agenttesla | hxxp://files[.]catbox[.]moe/8c0yhu[.]zip

Analysis

max time kernel
164s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://files.catbox.moe/8c0yhu.zip

Score

10^/10

agenttesla execution keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.jalcepsac.com
Port:
587
Username:
[email protected]
Password:
@jalcepsac.com

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.jalcepsac.com
Port:
587
Username:
[email protected]
Password:
@jalcepsac.com
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1572	powershell.exe
5620	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	20240509 (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	20240509 (1).exe

Executes dropped EXE 6 IoCs

pid	Process
1132	20240509 (1).exe
3548	20240509 (1).exe
4112	20240509 (1).exe
5740	20240509 (1).exe
1436	20240509 (1).exe
5228	20240509 (1).exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1132 set thread context of 4112	1132	20240509 (1).exe	121
PID 4112 set thread context of 5740	4112	20240509 (1).exe	127
PID 5740 set thread context of 1436	5740	20240509 (1).exe	129
PID 1436 set thread context of 5228	1436	20240509 (1).exe	130

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4316	schtasks.exe
5644	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133598357304784109"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4412	chrome.exe
4412	chrome.exe
1132	20240509 (1).exe
1132	20240509 (1).exe
1132	20240509 (1).exe
1132	20240509 (1).exe
1132	20240509 (1).exe
1132	20240509 (1).exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
4112	20240509 (1).exe
4112	20240509 (1).exe
4112	20240509 (1).exe
5620	powershell.exe
5620	powershell.exe
5620	powershell.exe
5228	20240509 (1).exe
5228	20240509 (1).exe
5228	20240509 (1).exe
5484	chrome.exe
5484	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeRestorePrivilege	224	7zG.exe
Token: 35	224	7zG.exe
Token: SeSecurityPrivilege	224	7zG.exe
Token: SeSecurityPrivilege	224	7zG.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe
Token: SeShutdownPrivilege	4412	chrome.exe
Token: SeCreatePagefilePrivilege	4412	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
224	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe
4412	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 3604	4412	chrome.exe	91
PID 4412 wrote to memory of 3604	4412	chrome.exe	91
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4988	4412	chrome.exe	93
PID 4412 wrote to memory of 4540	4412	chrome.exe	94
PID 4412 wrote to memory of 4540	4412	chrome.exe	94
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95
PID 4412 wrote to memory of 2020	4412	chrome.exe	95

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://files.catbox.moe/8c0yhu.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea4379758,0x7ffea4379768,0x7ffea4379778
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1984,i,3812143605938578543,6320590349858658162,131072 /prefetch:2
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1984,i,3812143605938578543,6320590349858658162,131072 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1984,i,3812143605938578543,6320590349858658162,131072 /prefetch:8
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1984,i,3812143605938578543,6320590349858658162,131072 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1984,i,3812143605938578543,6320590349858658162,131072 /prefetch:1
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1984,i,3812143605938578543,6320590349858658162,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1984,i,3812143605938578543,6320590349858658162,131072 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5072 --field-trial-handle=1984,i,3812143605938578543,6320590349858658162,131072 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 --field-trial-handle=1984,i,3812143605938578543,6320590349858658162,131072 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3276 --field-trial-handle=1984,i,3812143605938578543,6320590349858658162,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5484

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1752

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\8c0yhu\" -spe -an -ai#7zMap31797:74:7zEvent25348
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:224

C:\Users\Admin\Downloads\8c0yhu\20240509 (1).exe
"C:\Users\Admin\Downloads\8c0yhu\20240509 (1).exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pJlDdUQ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pJlDdUQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7D59.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:4316
- C:\Users\Admin\Downloads\8c0yhu\20240509 (1).exe
  "C:\Users\Admin\Downloads\8c0yhu\20240509 (1).exe"
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Users\Admin\Downloads\8c0yhu\20240509 (1).exe
  "C:\Users\Admin\Downloads\8c0yhu\20240509 (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:4112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PwrtvLGqv.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5620
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PwrtvLGqv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBF05.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:5644
- - C:\Users\Admin\Downloads\8c0yhu\20240509 (1).exe
    "C:\Users\Admin\Downloads\8c0yhu\20240509 (1).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5740
  - - C:\Users\Admin\Downloads\8c0yhu\20240509 (1).exe
      "C:\Users\Admin\Downloads\8c0yhu\20240509 (1).exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1436
    - - C:\Users\Admin\Downloads\8c0yhu\20240509 (1).exe
        
        "C:\Users\Admin\Downloads\8c0yhu\20240509 (1).exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3400 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5b9e372e-5eef-4e03-a7ee-f761d3ff5fba.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
bf063038c81870ff4ccffaebdd22afdc

SHA1
239a2aa135014c6357230c1c6a541dfb788828cc

SHA256
a69edd64bd50ca2e31d0138aefe416022c99adb30b56b18a19a196f7f25d8051

SHA512
f56db54708fb029a08f04961229ae304706b62a19cfa4c6717d8804c0ef388ae08309635c292aa0dde00eb008941a17331f7da8f06db48a8db9cf2cabae71c8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
832B

MD5
5f452c3d0121318396d82a80280a2d00

SHA1
c76eb068ed60bc0d78b510098e00f9cbf1456d21

SHA256
268bcd07a50ae1acc1d5a5b6cace3133f409810c540b777899ffbdf0cfa27b87

SHA512
8bc6c5c772ba86eff48c8cd590479a4dfacba503a2eeced2dd621a8791900167d1cbf76a57b5e2310c87482c82af6fa4e4319b42f26ab912f307a4eda48843c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
83e68bc09662bcac4a7c8b0c1fba24b9

SHA1
b909abf965a46314b4142b5fad8dc5caef511bd7

SHA256
917d4a1d3c2c070603e39757611d566df7918733a4c955873139406eebe8a47f

SHA512
6a5de69e34fae9111eb2434c535f9189e35789f8325dc5f6e2005a89e6252d071a19f267623c653c5e3c13cac021397d735d43ff95de11864de385f6226dc268

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
94ffb337d463f564c622532a7736efbb

SHA1
bac89ead9ddc1489e240081c70037a82276e3c18

SHA256
70565de0e020e86071c5073aeacd2a111b534f841bd6a86b5a5802aa4ad8fed6

SHA512
7e36300ebc6d0244914dbd43c721830b68cf3acf21827bfb5f3ae7b73de6343df9c616b9a7199665366cfdfcda840019ad1856af711316d2181d89aa7e05515a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
03d881a5f0fb3fe876119cc9adb2a7f2

SHA1
8f2f2e7c75280d72dbfe04f66a4a01c4c6f63c0e

SHA256
26148669333dc7704671880a24b63bf4e280b4ccae2059b23ee3533dc2ca0a6b

SHA512
59c6d7e4676a7ceb972054e8a8faf110ec5b1011803e1554d5e84d7c8657c0aeb96c05beaf82e60b3781ee64a76d30035a7d35e1ee82e44bd6f9cdef18fbf8a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
312602ba7f2d2229458bac3b7883a1ed

SHA1
8e6556db5396e29ae495090fd0b4097dfe35b8a2

SHA256
146cc92ed373fbca99c7065aa16c0518fa4efa2ee43d8274ba4330077a018be3

SHA512
ea6fa63089993ebbbf7c90d4b3685a81b044edcadc77b19fdeb016e26fdbace07732efda75ef185e42432501db7f4d405363232dcf8cfc9a9f4687c667f2c874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
17f6350af89709f09586856a6da3257d

SHA1
4a54ae9528c5f7eda50176a6a7047a0e7a810593

SHA256
4bd8b697bbadd25e61c53918d4442d73e6e46fc8007832dbd5c6c1a4a7359771

SHA512
0eeffa327d71cf952353bb7428af904b21c462ca58bd9a31e4d975f7df815656655adcf728321a227854793fcedae0ec070778ccfadb3781d2796d12822c87d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cdbdf029fa1dfe5936fc0c97d3ec2b39

SHA1
3cb97642a09f995b8706d3ab5efed4242d3983cb

SHA256
6b940acda179d8422c4c0ab4b40c9005bb23c7266b4c338f32b0e3a3995e796c

SHA512
9591d67e92aed1547ee767fad9dbde4a277a78b23a032e3a1e53a21b2a890e51cc889d3d58b5b6290e73a81dfd82bf51c4c9f1d06ae00edfab6707a423069e9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
9806b0e34805155ef32860cf52f887ed

SHA1
d34e811635180590d4d32fb6891854267f9de9f2

SHA256
0347b0cde577d0600582dcd33886e3d03a1c2c53d48a47d8b474e31621c0cac7

SHA512
e400942f40ec085d43d9878b9ce3245bec623ed4b90937bab5b6c85bc9cdb2d14c18b3b644765f91b7f9525856fe23083ff395c1425cf7eed6bbadd8da5cf997

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
21e0b2cedf654f8cebaea952f90b2d19

SHA1
2f6f6132ddce8b9b389d9ba0ceedcfae4337d067

SHA256
721328d4bb2b74fa23aa1fc4591109cee307870b12fbfe0345b213d9f341d227

SHA512
cf25fad6dca1e0d7abbee6c1cf8954ed32c44257588833e8ee72c0ebb86cc1c768a08413cdf23e8f653379895f2fdc459afd2270a18b25f1092159243bcb6bd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5826cd.TMP

Filesize
102KB

MD5
d58231192b1e64926ea1f27d541cf3de

SHA1
d9923e3633f57e2be0fe2012800f49dc1818743f

SHA256
9a4a3b077eeb5f70e59ae257e153e7ac1e0aacabbc47b2602cef7760964d1713

SHA512
b36939299d5cf52caaae7759bc63b3907651e83ea59bfbf1e85749c8d0762ede13ba49f58c74623888b7ba6a93d926461acf80d21538b6b03c631c331fb7ec73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20240509 (1).exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c7ac59e01c489edb5ece532c9a1d04ab

SHA1
58d40f96394426d49cc588d820c3458e1e772f89

SHA256
bb2f289552a7674215d5fa7f5f50538f5a91dcc3a0d6e23b05c2e9d8aca5f2c0

SHA512
e4ac958f24016355fc0f2d880f695ca728a9e51a1f6b17a554bb1d9af27922ab6a1c9a3f3cb3b38ffe66f4ea8a4ec70e029e166d8217a20b28ccbe17314f93b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0nzdtwvb.uhz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7D59.tmp

Filesize
1KB

MD5
49aea8fb004e551518514f17b9867b93

SHA1
f9894b9a945bf94f052fcac90c65645500aebfc2

SHA256
d53a3c2c7fc221dc7c1f1b2b213453470da5e913371adf01184f6845c8f46841

SHA512
fc10322837cd9a2f24554c04e63929330d77a37cb501c13353582094078f8f88f58119da3af6819acfb6f81b4d4ba40a91e8612b3e1ea2fd6393205b9c9f8ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF05.tmp

Filesize
1KB

MD5
55a6a7817e89b0314c73c465470759ea

SHA1
0cb6430fc2a946bf8415047814d414262cca78c7

SHA256
59b353b0b61d9acaa54572b0e3b68ead17a97a062b1af4927552a2b713d5e2c8

SHA512
aac318ff0f65e6dac6f10756ae652710efc80405a1810250f665b424bbaa8107dbff0f67d0f1fa5b1be384bbd6f1022555c9fce833f42ea25e7129fd3731fc87

Download Submit
C:\Users\Admin\Downloads\8c0yhu.zip

Filesize
2.9MB

MD5
25a9a32af4e5873b37b1082d43e23e2f

SHA1
78275b037ddb6744cda7e3da46f0159a6b8dc623

SHA256
a3625036793266877a6c02eec313535a2303e4de0fbc92507dbbdaa8c16a2667

SHA512
bffdbc8cf3f9eb690412f50b81d4f27204b8fb747971b5a86aa14aad865fc1f18fa6b543dbdf5929378411d67e1ceb8742520fbf131531407cb1d48476d60978

Download Submit
C:\Users\Admin\Downloads\8c0yhu\20240509 (1).exe

Filesize
2.9MB

MD5
2ef7bb15b0d13ee4bd6289c254fc856b

SHA1
9149f5d908f206202c3d2121fc9137cc5b101946

SHA256
7f2ce1b563872c87a9bc6dbb894525a36ce8228332b0519340f5698724505ed4

SHA512
f31d5f6ed136ecd8a41e6cc2e4361cef9110f2fc6f9ad952b7f65393171c0fedcea67920bd6a479b0879dd12fb0960f8a90ad8c0a3ae17e89cd52a4231eccfca

Download Submit
memory/1132-92-0x00000000075F0000-0x000000000768C000-memory.dmp

Filesize
624KB

Download
memory/1132-84-0x00000000072F0000-0x0000000007382000-memory.dmp

Filesize
584KB

Download
memory/1132-105-0x0000000008F60000-0x0000000009202000-memory.dmp

Filesize
2.6MB

Download
memory/1132-81-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/1132-103-0x00000000077B0000-0x00000000077C0000-memory.dmp

Filesize
64KB

Download
memory/1132-82-0x00000000000D0000-0x00000000003BE000-memory.dmp

Filesize
2.9MB

Download
memory/1132-83-0x0000000007800000-0x0000000007DA4000-memory.dmp

Filesize
5.6MB

Download
memory/1132-93-0x0000000007550000-0x000000000756E000-memory.dmp

Filesize
120KB

Download
memory/1132-104-0x00000000077E0000-0x00000000077F6000-memory.dmp

Filesize
88KB

Download
memory/1132-91-0x0000000007280000-0x000000000728A000-memory.dmp

Filesize
40KB

Download
memory/1132-126-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/1132-90-0x0000000074DC0000-0x0000000075570000-memory.dmp

