agenttesla | 6d0e896d138e1e12f3c29a4fe7b91618774a7aa59fe1a818853d32c8b06786f4

General

Target

A007 Termbase.msi
Size

26.4MB
MD5

0d74999e3ce596667b1cef92ebac05fa
SHA1

f4cecf3d7f2563b5c74c86f744061e338d2d3421
SHA256

6d0e896d138e1e12f3c29a4fe7b91618774a7aa59fe1a818853d32c8b06786f4
SHA512

e36740d392e751e94f3273d68e6235b03b96ca5f9a63f33ea0a7b3a19545be1cc889aa245c4a85a318e2b36cbcc31c356911476a58d24c9f16f4a18fd419f245
SSDEEP

786432:UeBHVLpoSprl9J1P2nYOWMzgpEH68ppppppppb:U21poSRPynwMzgpEa8ppppppppb

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\Guna.UI2.dll	family_agenttesla
behavioral1/memory/1148-108-0x0000000005960000-0x0000000005B56000-memory.dmp	family_agenttesla

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID497.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9C01E35C-F547-45DC-976F-6BBDF8A362E1}	msiexec.exe
File created	C:\Windows\Installer\e57d33e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d33e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID61E.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d340.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID37C.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

A007 Termbase.exe

pid process

1148 A007 Termbase.exe

pid	process
1148	A007 Termbase.exe

Loads dropped DLL 10 IoCs

Processes:

MsiExec.exeMsiExec.exeA007 Termbase.exe

pid	process
1088	MsiExec.exe
1088	MsiExec.exe
1088	MsiExec.exe
1088	MsiExec.exe
1088	MsiExec.exe
1088	MsiExec.exe
3800	MsiExec.exe
3800	MsiExec.exe
1148	A007 Termbase.exe
1148	A007 Termbase.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

A007 Termbase.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	A007 Termbase.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	A007 Termbase.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	A007 Termbase.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe

Modifies registry class 23 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C53E10C9745FCD5479F6B6DB8F3A261E\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C53E10C9745FCD5479F6B6DB8F3A261E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\PackageCode = "C0359BFD083EE1E469F760B9CB1F6CDE"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\Version = "16973824"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D9417B066CD758C4CA3A6229ED164524	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\SourceList\PackageName = "A007 Termbase.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D9417B066CD758C4CA3A6229ED164524\C53E10C9745FCD5479F6B6DB8F3A261E	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\ProductName = "A007 Termbase"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C53E10C9745FCD5479F6B6DB8F3A261E\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

