agenttesla | 273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e

Analysis

max time kernel
118s
max time network
137s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/08/2024, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe
Size

1.2MB
MD5

9c00a98791d68b0c6a6de0b54c5fb2a4
SHA1

1323ac73e31ca0ab98bf5282be089920544031a1
SHA256

273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e
SHA512

d598b7bba1cc0eb562d382d9d43e127d68ec10d7ae048c432e8d765a9e4d2a991da0b0699184cb57f9fc0ec651a3bf99b01dd2a78aae8a28b10d20bf3061c1b2
SSDEEP

24576:GyzHgPQArY3MY5jdCtv3GhERG7Qnr7lth7sMukjdC6:GyzfArY3MY1d+OhERGsnrJth7fHdv

Score

10^/10

agenttesla redline sectoprat newlogs credential_access discovery execution infostealer keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

Newlogs

204.14.75.2:16383

Extracted

Family

agenttesla

https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2948-46-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2948-43-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2948-41-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2948-48-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2948-50-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2948-46-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2948-43-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2948-41-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2948-48-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2948-50-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1784	powershell.exe
2928	powershell.exe
700	powershell.exe
1676	powershell.exe

Deletes itself 1 IoCs

pid	Process
3012	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2776	qRAxe4BVi4w4QAu.exe
2860	bcZ6UEHjq9RUQie.exe
2400	qRAxe4BVi4w4QAu.exe
2948	qRAxe4BVi4w4QAu.exe
1076	bcZ6UEHjq9RUQie.exe

Loads dropped DLL 3 IoCs

pid	Process
2776	qRAxe4BVi4w4QAu.exe
2776	qRAxe4BVi4w4QAu.exe
2860	bcZ6UEHjq9RUQie.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2776 set thread context of 2948	2776	qRAxe4BVi4w4QAu.exe	47
PID 2860 set thread context of 1076	2860	bcZ6UEHjq9RUQie.exe	55

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qRAxe4BVi4w4QAu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qRAxe4BVi4w4QAu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcZ6UEHjq9RUQie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcZ6UEHjq9RUQie.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2632	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2984	schtasks.exe
568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe
2860	bcZ6UEHjq9RUQie.exe
2776	qRAxe4BVi4w4QAu.exe
2860	bcZ6UEHjq9RUQie.exe
2776	qRAxe4BVi4w4QAu.exe
2776	qRAxe4BVi4w4QAu.exe
2860	bcZ6UEHjq9RUQie.exe
2860	bcZ6UEHjq9RUQie.exe
2776	qRAxe4BVi4w4QAu.exe
2776	qRAxe4BVi4w4QAu.exe
2776	qRAxe4BVi4w4QAu.exe
2776	qRAxe4BVi4w4QAu.exe
2928	powershell.exe
1784	powershell.exe
2860	bcZ6UEHjq9RUQie.exe
2860	bcZ6UEHjq9RUQie.exe
2860	bcZ6UEHjq9RUQie.exe
700	powershell.exe
1676	powershell.exe
2860	bcZ6UEHjq9RUQie.exe
1076	bcZ6UEHjq9RUQie.exe
1076	bcZ6UEHjq9RUQie.exe
2948	qRAxe4BVi4w4QAu.exe
2948	qRAxe4BVi4w4QAu.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe
Token: SeIncreaseQuotaPrivilege	3060	WMIC.exe
Token: SeSecurityPrivilege	3060	WMIC.exe
Token: SeTakeOwnershipPrivilege	3060	WMIC.exe
Token: SeLoadDriverPrivilege	3060	WMIC.exe
Token: SeSystemProfilePrivilege	3060	WMIC.exe
Token: SeSystemtimePrivilege	3060	WMIC.exe
Token: SeProfSingleProcessPrivilege	3060	WMIC.exe
Token: SeIncBasePriorityPrivilege	3060	WMIC.exe
Token: SeCreatePagefilePrivilege	3060	WMIC.exe
Token: SeBackupPrivilege	3060	WMIC.exe
Token: SeRestorePrivilege	3060	WMIC.exe
Token: SeShutdownPrivilege	3060	WMIC.exe
Token: SeDebugPrivilege	3060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3060	WMIC.exe
Token: SeRemoteShutdownPrivilege	3060	WMIC.exe
Token: SeUndockPrivilege	3060	WMIC.exe
Token: SeManageVolumePrivilege	3060	WMIC.exe
Token: 33	3060	WMIC.exe
Token: 34	3060	WMIC.exe
Token: 35	3060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3060	WMIC.exe
Token: SeSecurityPrivilege	3060	WMIC.exe
Token: SeTakeOwnershipPrivilege	3060	WMIC.exe
Token: SeLoadDriverPrivilege	3060	WMIC.exe
Token: SeSystemProfilePrivilege	3060	WMIC.exe
Token: SeSystemtimePrivilege	3060	WMIC.exe
Token: SeProfSingleProcessPrivilege	3060	WMIC.exe
Token: SeIncBasePriorityPrivilege	3060	WMIC.exe
Token: SeCreatePagefilePrivilege	3060	WMIC.exe
Token: SeBackupPrivilege	3060	WMIC.exe
Token: SeRestorePrivilege	3060	WMIC.exe
Token: SeShutdownPrivilege	3060	WMIC.exe
Token: SeDebugPrivilege	3060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3060	WMIC.exe
Token: SeRemoteShutdownPrivilege	3060	WMIC.exe
Token: SeUndockPrivilege	3060	WMIC.exe
Token: SeManageVolumePrivilege	3060	WMIC.exe
Token: 33	3060	WMIC.exe
Token: 34	3060	WMIC.exe
Token: 35	3060	WMIC.exe
Token: SeDebugPrivilege	2860	bcZ6UEHjq9RUQie.exe
Token: SeDebugPrivilege	2776	qRAxe4BVi4w4QAu.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2948	qRAxe4BVi4w4QAu.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1076	bcZ6UEHjq9RUQie.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1076	bcZ6UEHjq9RUQie.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1448	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	30
PID 1380 wrote to memory of 1448	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	30
PID 1380 wrote to memory of 1448	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	30
PID 1448 wrote to memory of 3060	1448	cmd.exe	32
PID 1448 wrote to memory of 3060	1448	cmd.exe	32
PID 1448 wrote to memory of 3060	1448	cmd.exe	32
PID 1380 wrote to memory of 2776	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	34
PID 1380 wrote to memory of 2776	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	34
PID 1380 wrote to memory of 2776	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	34
PID 1380 wrote to memory of 2776	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	34
PID 1380 wrote to memory of 2860	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	35
PID 1380 wrote to memory of 2860	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	35
PID 1380 wrote to memory of 2860	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	35
PID 1380 wrote to memory of 2860	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	35
PID 1380 wrote to memory of 3012	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	36
PID 1380 wrote to memory of 3012	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	36
PID 1380 wrote to memory of 3012	1380	273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe	36
PID 3012 wrote to memory of 2632	3012	cmd.exe	38
PID 3012 wrote to memory of 2632	3012	cmd.exe	38
PID 3012 wrote to memory of 2632	3012	cmd.exe	38
PID 2776 wrote to memory of 1784	2776	qRAxe4BVi4w4QAu.exe	40
PID 2776 wrote to memory of 1784	2776	qRAxe4BVi4w4QAu.exe	40
PID 2776 wrote to memory of 1784	2776	qRAxe4BVi4w4QAu.exe	40
PID 2776 wrote to memory of 1784	2776	qRAxe4BVi4w4QAu.exe	40
PID 2776 wrote to memory of 2928	2776	qRAxe4BVi4w4QAu.exe	42
PID 2776 wrote to memory of 2928	2776	qRAxe4BVi4w4QAu.exe	42
PID 2776 wrote to memory of 2928	2776	qRAxe4BVi4w4QAu.exe	42
PID 2776 wrote to memory of 2928	2776	qRAxe4BVi4w4QAu.exe	42
PID 2776 wrote to memory of 2984	2776	qRAxe4BVi4w4QAu.exe	44
PID 2776 wrote to memory of 2984	2776	qRAxe4BVi4w4QAu.exe	44
PID 2776 wrote to memory of 2984	2776	qRAxe4BVi4w4QAu.exe	44
PID 2776 wrote to memory of 2984	2776	qRAxe4BVi4w4QAu.exe	44
PID 2776 wrote to memory of 2400	2776	qRAxe4BVi4w4QAu.exe	46
PID 2776 wrote to memory of 2400	2776	qRAxe4BVi4w4QAu.exe	46
PID 2776 wrote to memory of 2400	2776	qRAxe4BVi4w4QAu.exe	46
PID 2776 wrote to memory of 2400	2776	qRAxe4BVi4w4QAu.exe	46
PID 2776 wrote to memory of 2948	2776	qRAxe4BVi4w4QAu.exe	47
PID 2776 wrote to memory of 2948	2776	qRAxe4BVi4w4QAu.exe	47
PID 2776 wrote to memory of 2948	2776	qRAxe4BVi4w4QAu.exe	47
PID 2776 wrote to memory of 2948	2776	qRAxe4BVi4w4QAu.exe	47
PID 2776 wrote to memory of 2948	2776	qRAxe4BVi4w4QAu.exe	47
PID 2776 wrote to memory of 2948	2776	qRAxe4BVi4w4QAu.exe	47
PID 2776 wrote to memory of 2948	2776	qRAxe4BVi4w4QAu.exe	47
PID 2776 wrote to memory of 2948	2776	qRAxe4BVi4w4QAu.exe	47
PID 2776 wrote to memory of 2948	2776	qRAxe4BVi4w4QAu.exe	47
PID 2860 wrote to memory of 700	2860	bcZ6UEHjq9RUQie.exe	49
PID 2860 wrote to memory of 700	2860	bcZ6UEHjq9RUQie.exe	49
PID 2860 wrote to memory of 700	2860	bcZ6UEHjq9RUQie.exe	49
PID 2860 wrote to memory of 700	2860	bcZ6UEHjq9RUQie.exe	49
PID 2860 wrote to memory of 1676	2860	bcZ6UEHjq9RUQie.exe	51
PID 2860 wrote to memory of 1676	2860	bcZ6UEHjq9RUQie.exe	51
PID 2860 wrote to memory of 1676	2860	bcZ6UEHjq9RUQie.exe	51
PID 2860 wrote to memory of 1676	2860	bcZ6UEHjq9RUQie.exe	51
PID 2860 wrote to memory of 568	2860	bcZ6UEHjq9RUQie.exe	52
PID 2860 wrote to memory of 568	2860	bcZ6UEHjq9RUQie.exe	52
PID 2860 wrote to memory of 568	2860	bcZ6UEHjq9RUQie.exe	52
PID 2860 wrote to memory of 568	2860	bcZ6UEHjq9RUQie.exe	52
PID 2860 wrote to memory of 1076	2860	bcZ6UEHjq9RUQie.exe	55
PID 2860 wrote to memory of 1076	2860	bcZ6UEHjq9RUQie.exe	55
PID 2860 wrote to memory of 1076	2860	bcZ6UEHjq9RUQie.exe	55
PID 2860 wrote to memory of 1076	2860	bcZ6UEHjq9RUQie.exe	55
PID 2860 wrote to memory of 1076	2860	bcZ6UEHjq9RUQie.exe	55
PID 2860 wrote to memory of 1076	2860	bcZ6UEHjq9RUQie.exe	55
PID 2860 wrote to memory of 1076	2860	bcZ6UEHjq9RUQie.exe	55

