agenttesla | 301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228

Analysis

max time kernel
122s
max time network
162s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe
Size

40KB
MD5

37e8da7ff8487da599c89c8a2b3b7d96
SHA1

144d2581c8bbc52c50b8e7a0d2cb84bb7e0c7c0f
SHA256

301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228
SHA512

1b861b54217f66d82784d920abdc8710944f2a223a788c16f7228102a781e54a5e881333caef32f18c63d3377c782afbb48f37f921f1cba2f9b91bab7e8e3af8
SSDEEP

768:lqWEIJXt+ONNXyiRP0zlu5GIGVlW3qWDnrvBF0jrYdZt:lvEmt+ONNXycP0zlu5GIGVl4qWDnrvTN

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.orako.co.ke
Port:
587
Username:
[email protected]
Password:
ao655d3dSP[{
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Contacts a large (4250) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs

resource	yara_rule
behavioral1/memory/16748-919-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/16748-921-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/16748-924-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/16748-928-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/16748-926-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs

resource	yara_rule
behavioral1/memory/16748-919-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/16748-921-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/16748-924-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/16748-928-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/16748-926-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables packed with or use KoiVM 1 IoCs

resource	yara_rule
behavioral1/memory/2072-861-0x000000001C180000-0x000000001C216000-memory.dmp	INDICATOR_EXE_Packed_KoiVM

Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs

resource	yara_rule
behavioral1/memory/16748-919-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/16748-921-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/16748-924-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/16748-928-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/16748-926-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs

resource	yara_rule
behavioral1/memory/16748-919-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/16748-921-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/16748-924-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/16748-928-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/16748-926-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs

resource	yara_rule
behavioral1/memory/16748-919-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/16748-921-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/16748-924-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/16748-928-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/16748-926-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs

resource	yara_rule
behavioral1/memory/16748-919-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/16748-921-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/16748-924-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/16748-928-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/16748-926-0x0000000000400000-0x0000000000442000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5886	api.ipify.org
5887	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 16748	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe	30

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
16748	CasPol.exe
16748	CasPol.exe
16748	CasPol.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe
Token: SeDebugPrivilege	16748	CasPol.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
16748	CasPol.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 16748	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe	30
PID 2072 wrote to memory of 16748	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe	30
PID 2072 wrote to memory of 16748	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe	30
PID 2072 wrote to memory of 16748	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe	30
PID 2072 wrote to memory of 16748	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe	30
PID 2072 wrote to memory of 16748	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe	30
PID 2072 wrote to memory of 16748	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe	30
PID 2072 wrote to memory of 16748	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe	30
PID 2072 wrote to memory of 16748	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe	30
PID 2072 wrote to memory of 6836	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe	31
PID 2072 wrote to memory of 6836	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe	31
PID 2072 wrote to memory of 6836	2072	301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe	31

C:\Users\Admin\AppData\Local\Temp\301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe
"C:\Users\Admin\AppData\Local\Temp\301ed1bb47c406723e68efa053bb4d4f5ce8fa794676c4411b0d2b506696d228.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:16748
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2072 -s 60368
  2⤵
  PID:6836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e7f2c386609e2d986d404909adface9b

SHA1
9fa39309e344cff958d2dd5a010d4a4ceea220f9

SHA256
9d700804ecb1617f1f45d36e11a0979819a832cbf6134ad6a01c05bb8a3c1210

SHA512
136f5c917a9cb6d6404bff34360a59b978ef9384ebf14490036c59dbf670f59ebcf4d28fc63ae8cc727cb75888c4ec77db6d54827260501ecc84549d18b0d893

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
425459e72f18982644e1d8a2e80ec009

SHA1
3bc39d53f7247d85b53ac1d608129d1b98e24ff1

SHA256
0a28d156dc22252685bd7b76eb5e8473de8ae411b5eb65f9597dae0c64e925d2

SHA512
82d5b8d364c1eaaa0e911e4b6109e55049ca543835d3cb7dbf91fdd0db8a3bff68a2d51c03c7524aa3a855e3d21cb05e641d30b9d08a5010dccceca3ce237e3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f5604efcaedea3cd0526434c0e7d25ec

SHA1
b42712e48f57251814303f5d37fbee466df45592

SHA256
ca48df976800e7b6537505b3d555247f2231e033f5f476330096de7afff4ee21

SHA512
aa1268f8d9794a79c23d152920d1ac19b71b1dcbcfe4e4d43a9d7ceca0a873c0c79f4a98ca57aeab631abbba80b88b5803b9f90a8ee87de1e526286f79ee7651

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5bd13590bddcff2b7471a72b411accbc

SHA1
b0bd731164a2cb3e31c8b37c93436afd67ecedf3

SHA256
757d15955c4b534a1e4bbf4443e40efc39cfaef5ce3d56b54faff84f1b7c488d

SHA512
385cb57a8ede794ac3415d18bf078af8b42074eb730a82a2a4507b4641093979c13b8821e1a1cff4c61bd5e88dbf609faf6476d701b1b9f93cab1ca26dfbf8d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6d4c08b4d8993b3f3f7a52f9d5a23711

SHA1
1fcfce575cc6383767092ecdfd980ce4bedcdff5

SHA256
a4ccfae1e234e651ebb7fd412fbb22cc0dd1681924cf1b85bbcc7d7da385fc12

SHA512
b322e43224ad614e373335571a2c97c50938e41a54e8cff393bf7b06592871a29e838143462068998f8a2297d9da34c75c6c832f11c3b1541aa4392498dff1ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a3cd99a3f917f89e553bb5b73462b286

SHA1
dc1a3706cd1a734101e544974bd8f2e9bf877af0

SHA256
93f534704dd545c0849e6b79fca0ceca170aedf5187cba3f05d77a07958da906

SHA512
b4b7f852139b080f536bf63e01c4a0a97076483fe9a0139fc4dd5d6973e5ee231cceadc21af02680a543aba9a0c533e9fbb77810b8b2601abb801c045c13fe73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8101a805b7a3133d9d59477deffd523b

SHA1
bf4279fcf13fb37a9db76241f64070ec39764bfa

SHA256
6bc4b956e1f60862b7042701191bf9c0dc8176f84e009f6d26c86b87a0bd4e09

SHA512
1c00cb8a594db883b63662665c8c8d1d43d8c34f73c81064ee492894b9cc2fd0dd3a590cefd60af088bd49a8d4777ba024f3871cf601f5a706298ceceb94ce07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2a2ecd27a689457410e9f940e5cff5c0

SHA1
a3a7b53bd80d9cefa096ab32ed5ef491c3386023

SHA256
9d08fdee4e55aa522e86ab06a1802ba4a40b0f559ab29267fdaec0a93582d294

SHA512
669fadbb45afe5799506b7469db9f8a3ebd063c3d5f2212fe5b6be85ee42c677754fedd2a55697f2b55b67cc5f6d06858a1003b11799a9dcc3f1359cab9964d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ab1c0bdbea0ba91646dd2575f350ef9d

SHA1
0d5f27dc1f01ed783d572f278d87ee02c3be79e5

SHA256
9eceb3a9ac3ff52b2af883a155611d658260671ca9e11607a5b892eae8305a4b

SHA512
18e61b62b389fb911303e03731b62bc9248a2255fe7305a2d7673f853b469e2028e05043ef27010f9de3cd719efdffe615abde81931765012b6021499b1dce22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9c99c03789f4dad0a0f0ab8220ce5af0

SHA1
c70cacf50f6b4048d887337ae993349f3ecb8111

SHA256
16549dfe004a8744dfe3f39f0f1143020737711f65775aa878f3e7af93c48ef7

SHA512
6cac1ba64968e4c56b5ec6fb16929a70b02aa865f63e77ace6f354cfc688a92a74199db6178aa0b5c99a3bccaf7641289d4498743a5b6525ab933c78065a99ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5268ac3e12f4538660d00c8b59848205

SHA1
7d8ffd0afe72cb1a24b20f64b23906d63a86058c

SHA256
170b2f8b982618df62f7d1d341d2c1dc91e1c6b3b21066b67eed5095514c9693

SHA512
ec0926b91859515924a2e5c2dd33d96e06658533cf9441667ed5cd482dc9afe52bc9d2c4dc97d25ac6b035ab68ac12c3c0d6ccc43901a27a6eda9e84479869bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7431db31165d29851ef639cf8c816315

