agenttesla | 9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe
Size

1.3MB
MD5

ecd1765ef784d0831b8ba7082f8c2370
SHA1

024b15d7f67fe4312b77735c3a2fc7e41077537b
SHA256

9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66
SHA512

85602ad027c76dfdf28102cd3309df9738fda88934b6de468ab33cd09868473a86defe989f3e4740d9d113ace5db298e2c931099ca1c2286e73b75b5c9f85609
SSDEEP

24576:AoKVs1q893v/9/NJITBjN2MdfxbY6c9NfvqFii2EbBOGwbHXD0AIDN7HupGvbmg:AoLkoH9/NJYxNFxDmCFiBE4GwDoAIDN7

Score

10^/10

agenttesla redline sectoprat newlogs credential_access discovery execution infostealer keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

Newlogs

204.14.75.2:16383

Extracted

Family

agenttesla

https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3620-59-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3620-59-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1528 powershell.exe
3304 powershell.exe
3932 powershell.exe
2804 powershell.exe

pid	process
1528	powershell.exe
3304	powershell.exe
3932	powershell.exe
2804	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe3hKMonGdUEFhnpu.exeo34lLgcDWmNwKh7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation	3hKMonGdUEFhnpu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation	o34lLgcDWmNwKh7.exe

Executes dropped EXE 4 IoCs

Processes:

o34lLgcDWmNwKh7.exe3hKMonGdUEFhnpu.exe3hKMonGdUEFhnpu.exeo34lLgcDWmNwKh7.exe

pid process

4460 o34lLgcDWmNwKh7.exe
4012 3hKMonGdUEFhnpu.exe
3620 3hKMonGdUEFhnpu.exe
928 o34lLgcDWmNwKh7.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com

pid	process
4460	o34lLgcDWmNwKh7.exe
4012	3hKMonGdUEFhnpu.exe
3620	3hKMonGdUEFhnpu.exe
928	o34lLgcDWmNwKh7.exe

flow	ioc
18	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

3hKMonGdUEFhnpu.exeo34lLgcDWmNwKh7.exe

description	pid	process	target process
PID 4012 set thread context of 3620	4012	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 4460 set thread context of 928	4460	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeschtasks.exeschtasks.exepowershell.exeo34lLgcDWmNwKh7.exeo34lLgcDWmNwKh7.exe3hKMonGdUEFhnpu.exepowershell.exe3hKMonGdUEFhnpu.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o34lLgcDWmNwKh7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o34lLgcDWmNwKh7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3hKMonGdUEFhnpu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3hKMonGdUEFhnpu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3636 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1648 schtasks.exe
5072 schtasks.exe

pid	process
3636	timeout.exe

pid	process
1648	schtasks.exe
5072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe3hKMonGdUEFhnpu.exeo34lLgcDWmNwKh7.exepowershell.exepowershell.exepowershell.exepowershell.exeo34lLgcDWmNwKh7.exe

pid	process
1360	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe
4012	3hKMonGdUEFhnpu.exe
4460	o34lLgcDWmNwKh7.exe
4460	o34lLgcDWmNwKh7.exe
4012	3hKMonGdUEFhnpu.exe
4012	3hKMonGdUEFhnpu.exe
4460	o34lLgcDWmNwKh7.exe
4012	3hKMonGdUEFhnpu.exe
4460	o34lLgcDWmNwKh7.exe
3932	powershell.exe
2804	powershell.exe
4012	3hKMonGdUEFhnpu.exe
2804	powershell.exe
3932	powershell.exe
4460	o34lLgcDWmNwKh7.exe
4460	o34lLgcDWmNwKh7.exe
3304	powershell.exe
1528	powershell.exe
4460	o34lLgcDWmNwKh7.exe
928	o34lLgcDWmNwKh7.exe
928	o34lLgcDWmNwKh7.exe
1528	powershell.exe
3304	powershell.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exeWMIC.exe3hKMonGdUEFhnpu.exeo34lLgcDWmNwKh7.exepowershell.exepowershell.exe3hKMonGdUEFhnpu.exepowershell.exepowershell.exeo34lLgcDWmNwKh7.exe

