to memory of 1352	880	InstallUtil.exe	dwn.exe
PID 880 wrote to memory of 1352	880	InstallUtil.exe	dwn.exe
PID 880 wrote to memory of 1352	880	InstallUtil.exe	dwn.exe
PID 880 wrote to memory of 1352	880	InstallUtil.exe	dwn.exe
PID 880 wrote to memory of 1352	880	InstallUtil.exe	dwn.exe
PID 1352 wrote to memory of 1016	1352	dwn.exe	powershell.exe
PID 1352 wrote to memory of 1016	1352	dwn.exe	powershell.exe
PID 1352 wrote to memory of 1016	1352	dwn.exe	powershell.exe
PID 1352 wrote to memory of 1016	1352	dwn.exe	powershell.exe
PID 1352 wrote to memory of 1308	1352	dwn.exe	dwn.exe
PID 1352 wrote to memory of 1308	1352	dwn.exe	dwn.exe
PID 1352 wrote to memory of 1308	1352	dwn.exe	dwn.exe
PID 1352 wrote to memory of 1308	1352	dwn.exe	dwn.exe
PID 1352 wrote to memory of 1308	1352	dwn.exe	dwn.exe
PID 1352 wrote to memory of 1308	1352	dwn.exe	dwn.exe
PID 1352 wrote to memory of 1308	1352	dwn.exe	dwn.exe
PID 1352 wrote to memory of 1308	1352	dwn.exe	dwn.exe
PID 1352 wrote to memory of 1308	1352	dwn.exe	dwn.exe

outlook_office_path 1 IoCs

Processes:

dwn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dwn.exe

outlook_win_path 1 IoCs

Processes:

dwn.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dwn.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\Admin\AppData\Local\Temp\iozmemfpz"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\Admin\AppData\Local\Temp\tqfffeqrnwvy"
3⤵
- Accesses Microsoft Outlook accounts
PID:1620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\Admin\AppData\Local\Temp\vkkpgxbkbencfkw"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Users\Admin\AppData\Local\Temp\dwn.exe
"C:\Users\Admin\AppData\Local\Temp\dwn.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Users\Admin\AppData\Local\Temp\dwn.exe
C:\Users\Admin\AppData\Local\Temp\dwn.exe
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

3

T1005

Email Collection

2

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dwn.exe
Filesize
1.5MB

MD5
24a24d65b79918f7e66562a87fee6092

SHA1
8bfe971f81d0e660e923d097e54d8851d49f23b1

SHA256
d985c6aae8f8244cae60bea8e32dc0be60af18ce2773dc1937e7080c4e851662

SHA512
3f9e3fa44f52a5ab13d3cad82168a9cc215cd6d06edccd1ee0d3ca2023a10f9a9ff5a3e97316c5a2ea9e9124791181c3156b36b0ced099a9993b055f459d52eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwn.exe
Filesize
1.5MB

MD5
24a24d65b79918f7e66562a87fee6092

SHA1
8bfe971f81d0e660e923d097e54d8851d49f23b1

SHA256
d985c6aae8f8244cae60bea8e32dc0be60af18ce2773dc1937e7080c4e851662

SHA512
3f9e3fa44f52a5ab13d3cad82168a9cc215cd6d06edccd1ee0d3ca2023a10f9a9ff5a3e97316c5a2ea9e9124791181c3156b36b0ced099a9993b055f459d52eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dwn.exe
Filesize
1.5MB

MD5
24a24d65b79918f7e66562a87fee6092

SHA1
8bfe971f81d0e660e923d097e54d8851d49f23b1

SHA256
d985c6aae8f8244cae60bea8e32dc0be60af18ce2773dc1937e7080c4e851662

SHA512
3f9e3fa44f52a5ab13d3cad82168a9cc215cd6d06edccd1ee0d3ca2023a10f9a9ff5a3e97316c5a2ea9e9124791181c3156b36b0ced099a9993b055f459d52eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iozmemfpz
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1117613b2dd2f9694b0fd98430e1f311

SHA1
845d1bb1f3d5a7c52066040396b1a1eae1bcc69d

SHA256
d673ba4674b95decb14d4c8aacd7ad9a0a0005f1ccb6f5405ff3006e33c9832e

SHA512
527cba32c90a41b6e0a62b79f782de43b24917e39e143f44abd7327b125acafff0cde575f48c6b49b5136a1b0f68c676b913dcf2ebc5196a5829bf1e448c4bde

Download Submit
\Users\Admin\AppData\Local\Temp\dwn.exe
Filesize
1.5MB

MD5
24a24d65b79918f7e66562a87fee6092

SHA1
8bfe971f81d0e660e923d097e54d8851d49f23b1

SHA256
d985c6aae8f8244cae60bea8e32dc0be60af18ce2773dc1937e7080c4e851662

SHA512
3f9e3fa44f52a5ab13d3cad82168a9cc215cd6d06edccd1ee0d3ca2023a10f9a9ff5a3e97316c5a2ea9e9124791181c3156b36b0ced099a9993b055f459d52eb

Download Submit
\Users\Admin\AppData\Local\Temp\dwn.exe
Filesize
1.5MB

MD5
24a24d65b79918f7e66562a87fee6092

SHA1
8bfe971f81d0e660e923d097e54d8851d49f23b1

SHA256
d985c6aae8f8244cae60bea8e32dc0be60af18ce2773dc1937e7080c4e851662

SHA512
3f9e3fa44f52a5ab13d3cad82168a9cc215cd6d06edccd1ee0d3ca2023a10f9a9ff5a3e97316c5a2ea9e9124791181c3156b36b0ced099a9993b055f459d52eb

Download Submit
memory/880-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/880-62-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/880-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/880-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/880-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/880-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/880-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/880-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/880-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/880-74-0x00000000004327A4-mapping.dmp

Download
memory/880-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/880-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/880-101-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1016-99-0x000000006F990000-0x000000006FF3B000-memory.dmp

Filesize
5.7MB

Download
memory/1016-95-0x0000000000000000-mapping.dmp

Download
memory/1016-103-0x000000006F990000-0x000000006FF3B000-memory.dmp

Filesize
5.7MB

Download
memory/1016-102-0x000000006F990000-0x000000006FF3B000-memory.dmp

Filesize
5.7MB

Download
memory/1096-55-0x0000000004A70000-0x0000000004B52000-memory.dmp

Filesize
904KB

Download
memory/1096-56-0x0000000004460000-0x00000000044F2000-memory.dmp

Filesize
584KB

Download
memory/1096-54-0x00000000008A0000-0x0000000000A66000-memory.dmp

Filesize
1.8MB

Download
memory/1308-106-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1308-105-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1308-116-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1308-114-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1308-111-0x00000000004359DE-mapping.dmp

Download
memory/1308-110-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1308-109-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1308-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1352-87-0x0000000000000000-mapping.dmp

Download
memory/1352-92-0x0000000000170000-0x00000000002F6000-memory.dmp

Filesize
1.5MB

Download
memory/1352-94-0x0000000004820000-0x00000000048DC000-memory.dmp

Filesize
752KB

Download
memory/1620-100-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1620-80-0x0000000000455238-mapping.dmp

Download
memory/1620-89-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1752-85-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1752-81-0x0000000000422206-mapping.dmp

Download
memory/1924-88-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1924-79-0x0000000000476274-mapping.dmp

Download
memory/1924-93-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2036-59-0x000000006FE50000-0x00000000703FB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-58-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/2036-60-0x000000006FE50000-0x00000000703FB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads