agenttesla | 16e79b3ea5478b6dc1e6664b912ce29abcf1a40860137cfcd08f2c2c6886e82e

Analysis

max time kernel
95s
max time network
113s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Design Specification.exe
Size

1.2MB
MD5

9c00a98791d68b0c6a6de0b54c5fb2a4
SHA1

1323ac73e31ca0ab98bf5282be089920544031a1
SHA256

273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e
SHA512

d598b7bba1cc0eb562d382d9d43e127d68ec10d7ae048c432e8d765a9e4d2a991da0b0699184cb57f9fc0ec651a3bf99b01dd2a78aae8a28b10d20bf3061c1b2
SSDEEP

24576:GyzHgPQArY3MY5jdCtv3GhERG7Qnr7lth7sMukjdC6:GyzfArY3MY1d+OhERGsnrJth7fHdv

Score

10^/10

agenttesla redline sectoprat newlogs credential_access discovery execution infostealer keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/

Extracted

Family

redline

Botnet

Newlogs

204.14.75.2:16383

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/820-77-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/820-74-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/820-72-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/820-79-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/820-81-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/820-77-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/820-74-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/820-72-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/820-79-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/820-81-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1800	powershell.exe
2944	powershell.exe
2180	powershell.exe
896	powershell.exe

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2876	qRAxe4BVi4w4QAu.exe
2936	bcZ6UEHjq9RUQie.exe
2144	bcZ6UEHjq9RUQie.exe
2576	bcZ6UEHjq9RUQie.exe
820	qRAxe4BVi4w4QAu.exe

Loads dropped DLL 3 IoCs

pid	Process
2936	bcZ6UEHjq9RUQie.exe
2936	bcZ6UEHjq9RUQie.exe
2876	qRAxe4BVi4w4QAu.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2936 set thread context of 2576	2936	bcZ6UEHjq9RUQie.exe	45
PID 2876 set thread context of 820	2876	qRAxe4BVi4w4QAu.exe	52

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qRAxe4BVi4w4QAu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qRAxe4BVi4w4QAu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcZ6UEHjq9RUQie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcZ6UEHjq9RUQie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2624	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2912	schtasks.exe
2516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2884	Design Specification.exe
2876	qRAxe4BVi4w4QAu.exe
2936	bcZ6UEHjq9RUQie.exe
2876	qRAxe4BVi4w4QAu.exe
2936	bcZ6UEHjq9RUQie.exe
2876	qRAxe4BVi4w4QAu.exe
2936	bcZ6UEHjq9RUQie.exe
1800	powershell.exe
2876	qRAxe4BVi4w4QAu.exe
2936	bcZ6UEHjq9RUQie.exe
2944	powershell.exe
2936	bcZ6UEHjq9RUQie.exe
2936	bcZ6UEHjq9RUQie.exe
2936	bcZ6UEHjq9RUQie.exe
2576	bcZ6UEHjq9RUQie.exe
2576	bcZ6UEHjq9RUQie.exe
2876	qRAxe4BVi4w4QAu.exe
2876	qRAxe4BVi4w4QAu.exe
2180	powershell.exe
896	powershell.exe
2876	qRAxe4BVi4w4QAu.exe
820	qRAxe4BVi4w4QAu.exe
820	qRAxe4BVi4w4QAu.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	Design Specification.exe
Token: SeIncreaseQuotaPrivilege	2208	WMIC.exe
Token: SeSecurityPrivilege	2208	WMIC.exe
Token: SeTakeOwnershipPrivilege	2208	WMIC.exe
Token: SeLoadDriverPrivilege	2208	WMIC.exe
Token: SeSystemProfilePrivilege	2208	WMIC.exe
Token: SeSystemtimePrivilege	2208	WMIC.exe
Token: SeProfSingleProcessPrivilege	2208	WMIC.exe
Token: SeIncBasePriorityPrivilege	2208	WMIC.exe
Token: SeCreatePagefilePrivilege	2208	WMIC.exe
Token: SeBackupPrivilege	2208	WMIC.exe
Token: SeRestorePrivilege	2208	WMIC.exe
Token: SeShutdownPrivilege	2208	WMIC.exe
Token: SeDebugPrivilege	2208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2208	WMIC.exe
Token: SeRemoteShutdownPrivilege	2208	WMIC.exe
Token: SeUndockPrivilege	2208	WMIC.exe
Token: SeManageVolumePrivilege	2208	WMIC.exe
Token: 33	2208	WMIC.exe
Token: 34	2208	WMIC.exe
Token: 35	2208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2208	WMIC.exe
Token: SeSecurityPrivilege	2208	WMIC.exe
Token: SeTakeOwnershipPrivilege	2208	WMIC.exe
Token: SeLoadDriverPrivilege	2208	WMIC.exe
Token: SeSystemProfilePrivilege	2208	WMIC.exe
Token: SeSystemtimePrivilege	2208	WMIC.exe
Token: SeProfSingleProcessPrivilege	2208	WMIC.exe
Token: SeIncBasePriorityPrivilege	2208	WMIC.exe
Token: SeCreatePagefilePrivilege	2208	WMIC.exe
Token: SeBackupPrivilege	2208	WMIC.exe
Token: SeRestorePrivilege	2208	WMIC.exe
Token: SeShutdownPrivilege	2208	WMIC.exe
Token: SeDebugPrivilege	2208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2208	WMIC.exe
Token: SeRemoteShutdownPrivilege	2208	WMIC.exe
Token: SeUndockPrivilege	2208	WMIC.exe
Token: SeManageVolumePrivilege	2208	WMIC.exe
Token: 33	2208	WMIC.exe
Token: 34	2208	WMIC.exe
Token: 35	2208	WMIC.exe
Token: SeDebugPrivilege	2876	qRAxe4BVi4w4QAu.exe
Token: SeDebugPrivilege	2936	bcZ6UEHjq9RUQie.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2576	bcZ6UEHjq9RUQie.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	820	qRAxe4BVi4w4QAu.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2576	bcZ6UEHjq9RUQie.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2412	2884	Design Specification.exe	29
PID 2884 wrote to memory of 2412	2884	Design Specification.exe	29
PID 2884 wrote to memory of 2412	2884	Design Specification.exe	29
PID 2412 wrote to memory of 2208	2412	cmd.exe	31
PID 2412 wrote to memory of 2208	2412	cmd.exe	31
PID 2412 wrote to memory of 2208	2412	cmd.exe	31
PID 2884 wrote to memory of 2876	2884	Design Specification.exe	33
PID 2884 wrote to memory of 2876	2884	Design Specification.exe	33
PID 2884 wrote to memory of 2876	2884	Design Specification.exe	33
PID 2884 wrote to memory of 2876	2884	Design Specification.exe	33
PID 2884 wrote to memory of 2936	2884	Design Specification.exe	34
PID 2884 wrote to memory of 2936	2884	Design Specification.exe	34
PID 2884 wrote to memory of 2936	2884	Design Specification.exe	34
PID 2884 wrote to memory of 2936	2884	Design Specification.exe	34
PID 2884 wrote to memory of 2748	2884	Design Specification.exe	35
PID 2884 wrote to memory of 2748	2884	Design Specification.exe	35
PID 2884 wrote to memory of 2748	2884	Design Specification.exe	35
PID 2748 wrote to memory of 2624	2748	cmd.exe	37
PID 2748 wrote to memory of 2624	2748	cmd.exe	37
PID 2748 wrote to memory of 2624	2748	cmd.exe	37
PID 2936 wrote to memory of 1800	2936	bcZ6UEHjq9RUQie.exe	38
PID 2936 wrote to memory of 1800	2936	bcZ6UEHjq9RUQie.exe	38
PID 2936 wrote to memory of 1800	2936	bcZ6UEHjq9RUQie.exe	38
PID 2936 wrote to memory of 1800	2936	bcZ6UEHjq9RUQie.exe	38
PID 2936 wrote to memory of 2944	2936	bcZ6UEHjq9RUQie.exe	40
PID 2936 wrote to memory of 2944	2936	bcZ6UEHjq9RUQie.exe	40
PID 2936 wrote to memory of 2944	2936	bcZ6UEHjq9RUQie.exe	40
PID 2936 wrote to memory of 2944	2936	bcZ6UEHjq9RUQie.exe	40
PID 2936 wrote to memory of 2912	2936	bcZ6UEHjq9RUQie.exe	42
PID 2936 wrote to memory of 2912	2936	bcZ6UEHjq9RUQie.exe	42
PID 2936 wrote to memory of 2912	2936	bcZ6UEHjq9RUQie.exe	42
PID 2936 wrote to memory of 2912	2936	bcZ6UEHjq9RUQie.exe	42
PID 2936 wrote to memory of 2144	2936	bcZ6UEHjq9RUQie.exe	44
PID 2936 wrote to memory of 2144	2936	bcZ6UEHjq9RUQie.exe	44
PID 2936 wrote to memory of 2144	2936	bcZ6UEHjq9RUQie.exe	44
PID 2936 wrote to memory of 2144	2936	bcZ6UEHjq9RUQie.exe	44
PID 2936 wrote to memory of 2576	2936	bcZ6UEHjq9RUQie.exe	45
PID 2936 wrote to memory of 2576	2936	bcZ6UEHjq9RUQie.exe	45
PID 2936 wrote to memory of 2576	2936	bcZ6UEHjq9RUQie.exe	45
PID 2936 wrote to memory of 2576	2936	bcZ6UEHjq9RUQie.exe	45
PID 2936 wrote to memory of 2576	2936	bcZ6UEHjq9RUQie.exe	45
PID 2936 wrote to memory of 2576	2936	bcZ6UEHjq9RUQie.exe	45
PID 2936 wrote to memory of 2576	2936	bcZ6UEHjq9RUQie.exe	45
PID 2936 wrote to memory of 2576	2936	bcZ6UEHjq9RUQie.exe	45
PID 2936 wrote to memory of 2576	2936	bcZ6UEHjq9RUQie.exe	45
PID 2876 wrote to memory of 2180	2876	qRAxe4BVi4w4QAu.exe	46
PID 2876 wrote to memory of 2180	2876	qRAxe4BVi4w4QAu.exe	46
PID 2876 wrote to memory of 2180	2876	qRAxe4BVi4w4QAu.exe	46
PID 2876 wrote to memory of 2180	2876	qRAxe4BVi4w4QAu.exe	46
PID 2876 wrote to memory of 896	2876	qRAxe4BVi4w4QAu.exe	48
PID 2876 wrote to memory of 896	2876	qRAxe4BVi4w4QAu.exe	48
PID 2876 wrote to memory of 896	2876	qRAxe4BVi4w4QAu.exe	48
PID 2876 wrote to memory of 896	2876	qRAxe4BVi4w4QAu.exe	48
PID 2876 wrote to memory of 2516	2876	qRAxe4BVi4w4QAu.exe	50
PID 2876 wrote to memory of 2516	2876	qRAxe4BVi4w4QAu.exe	50
PID 2876 wrote to memory of 2516	2876	qRAxe4BVi4w4QAu.exe	50
PID 2876 wrote to memory of 2516	2876	qRAxe4BVi4w4QAu.exe	50
PID 2876 wrote to memory of 820	2876	qRAxe4BVi4w4QAu.exe	52
PID 2876 wrote to memory of 820	2876	qRAxe4BVi4w4QAu.exe	52
PID 2876 wrote to memory of 820	2876	qRAxe4BVi4w4QAu.exe	52
PID 2876 wrote to memory of 820	2876	qRAxe4BVi4w4QAu.exe	52
PID 2876 wrote to memory of 820	2876	qRAxe4BVi4w4QAu.exe	52
PID 2876 wrote to memory of 820	2876	qRAxe4BVi4w4QAu.exe	52
PID 2876 wrote to memory of 820	2876	qRAxe4BVi4w4QAu.exe	52

C:\Users\Admin\AppData\Local\Temp\Design Specification.exe
"C:\Users\Admin\AppData\Local\Temp\Design Specification.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\system32\cmd.exe
  "cmd" /C wmic path win32_ComputerSystem get model
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_ComputerSystem get model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2208
- C:\Users\Admin\AppData\Local\Temp\XKSfkLbHzH\qRAxe4BVi4w4QAu.exe
  "C:\Users\Admin\AppData\Local\Temp\XKSfkLbHzH\qRAxe4BVi4w4QAu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\XKSfkLbHzH\qRAxe4BVi4w4QAu.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\myGzDa.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:896
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myGzDa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8DAF.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2516
- - C:\Users\Admin\AppData\Local\Temp\XKSfkLbHzH\qRAxe4BVi4w4QAu.exe
    "C:\Users\Admin\AppData\Local\Temp\XKSfkLbHzH\qRAxe4BVi4w4QAu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- C:\Users\Admin\AppData\Local\Temp\qcppiBUtAinE\bcZ6UEHjq9RUQie.exe
  "C:\Users\Admin\AppData\Local\Temp\qcppiBUtAinE\bcZ6UEHjq9RUQie.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\qcppiBUtAinE\bcZ6UEHjq9RUQie.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wZQfmZuDNV.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZQfmZuDNV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C61.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2912
- - C:\Users\Admin\AppData\Local\Temp\qcppiBUtAinE\bcZ6UEHjq9RUQie.exe
    "C:\Users\Admin\AppData\Local\Temp\qcppiBUtAinE\bcZ6UEHjq9RUQie.exe"
    3⤵
    - Executes dropped EXE
    PID:2144
- - C:\Users\Admin\AppData\Local\Temp\qcppiBUtAinE\bcZ6UEHjq9RUQie.exe
    "C:\Users\Admin\AppData\Local\Temp\qcppiBUtAinE\bcZ6UEHjq9RUQie.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\Design Specification.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XKSfkLbHzH\qRAxe4BVi4w4QAu.exe

Filesize
514KB

MD5
2f861fda2a090853f86410f0ff8d30dc

SHA1
060753fa5cca333b921038e442e68da378b24f3b

SHA256
5db136630ffb44706b82b763fed5f4ad055aa1f23105ec6f3a2705247efec2ef

SHA512
7bccda358f835157e2ba65c315ed8fa2c3f1a65114e659bfb16c147f590a3c443c0a1371c4d72b3a266357aa3d96883905aa5e379467253844f0ca58d33e819d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcppiBUtAinE\bcZ6UEHjq9RUQie.exe

Filesize
675KB

MD5
bbad7a6fee03dcde2ecfd6461f628851

SHA1
7536405200aef02a38bd0d59bbc7920bfb474e53

SHA256
874d65e5a417c725c846a9af3380a3c77442afa50c20929eda3ff715c5b61676

SHA512
1ab1b17295c25e6ac6c74c34fd23904ec10457cfe07d54e5b74f15ba7029689dae1802236f6c09ebdd26bf4d4c91df7620bbe07198057fa5be53c5f5af89255b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C61.tmp

Filesize
1KB

MD5
c22ad49ca48dce73929dd4b7c3e91608

SHA1
311602602d08562918c957c1d1080bde5087384e

SHA256
d243c67f2b86f557360411fe73de8947c1fa9aee07b3f9cd2c8689d4de08978a

SHA512
c34a18ec8e15290b3de2654bf39e3f8dfadbfa526b80f11ad1de35269b414777b51c7abc05705a88d3f117b74ca8a9a1cc7c9dc2fb8cfd71490df9d3b4843dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DAF.tmp

Filesize
1KB

MD5
803cca05ec4e866d767c9b318c689034

SHA1
26f944d7721034b4b795eccaaa8767bca4bcdf66

SHA256
0318982c26c1aaf409440f1a30d68da6b4d0506c814112bc47cd7fbf02395c54

SHA512
614d9deaffd2fb3782a11588f1067d5a9277889e526f20b6e67649f388314a40683693dfba1b4ff23f59edf0d6c55f5dc4e94e702f927e13e7cc15ea3c7e5b9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE89.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAECE.tmp

Filesize
92KB

MD5
dd6944619a1cff7c63c0e49ed65368ca

SHA1
a055ce9efa2206cdc35b924d43a5d06f453ce777

SHA256
58ea6de2879649260c0a62b6e8e045e88c3311978e993f63a8dfcdb0dba9f05d

SHA512
856d454cd202fc39bec08f7ea7fb9c631e5531c1d5ffc269d3ea4ef2cdd568b176da0f8e00ffd8c80eaad461cecbce213fa4cd46b142a7760fd32815261fddd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2ea205e308e56e0231190dbe4b467d01

SHA1
af8d70c21c937f085dd73eabff81bd5de7b84e6f

SHA256
ae38dcf78496663861214dc508484cf7d2d945605394a622a09d42b2388aac61

SHA512
be4fe609d37ef44126445ad4416be305866ff97fe7756658ebec0f374f68c6efa780b4a47f3d1dc4f755bbcbaa254d7dee7b32679fd641dbac1088ed7f639915

Download Submit
memory/820-70-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/820-72-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/820-68-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/820-79-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/820-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/820-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/820-77-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/820-81-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2576-41-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2576-46-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2576-37-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2576-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2576-43-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2576-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2576-50-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2876-20-0x0000000004130000-0x0000000004190000-memory.dmp

Filesize
384KB

Download
memory/2876-18-0x00000000005F0000-0x0000000000606000-memory.dmp

Filesize
88KB

Download
memory/2876-16-0x0000000000AF0000-0x0000000000B76000-memory.dmp

Filesize
536KB

Download
memory/2884-0-0x000007FEF5643000-0x000007FEF5644000-memory.dmp

Filesize
4KB

Download
memory/2884-1-0x0000000000C20000-0x0000000000D52000-memory.dmp

Filesize
1.2MB

Download
memory/2936-21-0x0000000004D20000-0x0000000004DA6000-memory.dmp

Filesize
536KB

Download
memory/2936-19-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/2936-17-0x00000000000F0000-0x00000000001A0000-memory.dmp

Filesize
704KB

Download