agenttesla | 9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66

General

Target

9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe
Size

1.3MB
MD5

ecd1765ef784d0831b8ba7082f8c2370
SHA1

024b15d7f67fe4312b77735c3a2fc7e41077537b
SHA256

9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66
SHA512

85602ad027c76dfdf28102cd3309df9738fda88934b6de468ab33cd09868473a86defe989f3e4740d9d113ace5db298e2c931099ca1c2286e73b75b5c9f85609
SSDEEP

24576:AoKVs1q893v/9/NJITBjN2MdfxbY6c9NfvqFii2EbBOGwbHXD0AIDN7HupGvbmg:AoLkoH9/NJYxNFxDmCFiBE4GwDoAIDN7

Score

10^/10

agenttesla redline sectoprat newlogs credential_access discovery execution infostealer keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/

Extracted

Family

redline

Botnet

Newlogs

C2

204.14.75.2:16383

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/284-76-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/284-73-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/284-71-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/284-80-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/284-79-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/284-76-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/284-73-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/284-71-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/284-80-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/284-79-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2416 powershell.exe
1940 powershell.exe
1600 powershell.exe
1724 powershell.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2880 cmd.exe
Executes dropped EXE 5 IoCs

Processes:

o34lLgcDWmNwKh7.exe3hKMonGdUEFhnpu.exeo34lLgcDWmNwKh7.exe3hKMonGdUEFhnpu.exe3hKMonGdUEFhnpu.exe

pid process

2696 o34lLgcDWmNwKh7.exe
2748 3hKMonGdUEFhnpu.exe
1604 o34lLgcDWmNwKh7.exe
284 3hKMonGdUEFhnpu.exe
592 3hKMonGdUEFhnpu.exe
Loads dropped DLL 3 IoCs

Processes:

o34lLgcDWmNwKh7.exe3hKMonGdUEFhnpu.exe

pid process

2696 o34lLgcDWmNwKh7.exe
2748 3hKMonGdUEFhnpu.exe
2748 3hKMonGdUEFhnpu.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

pid	process
2416	powershell.exe
1940	powershell.exe
1600	powershell.exe
1724	powershell.exe

pid	process
2880	cmd.exe

pid	process
2696	o34lLgcDWmNwKh7.exe
2748	3hKMonGdUEFhnpu.exe
1604	o34lLgcDWmNwKh7.exe
284	3hKMonGdUEFhnpu.exe
592	3hKMonGdUEFhnpu.exe

pid	process
2696	o34lLgcDWmNwKh7.exe
2748	3hKMonGdUEFhnpu.exe
2748	3hKMonGdUEFhnpu.exe

flow	ioc
4	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

o34lLgcDWmNwKh7.exe3hKMonGdUEFhnpu.exe

description	pid	process	target process
PID 2696 set thread context of 1604	2696	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 2748 set thread context of 284	2748	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

o34lLgcDWmNwKh7.exe3hKMonGdUEFhnpu.exepowershell.exepowershell.exepowershell.exepowershell.exe3hKMonGdUEFhnpu.exeschtasks.exeo34lLgcDWmNwKh7.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o34lLgcDWmNwKh7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3hKMonGdUEFhnpu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3hKMonGdUEFhnpu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o34lLgcDWmNwKh7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2892 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1592 schtasks.exe
1428 schtasks.exe

pid	process
2892	timeout.exe

pid	process
1592	schtasks.exe
1428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe3hKMonGdUEFhnpu.exeo34lLgcDWmNwKh7.exeo34lLgcDWmNwKh7.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe
2748	3hKMonGdUEFhnpu.exe
2696	o34lLgcDWmNwKh7.exe
2748	3hKMonGdUEFhnpu.exe
2696	o34lLgcDWmNwKh7.exe
2748	3hKMonGdUEFhnpu.exe
2696	o34lLgcDWmNwKh7.exe
2748	3hKMonGdUEFhnpu.exe
2696	o34lLgcDWmNwKh7.exe
2696	o34lLgcDWmNwKh7.exe
1604	o34lLgcDWmNwKh7.exe
1604	o34lLgcDWmNwKh7.exe
1940	powershell.exe
1600	powershell.exe
2748	3hKMonGdUEFhnpu.exe
2748	3hKMonGdUEFhnpu.exe
2748	3hKMonGdUEFhnpu.exe
1724	powershell.exe
2416	powershell.exe
2748	3hKMonGdUEFhnpu.exe
2748	3hKMonGdUEFhnpu.exe
2748	3hKMonGdUEFhnpu.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exeWMIC.exe3hKMonGdUEFhnpu.exeo34lLgcDWmNwKh7.exeo34lLgcDWmNwKh7.exepowershell.exepowershell.exepowershell.exepowershell.exe3hKMonGdUEFhnpu.exe