3588 msiexec.exe
3588 msiexec.exe

pid	process
3588	msiexec.exe
3588	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4024	msiexec.exe
Token: SeSecurityPrivilege	3588	msiexec.exe
Token: SeCreateTokenPrivilege	4024	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4024	msiexec.exe
Token: SeLockMemoryPrivilege	4024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4024	msiexec.exe
Token: SeMachineAccountPrivilege	4024	msiexec.exe
Token: SeTcbPrivilege	4024	msiexec.exe
Token: SeSecurityPrivilege	4024	msiexec.exe
Token: SeTakeOwnershipPrivilege	4024	msiexec.exe
Token: SeLoadDriverPrivilege	4024	msiexec.exe
Token: SeSystemProfilePrivilege	4024	msiexec.exe
Token: SeSystemtimePrivilege	4024	msiexec.exe
Token: SeProfSingleProcessPrivilege	4024	msiexec.exe
Token: SeIncBasePriorityPrivilege	4024	msiexec.exe
Token: SeCreatePagefilePrivilege	4024	msiexec.exe
Token: SeCreatePermanentPrivilege	4024	msiexec.exe
Token: SeBackupPrivilege	4024	msiexec.exe
Token: SeRestorePrivilege	4024	msiexec.exe
Token: SeShutdownPrivilege	4024	msiexec.exe
Token: SeDebugPrivilege	4024	msiexec.exe
Token: SeAuditPrivilege	4024	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4024	msiexec.exe
Token: SeChangeNotifyPrivilege	4024	msiexec.exe
Token: SeRemoteShutdownPrivilege	4024	msiexec.exe
Token: SeUndockPrivilege	4024	msiexec.exe
Token: SeSyncAgentPrivilege	4024	msiexec.exe
Token: SeEnableDelegationPrivilege	4024	msiexec.exe
Token: SeManageVolumePrivilege	4024	msiexec.exe
Token: SeImpersonatePrivilege	4024	msiexec.exe
Token: SeCreateGlobalPrivilege	4024	msiexec.exe
Token: SeCreateTokenPrivilege	4024	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4024	msiexec.exe
Token: SeLockMemoryPrivilege	4024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4024	msiexec.exe
Token: SeMachineAccountPrivilege	4024	msiexec.exe
Token: SeTcbPrivilege	4024	msiexec.exe
Token: SeSecurityPrivilege	4024	msiexec.exe
Token: SeTakeOwnershipPrivilege	4024	msiexec.exe
Token: SeLoadDriverPrivilege	4024	msiexec.exe
Token: SeSystemProfilePrivilege	4024	msiexec.exe
Token: SeSystemtimePrivilege	4024	msiexec.exe
Token: SeProfSingleProcessPrivilege	4024	msiexec.exe
Token: SeIncBasePriorityPrivilege	4024	msiexec.exe
Token: SeCreatePagefilePrivilege	4024	msiexec.exe
Token: SeCreatePermanentPrivilege	4024	msiexec.exe
Token: SeBackupPrivilege	4024	msiexec.exe
Token: SeRestorePrivilege	4024	msiexec.exe
Token: SeShutdownPrivilege	4024	msiexec.exe
Token: SeDebugPrivilege	4024	msiexec.exe
Token: SeAuditPrivilege	4024	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4024	msiexec.exe
Token: SeChangeNotifyPrivilege	4024	msiexec.exe
Token: SeRemoteShutdownPrivilege	4024	msiexec.exe
Token: SeUndockPrivilege	4024	msiexec.exe
Token: SeSyncAgentPrivilege	4024	msiexec.exe
Token: SeEnableDelegationPrivilege	4024	msiexec.exe
Token: SeManageVolumePrivilege	4024	msiexec.exe
Token: SeImpersonatePrivilege	4024	msiexec.exe
Token: SeCreateGlobalPrivilege	4024	msiexec.exe
Token: SeCreateTokenPrivilege	4024	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4024	msiexec.exe
Token: SeLockMemoryPrivilege	4024	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4024 msiexec.exe
4024 msiexec.exe

pid	process
4024	msiexec.exe
4024	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 3588 wrote to memory of 1088	3588	msiexec.exe	MsiExec.exe
PID 3588 wrote to memory of 1088	3588	msiexec.exe	MsiExec.exe
PID 3588 wrote to memory of 1088	3588	msiexec.exe	MsiExec.exe
PID 3588 wrote to memory of 3268	3588	msiexec.exe	srtasks.exe
PID 3588 wrote to memory of 3268	3588	msiexec.exe	srtasks.exe
PID 3588 wrote to memory of 3800	3588	msiexec.exe	MsiExec.exe
PID 3588 wrote to memory of 3800	3588	msiexec.exe	MsiExec.exe
PID 3588 wrote to memory of 3800	3588	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\A007 Termbase.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4024

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 109964F7E10A18BED8C2C923C5C2FA22 C
2⤵
- Loads dropped DLL
PID:1088

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3268

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BF5C24625A33F6135E45309824739C08
2⤵
- Loads dropped DLL
PID:3800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3716

C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\A007 Termbase.exe
"C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\A007 Termbase.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d33f.rbs
Filesize
13KB

MD5
78fa415aab84cf37c603013f874171dd

SHA1
dd3405921792f6d0bb9dfa246053895c6f87e5fa

SHA256
ebc951ae904d6bd66b7779d6a96a470c4c18ef213976649cf55ec3b1d5372868

SHA512
b6a679a0354a9b2cf0e144017020bd31e26c4226e302b3eceb42acb11b57775db390820bff129cf6decae39780592e8cd47bb814ea91c5177bceebfde75b14a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5EF8.tmp
Filesize
559KB

MD5
fe4d2f9cad2f30990e8f845d4052c2fd

SHA1
3c2ebd01fdd78f2424d8c76e36404933e4a71a11

SHA256
1e28349bf342dd176ff7a899b73e7a1b5792c95e099212a72d7dfe9e75836695

SHA512
6dd5d5d30002d18d37a1068730657c84142bf0bd81cc9aab6bcb67286b4f4dd5b77e3b8fb3e6356ea86e26a79805e50a33e686859f5d9e065129a34b7cac66f4

Download Submit
C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\A007 Termbase.exe
Filesize
3.8MB

MD5
91c5f605ef08f598a67a2a656e1c8372

SHA1
615fd9322152a8f47915ff7004fb5c4e4334df75

SHA256
430bb0f33e20b9c05a8176a851fe32165c35d0ae2e7d9ba88ad4eb5d7f298936

SHA512
3752720cb2480f2aa6231a286b9d369718a60f68a1aeb0aede8b0c2239fdcdc8be71e5f805b7b2908c5a3bbc104b44cc2b60cfbc6dcac09b97cf5f7883291310

Download Submit
C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\A007 Termbase.exe.config
Filesize
1KB

MD5
3088574e97b18a8ee6e0397a9e8764cb

SHA1
40b7cbcbf07d7fdd1f806fb134f230b359ce9264

SHA256
424be48e945b4e0b5ece9a811babafe83a1e5027d084433af5001de0b60330af

SHA512
bb0f0d46eb419aac3a9202999cb11c98a8bf960f8f520639f2ae551c0bfeacf82c58b68df04baecf3d3d6b73f7abafd494b30c8d971e7ba4db8701b8068ad166

Download Submit
C:\Users\Admin\AppData\Roaming\A007 Termbase\A007 Termbase\Guna.UI2.dll
Filesize
1.9MB

MD5
a6c5c5d8f6a0e33f789c1c9c070a38d6

SHA1
f36efdf71e737c78e83d8d284ba03b5d5aff95f1

SHA256
cf423a447e5c1dc8bc0b84ef005e2e942fa149ba4f9caf7e2f12f672cad55385

SHA512
fd679781213be3b7ec6a39b2dacb2b96c356d4276e8b23995f243cbda88f56e311f2933244f50e50a27c72d664b67bb337ab0053c5e83fd934bbb67d6576a124

Download Submit
C:\Windows\Installer\e57d33e.msi
Filesize
26.4MB

MD5
0d74999e3ce596667b1cef92ebac05fa

SHA1
f4cecf3d7f2563b5c74c86f744061e338d2d3421

SHA256
6d0e896d138e1e12f3c29a4fe7b91618774a7aa59fe1a818853d32c8b06786f4

SHA512
e36740d392e751e94f3273d68e6235b03b96ca5f9a63f33ea0a7b3a19545be1cc889aa245c4a85a318e2b36cbcc31c356911476a58d24c9f16f4a18fd419f245

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
26.0MB

MD5
4670455441e9030336cd7a0c529e6fee

SHA1
5c855ef59662b9d076353780f428e194e84c7bd7

SHA256
abe8510325d3a6f20e884902f2e87fc8a0cb572bf1831d43987d96668c16a22a

SHA512
228273890d34e091d96c80f55e4caaffd362d6b021a5c0604a321f3ddc6bb1449a37811010de725d1372db26a581127175ac39dff2202393513567130d9a3748

Download Submit
\??\Volume{38fc7460-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e3f55898-5092-47e5-8dd4-bd207754d250}_OnDiskSnapshotProp
Filesize
5KB

MD5
e69d564a5bce8160701387a080319587

SHA1
30011a0c0beda7254d9cba5979d4db67eaac89a2

SHA256
342fb8fe2cf747dd64f6f2c0901322ec2cc7921396cc9cbb643bb24c1f87a63c

SHA512
ef91173e0a3802939c60393f0fb16ec9066a44a8c433c695fb306cf5d6a026dc9693410f27b0796c560178b1a911042fb0ca91b9825fbd5a3588e3ed741c32af

Download Submit
memory/1148-102-0x0000000005460000-0x000000000595E000-memory.dmp

Filesize
5.0MB

Download
memory/1148-103-0x0000000004F60000-0x0000000004FF2000-memory.dmp

Filesize
584KB

Download
memory/1148-104-0x0000000004F40000-0x0000000004F4A000-memory.dmp

Filesize
40KB

Download
memory/1148-101-0x0000000000320000-0x00000000006F0000-memory.dmp

Filesize
3.8MB

Download
memory/1148-108-0x0000000005960000-0x0000000005B56000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads