agenttesla | a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338

Analysis

max time kernel
141s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 01:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe
Size

171KB
MD5

6712cbb5c19fb549c7dc9f581627a419
SHA1

539d2c689375899c7d5665fe9b112321a29e6a04
SHA256

a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338
SHA512

6f853842a15e29179eadb7c7b49bc06eb365dc19517c4ec8baa9ef9363e64e99eda2fc12d84f1d75c00718ae8f58c9cc060d67807522e50ba166137215b7059e
SSDEEP

1536:r+582BRECPAtU/xu/ulwDKh6VDLs1ZD6+uN88JqhIY/3yRYAu9Vhnr:r+58SRECPA6/xu/qw7D5+eWIYwYdNr

Score

10^/10

agenttesla discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6901757045:AAECHdJgM-9SB9wlIc9C6zp-keuy5Tgv0OY/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe

Contacts a large (4260) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\ubSLUM = "C:\\Users\\Admin\\AppData\\Roaming\\ubSLUM\\ubSLUM.exe"	AddInProcess32.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6045	api.ipify.org
6046	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1092 set thread context of 18716	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
18668	powershell.exe
18668	powershell.exe
18716	AddInProcess32.exe
18716	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe
Token: SeDebugPrivilege	18668	powershell.exe
Token: SeDebugPrivilege	18716	AddInProcess32.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 18668	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	28
PID 1092 wrote to memory of 18668	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	28
PID 1092 wrote to memory of 18668	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	28
PID 1092 wrote to memory of 18716	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	30
PID 1092 wrote to memory of 18716	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	30
PID 1092 wrote to memory of 18716	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	30
PID 1092 wrote to memory of 18716	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	30
PID 1092 wrote to memory of 18716	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	30
PID 1092 wrote to memory of 18716	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	30
PID 1092 wrote to memory of 18716	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	30
PID 1092 wrote to memory of 18716	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	30
PID 1092 wrote to memory of 18716	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	30
PID 1092 wrote to memory of 18984	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	31
PID 1092 wrote to memory of 18984	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	31
PID 1092 wrote to memory of 18984	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	31
PID 1092 wrote to memory of 18984	1092	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe	31

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe

C:\Users\Admin\AppData\Local\Temp\a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe
"C:\Users\Admin\AppData\Local\Temp\a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a48b8204ca3d109aba4ba729519ac0f6a2220d1455f51dca72aef96a0d200338.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:18668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:18716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:18984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
bac12220621b5d1a3bb74dce60b80baa

SHA1
4af30917c0df7161f8e67287dc660e6e9893e0c2

SHA256
2fe8090b3579d9727cbffbf2dcd67d1ebe22f06f4d71dd184841b0144431fd3a

SHA512
87ae5236493bcad2f3d76b9e6a71dc11897c8a68abf85eb54cf2407b1bc2dfbadbd2ecb27a28445cdaa8255b88d8a28b027e0a03024be24a35b21c8eac4f738c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
dfe4291b3e218755df627b3871d6d399

SHA1
d8283e99d31f50a35344ad0ecd20835a768d2dc5

SHA256
73ef8d4f506a19392e4c105b474f1a513920f5ee90be31b619513551eb944751

SHA512
805e642583fa59af7b9b4117273d03ce603b4974cb9b68c6b1118483e86161b800d2a105482bfb2ecd5a04849b9dc0fb8dd84a195168022449211f7ed06a8402

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9ca5e80cf07c8593b9d53a5aefb90a85

SHA1
20c7a3acc85ef2f48d56ffb20d325ad4838351a3

SHA256
fd7f4027ab1fd01de8bd875705f13f40b3a860cf70dfc213393181a18853b2ad

SHA512
9664c4c5a49b7470b23fb078f9c03c35fcba8a79833e75ea754db53a14027ba9b891d8d6c306c6fef388aeaa2868c08fd6989b314850cabbbec6c984aa174560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
18c6fe45ad905d74d59842475e9ba111

SHA1
0ededd2fcfb642e01b83084601ff1fe68d70da67

SHA256
e725ac9b920d83da9e3790fbf2b4035444a60929faee9ec1b055a91f37f54ed5

SHA512
f645e754ba01cf21546ffac0c0112d9c0bce99b71bc53c8f5cea345f409a4cea4429deff3e8aa9a56134fe2e054a8b148a9022e128851455e6f0b0e784410736

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7d5e949557d836bbc3d1f6d600b1e819

SHA1
3abfe24b4c0d3d6de042e1b2fc3ce63785131752

SHA256
f9ddc4fb8bced8cc071c4b72990d0aa022ecdf0f0711ce82f8adee38e7e91a3c

SHA512
44b2f6690ea732869baa46d60c9953e8b8373dc9b7b7db550ec9898f65c25f6b3b3e4ef80350c548f17fab291f56965a27973de350ff9e62aeefd9d492e7bc7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7862c8df4d2ca10c9aa334cf477adb60