SHA1
5a9ed2641348aae6d7e72d02379d48a3665721c9

SHA256
4992e57782356082d7cbc02cc37d66cdff6b7fdc729d57e8bb11cabc88b57b61

SHA512
ada83dfd5365269d66d51d484785a342856fc8a2d84b4f6de7a949a460b12310aa373983d26328c371065e4eed8d8071960854aed559f680369e565d4c3095e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b131d3a32622447de486488fba55a93a

SHA1
7132386910fb08cd03cb177e7da38be48617052b

SHA256
b86e72b9bc66120c71eba6ef8b1b9a9a2c33e0d56fcb7cb7df630cd0814bdea0

SHA512
51bdaf73b7d7fa8af7b78a8e90190240a559716bbc8462b4933917a1b9f98fdf9ecf92fa85130990beb851b50c425c84ce2cc7efd424a9a89378db1a02bc7bc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ef17e495d5870f0e7dd56fe7671e3bbb

SHA1
d2a5472688361ba3c5df23d3b7b9b71c457adaf1

SHA256
62e0d16f6cb27fe49eaf0aff6572ea6da8a821b00d584613022f35fbc97a1657

SHA512
c6a75d764a96fe30aa99069f2217fb5b0b062fad5d28cb7ee541f7ce8c76d7c2be1564902061849461420093731428d9c0c4c13f1b823a0f739f381624596488

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b48261ea6938220bd36dcd444650cd03

SHA1
fae4e5935e936a1d498cf792d40017366a58569e

SHA256
07abdd5e759c289fd5daa74c7fda0100fdca1bde4b7c5f8089c52e1a35dead48

SHA512
6045bc30037768ff3371baae35a43f87ff135a0f5955d387b641929022861f9df49e56c7237483909a072976d36e79bc7fbfa391959745e621f8a7f203a44d15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9029962328dd5b9daee01d9b390785bb

SHA1
b0667adc1c0f8341831b9793875d882f12c0f0e1

SHA256
9b9f24a041345b4dc1e85e346a5d0fa05465e0e13c754ce9cc1b7ff580682195

SHA512
891b38f1b5bd4e58a3e5b25342d12ad566d2340a35bfaafc73bf0f4b05672ec5a3bd1cccd84d9a8731fcb91a6349b88a20fa71921801b653b4f81f7ea31b58bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
195529364d8a5cf16af6f1ab5c9d1d32

SHA1
40eb2459e2ffe7ccca1deda8912e33a3944a50d5

SHA256
d7a3349f60baa43e33d71240f5a66e7d2e3070f46b1d1c23d2efb2532b518542

SHA512
d1b4a36f05ce97720ddb43f5756c98e960d80c0cf7d31b527dd29ab83a59c4f933752da8c6d84c8e623e9f35d3f9be90f476e5efb2d3c974dd1e93f5054569e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8425c996744d37304e583b8c2fdd22a7

SHA1
af8af97dcad89db2c94e92957344b6a6a5e05dc3

SHA256
348b4a677606ee8b8948eab7ff2c1e0f442e4e3061663cc216c02c2577a823fa

SHA512
7f78ac1debe98b3b8d21a01b77c34bf737e00b452606d63ef2a50983055cdea9ed62b8dc489735e0f609803cee6d8104f86e6a1f953d44b884d6651f69626705

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
15424d97d77cdf1481591645049db7a7

SHA1
4e64633d4d836c1752c45aa483c742f7d31eb6cb

SHA256
7fe6cf6defa4c0c832ba6e11ad0f936d086a5edb60594af3dce391bfa35d236e

SHA512
7754965c6bf7ae0e0909545659be57ef7761d9d7e8a81924d10dc1492d6469154e4e0b6bc91e84b2ba1843bc84f7b972dae7f942d2ad1097f11ba78189b94fe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9A15.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
memory/2072-0-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/2072-1-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-2-0x000000001B0C0000-0x000000001B140000-memory.dmp

Filesize
512KB

Download
memory/2072-861-0x000000001C180000-0x000000001C216000-memory.dmp

Filesize
600KB

Download
memory/2072-130-0x000007FEF58F0000-0x000007FEF62DC000-memory.dmp

Filesize
9.9MB

Download
memory/16748-917-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/16748-919-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/16748-915-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/16748-921-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/16748-923-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/16748-924-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/16748-928-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/16748-926-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/16748-929-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/16748-930-0x0000000004B50000-0x0000000004B90000-memory.dmp

Filesize
256KB

Download
memory/16748-931-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download