agenttesla | 7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe
Size

1.2MB
MD5

57b81f3bfbd7e82065190ea6a2f59849
SHA1

2af119b418045b812b3b05f3d5385b11bfa89e91
SHA256

7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579
SHA512

345ddaa582bce12408cc2468a0f291c81578bf4f8bc4b5544c23b4a1c81fa5eef523bac425f0131237cce94ea04feb39f24226dae0933663473f6b230475d314
SSDEEP

24576:FY14/4rJAmk0U5hQ/Js4KvodVuI14/4r4zSHRm4Fc9R/p7ga1y8VP28ZSB6Q:FYaglZk5y/J3KvmVjagTQpmvyC

Score

10^/10

agenttesla redline sectoprat cetry credential_access discovery execution infostealer keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cetry

204.14.75.2:16383

Extracted

Family

agenttesla

https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1340-42-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1340-40-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1340-45-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1340-48-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1340-47-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/1340-42-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1340-40-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1340-45-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1340-48-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/1340-47-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2948	powershell.exe
2472	powershell.exe
1740	powershell.exe
1032	powershell.exe

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
2612	.o.exe
2548	Lr06aF2.exe
1340	.o.exe
2888	Lr06aF2.exe
2904	Lr06aF2.exe
536	Lr06aF2.exe
948	Lr06aF2.exe

Loads dropped DLL 5 IoCs

pid	Process
2612	.o.exe
2548	Lr06aF2.exe
2548	Lr06aF2.exe
2548	Lr06aF2.exe
2548	Lr06aF2.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2612 set thread context of 1340	2612	.o.exe	44
PID 2548 set thread context of 948	2548	Lr06aF2.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lr06aF2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lr06aF2.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2448	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2712	schtasks.exe
2236	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe
2612	.o.exe
2548	Lr06aF2.exe
2548	Lr06aF2.exe
2612	.o.exe
2612	.o.exe
2948	powershell.exe
2472	powershell.exe
2548	Lr06aF2.exe
2548	Lr06aF2.exe
1740	powershell.exe
1032	powershell.exe
2548	Lr06aF2.exe
2548	Lr06aF2.exe
2548	Lr06aF2.exe
2548	Lr06aF2.exe
2548	Lr06aF2.exe
2548	Lr06aF2.exe
2548	Lr06aF2.exe
2548	Lr06aF2.exe
948	Lr06aF2.exe
948	Lr06aF2.exe
1340	.o.exe
1340	.o.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe
Token: SeIncreaseQuotaPrivilege	592	WMIC.exe
Token: SeSecurityPrivilege	592	WMIC.exe
Token: SeTakeOwnershipPrivilege	592	WMIC.exe
Token: SeLoadDriverPrivilege	592	WMIC.exe
Token: SeSystemProfilePrivilege	592	WMIC.exe
Token: SeSystemtimePrivilege	592	WMIC.exe
Token: SeProfSingleProcessPrivilege	592	WMIC.exe
Token: SeIncBasePriorityPrivilege	592	WMIC.exe
Token: SeCreatePagefilePrivilege	592	WMIC.exe
Token: SeBackupPrivilege	592	WMIC.exe
Token: SeRestorePrivilege	592	WMIC.exe
Token: SeShutdownPrivilege	592	WMIC.exe
Token: SeDebugPrivilege	592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	592	WMIC.exe
Token: SeRemoteShutdownPrivilege	592	WMIC.exe
Token: SeUndockPrivilege	592	WMIC.exe
Token: SeManageVolumePrivilege	592	WMIC.exe
Token: 33	592	WMIC.exe
Token: 34	592	WMIC.exe
Token: 35	592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	592	WMIC.exe
Token: SeSecurityPrivilege	592	WMIC.exe
Token: SeTakeOwnershipPrivilege	592	WMIC.exe
Token: SeLoadDriverPrivilege	592	WMIC.exe
Token: SeSystemProfilePrivilege	592	WMIC.exe
Token: SeSystemtimePrivilege	592	WMIC.exe
Token: SeProfSingleProcessPrivilege	592	WMIC.exe
Token: SeIncBasePriorityPrivilege	592	WMIC.exe
Token: SeCreatePagefilePrivilege	592	WMIC.exe
Token: SeBackupPrivilege	592	WMIC.exe
Token: SeRestorePrivilege	592	WMIC.exe
Token: SeShutdownPrivilege	592	WMIC.exe
Token: SeDebugPrivilege	592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	592	WMIC.exe
Token: SeRemoteShutdownPrivilege	592	WMIC.exe
Token: SeUndockPrivilege	592	WMIC.exe
Token: SeManageVolumePrivilege	592	WMIC.exe
Token: 33	592	WMIC.exe
Token: 34	592	WMIC.exe
Token: 35	592	WMIC.exe
Token: SeDebugPrivilege	2612	.o.exe
Token: SeDebugPrivilege	2548	Lr06aF2.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1340	.o.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	948	Lr06aF2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
948	Lr06aF2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1644	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	29
PID 1992 wrote to memory of 1644	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	29
PID 1992 wrote to memory of 1644	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	29
PID 1644 wrote to memory of 592	1644	cmd.exe	31
PID 1644 wrote to memory of 592	1644	cmd.exe	31
PID 1644 wrote to memory of 592	1644	cmd.exe	31
PID 1992 wrote to memory of 2612	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	33
PID 1992 wrote to memory of 2612	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	33
PID 1992 wrote to memory of 2612	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	33
PID 1992 wrote to memory of 2612	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	33
PID 1992 wrote to memory of 2548	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	34
PID 1992 wrote to memory of 2548	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	34
PID 1992 wrote to memory of 2548	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	34
PID 1992 wrote to memory of 2548	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	34
PID 1992 wrote to memory of 2664	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	35
PID 1992 wrote to memory of 2664	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	35
PID 1992 wrote to memory of 2664	1992	7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe	35
PID 2664 wrote to memory of 2448	2664	cmd.exe	37
PID 2664 wrote to memory of 2448	2664	cmd.exe	37
PID 2664 wrote to memory of 2448	2664	cmd.exe	37
PID 2612 wrote to memory of 2948	2612	.o.exe	38
PID 2612 wrote to memory of 2948	2612	.o.exe	38
PID 2612 wrote to memory of 2948	2612	.o.exe	38
PID 2612 wrote to memory of 2948	2612	.o.exe	38
PID 2612 wrote to memory of 2472	2612	.o.exe	40
PID 2612 wrote to memory of 2472	2612	.o.exe	40
PID 2612 wrote to memory of 2472	2612	.o.exe	40
PID 2612 wrote to memory of 2472	2612	.o.exe	40
PID 2612 wrote to memory of 2712	2612	.o.exe	42
PID 2612 wrote to memory of 2712	2612	.o.exe	42
PID 2612 wrote to memory of 2712	2612	.o.exe	42
PID 2612 wrote to memory of 2712	2612	.o.exe	42
PID 2612 wrote to memory of 1340	2612	.o.exe	44
PID 2612 wrote to memory of 1340	2612	.o.exe	44
PID 2612 wrote to memory of 1340	2612	.o.exe	44
PID 2612 wrote to memory of 1340	2612	.o.exe	44
PID 2612 wrote to memory of 1340	2612	.o.exe	44
PID 2612 wrote to memory of 1340	2612	.o.exe	44
PID 2612 wrote to memory of 1340	2612	.o.exe	44
PID 2612 wrote to memory of 1340	2612	.o.exe	44
PID 2612 wrote to memory of 1340	2612	.o.exe	44
PID 2548 wrote to memory of 1740	2548	Lr06aF2.exe	46
PID 2548 wrote to memory of 1740	2548	Lr06aF2.exe	46
PID 2548 wrote to memory of 1740	2548	Lr06aF2.exe	46
PID 2548 wrote to memory of 1740	2548	Lr06aF2.exe	46
PID 2548 wrote to memory of 1032	2548	Lr06aF2.exe	48
PID 2548 wrote to memory of 1032	2548	Lr06aF2.exe	48
PID 2548 wrote to memory of 1032	2548	Lr06aF2.exe	48
PID 2548 wrote to memory of 1032	2548	Lr06aF2.exe	48
PID 2548 wrote to memory of 2236	2548	Lr06aF2.exe	50
PID 2548 wrote to memory of 2236	2548	Lr06aF2.exe	50
PID 2548 wrote to memory of 2236	2548	Lr06aF2.exe	50
PID 2548 wrote to memory of 2236	2548	Lr06aF2.exe	50
PID 2548 wrote to memory of 2888	2548	Lr06aF2.exe	52
PID 2548 wrote to memory of 2888	2548	Lr06aF2.exe	52
PID 2548 wrote to memory of 2888	2548	Lr06aF2.exe	52
PID 2548 wrote to memory of 2888	2548	Lr06aF2.exe	52
PID 2548 wrote to memory of 2904	2548	Lr06aF2.exe	53
PID 2548 wrote to memory of 2904	2548	Lr06aF2.exe	53
PID 2548 wrote to memory of 2904	2548	Lr06aF2.exe	53
PID 2548 wrote to memory of 2904	2548	Lr06aF2.exe	53
PID 2548 wrote to memory of 536	2548	Lr06aF2.exe	54
PID 2548 wrote to memory of 536	2548	Lr06aF2.exe	54
PID 2548 wrote to memory of 536	2548	Lr06aF2.exe	54

C:\Users\Admin\AppData\Local\Temp\7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe
"C:\Users\Admin\AppData\Local\Temp\7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\system32\cmd.exe
  "cmd" /C wmic path win32_ComputerSystem get model
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_ComputerSystem get model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:592
- C:\Users\Admin\AppData\Local\Temp\xljhUUAZPN\.o.exe
  "C:\Users\Admin\AppData\Local\Temp\xljhUUAZPN\.o.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\xljhUUAZPN\.o.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yrKXjGxQmBWW.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2472
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yrKXjGxQmBWW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2712
- - C:\Users\Admin\AppData\Local\Temp\xljhUUAZPN\.o.exe
    "C:\Users\Admin\AppData\Local\Temp\xljhUUAZPN\.o.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- C:\Users\Admin\AppData\Local\Temp\eDiSWUCVLtPb\Lr06aF2.exe
  "C:\Users\Admin\AppData\Local\Temp\eDiSWUCVLtPb\Lr06aF2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\eDiSWUCVLtPb\Lr06aF2.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\chdfWgdrBoqaQH.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\chdfWgdrBoqaQH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp647D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2236
- - C:\Users\Admin\AppData\Local\Temp\eDiSWUCVLtPb\Lr06aF2.exe
    "C:\Users\Admin\AppData\Local\Temp\eDiSWUCVLtPb\Lr06aF2.exe"
    3⤵
    - Executes dropped EXE
    PID:2888
- - C:\Users\Admin\AppData\Local\Temp\eDiSWUCVLtPb\Lr06aF2.exe
    "C:\Users\Admin\AppData\Local\Temp\eDiSWUCVLtPb\Lr06aF2.exe"
    3⤵
    - Executes dropped EXE
    PID:2904
- - C:\Users\Admin\AppData\Local\Temp\eDiSWUCVLtPb\Lr06aF2.exe
    "C:\Users\Admin\AppData\Local\Temp\eDiSWUCVLtPb\Lr06aF2.exe"
    3⤵
    - Executes dropped EXE
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\eDiSWUCVLtPb\Lr06aF2.exe
    "C:\Users\Admin\AppData\Local\Temp\eDiSWUCVLtPb\Lr06aF2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eDiSWUCVLtPb\Lr06aF2.exe

Filesize
674KB

MD5
333530d0096c73c47bc96cb7d6a269ee

SHA1
9e723485bb599e115f9c39fc968d203ff4030b4f

SHA256
9c1f7fdc98b26e6050ccc33b618000fb57840aafbeb115cb0f17da5dfb3e5817

SHA512
33165422ef97ff5954642714394a2e1cef99fb8a2037deee2dc5261abdc791856f01a8dec856df2a78f979353a4bcc6d6efd9ded4646955028484eb13a50a4a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp

Filesize
1KB

MD5
2edf5dbe4f4bb1c55cfc4d33041f1e53

SHA1
36b7c3f01b2dc2bfabc6bceac6554ea775f6cd32

SHA256
62bc14fa74a2e9323f88e50b356ecae2b754c5d2f46e33d1a81961b5b759e4b8

SHA512
899edba0d94405f851b29857de2b3c0c8a67bc824f0dd4fd8b9ef60fed92bbb0daa944f97384594f38a2405b456c1c26d306ed4ab0dc4a93077f996922a2d428

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp647D.tmp

Filesize
1KB

MD5
d55d8355c9a265e5a70e37ea5bd028ca

SHA1
89ded311b71f821fed4df52e58978f0b9cd7e716

SHA256
f1f932fe762cb148122aeacbfb753a8cd22354111701e1ad45b105b0f84d7f2d

SHA512
4a2e67d0bd852b2424fe288fc59e9bcd11aea4e900ed5325d2be6cc380cc3a9795cea20c819f13c09161547619f615a80bd2196b414ac881a29edc1b9695856e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7834.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7879.tmp

Filesize
92KB

MD5
c61f0bee83c8a956f2cf4ceba90bebc9

SHA1
f4f61f0e65b7669be468cacaf8e00b2f30cb46cc

SHA256
601c578f842ad1a4c743f3bf049d691225697819abe9b75bfe156264412e28dc

SHA512
e6949a72e8bc26fd2910339ae75f22a36a0ad0bf9579bb2a0ada2ee2b8fb3a1b3891756eec774d4a64263e937c6ae768249e64874c559bb2f1b69d2d38bfceaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\xljhUUAZPN\.o.exe

Filesize
512KB

MD5
2cbdff90aaacac29661f94612f679136

SHA1
51294f2b2bd7e3f881bb195da4d4948455977335

SHA256
d9eb90a7539e5fd28b7852750a26b461b231acd6b93bc6c0085826397f6e5499

SHA512
e8cd38086c32e47616e2db5796462e1e1f7da06bf5e95c635ff6a0eafd20a5b81cf2960743639fadde7f0dfc03a2d2b34923820a9c980549bb0c44a1ad24f15d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2be863613f856ff2cecdc33aaa29ce38

SHA1
0283ebfe4c4a1796564e621a9b981acd755d024d

SHA256
09e7d34478ae6697ebe225c5ccd1bcd820cfc8c498c90ad52ff28b4c70809815

SHA512
57a87bb2b92887d1bd3bcaa229d54edee4a282de774ffcde5122e87117bad5a877222f22226508440268e85db1681f3fb0065ca6b4a424e6649a887b2d945029

Download Submit
memory/948-77-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/948-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/948-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/948-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/948-83-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/948-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/948-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/948-78-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1340-40-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1340-45-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1340-36-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1340-48-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1340-47-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1340-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1340-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1340-38-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1992-0-0x000007FEF5743000-0x000007FEF5744000-memory.dmp

Filesize
4KB

Download
memory/1992-1-0x0000000000A90000-0x0000000000BC2000-memory.dmp

Filesize
1.2MB

Download
memory/2548-18-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2548-21-0x0000000004DB0000-0x0000000004E36000-memory.dmp

Filesize
536KB

Download
memory/2548-17-0x0000000000140000-0x00000000001EE000-memory.dmp

Filesize
696KB

Download
memory/2612-20-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/2612-19-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/2612-16-0x00000000008D0000-0x0000000000956000-memory.dmp

Filesize
536KB

Download
memory/2612-22-0x0000000004880000-0x00000000048E0000-memory.dmp

Filesize
384KB

Download