agenttesla | hxxps://www[.]mediafire[.]com/file/n9xwhfo3rb94q9d/Inquiry+for+Uzbekistan+Customers[.]tgz/file

Analysis

max time kernel
139s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2023 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/n9xwhfo3rb94q9d/Inquiry+for+Uzbekistan+Customers.tgz/file

Score

10^/10

agenttesla zgrat collection keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6467305343:AAEqGE6MxS8ftbjN6sd7EEip8g1xBpkmw7s/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral2/memory/4288-174-0x0000000005990000-0x00000000059A8000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 4 IoCs

pid	Process
4288	nz9EmUgbTbmmpq3.exe
892	nz9EmUgbTbmmpq3.exe
4272	nz9EmUgbTbmmpq3.exe
6052	nz9EmUgbTbmmpq3.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nz9EmUgbTbmmpq3.exe
Key opened	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nz9EmUgbTbmmpq3.exe
Key opened	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nz9EmUgbTbmmpq3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4288 set thread context of 4272	4288	nz9EmUgbTbmmpq3.exe	135

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3616	msedge.exe
3616	msedge.exe
4864	msedge.exe
4864	msedge.exe
4168	identity_helper.exe
4168	identity_helper.exe
2108	msedge.exe
2108	msedge.exe
3132	msedge.exe
3132	msedge.exe
3132	msedge.exe
3132	msedge.exe
4272	nz9EmUgbTbmmpq3.exe
4272	nz9EmUgbTbmmpq3.exe
4272	nz9EmUgbTbmmpq3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4956	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4956	7zFM.exe
Token: 35	4956	7zFM.exe
Token: SeSecurityPrivilege	4956	7zFM.exe
Token: SeSecurityPrivilege	4956	7zFM.exe
Token: SeDebugPrivilege	4272	nz9EmUgbTbmmpq3.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4956	7zFM.exe
4956	7zFM.exe
4956	7zFM.exe
4956	7zFM.exe
4956	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe
4864	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2500	4864	msedge.exe	16
PID 4864 wrote to memory of 2500	4864	msedge.exe	16
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 1996	4864	msedge.exe	88
PID 4864 wrote to memory of 3616	4864	msedge.exe	87
PID 4864 wrote to memory of 3616	4864	msedge.exe	87
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89
PID 4864 wrote to memory of 1500	4864	msedge.exe	89

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nz9EmUgbTbmmpq3.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nz9EmUgbTbmmpq3.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/n9xwhfo3rb94q9d/Inquiry+for+Uzbekistan+Customers.tgz/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdad1546f8,0x7ffdad154708,0x7ffdad154718
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,17555860773364364081,15768028798916902822,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3456 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4064

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Inquiry for Uzbekistan Customers.tgz"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4956

C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe
"C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4288
- C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe
  "C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4272

C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe
"C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe"
1⤵
- Executes dropped EXE
PID:892

C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe
"C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe"
1⤵
- Executes dropped EXE
PID:6052
- C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe
  "C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe"
  2⤵
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nz9EmUgbTbmmpq3.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9757335dca53b623d3211674e1e5c0e3

SHA1
d66177f71ab5ed83fefece6042269b5b7cd06e72

SHA256
02f0348e2af36f2955efda1613dc6480f1c68c8e55f19590b7b58e9355c6a940

SHA512
f13351398f5dd5b6cf638b174dc50ddc782b690c6d4736d48941923a3425b5dff4a9aa0da22773e9abc9559d40f020f268018db902e0a7772b7b1f4d21126f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
185B

MD5
b69adcfb75f2916b35c51474352bb803

SHA1
c4646f34326f902dcdd824338e0e9d9ec98c1eca

SHA256
ba460330a066edf83b12d01733f71ee2e5a1d9ff657473ce6a02c1d55635d971

SHA512
6074e327f9c72839df92f70fc623773128abbe598a6af6ac65f57fdcc94b219a5718721676e5e7c982383861ae40b6cb8a9284f0fa2b0db1c05192ab89fbd36f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
71a49f043a73caeb6c21722bdc03a254

SHA1
0902977fbe7dad6adcee8547ba05b48fde9f0e1c

SHA256
88055d11e74c1c68790d8a801bbdb5d44780c8c9fcac4ae850d15104b3b660e5

SHA512
16b58be48eee1a33dc2708138e75f7fd1b0fa3df044715979956feb0468ed4e8b7deac6fff8f7ce596a04f82993c5448d7793f1f9c005bb4654192fecf349ecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e2499cf921f537a3c873ff84667adf40

SHA1
20d0c154175988cb6b48f9506a7e3c6e22a6a445

SHA256
be2a6e848b22a71cab9974341fefb222f730308c6e5d65e175de9e33421356f3

SHA512
26b2bf24ba84d0cf28b91d68ed667d051967c8f8cf5a91c2fb6173c7d9207dce9297b8ac4a49702d69aa83fd95065444bf9a45a611004a5c59f58233f30c826d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d7871595f8e9bc563c5f724b4d8a5c41

SHA1
34b0a68c760e6a27795390094d6b547cbb87f8f9

SHA256
4fc860e1632156927bb7e3cfebf9380183009ad6522ac0b9c36438839501d1a1

SHA512
70dc3f07d4f800dc94077289287db2bef218fa246fcf683a7fab9c713ea8a230aa99187b9f311d4f25858b4d5110c68d912c7b5f11aaa95643414a02c3243a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c0499655f74785ff5fb5b5abf5b2f488

SHA1
334f08bdb5d7564d1b11e543a2d431bd05b8bdd1

SHA256
6aa332a4d21802b2dbcd08e153764da60f538ceb0daaaaf7504ba8f67c08ef03

SHA512
5f0cec6dd823f2b3ac62017383dbbf71ed38893724312ec75e73fb197e0bcd5418bb70fdfe9150f5ca495d5f8547d8a08618bdacb5010514a3cb1101437d698e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cf78318c3059b7f082a03df971bebb7b

SHA1
ec3ed8d71e56c14c586aca2b3c8428c4dd00fa08

SHA256
77c95b3566af95d867fbeaa7482816912d333e21b8fdf2d910bcdb276591d8df

SHA512
2a81896da3c5631677c6535cb71316db7b85444779a0a356f01666eb9735750d26a22b18b583c8385267c6dcaad3581ec1c704cbac2301daacf7653c476f1f75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9478ea8bc5a1afbab59eb29baa0bf162

SHA1
bf2ab1c98423ccf45805aff47d8c21354ef77b1c

SHA256
e9d09909df35d637ba358cec3b80334c756d971edc223d0a31483d85049115ad

SHA512
d83afcc1a751be1e99b0f78cea98168bb520d8bf8592778b427872c43de9179f43db1d8f327dcae9cd22ced5aab232c46ee4cdf72583de72ff77b74b77ca8d55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e7093dbd9553e6e502138fc7cb9a46ab

SHA1
0f181d5dd85a36f7063b1cf99580573b852367b2

SHA256
b02a1a7ecf5aec26fac05f285480e399cb04bf831ca881ec6064334d565bd52e

SHA512
c7a56ee74afa140cb07be61750fc00d9c30e8c6d8b26071550def964599a0be0a28e2c2871b7aa7be4dc330a44cf7b7b134bec7169b0fdfbaa72306f47c75090

Download Submit
C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe

Filesize
4.8MB

MD5
a8e6178e066612ed0a2396b11d6b87f7

SHA1
ad57807afe35a028562e6edfe8982ca1356187d4

SHA256
be3c42422f878b16a98477e48c195136c762a5565f053b4e683f99b602510d98

SHA512
ab2e70bb5819b04d1f63d34435a0d2c8b0cf534f095e6cb5cce923cdd0d1432bcd198cfd42ee083710203435c3d73c824564b8e910061fa6ca1cda3e4613f3f7

Download Submit
C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe

Filesize
3.7MB

MD5
65346ca31b072f846f4e007f5bf83d6f

SHA1
a54a86788bc53dcdd7f90b7c2c7bf41aaa64e74b

SHA256
170b72036f7d787fb78806ba9f203c6698587db23b0bbe76bad5469de2dcc03a

SHA512
92c0f4e3608ae6c005a60aa4afedefd223cfe3468c99ca351e1d1b4b20948adf0779642738d2d6bcf7a230c3e7fbf9d7be8c1f797761d895bc0a0d6d757372e1

Download Submit
C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe

Filesize
2.8MB

MD5
1bd3fd877b079774ba6e9d93dbccbea8

SHA1
632af72fad190a23516283bd6181bd22698d70b9

SHA256
70ff77784a6554f2702ecdb5e46c758968ff1140553321cc0112d56a31731ee2

SHA512
cff824bfb3a6c4d47da88a6fa7448960dab02514d93eb0a135566f8f24f015f6dc8ecde49cdb323087a4392889e6f7aff30b01895ff1c73f210f61291294b98e

Download Submit
C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe

Filesize
3.3MB

MD5
478b1e350d9699aaf314e9f56a6e1f71

SHA1
1d1d35438b0e8ad028b72d18e6595504179c4645

SHA256
8de92084a020574766d7854c97bebc47bfb7fa1927cfb1722e175bf59fde8ea8

SHA512
3bc546c5a46e5a1b3cb9351a4102cfe0ae073de809f929044c93609a68c82254cac2243fc5424ab0edfe9ab80c9e97c1ef25ea0f9f2cbeb9bebbe23aeef8ac27

Download Submit
C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe

Filesize
3.5MB

MD5
c82c171c587ebd313e7c5ecbdd2db2ae

SHA1
2f31b7ad30ae93a6752313a71e7dabaa87c8fb43

SHA256
69798fa4dc45d5b511ebef5da2f46bb6f04894dd856ce6e73afb8be777124bca

SHA512
f30ab99d2911035a1858813f93524f641ad80adfbbf77532c1f18bd8c91e380d9e42dc5bf7c1ef4505c429c149b70234fe29686c678c6d71c5d3bfff50228e6c

Download Submit
C:\Users\Admin\Desktop\nz9EmUgbTbmmpq3.exe

Filesize
1.3MB

MD5
bf34b81fa3b4af01d58c00d5c83e5c21

SHA1
522f9a44d5649e563415efffe480f43f2a5d50f9

SHA256
2902a930029afac94ab841e68e9a5fd26ab3a32e8b530b2aa77686179ef99864

SHA512
99cde7d58b749167c6d10455ae9a4ba877330ddfa9e141c09b6efff3e7e48da7d7ec960a71c59872dfd4b309107e52a622629178c308607d65831514096b24e4

Download Submit
C:\Users\Admin\Downloads\Inquiry for Uzbekistan Customers.tgz

Filesize
1.5MB

MD5
77b14347d53dda88b6c94212193d50e3

SHA1
63a36058e55305268a9fde46456497ee8ef7c151

SHA256
16bbca0f582bcddbc4e6884e037657ec1a0938356c7812c03d192c7478927a59

SHA512
f62a06c2ed78c95859951e59f617244a6e8b5c488a178b2dd332a9270f82870a179646abee5c63ba63b241422166787c2b638b881150462918a03f372b650768

Download Submit
memory/892-194-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/892-177-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/892-178-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/2912-213-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4272-191-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4272-209-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/4272-208-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4272-195-0x00000000063F0000-0x0000000006440000-memory.dmp

Filesize
320KB

Download
memory/4272-193-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/4272-192-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/4272-186-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4288-171-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/4288-170-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/4288-174-0x0000000005990000-0x00000000059A8000-memory.dmp

Filesize
96KB

Download
memory/4288-172-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/4288-185-0x000000000C6F0000-0x000000000C78C000-memory.dmp

Filesize
624KB

Download
memory/4288-168-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4288-184-0x00000000095D0000-0x000000000964C000-memory.dmp

Filesize
496KB

Download
memory/4288-190-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4288-175-0x00000000094C0000-0x00000000094C8000-memory.dmp

Filesize
32KB

Download
memory/4288-169-0x0000000000B00000-0x0000000000BB4000-memory.dmp

Filesize
720KB

Download
memory/4288-183-0x0000000006A20000-0x0000000006A2A000-memory.dmp

Filesize
40KB

Download
memory/4288-173-0x0000000005640000-0x000000000564A000-memory.dmp

Filesize
40KB

Download
memory/6052-198-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/6052-197-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/6052-212-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download