SHA1
ae9cdb79e577c2605bdb1f0317281904695d814e

SHA256
34715b0b88d2945ab37adaa9da0d68e3ceeec49dcd43471fe21d4b6db0f0def8

SHA512
517acc17cdbdfab82add2ab859cec3e05bc9752631ab333a2657b0dd6ddcde92a24faff06c581e530b8f5d2fcd3896d89acc6030240354aaf9119d62862c2e1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a9da4d389cd8c482af6f5be67c94e290

SHA1
0070f5e3af883e9ee2691f906f9e5afbe686c6b7

SHA256
ce6737abd334ae6f8958c9cd367093f89d1c164e8fd49d3757bca177e55b497b

SHA512
1313db69f138ccc5dfbf1bd1ed312a5e20266d0dedfb56ffdd056067eab6fe0ccf8a7725eb2c0a7353c4596247893e77c99466aa4055355dccd908d6c6f7f6be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
40900bbf295ed4732680c57482554125

SHA1
d746703850f97e3268283a233f3b88238f2855b7

SHA256
cad12b8a5d96f2074ef33600b2eb9ac8bc25a7239e4123e35b53ab13a4140862

SHA512
895c7526b5da73844487e9f421dd99ed2e7defeef7afba58e4078bfb3b2c98776ac276599bd6c27b2677c717966cf009c3f9c853e195861ca5c2b718deb188f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7b758ecc90a337d656039df2d7eef11c

SHA1
28f1fe28c673a9fdf8ec23787b7dd32509c1f118

SHA256
896bcb0172bf563d866097dc2ca389110aadef1b1a677bae3d34540af62f5bb1

SHA512
d8d27ebf3364c1246e97b089397f69359728ae3d8cf95b7afdea5e62a79131083775236b8c49d94355342547ff8b3556a4d360c94197d2c3177865ef63e73f12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
00d612f779d7107006c871a90f35db81

SHA1
58a4cde6304c4b7eb32009b098af4f6cefefab65

SHA256
10ba980d98928e885cc5d8a9d34feaf25535313aee074e5b6fbda81dfcf59f01

SHA512
86eb1ebea49ee48e35ed3bd22cf7c5abbc40f275882516e29ecf4c8b5e496c85bcbbc8f83854ace48b68db7a6b74befe7cdb0ec293f366816a1f3573b03b1d5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
33b5f844e4be4edacdc0ecd3889612d5

SHA1
e2e8ed94d2b398583218e0967dba9347c8a159cf

SHA256
cb183c6c52427189f92926b5ba45ba82ba66d1467d6ba806fe34ab4f4b0f475b

SHA512
1ca6a931c47ef68985553cec5eb5937627b20f41739213854aa2ab6fa83505bbd3a57e1b41ff3acc7df724fb2a3b381968654ec427bd5fccf7b7dd0560555a1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9a6bbf62a95baee3d3eabc12d210a9b8

SHA1
61d09232dfa850ff18abd89c599dbc3e1cbbb63e

SHA256
bb571caf8d3b1f6368ba6b78954703fb84e1689ca5ed63dee651c769109f39b0

SHA512
2e6bd03186d87081dae9513030e3391b91b2ea8ad0c3073a4214b9c070cc984df9a260502d4657f710d53d3ce2d56470aefe4dee7b56ff7a0df619dc6a27db4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5548.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
memory/1092-2-0x0000000000A20000-0x0000000000AA0000-memory.dmp

Filesize
512KB

Download
memory/1092-1-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/1092-695-0x0000000000A20000-0x0000000000AA0000-memory.dmp

Filesize
512KB

Download
memory/1092-628-0x0000000000F40000-0x0000000000FD8000-memory.dmp

Filesize
608KB

Download
memory/1092-674-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/1092-705-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/1092-0-0x0000000001100000-0x000000000112E000-memory.dmp

Filesize
184KB

Download
memory/18668-685-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/18668-708-0x000007FEECF40000-0x000007FEED8DD000-memory.dmp

Filesize
9.6MB

Download
memory/18668-688-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/18668-691-0x000007FEECF40000-0x000007FEED8DD000-memory.dmp

Filesize
9.6MB

Download
memory/18668-693-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/18668-686-0x000007FEECF40000-0x000007FEED8DD000-memory.dmp

Filesize
9.6MB

Download
memory/18668-696-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/18668-673-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/18668-698-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/18716-690-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/18716-699-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/18716-701-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/18716-702-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/18716-704-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/18716-694-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/18716-707-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/18716-687-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/18716-709-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/18716-710-0x00000000009F0000-0x0000000000A30000-memory.dmp

Filesize
256KB

Download
memory/18716-713-0x0000000074210000-0x00000000748FE000-memory.dmp

Filesize
6.9MB

Download
memory/18716-714-0x00000000009F0000-0x0000000000A30000-memory.dmp

Filesize
256KB

Download