description	pid	process
Token: SeDebugPrivilege	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe
Token: SeIncreaseQuotaPrivilege	2488	WMIC.exe
Token: SeSecurityPrivilege	2488	WMIC.exe
Token: SeTakeOwnershipPrivilege	2488	WMIC.exe
Token: SeLoadDriverPrivilege	2488	WMIC.exe
Token: SeSystemProfilePrivilege	2488	WMIC.exe
Token: SeSystemtimePrivilege	2488	WMIC.exe
Token: SeProfSingleProcessPrivilege	2488	WMIC.exe
Token: SeIncBasePriorityPrivilege	2488	WMIC.exe
Token: SeCreatePagefilePrivilege	2488	WMIC.exe
Token: SeBackupPrivilege	2488	WMIC.exe
Token: SeRestorePrivilege	2488	WMIC.exe
Token: SeShutdownPrivilege	2488	WMIC.exe
Token: SeDebugPrivilege	2488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2488	WMIC.exe
Token: SeRemoteShutdownPrivilege	2488	WMIC.exe
Token: SeUndockPrivilege	2488	WMIC.exe
Token: SeManageVolumePrivilege	2488	WMIC.exe
Token: 33	2488	WMIC.exe
Token: 34	2488	WMIC.exe
Token: 35	2488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2488	WMIC.exe
Token: SeSecurityPrivilege	2488	WMIC.exe
Token: SeTakeOwnershipPrivilege	2488	WMIC.exe
Token: SeLoadDriverPrivilege	2488	WMIC.exe
Token: SeSystemProfilePrivilege	2488	WMIC.exe
Token: SeSystemtimePrivilege	2488	WMIC.exe
Token: SeProfSingleProcessPrivilege	2488	WMIC.exe
Token: SeIncBasePriorityPrivilege	2488	WMIC.exe
Token: SeCreatePagefilePrivilege	2488	WMIC.exe
Token: SeBackupPrivilege	2488	WMIC.exe
Token: SeRestorePrivilege	2488	WMIC.exe
Token: SeShutdownPrivilege	2488	WMIC.exe
Token: SeDebugPrivilege	2488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2488	WMIC.exe
Token: SeRemoteShutdownPrivilege	2488	WMIC.exe
Token: SeUndockPrivilege	2488	WMIC.exe
Token: SeManageVolumePrivilege	2488	WMIC.exe
Token: 33	2488	WMIC.exe
Token: 34	2488	WMIC.exe
Token: 35	2488	WMIC.exe
Token: SeDebugPrivilege	2748	3hKMonGdUEFhnpu.exe
Token: SeDebugPrivilege	2696	o34lLgcDWmNwKh7.exe
Token: SeDebugPrivilege	1604	o34lLgcDWmNwKh7.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	284	3hKMonGdUEFhnpu.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

o34lLgcDWmNwKh7.exe

pid process

1604 o34lLgcDWmNwKh7.exe

pid	process
1604	o34lLgcDWmNwKh7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.execmd.execmd.exeo34lLgcDWmNwKh7.exe3hKMonGdUEFhnpu.exe

