Malware Analysis Report

2024-11-30 06:44

Sample ID 240604-bwlqwage5w
Target c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd
SHA256 c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd
Tags
execution agenttesla keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd

Threat Level: Known bad

The file c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd was found to be: Known bad.

Malicious Activity Summary

execution agenttesla keylogger persistence spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Checks computer location settings

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Reads WinSCP keys stored on the system

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:29

Reported

2024-06-04 01:32

Platform

win7-20240508-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2032 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2032 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2032 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 2032 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe

"C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oZaepUP.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oZaepUP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp61A0.tmp"

C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe

"C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe

"C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe

"C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe

"C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe

"C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

Network

N/A

Files

memory/2032-0-0x000000007473E000-0x000000007473F000-memory.dmp

memory/2032-1-0x0000000000020000-0x0000000000140000-memory.dmp

memory/2032-2-0x0000000074730000-0x0000000074E1E000-memory.dmp

memory/2032-3-0x00000000007E0000-0x00000000007F6000-memory.dmp

memory/2032-4-0x0000000004320000-0x000000000432E000-memory.dmp

memory/2032-5-0x0000000004720000-0x0000000004730000-memory.dmp

memory/2032-6-0x0000000005B80000-0x0000000005C38000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 6cad213bb11ce4542f2f1aaba4a4c2c7
SHA1 15bc48bb605ae172d17b6aab6c22fc845d446b2b
SHA256 e3de6081d81fea1f9288006ce55a01f890d88820deb89139da76ac242ec0d17d
SHA512 25ee12effd3781e21115824ecafe40f74a30808bdff8128d748c59f9ac7c08ba7e5a80854e57b1231ca8f0802c801648c50ed52237127ab71e4c63d492a4642d

C:\Users\Admin\AppData\Local\Temp\tmp61A0.tmp

MD5 045a8480927f6e7dc55e34190f4f6bd5
SHA1 efd4246318e5cbb0ae5a0e489453754027fd8925
SHA256 b12d805d96b7f21ea4c31575b798d07530bc088490e0edba00a711db70400a83
SHA512 c84a3f8ddf4110194291ff5146528add063de8e6213fc1e891ca6253b42331e27323968d77c9d82d649e73312cad85c80068228da9fabcc59903167519a44220

memory/2032-19-0x0000000074730000-0x0000000074E1E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:29

Reported

2024-06-04 01:32

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XSafpauirD = "C:\\Users\\Admin\\AppData\\Roaming\\XSafpauirD\\XSafpauirD.exe" | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1984 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 3036 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1984 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1984 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1984 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1984 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe
PID 1984 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe | C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe

"C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\oZaepUP.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oZaepUP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp733C.tmp"

C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe

"C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe

"C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe

"C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe

"C:\Users\Admin\AppData\Local\Temp\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | ip-api.com | udp
US | 208.95.112.1:80 | ip-api.com | tcp
US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp
US | 8.8.8.8:53 | mail.taqwaknitwear.com | udp
AU | 103.20.200.209:587 | mail.taqwaknitwear.com | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/1984-0-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

memory/1984-1-0x00000000008F0000-0x0000000000A10000-memory.dmp

memory/1984-2-0x0000000005A80000-0x0000000006024000-memory.dmp

memory/1984-3-0x00000000053E0000-0x0000000005472000-memory.dmp

memory/1984-4-0x00000000054B0000-0x00000000054BA000-memory.dmp

memory/1984-5-0x0000000074B70000-0x0000000075320000-memory.dmp

memory/1984-6-0x0000000005720000-0x0000000005736000-memory.dmp

memory/1984-7-0x0000000006640000-0x000000000664E000-memory.dmp

memory/1984-8-0x0000000006660000-0x0000000006670000-memory.dmp

memory/1984-9-0x00000000066A0000-0x0000000006758000-memory.dmp

memory/1984-10-0x000000000A9E0000-0x000000000AA7C000-memory.dmp

memory/3036-15-0x00000000029E0000-0x0000000002A16000-memory.dmp

memory/3036-16-0x0000000074B70000-0x0000000075320000-memory.dmp

memory/3036-18-0x0000000074B70000-0x0000000075320000-memory.dmp

memory/3036-17-0x0000000005520000-0x0000000005B48000-memory.dmp

memory/3036-19-0x0000000074B70000-0x0000000075320000-memory.dmp

memory/1616-20-0x0000000074B70000-0x0000000075320000-memory.dmp

memory/1616-21-0x0000000074B70000-0x0000000075320000-memory.dmp

memory/3036-25-0x0000000005B50000-0x0000000005BB6000-memory.dmp

memory/3036-24-0x00000000054B0000-0x0000000005516000-memory.dmp

memory/3036-23-0x0000000005410000-0x0000000005432000-memory.dmp

memory/1984-22-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

memory/1616-26-0x0000000074B70000-0x0000000075320000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp733C.tmp

MD5 08f671ca61b3eb14a0f3b69975e65ab7
SHA1 ca37e90ca5052d0a849627dbbf2a928c41596f4a
SHA256 a793451e08fe13d84a4db44a50e84e0683a10aa463b2ffa21420388496cdecf6
SHA512 c5ea80efe1927233d2018fb310b6a0847d6a44ac9b44cabb86fc03d5f04d14b4a53d0f4eadd7d24d64117195b11c71ff26a26da9b7ec8f14f16707e4746080c2

memory/3036-32-0x0000000005CC0000-0x0000000006014000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0gdruiz0.3r1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1852-47-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/1984-50-0x0000000074B70000-0x0000000075320000-memory.dmp

memory/1616-51-0x0000000005F70000-0x0000000005F8E000-memory.dmp

memory/1616-52-0x00000000064D0000-0x000000000651C000-memory.dmp

memory/3036-53-0x0000000007270000-0x00000000072A2000-memory.dmp

memory/3036-64-0x0000000007250000-0x000000000726E000-memory.dmp

memory/3036-54-0x0000000071320000-0x000000007136C000-memory.dmp

memory/3036-66-0x00000000074B0000-0x0000000007553000-memory.dmp

memory/1616-65-0x0000000071320000-0x000000007136C000-memory.dmp

memory/3036-76-0x0000000007C40000-0x00000000082BA000-memory.dmp

memory/1616-77-0x0000000007290000-0x00000000072AA000-memory.dmp

memory/1616-78-0x0000000007300000-0x000000000730A000-memory.dmp

memory/1616-79-0x0000000007510000-0x00000000075A6000-memory.dmp

memory/3036-80-0x0000000007800000-0x0000000007811000-memory.dmp

memory/3036-81-0x0000000007830000-0x000000000783E000-memory.dmp

memory/3036-82-0x0000000007840000-0x0000000007854000-memory.dmp

memory/3036-83-0x0000000007940000-0x000000000795A000-memory.dmp

memory/3036-84-0x0000000007920000-0x0000000007928000-memory.dmp

memory/3036-89-0x0000000074B70000-0x0000000075320000-memory.dmp

C:\Users\Admin\AppData\Roaming\XSafpauirD\XSafpauirD.exe

MD5 281f975dcee5c48aa09c0f74f6af4df1
SHA1 d51d2bd584a3737b98741956c1a06c1c7cfd3208
SHA256 c5592930939e9d89666348470d2e35415a9b04c45d0d2dfef0c0c60d370abffd
SHA512 4a6dae399fd6d5912fbe630510b074a73fc48f337e6ad2f80054533b6b2b9e13aad7ed01c08321d8af4baadba0599641121a9be2766dc590581dae83b694c169

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1616-93-0x0000000074B70000-0x0000000075320000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 93b6642cf9259ab57062f1fcae0c7aa4
SHA1 aa2950e54815c8c406d18fa72f3277ef09820dfb
SHA256 eb93fb50aaae478fc97ebac7ba8bebf673dcb4985041a5e89e8e30ee34cb8fa1
SHA512 719cb589b12999d400b9c6e5b69e559c4c86c3a5746215b14811af7bba07fc6150f1007d94733ea9571405e8dc0eb01573af08f7f63e119425587e762373d031

memory/1852-94-0x0000000006CF0000-0x0000000006D40000-memory.dmp