description	pid	process
Token: SeDebugPrivilege	1360	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe
Token: SeIncreaseQuotaPrivilege	4692	WMIC.exe
Token: SeSecurityPrivilege	4692	WMIC.exe
Token: SeTakeOwnershipPrivilege	4692	WMIC.exe
Token: SeLoadDriverPrivilege	4692	WMIC.exe
Token: SeSystemProfilePrivilege	4692	WMIC.exe
Token: SeSystemtimePrivilege	4692	WMIC.exe
Token: SeProfSingleProcessPrivilege	4692	WMIC.exe
Token: SeIncBasePriorityPrivilege	4692	WMIC.exe
Token: SeCreatePagefilePrivilege	4692	WMIC.exe
Token: SeBackupPrivilege	4692	WMIC.exe
Token: SeRestorePrivilege	4692	WMIC.exe
Token: SeShutdownPrivilege	4692	WMIC.exe
Token: SeDebugPrivilege	4692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4692	WMIC.exe
Token: SeRemoteShutdownPrivilege	4692	WMIC.exe
Token: SeUndockPrivilege	4692	WMIC.exe
Token: SeManageVolumePrivilege	4692	WMIC.exe
Token: 33	4692	WMIC.exe
Token: 34	4692	WMIC.exe
Token: 35	4692	WMIC.exe
Token: 36	4692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4692	WMIC.exe
Token: SeSecurityPrivilege	4692	WMIC.exe
Token: SeTakeOwnershipPrivilege	4692	WMIC.exe
Token: SeLoadDriverPrivilege	4692	WMIC.exe
Token: SeSystemProfilePrivilege	4692	WMIC.exe
Token: SeSystemtimePrivilege	4692	WMIC.exe
Token: SeProfSingleProcessPrivilege	4692	WMIC.exe
Token: SeIncBasePriorityPrivilege	4692	WMIC.exe
Token: SeCreatePagefilePrivilege	4692	WMIC.exe
Token: SeBackupPrivilege	4692	WMIC.exe
Token: SeRestorePrivilege	4692	WMIC.exe
Token: SeShutdownPrivilege	4692	WMIC.exe
Token: SeDebugPrivilege	4692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4692	WMIC.exe
Token: SeRemoteShutdownPrivilege	4692	WMIC.exe
Token: SeUndockPrivilege	4692	WMIC.exe
Token: SeManageVolumePrivilege	4692	WMIC.exe
Token: 33	4692	WMIC.exe
Token: 34	4692	WMIC.exe
Token: 35	4692	WMIC.exe
Token: 36	4692	WMIC.exe
Token: SeDebugPrivilege	4012	3hKMonGdUEFhnpu.exe
Token: SeDebugPrivilege	4460	o34lLgcDWmNwKh7.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	3620	3hKMonGdUEFhnpu.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	3304	powershell.exe
Token: SeDebugPrivilege	928	o34lLgcDWmNwKh7.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

o34lLgcDWmNwKh7.exe

pid process

928 o34lLgcDWmNwKh7.exe

pid	process
928	o34lLgcDWmNwKh7.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.execmd.execmd.exe3hKMonGdUEFhnpu.exeo34lLgcDWmNwKh7.exe

description	pid	process	target process
PID 1360 wrote to memory of 1548	1360	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	cmd.exe
PID 1360 wrote to memory of 1548	1360	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	cmd.exe
PID 1548 wrote to memory of 4692	1548	cmd.exe	WMIC.exe
PID 1548 wrote to memory of 4692	1548	cmd.exe	WMIC.exe
PID 1360 wrote to memory of 4460	1360	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	o34lLgcDWmNwKh7.exe
PID 1360 wrote to memory of 4460	1360	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	o34lLgcDWmNwKh7.exe
PID 1360 wrote to memory of 4460	1360	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	o34lLgcDWmNwKh7.exe
PID 1360 wrote to memory of 4012	1360	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	3hKMonGdUEFhnpu.exe
PID 1360 wrote to memory of 4012	1360	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	3hKMonGdUEFhnpu.exe
PID 1360 wrote to memory of 4012	1360	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	3hKMonGdUEFhnpu.exe
PID 1360 wrote to memory of 4988	1360	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	cmd.exe
PID 1360 wrote to memory of 4988	1360	9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe	cmd.exe
PID 4988 wrote to memory of 3636	4988	cmd.exe	timeout.exe
PID 4988 wrote to memory of 3636	4988	cmd.exe	timeout.exe
PID 4012 wrote to memory of 3932	4012	3hKMonGdUEFhnpu.exe	powershell.exe
PID 4012 wrote to memory of 3932	4012	3hKMonGdUEFhnpu.exe	powershell.exe
PID 4012 wrote to memory of 3932	4012	3hKMonGdUEFhnpu.exe	powershell.exe
PID 4012 wrote to memory of 2804	4012	3hKMonGdUEFhnpu.exe	powershell.exe
PID 4012 wrote to memory of 2804	4012	3hKMonGdUEFhnpu.exe	powershell.exe
PID 4012 wrote to memory of 2804	4012	3hKMonGdUEFhnpu.exe	powershell.exe
PID 4012 wrote to memory of 1648	4012	3hKMonGdUEFhnpu.exe	schtasks.exe
PID 4012 wrote to memory of 1648	4012	3hKMonGdUEFhnpu.exe	schtasks.exe
PID 4012 wrote to memory of 1648	4012	3hKMonGdUEFhnpu.exe	schtasks.exe
PID 4012 wrote to memory of 3620	4012	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 4012 wrote to memory of 3620	4012	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 4012 wrote to memory of 3620	4012	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 4012 wrote to memory of 3620	4012	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 4012 wrote to memory of 3620	4012	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 4012 wrote to memory of 3620	4012	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 4012 wrote to memory of 3620	4012	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 4012 wrote to memory of 3620	4012	3hKMonGdUEFhnpu.exe	3hKMonGdUEFhnpu.exe
PID 4460 wrote to memory of 1528	4460	o34lLgcDWmNwKh7.exe	powershell.exe
PID 4460 wrote to memory of 1528	4460	o34lLgcDWmNwKh7.exe	powershell.exe
PID 4460 wrote to memory of 1528	4460	o34lLgcDWmNwKh7.exe	powershell.exe
PID 4460 wrote to memory of 3304	4460	o34lLgcDWmNwKh7.exe	powershell.exe
PID 4460 wrote to memory of 3304	4460	o34lLgcDWmNwKh7.exe	powershell.exe
PID 4460 wrote to memory of 3304	4460	o34lLgcDWmNwKh7.exe	powershell.exe
PID 4460 wrote to memory of 5072	4460	o34lLgcDWmNwKh7.exe	schtasks.exe
PID 4460 wrote to memory of 5072	4460	o34lLgcDWmNwKh7.exe	schtasks.exe
PID 4460 wrote to memory of 5072	4460	o34lLgcDWmNwKh7.exe	schtasks.exe
PID 4460 wrote to memory of 928	4460	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 4460 wrote to memory of 928	4460	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 4460 wrote to memory of 928	4460	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 4460 wrote to memory of 928	4460	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 4460 wrote to memory of 928	4460	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 4460 wrote to memory of 928	4460	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 4460 wrote to memory of 928	4460	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe
PID 4460 wrote to memory of 928	4460	o34lLgcDWmNwKh7.exe	o34lLgcDWmNwKh7.exe

C:\Users\Admin\AppData\Local\Temp\9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe
"C:\Users\Admin\AppData\Local\Temp\9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C wmic path win32_ComputerSystem get model
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_ComputerSystem get model
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Users\Admin\AppData\Local\Temp\yHBTnRZSmB\o34lLgcDWmNwKh7.exe
"C:\Users\Admin\AppData\Local\Temp\yHBTnRZSmB\o34lLgcDWmNwKh7.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\yHBTnRZSmB\o34lLgcDWmNwKh7.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fCxtQnYfgFcz.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fCxtQnYfgFcz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp507C.tmp"
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Users\Admin\AppData\Local\Temp\yHBTnRZSmB\o34lLgcDWmNwKh7.exe
"C:\Users\Admin\AppData\Local\Temp\yHBTnRZSmB\o34lLgcDWmNwKh7.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:928

C:\Users\Admin\AppData\Local\Temp\XsKPwrJQHibt\3hKMonGdUEFhnpu.exe
"C:\Users\Admin\AppData\Local\Temp\XsKPwrJQHibt\3hKMonGdUEFhnpu.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\XsKPwrJQHibt\3hKMonGdUEFhnpu.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DexQgHlNOhr.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DexQgHlNOhr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D52.tmp"
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Users\Admin\AppData\Local\Temp\XsKPwrJQHibt\3hKMonGdUEFhnpu.exe
"C:\Users\Admin\AppData\Local\Temp\XsKPwrJQHibt\3hKMonGdUEFhnpu.exe"
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\9c7e4bc6d2c048eb942cfd0fb2089ce190e2f306a35a6cd25f7e0e0896f60f66.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\system32\timeout.exe
TIMEOUT /T 3
3⤵
- Delays execution with timeout.exe
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3hKMonGdUEFhnpu.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4b007ce1bedc6b9ae7b3b736a287cf7e

SHA1
876bd6ad3b6386c2361ed23677cfc8188496d104

SHA256
2714221a4699b482a9e67cb9dc87df0ea233e1da3114eb890af1138fd8db292d

SHA512
20e815068af41493a5835d7a756ac6962e706b825a0ae6bfc1cfc54a4f4898fb2aa8fcb15d240f7eb39950cb4461b028bf6d02fc445b843049737d98724cf90b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
82e57d832383e7ba33d6194704313632

SHA1
9a6af2f530a18afb42c8038b0b51266c4ea407a5

SHA256
59e25dfef67b37038a1212e9d18bd4ac56539cc545ac136ec86f134a2a5a7caf

SHA512
142cdf8689f8c16bc60449149476c7462d50dba4dfe68280f980cccebb7c2d6ec5f3cfb8b7c3b955ce625b844030c893564290f0a226ed6accc85e6d8ae97d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XsKPwrJQHibt\3hKMonGdUEFhnpu.exe

Filesize
558KB

MD5
7ecf05e5e74bb2c9c3b8d59d51cb1e05

SHA1
85f7f896b0856e1c7cd40c5d90d32ef4a3af34b4

SHA256
efe225b212324072ef3be52b5523e029037599ee7151b1653d87d6265b706751

SHA512
c202f5bda5fa2777bd4befead901301e74de925089786cf18a6ab9fdfabe81bbabe027ea4814afe118f26ccd7425203646c5ace0b8fc56d404284c5fa27f65f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a3r0tra1.ozg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3D52.tmp

Filesize
1KB

MD5
9b096ffc8633b4e95e07b5309e2985ec

SHA1
bf80612dcc99b691dd74354b7e4225af035aa53b

SHA256
55e7fa195514374e4d73775b7ad468080c8143960cf6dd2bddbdb73104a75116

SHA512
b3eb604d851d1a8e26582d2044648c9047f1ca0974420a539f6f282d57c9bee5e8a176cd221c11e05aebf8240a2afcf523bdf24585c1c8fd3d0a6a6056eafa7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp507C.tmp

Filesize
1KB

MD5
33040fb855cbf0bf11f32570e2bbb355

SHA1
6a54bf63bd389506bba0af8359e48b1e8ea0c484

SHA256
def5623b57b810c3f502ddf03d7731aea3ad57de23c6ce18359010f51ccfa59d

SHA512
de80ef96d7e24cef00fab28f10492144d6229e34d55506f12f820639bfde92775840b5eb24c80f7ea9047f0e1cc426e897c2b6dabdead23a45edb62520818bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yHBTnRZSmB\o34lLgcDWmNwKh7.exe

Filesize
803KB

MD5
87f540d9a1c681a3e42ffb39b87b23ea

SHA1
b70b6fc89f6bc24199184fb8c23056d74e0e5fa4

SHA256
51c03b679d6f9ac835ec6a37e6877dea493e4c1f9708c9f0d56d71e040d61dd5

SHA512
8497ba919fc98e0e8047eeb2259a345501bf263aeea1d7ff43b03e01059a57ab0a333b663da61c502864a1a871d94593dcbb2f6ea16319623d81e532440c6422

Download Submit
memory/928-170-0x0000000006C00000-0x0000000006C50000-memory.dmp

Filesize
320KB

Download
memory/928-138-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1360-0-0x00000000006A0000-0x00000000007FC000-memory.dmp

Filesize
1.4MB

Download
memory/1360-1-0x00007FF835493000-0x00007FF835495000-memory.dmp

Filesize
8KB

Download
memory/1528-164-0x0000000007240000-0x0000000007254000-memory.dmp

Filesize
80KB

Download
memory/1528-128-0x0000000005670000-0x00000000059C4000-memory.dmp

Filesize
3.3MB

Download
memory/1528-142-0x0000000070790000-0x00000000707DC000-memory.dmp

Filesize
304KB

Download
memory/1528-152-0x0000000006EC0000-0x0000000006F63000-memory.dmp

Filesize
652KB

Download
memory/1528-163-0x0000000007210000-0x0000000007221000-memory.dmp

Filesize
68KB

Download
memory/2804-47-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/2804-108-0x0000000007D50000-0x0000000007D58000-memory.dmp

Filesize
32KB

Download
memory/2804-45-0x0000000005630000-0x0000000005652000-memory.dmp

Filesize
136KB

Download
memory/2804-48-0x00000000060D0000-0x0000000006424000-memory.dmp

Filesize
3.3MB

Download
memory/2804-103-0x0000000007CB0000-0x0000000007D46000-memory.dmp

Filesize
600KB

Download
memory/2804-100-0x0000000008080000-0x00000000086FA000-memory.dmp

Filesize
6.5MB

Download
memory/2804-105-0x0000000007C60000-0x0000000007C6E000-memory.dmp

Filesize
56KB

Download
memory/2804-89-0x0000000070790000-0x00000000707DC000-memory.dmp

Filesize
304KB

Download
memory/2804-46-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/2804-74-0x0000000006710000-0x000000000672E000-memory.dmp

Filesize
120KB

Download
memory/2804-75-0x00000000067A0000-0x00000000067EC000-memory.dmp

Filesize
304KB

Download
memory/3304-153-0x0000000070790000-0x00000000707DC000-memory.dmp

Filesize
304KB

Download
memory/3620-73-0x0000000005620000-0x000000000565C000-memory.dmp

Filesize
240KB

Download
memory/3620-168-0x0000000006BA0000-0x0000000006D62000-memory.dmp

Filesize
1.8MB

Download
memory/3620-76-0x00000000058C0000-0x00000000059CA000-memory.dmp

Filesize
1.0MB

Download
memory/3620-72-0x0000000005580000-0x0000000005592000-memory.dmp

Filesize
72KB

Download
memory/3620-169-0x00000000072A0000-0x00000000077CC000-memory.dmp

Filesize
5.2MB

Download
memory/3620-71-0x0000000005B00000-0x0000000006118000-memory.dmp

Filesize
6.1MB

Download
memory/3620-59-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3932-106-0x0000000007AF0000-0x0000000007B04000-memory.dmp

Filesize
80KB

Download
memory/3932-77-0x0000000007520000-0x0000000007552000-memory.dmp

Filesize
200KB

Download
memory/3932-101-0x00000000078B0000-0x00000000078CA000-memory.dmp

Filesize
104KB

Download
memory/3932-104-0x0000000007AB0000-0x0000000007AC1000-memory.dmp

Filesize
68KB

Download
memory/3932-99-0x0000000007560000-0x0000000007603000-memory.dmp

Filesize
652KB

Download
memory/3932-88-0x0000000007500000-0x000000000751E000-memory.dmp

Filesize
120KB

Download
memory/3932-107-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

Filesize
104KB

Download
memory/3932-102-0x0000000007920000-0x000000000792A000-memory.dmp

Filesize
40KB

Download
memory/3932-78-0x0000000070790000-0x00000000707DC000-memory.dmp

Filesize
304KB

Download
memory/3932-43-0x0000000005760000-0x0000000005D88000-memory.dmp

Filesize
6.2MB

Download
memory/3932-42-0x0000000004FC0000-0x0000000004FF6000-memory.dmp

Filesize
216KB

Download
memory/4012-30-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/4012-36-0x0000000005C80000-0x0000000005D1C000-memory.dmp

Filesize
624KB

Download
memory/4012-35-0x0000000005DE0000-0x0000000005E40000-memory.dmp

Filesize
384KB

Download
memory/4012-28-0x00000000006C0000-0x0000000000752000-memory.dmp

Filesize
584KB

Download
memory/4012-33-0x00000000052E0000-0x000000000536E000-memory.dmp

Filesize
568KB

Download
memory/4460-37-0x0000000005610000-0x0000000005696000-memory.dmp

Filesize
536KB

Download
memory/4460-31-0x0000000005180000-0x000000000518A000-memory.dmp

Filesize
40KB

Download
memory/4460-32-0x0000000005270000-0x0000000005286000-memory.dmp

Filesize
88KB

Download
memory/4460-29-0x0000000005850000-0x0000000005DF4000-memory.dmp

Filesize
5.6MB

Download
memory/4460-27-0x0000000000810000-0x00000000008DE000-memory.dmp

Filesize
824KB

Download
memory/4460-34-0x0000000005430000-0x000000000543E000-memory.dmp

Filesize
56KB

Download