description	pid	process	target process
PID 1700 wrote to memory of 2480	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	cmd.exe
PID 1700 wrote to memory of 2480	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	cmd.exe
PID 1700 wrote to memory of 2480	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	cmd.exe
PID 2480 wrote to memory of 2488	2480	cmd.exe	WMIC.exe
PID 2480 wrote to memory of 2488	2480	cmd.exe	WMIC.exe
PID 2480 wrote to memory of 2488	2480	cmd.exe	WMIC.exe
PID 1700 wrote to memory of 2696	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	o34lLgcDWmNwKh7.exe
PID 1700 wrote to memory of 2696	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	o34lLgcDWmNwKh7.exe
PID 1700 wrote to memory of 2696	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	o34lLgcDWmNwKh7.exe
PID 1700 wrote to memory of 2696	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	o34lLgcDWmNwKh7.exe
PID 1700 wrote to memory of 2748	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	3hKMonGdUEFhnpu.exe
PID 1700 wrote to memory of 2748	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	3hKMonGdUEFhnpu.exe
PID 1700 wrote to memory of 2748	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	3hKMonGdUEFhnpu.exe
PID 1700 wrote to memory of 2748	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	3hKMonGdUEFhnpu.exe
PID 1700 wrote to memory of 2880	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	cmd.exe
PID 1700 wrote to memory of 2880	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	cmd.exe
PID 1700 wrote to memory of 2880	1700	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	cmd.exe
PID 2880 wrote to memory of 2892	2880	cmd.exe	timeout.exe
PID 2880 wrote to memory of 2892	2880	cmd.exe	timeout.exe
PID 2880 wrote to memory of 2892	2880	cmd.exe	timeout.exe
PID 2696 wrote to memory of 1940	2696	o34lLgcDWmNwKh7.exe	powershell.exe
PID 2696 wrote to memory of 1940	2696	o34lLgcDWmNwKh7.exe	powershell.exe
PID 2696 wrote to memory of 1940	2696	o34lLgcDWmNwKh7.exe	powershell.exe
PID 2696 wrote to memory of 1940	2696	o34lLgcDWmNwKh7.exe	powershell.exe
PID 2696 wrote to memory of 1600	2696	o34lLgcDWmNwKh7.exe	powershell.exe
PID 2696 wrote to memory of 1600	2696	o34lLgcDWmNwKh7.exe	powershell.exe
PID 2696 wrote to memory of 1600	2696	o34lLgcDWmNwKh7.exe	powershell.exe
PID 2696 wrote to memory of 1600	2696	o34lLgcDWmNwKh7.exe	powershell.exe
PID 2696 wrote to memory of 1592	2696	o34lLgcDWmNwKh7.exe	schtasks.exe
PID 2696 wrote to memory of 1592	2696	o34lLgcDWmNwKh7.exe	schtasks.exe
PID 2696 wrote to memory of 1592	2696	o34lLgcDWmNwKh7.exe	schtasks.exe
PID 2696 wrote to memory of 1592	2696	o34lLgcDWmNwKh7.exe	schtasks.exe
PID 2696 wrote to memory of 1604	2696	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 2696 wrote to memory of 1604	2696	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 2696 wrote to memory of 1604	2696	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 2696 wrote to memory of 1604	2696	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 2696 wrote to memory of 1604	2696	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 2696 wrote to memory of 1604	2696	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 2696 wrote to memory of 1604	2696	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 2696 wrote to memory of 1604	2696	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 2696 wrote to memory of 1604	2696	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 2748 wrote to memory of 1724	2748	3hKMonGdUEFhnpu.exe	powershell.exe
PID 2748 wrote to memory of 1724	2748	3hKMonGdUEFhnpu.exe	powershell.exe
PID 2748 wrote to memory of 1724	2748	3hKMonGdUEFhnpu.exe	powershell.exe
PID 2748 wrote to memory of 1724	2748	3hKMonGdUEFhnpu.exe	powershell.exe
PID 2748 wrote to memory of 2416	2748	3hKMonGdUEFhnpu.exe	powershell.exe
PID 2748 wrote to memory of 2416	2748	3hKMonGdUEFhnpu.exe	powershell.exe
PID 2748 wrote to memory of 2416	2748	3hKMonGdUEFhnpu.exe	powershell.exe
PID 2748 wrote to memory of 2416	2748	3hKMonGdUEFhnpu.exe	powershell.exe
PID 2748 wrote to memory of 1428	2748	3hKMonGdUEFhnpu.exe	schtasks.exe
PID 2748 wrote to memory of 1428	2748	3hKMonGdUEFhnpu.exe	schtasks.exe
PID 2748 wrote to memory of 1428	2748	3hKMonGdUEFhnpu.exe	schtasks.exe
PID 2748 wrote to memory of 1428	2748	3hKMonGdUEFhnpu.exe	schtasks.exe
PID 2748 wrote to memory of 592	2748	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 2748 wrote to memory of 592	2748	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 2748 wrote to memory of 592	2748	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 2748 wrote to memory of 592	2748	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 2748 wrote to memory of 284	2748	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 2748 wrote to memory of 284	2748	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 2748 wrote to memory of 284	2748	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 2748 wrote to memory of 284	2748	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 2748 wrote to memory of 284	2748	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 2748 wrote to memory of 284	2748	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 2748 wrote to memory of 284	2748	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe

C:\Users\Admin\AppData\Local\Temp\9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe
"C:\Users\Admin\AppData\Local\Temp\9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\cmd.exe
"cmd" /C wmic path win32_ComputerSystem get model
2⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_ComputerSystem get model
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Users\Admin\AppData\Local\Temp\ngMUaQVwAa\o34lLgcDWmNwKh7.exe
"C:\Users\Admin\AppData\Local\Temp\ngMUaQVwAa\o34lLgcDWmNwKh7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ngMUaQVwAa\o34lLgcDWmNwKh7.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fCxtQnYfgFcz.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fCxtQnYfgFcz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp510.tmp"
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Users\Admin\AppData\Local\Temp\ngMUaQVwAa\o34lLgcDWmNwKh7.exe
"C:\Users\Admin\AppData\Local\Temp\ngMUaQVwAa\o34lLgcDWmNwKh7.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Users\Admin\AppData\Local\Temp\rHTytMkJkBQH\3hKMonGdUEFhnpu.exe
"C:\Users\Admin\AppData\Local\Temp\rHTytMkJkBQH\3hKMonGdUEFhnpu.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\rHTytMkJkBQH\3hKMonGdUEFhnpu.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DexQgHlNOhr.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DexQgHlNOhr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D31.tmp"
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Users\Admin\AppData\Local\Temp\rHTytMkJkBQH\3hKMonGdUEFhnpu.exe
"C:\Users\Admin\AppData\Local\Temp\rHTytMkJkBQH\3hKMonGdUEFhnpu.exe"
3⤵
- Executes dropped EXE
PID:592

