Malware Analysis Report

2024-11-30 06:47

Sample ID 240604-byvfsshd63
Target 72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7
SHA256 72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7
Tags: agenttesla execution keylogger spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7

Threat Level: Known bad

The file 72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan

AgentTesla

Command and Scripting Interpreter: PowerShell

Reads data files stored by FTP clients

Reads WinSCP keys stored on the system

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-04 01:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-04 01:33

Reported: 2024-06-04 01:36

Platform: win7-20240508-en

Max time kernel: 118s

Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |

Enumerates physical storage devices

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1712 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1712 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1712 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1712 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1712 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1712 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1712 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1712 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1712 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1712 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1712 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1712 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1712 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1712 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1712 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1712 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1712 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1712 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1712 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1712 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1712 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe

"C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aaxjCeKwADOvbl.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aaxjCeKwADOvbl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEFAC.tmp"

C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe

"C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |

Files

memory/1712-0-0x000000007414E000-0x000000007414F000-memory.dmp

memory/1712-1-0x0000000000F40000-0x0000000001006000-memory.dmp

memory/1712-2-0x0000000074140000-0x000000007482E000-memory.dmp

memory/1712-3-0x00000000004B0000-0x00000000004C6000-memory.dmp

memory/1712-4-0x00000000004E0000-0x00000000004EE000-memory.dmp

memory/1712-5-0x0000000000690000-0x00000000006A0000-memory.dmp

memory/1712-6-0x0000000005A90000-0x0000000005B12000-memory.dmp

memory/1712-7-0x000000007414E000-0x000000007414F000-memory.dmp

memory/1712-8-0x0000000074140000-0x000000007482E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEFAC.tmp

MD5 2ec04586005c03c6672a41f33da88cb2
SHA1 e5073ec61d7ae28731a4d034065b41715609879f
SHA256 5c253e525f3398d593965eb3615c6b013b46766053d56cf678bd612164690835
SHA512 5a5f0cf55f8438fdf12f7489e34e04d8c186094b58874c8fbc0f5d6b00588737476783b3aa8ceb8e7fd46c9d43d694de0d8131d9198cad3df396804d55128b97

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IA1UPHUA450S95AZ1Z15.temp

MD5 14ecc6bc18cd4e50556320cbb3dfedb6
SHA1 19486a9d0f2ce68be8fbaf2ff35a3421ff000b4a
SHA256 6ce52c9091c0df96506a0e07e439ac7526e12b11e57bb6211d6d12b2d8c76e2d
SHA512 d701c243b43c31a55865c756c9ad029cec309cb53bff4032daa582fcb4603eee682a7ca23cbf1da1ceb063eba9b87d1f898163a742c808e2ff23e61cb674db67

memory/2772-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2772-32-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2772-31-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2772-30-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2772-27-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2772-25-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2772-23-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2772-21-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1712-33-0x0000000074140000-0x000000007482E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-04 01:33

Reported: 2024-06-04 01:36

Platform: win10v2004-20240508-en

Max time kernel: 134s

Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Command and Scripting Interpreter: PowerShell

execution
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |

Enumerates physical storage devices

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1992 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1992 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1992 wrote to memory of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1992 wrote to memory of 1384 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1992 wrote to memory of 1384 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1992 wrote to memory of 1384 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1992 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1992 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1992 wrote to memory of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 1992 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1992 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1992 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1992 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1992 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1992 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1992 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |
| PID 1992 wrote to memory of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe | C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe

"C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aaxjCeKwADOvbl.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aaxjCeKwADOvbl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE63.tmp"

C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe

"C:\Users\Admin\AppData\Local\Temp\72e0f06a668b5d4dea9dc3885225ee3f4e93d006db34c4ca7fca7e5410a569b7.exe"

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.redsea.so | udp |
| US | 192.185.173.31:587 | mail.redsea.so | tcp |
| US | 8.8.8.8:53 | 31.173.185.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |

Files

memory/1992-0-0x000000007467E000-0x000000007467F000-memory.dmp

memory/1992-1-0x0000000000720000-0x00000000007E6000-memory.dmp

memory/1992-2-0x0000000005620000-0x0000000005BC4000-memory.dmp

memory/1992-3-0x0000000005110000-0x00000000051A2000-memory.dmp

memory/1992-4-0x00000000050C0000-0x00000000050CA000-memory.dmp

memory/1992-5-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/1992-6-0x00000000080E0000-0x00000000080F6000-memory.dmp

memory/1992-7-0x00000000062E0000-0x00000000062EE000-memory.dmp

memory/1992-8-0x0000000006300000-0x0000000006310000-memory.dmp

memory/1992-9-0x0000000006340000-0x00000000063C2000-memory.dmp

memory/1992-10-0x00000000065A0000-0x000000000663C000-memory.dmp

memory/1992-11-0x000000007467E000-0x000000007467F000-memory.dmp

memory/1992-12-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/2056-18-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/2056-17-0x00000000050F0000-0x0000000005126000-memory.dmp

memory/2056-19-0x0000000005760000-0x0000000005D88000-memory.dmp

memory/2056-20-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/1384-21-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/1384-23-0x0000000074670000-0x0000000074E20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE63.tmp

MD5 ad7a01fe0e4b271b3dd87b056d4ac9fc
SHA1 ac6c668afe84fedd6b15dbc26ad0c7d69c139732
SHA256 422cf7653aa8305146601d05cbb10504938770b0e682ac33e9eb176fc818a263
SHA512 7d1734616f04ac9e199c97eb4a0c5ae0506723b011301034145612ff727ffa9dfab9049e26462e83a97a792f953990cd896bc57d641b6f387b130ecfbbf1494d

memory/1160-25-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1384-24-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/2056-26-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/2056-30-0x0000000006040000-0x00000000060A6000-memory.dmp

memory/2056-29-0x0000000005FD0000-0x0000000006036000-memory.dmp

memory/2056-28-0x0000000005F30000-0x0000000005F52000-memory.dmp

memory/2056-31-0x00000000060B0000-0x0000000006404000-memory.dmp

memory/1992-49-0x0000000074670000-0x0000000074E20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2cv0o1b0.xwb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2056-51-0x00000000066A0000-0x00000000066BE000-memory.dmp

memory/2056-52-0x0000000006800000-0x000000000684C000-memory.dmp

memory/2056-53-0x0000000007850000-0x0000000007882000-memory.dmp

memory/2056-54-0x0000000074F10000-0x0000000074F5C000-memory.dmp

memory/2056-64-0x0000000007810000-0x000000000782E000-memory.dmp

memory/1384-65-0x0000000074F10000-0x0000000074F5C000-memory.dmp

memory/2056-66-0x0000000007890000-0x0000000007933000-memory.dmp

memory/1384-76-0x00000000076D0000-0x0000000007D4A000-memory.dmp

memory/1384-77-0x00000000063C0000-0x00000000063DA000-memory.dmp

memory/1384-78-0x0000000007080000-0x000000000708A000-memory.dmp

memory/2056-79-0x0000000007C50000-0x0000000007CE6000-memory.dmp

memory/1384-80-0x0000000007210000-0x0000000007221000-memory.dmp

memory/2056-81-0x0000000007C00000-0x0000000007C0E000-memory.dmp

memory/2056-82-0x0000000007C10000-0x0000000007C24000-memory.dmp

memory/2056-84-0x0000000007D10000-0x0000000007D2A000-memory.dmp

memory/1160-83-0x0000000006D40000-0x0000000006D90000-memory.dmp

memory/1384-85-0x0000000007330000-0x0000000007338000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 df8d9e168234cb07cb02d9fede2ec7d2
SHA1 12131ae5562ff57f393e22bcd05d41fc2f0a084a
SHA256 5c093982b7c081f9c730b881adf1f6888ea01bfdb718ce900e420ed35e97ba77
SHA512 5eeb19d563dd2ccea3dfed8ffafb7e75e141ce86c85276b8f47b55e741ce493259ed81af82f5934ebe776ce6377e3e55c32bc1f09ea7c8daebd70cf19a3a7e35

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/2056-92-0x0000000074670000-0x0000000074E20000-memory.dmp

memory/1384-91-0x0000000074670000-0x0000000074E20000-memory.dmp