Filesize
7.7MB

Download
memory/1436-249-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/1436-251-0x0000000005680000-0x000000000569C000-memory.dmp

Filesize
112KB

Download
memory/1436-252-0x0000000005760000-0x000000000576E000-memory.dmp

Filesize
56KB

Download
memory/1436-253-0x0000000005780000-0x0000000005796000-memory.dmp

Filesize
88KB

Download
memory/1436-254-0x00000000082D0000-0x0000000008352000-memory.dmp

Filesize
520KB

Download
memory/1572-188-0x0000000007CD0000-0x0000000007CDE000-memory.dmp

Filesize
56KB

Download
memory/1572-181-0x0000000006DB0000-0x0000000006E53000-memory.dmp

Filesize
652KB

Download
memory/1572-110-0x0000000002E70000-0x0000000002EA6000-memory.dmp

Filesize
216KB

Download
memory/1572-112-0x0000000005AA0000-0x00000000060C8000-memory.dmp

Filesize
6.2MB

Download
memory/1572-119-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/1572-118-0x0000000005990000-0x00000000059B2000-memory.dmp

Filesize
136KB

Download
memory/1572-125-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/1572-149-0x0000000006140000-0x0000000006494000-memory.dmp

Filesize
3.3MB

Download
memory/1572-191-0x0000000007DC0000-0x0000000007DC8000-memory.dmp

Filesize
32KB

Download
memory/1572-167-0x0000000006C70000-0x0000000006CBC000-memory.dmp

Filesize
304KB

Download
memory/1572-190-0x0000000007DE0000-0x0000000007DFA000-memory.dmp

Filesize
104KB

Download
memory/1572-189-0x0000000007CE0000-0x0000000007CF4000-memory.dmp

Filesize
80KB

Download
memory/1572-187-0x0000000007CA0000-0x0000000007CB1000-memory.dmp

Filesize
68KB

Download
memory/1572-186-0x0000000007D20000-0x0000000007DB6000-memory.dmp

Filesize
600KB

Download
memory/1572-184-0x0000000007AF0000-0x0000000007AFA000-memory.dmp

Filesize
40KB

Download
memory/1572-182-0x00000000080C0000-0x000000000873A000-memory.dmp

Filesize
6.5MB

Download
memory/1572-183-0x0000000007A80000-0x0000000007A9A000-memory.dmp

Filesize
104KB

Download
memory/1572-169-0x0000000006D20000-0x0000000006D52000-memory.dmp

Filesize
200KB

Download
memory/1572-170-0x00000000724D0000-0x000000007251C000-memory.dmp

Filesize
304KB

Download
memory/1572-150-0x0000000006770000-0x000000000678E000-memory.dmp

Filesize
120KB

Download
memory/1572-180-0x0000000006D00000-0x0000000006D1E000-memory.dmp

Filesize
120KB

Download
memory/4112-151-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-142-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-128-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-148-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-153-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-160-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-138-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-154-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-156-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-157-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-140-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-159-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-164-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-166-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-194-0x0000000009490000-0x000000000960A000-memory.dmp

Filesize
1.5MB

Download
memory/4112-163-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-143-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-137-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-136-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-147-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-114-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-135-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-129-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-130-0x0000000000400000-0x000000000065E000-memory.dmp

Filesize
2.4MB

Download
memory/4112-168-0x0000000007DB0000-0x0000000007DCE000-memory.dmp

Filesize
120KB

Download
memory/5228-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5228-257-0x0000000006340000-0x0000000006390000-memory.dmp

Filesize
320KB

Download
memory/5620-235-0x0000000007220000-0x00000000072C3000-memory.dmp

Filesize
652KB

Download
memory/5620-245-0x00000000074B0000-0x00000000074C1000-memory.dmp

Filesize
68KB

Download
memory/5620-246-0x0000000007500000-0x0000000007514000-memory.dmp

Filesize
80KB

Download
memory/5620-225-0x0000000070650000-0x000000007069C000-memory.dmp

Filesize
304KB

Download
memory/5620-214-0x0000000005FB0000-0x0000000005FFC000-memory.dmp

Filesize
304KB

Download
memory/5620-212-0x0000000005A60000-0x0000000005DB4000-memory.dmp

Filesize
3.3MB

Download
memory/5740-248-0x0000000007720000-0x0000000007822000-memory.dmp

Filesize
1.0MB

Download
memory/5740-215-0x00000000072E0000-0x00000000072FE000-memory.dmp

Filesize
120KB

Download
memory/5740-201-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download