C:\Users\Admin\AppData\Local\Temp\273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe
"C:\Users\Admin\AppData\Local\Temp\273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\system32\cmd.exe
  "cmd" /C wmic path win32_ComputerSystem get model
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_ComputerSystem get model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe
  "C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\myGzDa.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\myGzDa" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF42E.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2984
- - C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe
    "C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe"
    3⤵
    - Executes dropped EXE
    PID:2400
- - C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe
    "C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- C:\Users\Admin\AppData\Local\Temp\txlHsPLiXofc\bcZ6UEHjq9RUQie.exe
  "C:\Users\Admin\AppData\Local\Temp\txlHsPLiXofc\bcZ6UEHjq9RUQie.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\txlHsPLiXofc\bcZ6UEHjq9RUQie.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:700
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wZQfmZuDNV.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wZQfmZuDNV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC60.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:568
- - C:\Users\Admin\AppData\Local\Temp\txlHsPLiXofc\bcZ6UEHjq9RUQie.exe
    "C:\Users\Admin\AppData\Local\Temp\txlHsPLiXofc\bcZ6UEHjq9RUQie.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\273cbe3cdaa8a8ee98cd7516b3f8511f66d191ee52c1998c43a1d772b002c52e.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PlOkuLXxFh\qRAxe4BVi4w4QAu.exe

Filesize
514KB

MD5
2f861fda2a090853f86410f0ff8d30dc

SHA1
060753fa5cca333b921038e442e68da378b24f3b

SHA256
5db136630ffb44706b82b763fed5f4ad055aa1f23105ec6f3a2705247efec2ef

SHA512
7bccda358f835157e2ba65c315ed8fa2c3f1a65114e659bfb16c147f590a3c443c0a1371c4d72b3a266357aa3d96883905aa5e379467253844f0ca58d33e819d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EEF.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EF5.tmp

Filesize
92KB

MD5
cf00cf5b059b43e29cbde1a36c6209f3

SHA1
9df2f8ef60997e3934fef0d88f9770fb9d19769f

SHA256
9f861e6046979ac19a569747cd17b7e77a8e1301c870691595a68d9a8244a30a

SHA512
16e433a67de26cbf052f2639df05c5d3d2c5ef5d4ef065b45af913174e08415bd6672f6637e8727e88b2e68c74c2ffeabc6673e1506e8ad397edb198e0276399

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC60.tmp

Filesize
1KB

MD5
c1ed209a79e528e0a432fdcd9e23c1cb

SHA1
f3209dba2fe2476f4ecf380b872c2eb1e8ebdbd2

SHA256
8868e73dffac127d929b79db693a5d1b150dce09c97ade498687fed8df8cd18e

SHA512
ab1be2df4d6c101fd62720d856c1fdb0516ac5d96fc87b6aab45b8300da097d08a64ef1df290c168bb9e6091203e166c0e61441a8e7eb4e9328a93e4ea925ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF42E.tmp

Filesize
1KB

MD5
a360a70e3aefa07a66b847ab3c498b54

SHA1
27b5aac78b221321aa21197529a501a850cab8b5

SHA256
c7a8002c3945a962144232e8203d7a08c00f957c8bb3e642b9203fa16e2449f3

SHA512
616e7180bca83842709940a0f4611396ec9b9fad90feb64dcb8eb3ecae14805d84cd46510d012f82ab0a905d93f1d214d068c7ba45bdb5e8ee3175da4d20cdd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\txlHsPLiXofc\bcZ6UEHjq9RUQie.exe

Filesize
675KB

MD5
bbad7a6fee03dcde2ecfd6461f628851

SHA1
7536405200aef02a38bd0d59bbc7920bfb474e53

SHA256
874d65e5a417c725c846a9af3380a3c77442afa50c20929eda3ff715c5b61676

SHA512
1ab1b17295c25e6ac6c74c34fd23904ec10457cfe07d54e5b74f15ba7029689dae1802236f6c09ebdd26bf4d4c91df7620bbe07198057fa5be53c5f5af89255b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e8a7ed1ff2387979ee8f7e46868aaf7f

SHA1
75e401f9770eb82330758e4561b5e4447d15455d

SHA256
c5b8c792cdec6d89be26848cd2eb8053f4b51889415ae3f1737539862f45d4cc

SHA512
7455e17d057755342563a60ae06bbb45bdcfe5c2efd215e0a43083db0d1caa524cc58f777c389122e5e73eb96cc65cd220ad52b16667eff5a99969d074ff849c

Download Submit
memory/1076-70-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-68-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-79-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1076-76-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1076-77-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1380-0-0x000007FEF64E3000-0x000007FEF64E4000-memory.dmp

Filesize
4KB

Download
memory/1380-1-0x0000000000880000-0x00000000009B2000-memory.dmp

Filesize
1.2MB

Download
memory/2776-20-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2776-16-0x0000000000200000-0x0000000000286000-memory.dmp

Filesize
536KB

Download
memory/2776-18-0x0000000000540000-0x0000000000556000-memory.dmp

Filesize
88KB

Download
memory/2860-21-0x0000000002290000-0x0000000002316000-memory.dmp

Filesize
536KB

Download
memory/2860-17-0x0000000000150000-0x0000000000200000-memory.dmp

Filesize
704KB

Download
memory/2860-19-0x0000000000710000-0x000000000071E000-memory.dmp

Filesize
56KB

Download
memory/2948-41-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2948-46-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2948-37-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2948-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2948-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2948-50-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2948-39-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2948-48-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download