Malware Analysis Report

2024-11-30 07:45

Sample ID 240603-gwf4aafd53
Target SOA APR-MAY 2024.zip
SHA256 26a854eec44fdf4a15204c2e9c34aba7cd5affa0b834cd93f5c4af68daaffa17
Tags
agenttesla execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26a854eec44fdf4a15204c2e9c34aba7cd5affa0b834cd93f5c4af68daaffa17

Threat Level: Known bad

The file SOA APR-MAY 2024.zip was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads WinSCP keys stored on the system

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 06:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 06:09

Reported

2024-06-03 06:11

Platform

win7-20240221-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\YxAesh = "C:\\Users\\Admin\\AppData\\Roaming\\YxAesh\\YxAesh.exe" | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2836 set thread context of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2836 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2836 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2836 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2836 wrote to memory of 2972 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2836 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2836 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2836 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2836 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2836 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2836 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2836 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2836 wrote to memory of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2836 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 2836 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 2836 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 2836 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 2836 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 2836 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 2836 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 2836 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 2836 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe

"C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xVclFITYpVbZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xVclFITYpVbZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp50E2.tmp"

C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe

"C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.12.205:443 | api.ipify.org | tcp

Files

memory/2836-0-0x000000007429E000-0x000000007429F000-memory.dmp

memory/2836-1-0x0000000000FF0000-0x00000000010CA000-memory.dmp

memory/2836-2-0x0000000074290000-0x000000007497E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2553.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2836-100-0x0000000000A30000-0x0000000000A46000-memory.dmp

memory/2836-101-0x0000000000D60000-0x0000000000D6E000-memory.dmp

memory/2836-102-0x0000000000D70000-0x0000000000D80000-memory.dmp

memory/2836-103-0x0000000006690000-0x0000000006712000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp50E2.tmp

MD5 c55a19328d5d48051cebc30ef1863fe2
SHA1 8afacf284300b66ef0caf78da918d10939cf8781
SHA256 2b62094d9a4fa75bdc846dcf171c41f9090543e851e015b4c13849eb11da3dae
SHA512 205ab20f18573f42c04c1d5b4d8588dd0b32af36c30d08e10692b354c9b387317e9a34fa18ee925595bfb623149376f103f9f90963f87f1f94d70079ddb33943

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 4c4feb978c5aadfbdca25d3095f34efd
SHA1 6216c579496150d77a37b6f3bc75d20079cf9234
SHA256 f8225d93fc2067ca45c93f03664272459a50261b300070c5ab5343db04c67d59
SHA512 c28c2e3ab393caf024e5c7d33f9846b7063a8f059afa6c38da9aa8bf9bae7993a3a9344dea4ed632f3610fed0c25c9d3aa0b4cdbda67d4caec08c57269c5d9d0

memory/1936-116-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1936-122-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1936-127-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1936-126-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1936-125-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1936-124-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1936-118-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1936-120-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2836-128-0x0000000074290000-0x000000007497E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 06:09

Reported

2024-06-03 06:11

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YxAesh = "C:\\Users\\Admin\\AppData\\Roaming\\YxAesh\\YxAesh.exe" | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4552 set thread context of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4552 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 4016 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4552 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4552 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4552 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4552 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 4552 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 4552 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 4552 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 4552 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 4552 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 4552 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe
PID 4552 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe | C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe

"C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xVclFITYpVbZ.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xVclFITYpVbZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A43.tmp"

C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe

"C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe"
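Detection logic for the loader chain recorded in both runs (behavioral1 and behavioral2 show the same sequence), as an added example that is not part of the sandbox report. It runs four rules over constructed process-creation and registry events that mirror the behavioral2 rows above (the `type`, `parent_pid`, `image`, `cmdline`, `key` and `data` field names are an assumed Sysmon-like schema, not the sandbox's export format), then correlates hits by the acting PID so that one process adding a Defender exclusion, importing a task from an XML in %TEMP%, setting a Run key into AppData and spawning a copy of itself is raised as a single loader-chain alert rather than four unrelated findings. Note that the child image paths above are under SysWOW64 while the command lines name System32: the 32-bit sample's children are subject to WoW64 file-system redirection, so the rules match on the file name rather than the directory.

```python
"""Rule-based detection of the loader chain recorded in behavioral1/behavioral2.

Added example, not part of the sandbox report. The events are constructed
to mirror the report's process and registry rows; the field names are an
assumed Sysmon-like schema, not the sandbox's export format.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SOA APR-MAY 2024.exe"
PS_WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "'

# Constructed telemetry (assumed schema). The last event is a benign control:
# an installer registering a task from an XML under Program Files.
SAMPLE_EVENTS = [
    {"type": "process", "parent_pid": 4552, "parent_image": SAMPLE, "pid": 2440,
     "image": PS_WOW64, "cmdline": PS_CMD + SAMPLE + '"'},
    {"type": "process", "parent_pid": 4552, "parent_image": SAMPLE, "pid": 4016,
     "image": PS_WOW64, "cmdline": PS_CMD + r'C:\Users\Admin\AppData\Roaming\xVclFITYpVbZ.exe"'},
    {"type": "process", "parent_pid": 4552, "parent_image": SAMPLE, "pid": 4504,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xVclFITYpVbZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A43.tmp"'},
    {"type": "process", "parent_pid": 4552, "parent_image": SAMPLE, "pid": 4400,
     "image": SAMPLE, "cmdline": '"' + SAMPLE + '"'},
    {"type": "registry", "pid": 4552, "image": SAMPLE,
     "key": r"HKU\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YxAesh",
     "data": r"C:\Users\Admin\AppData\Roaming\YxAesh\YxAesh.exe"},
    {"type": "process", "parent_pid": 1000, "parent_image": r"C:\Windows\System32\msiexec.exe", "pid": 1001,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Update" /XML "C:\Program Files\Vendor\update-task.xml"'},
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev):
    # Match on the file name: WoW64 redirection makes image and cmdline disagree on the directory.
    if ev["type"] != "process" or basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    m = re.search(r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+"?([^"]+)', ev["cmdline"], re.I)
    return f"Defender exclusion added for {m.group(1)}" if m else None


def rule_schtasks_xml_user_path(ev):
    if ev["type"] != "process" or basename(ev["image"]) != "schtasks.exe":
        return None
    m = re.search(r'/XML\s+"?([^"]+)', ev["cmdline"], re.I)
    if re.search(r"/Create\b", ev["cmdline"], re.I) and m and USER_WRITABLE.search(m.group(1)):
        return f"Scheduled task imported from user-writable XML {m.group(1)}"
    return None


def rule_self_spawn(ev):
    # A user-path binary starting a copy of itself is the hollowing setup; the
    # SetThreadContext/WriteProcessMemory rows in the report are the confirmation.
    if ev["type"] == "process" and ev["image"].lower() == ev["parent_image"].lower() \
            and USER_WRITABLE.search(ev["image"]):
        return "Spawned a copy of itself (hollowing candidate)"
    return None


def rule_run_key_user_path(ev):
    if ev["type"] != "registry" or not re.search(r"\\CurrentVersion\\Run(?:Once)?\\", ev["key"], re.I):
        return None
    if USER_WRITABLE.search(ev["data"]):
        name = ev["key"].rsplit("\\", 1)[-1]
        return f"Run key {name} points to {ev['data']}"
    return None


RULES = {
    "defender_exclusion": rule_defender_exclusion,
    "schtasks_xml_user_path": rule_schtasks_xml_user_path,
    "self_spawn": rule_self_spawn,
    "run_key_user_path": rule_run_key_user_path,
}


def detect(events):
    """Run every rule over every event; attribute each hit to the acting PID
    (the parent for process creations, the writer for registry events)."""
    hits = []
    for ev in events:
        actor = ev["parent_pid"] if ev["type"] == "process" else ev["pid"]
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append({"rule": name, "actor_pid": actor, "detail": detail})
    return hits


def correlate(hits, min_rules=3):
    """A PID that trips several distinct rules is one loader-chain alert, not four tickets."""
    by_actor = defaultdict(set)
    for h in hits:
        by_actor[h["actor_pid"]].add(h["rule"])
    return {pid: sorted(r) for pid, r in by_actor.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for h in found:
        print(f"[{h['rule']}] pid {h['actor_pid']}: {h['detail']}")
    print("loader chains:", correlate(found))
```

The self-spawn rule is only a candidate on its own: process-creation telemetry cannot see SetThreadContext or WriteProcessMemory, so confirm hollowing with the API-level rows above or with the 0x400000-0x442000 region dumped from the child (PID 4400 here, 1936 in behavioral1), which is where the injected payload lives.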

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
NL | 23.62.61.72:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 104.26.13.205:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp
US | 8.8.8.8:53 | mail.formosabag.co.id | udp
ID | 122.102.44.2:587 | mail.formosabag.co.id | tcp
US | 8.8.8.8:53 | 2.44.102.122.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 52.111.227.11:443 | | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
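Triage of the network table above, as an added example that is not part of the sandbox report. It parses an excerpt of the rows (constructed inline from the table in the assumed `<country> <ip:port> [<domain>] <proto>` layout, plus one clearly fake `.invalid` lookup to exercise the resolved-but-never-connected case), discards resolver PTR lookups and the Windows 10 image's own background traffic to Bing, and classifies what remains. The noise suffixes, the external-IP-service list and the treatment of ports 25/465/587 as a candidate SMTP exfiltration channel are assumptions made for this example; the report itself only records the connections.

```python
"""Triage of the behavioral2 network table: drop sandbox/OS noise, keep the
connections an analyst would act on, and tag the likely exfil channel.

Added example, not part of the sandbox report. The noise suffixes, the
external-IP-service list and the SMTP-port classification are assumptions.
"""

# Excerpt of the report's table, constructed inline in the assumed layout
# "<country> <ip:port> [<domain>] <proto>". The c2.example.invalid line is
# NOT in the report; it is constructed to exercise the lookup-only branch.
NETWORK_TABLE = """\
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 mail.formosabag.co.id udp
ID 122.102.44.2:587 mail.formosabag.co.id tcp
US 8.8.8.8:53 2.44.102.122.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c2.example.invalid udp
"""

# Assumptions: background traffic of the sandbox's Windows 10 image, public
# "what is my IP" services that stealers of this class query, and SMTP ports.
NOISE_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com", ".windowsupdate.com", ".msftconnecttest.com")
EXTERNAL_IP_SERVICES = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org", "icanhazip.com"}
SMTP_PORTS = {25, 465, 587}


def parse_rows(table):
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:                 # connection to an IP the sandbox never resolved
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def is_noise(row):
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):           # resolver PTR lookups of addresses already in the table
        return True
    return any(d == s.lstrip(".") or d.endswith(s) for s in NOISE_SUFFIXES)


def classify(row):
    if row["port"] in SMTP_PORTS:
        return "exfil_smtp_candidate"         # stolen data mailed out through an SMTP account
    if row["domain"] in EXTERNAL_IP_SERVICES:
        return "recon_external_ip"            # victim geolocation / IP for the exfil report
    if not row["domain"]:
        return "unattributed"                 # bare IP: analyst review, do not block blindly
    return "review"


def triage(table):
    rows = parse_rows(table)
    connected = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    iocs = []
    for row in rows:
        if is_noise(row):
            continue
        if row["proto"] == "udp" and row["port"] == 53:
            if row["domain"] in connected:
                continue                      # the lookup is already represented by its tcp row
            row["category"] = "dns_lookup_only"   # resolved but never reached: server down or blocked
        else:
            row["category"] = classify(row)
        iocs.append(row)
    return iocs


def summarize(iocs):
    """Map category -> ["host:port", ...] (domain only for lookup-only rows)."""
    summary = {}
    for i in iocs:
        if i["category"] == "dns_lookup_only":
            label = i["domain"]
        else:
            label = f"{i['domain'] or i['ip']}:{i['port']}"
        summary.setdefault(i["category"], []).append(label)
    return summary


if __name__ == "__main__":
    for category, hosts in summarize(triage(NETWORK_TABLE)).items():
        print(f"{category:22s} {', '.join(hosts)}")
```

The 52.111.227.11:443 row has no domain in the table, so it is left for analyst review rather than blocked. Treat the SMTP host with the same care: the report shows the sample delivering to mail.formosabag.co.id on 587, which is consistent with a mailbox being used as the drop, so notify its owner rather than only blocking the address, since blocking stops this sample and nothing else.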

Files

memory/4552-0-0x00000000750BE000-0x00000000750BF000-memory.dmp

memory/4552-1-0x0000000000E20000-0x0000000000EFA000-memory.dmp

memory/4552-2-0x0000000005ED0000-0x0000000006474000-memory.dmp

memory/4552-3-0x0000000005920000-0x00000000059B2000-memory.dmp

memory/4552-4-0x00000000059C0000-0x0000000005D14000-memory.dmp

memory/4552-5-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/4552-6-0x0000000005DC0000-0x0000000005DCA000-memory.dmp

memory/4552-7-0x0000000005EC0000-0x0000000005ED6000-memory.dmp

memory/4552-8-0x0000000006E80000-0x0000000006E8E000-memory.dmp

memory/4552-9-0x0000000006E90000-0x0000000006EA0000-memory.dmp

memory/4552-10-0x0000000006F00000-0x0000000006F82000-memory.dmp

memory/4552-11-0x0000000009750000-0x00000000097EC000-memory.dmp

memory/2440-16-0x0000000004FA0000-0x0000000004FD6000-memory.dmp

memory/2440-17-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/2440-18-0x0000000005710000-0x0000000005D38000-memory.dmp

memory/2440-19-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/2440-20-0x00000000750B0000-0x0000000075860000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6A43.tmp

MD5 7d3fb8efd9a4ab105b49100fe6c923b0
SHA1 0c762aea6ec9f3d2347e58a4ff79899addbbd99d
SHA256 feff5256488b6bf9df5897f5b5fdb36997dcf9251925c83d5d7ae791a6d97cef
SHA512 0f8eca8c394cafe1e1995aff1cfef45204dbb612a323ab43f9ab1425f87891ade0915da8c67cc541dda35242c8b5761578f9299c5f55d0c90d575c9f706e487a

memory/4016-23-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/2440-22-0x0000000005DA0000-0x0000000005DC2000-memory.dmp

memory/2440-25-0x0000000005EB0000-0x0000000005F16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lxywg2hg.dye.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2440-24-0x0000000005E40000-0x0000000005EA6000-memory.dmp

memory/4016-44-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/4016-46-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/4400-45-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4552-48-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/2440-49-0x0000000006570000-0x000000000658E000-memory.dmp

memory/2440-50-0x0000000006960000-0x00000000069AC000-memory.dmp

memory/2440-62-0x0000000006B00000-0x0000000006B1E000-memory.dmp

memory/2440-52-0x0000000075940000-0x000000007598C000-memory.dmp

memory/2440-51-0x0000000006B20000-0x0000000006B52000-memory.dmp

memory/2440-63-0x0000000007550000-0x00000000075F3000-memory.dmp

memory/4016-64-0x0000000075940000-0x000000007598C000-memory.dmp

memory/4016-75-0x00000000078D0000-0x00000000078EA000-memory.dmp

memory/4016-74-0x0000000007F10000-0x000000000858A000-memory.dmp

memory/4016-76-0x0000000007940000-0x000000000794A000-memory.dmp

memory/2440-77-0x0000000007B30000-0x0000000007BC6000-memory.dmp

memory/4016-78-0x0000000007AD0000-0x0000000007AE1000-memory.dmp

memory/4016-80-0x0000000007B00000-0x0000000007B0E000-memory.dmp

memory/4016-81-0x0000000007B10000-0x0000000007B24000-memory.dmp

memory/4016-82-0x0000000007C10000-0x0000000007C2A000-memory.dmp

memory/4016-83-0x0000000007BF0000-0x0000000007BF8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bcf329bca210ac7e8f5450d8201bdb6d
SHA1 9cf387bfdbed7f027b1a7802f40f97b6e1d1f632
SHA256 8a311b1e852824fc9c768df0d727c0756564921085c3acae1bb7e2fbced43e70
SHA512 84535052638a58377b5e2d0abdc93663ecae278dcfb4d5da66074b47f3658b55029358605b69acecb595a1fb4def7a192cf28c398ea8492365381e7aa1af9d58

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/4016-86-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/2440-90-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/4400-91-0x0000000006AE0000-0x0000000006B30000-memory.dmp