C:\Users\Admin\AppData\Local\Temp\rHTytMkJkBQH\3hKMonGdUEFhnpu.exe
"C:\Users\Admin\AppData\Local\Temp\rHTytMkJkBQH\3hKMonGdUEFhnpu.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\system32\timeout.exe
TIMEOUT /T 3
3⤵
- Delays execution with timeout.exe
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

3

T1552.001

Credentials in Registry

1

T1552.002

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

4

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ngMUaQVwAa\o34lLgcDWmNwKh7.exe

Filesize
803KB

MD5
87f540d9a1c681a3e42ffb39b87b23ea

SHA1
b70b6fc89f6bc24199184fb8c23056d74e0e5fa4

SHA256
51c03b679d6f9ac835ec6a37e6877dea493e4c1f9708c9f0d56d71e040d61dd5

SHA512
8497ba919fc98e0e8047eeb2259a345501bf263aeea1d7ff43b03e01059a57ab0a333b663da61c502864a1a871d94593dcbb2f6ea16319623d81e532440c6422

Download Submit
C:\Users\Admin\AppData\Local\Temp\rHTytMkJkBQH\3hKMonGdUEFhnpu.exe

Filesize
558KB

MD5
7ecf05e5e74bb2c9c3b8d59d51cb1e05

SHA1
85f7f896b0856e1c7cd40c5d90d32ef4a3af34b4

SHA256
efe225b212324072ef3be52b5523e029037599ee7151b1653d87d6265b706751

SHA512
c202f5bda5fa2777bd4befead901301e74de925089786cf18a6ab9fdfabe81bbabe027ea4814afe118f26ccd7425203646c5ace0b8fc56d404284c5fa27f65f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1D31.tmp

Filesize
1KB

MD5
2e709f407ae2faf4e32e08fe7bdf003e

SHA1
76a75d8abe7ac18fb528f4ceb14211f778b7a8aa

SHA256
3b79bcd95f682b1096d70513b1b6b622e1d27c58b9826dea7615055cdeeba752

SHA512
6163c65ee85583a1b22f79db38c779f776496e34a688b68754091e8848d9b41934d9434c99aa6b078328f695b4ed04ebd48b09305c4703eab5cf64b8033b3b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp510.tmp

Filesize
1KB

MD5
4d7c42f2b66c895aeed3c61cca99a33b

SHA1
e29ee9373bef26b3b0034e8b6d0fd9b0e03fb148

SHA256
4a554b45261900d4360f205fa22bbc5d22784692562684c8833feb714c306444

SHA512
d3cff24aa6ddc422a1bf28cb85b5b04707b794885429960f10ea9e1721b529ea5af821eb9182300ff260c986668259cb422315813bd01b62379219e843259d73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0e704ecae4c015d416d2f04021db83b2

SHA1
308ee198b799c4b51172de3ed37734dfe6b7f3a0

SHA256
76a94cea2064c9ad3070b2cc5ae9c24da3ba1009c3c04602f29289a241df5227

SHA512
eaae6a695c84f027833f8b4358838165bb6892fac81dbd2af27631028ea0837edc7e2f2d164447152bc39292948c2c749cbb2aa57d0fb2e02fa455b1152d6492

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/284-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/284-71-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/284-73-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/284-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/284-76-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/284-67-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/284-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/284-79-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1604-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-45-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-44-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1604-42-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-38-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-36-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1604-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-1-0x0000000000C20000-0x0000000000D7C000-memory.dmp

Filesize
1.4MB

Download
memory/1700-0-0x000007FEF51E3000-0x000007FEF51E4000-memory.dmp

Filesize
4KB

Download
memory/2696-22-0x0000000004750000-0x00000000047D6000-memory.dmp

Filesize
536KB

Download
memory/2696-20-0x0000000000700000-0x000000000070E000-memory.dmp

Filesize
56KB

Download
memory/2696-18-0x0000000000610000-0x0000000000626000-memory.dmp

Filesize
88KB

Download
memory/2696-17-0x0000000000190000-0x000000000025E000-memory.dmp

Filesize
824KB

Download
memory/2748-19-0x0000000004080000-0x000000000410E000-memory.dmp

Filesize
568KB

Download
memory/2748-16-0x00000000008A0000-0x0000000000932000-memory.dmp

Filesize
584KB

Download
memory/2748-21-0x0000000004820000-0x0000000004880000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads