agenttesla | 52124dea5ce1c6296873462826b58cf7ced4bc5bff6092af5950769482962339

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Byte_Guard_Cracked.exe
Size

4.3MB
MD5

d7936c64138b924d63901cedb2c6cd09
SHA1

b525dd212eac4c808b5166880976b1817caf826b
SHA256

52124dea5ce1c6296873462826b58cf7ced4bc5bff6092af5950769482962339
SHA512

3c2e8b6b1de63baeda4fb714ab3f4104f820cf81d2bbe9d4177631246b7627ac1e76c709a57504ca777dfdbcc74aab95602184a270120f653832f37e4965d3f7
SSDEEP

98304:dnsmtk2a2052wnEFsuU8agxdazsYXhDqgAdXt2:BL4n7uB8zpXcnb2

Score

10^/10

agenttesla umbral credential_access defense_evasion discovery execution keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000800000002341c-102.dat	family_umbral
behavioral2/memory/4720-113-0x00000213F5860000-0x00000213F58A0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/4296-261-0x0000000006450000-0x0000000006662000-memory.dmp	family_agenttesla

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3944	powershell.exe
2728	powershell.exe
3840	powershell.exe
3840	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Byte Guard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Byte Guard.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Byte_Guard_Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	._cache_Byte_Guard_Cracked.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 9 IoCs

pid	Process
3040	._cache_Byte_Guard_Cracked.exe
4720	Umbral.exe
2120	Synaptics.exe
3548	Byte Guard.exe
2880	._cache_Synaptics.exe
4296	._cache_Byte Guard.exe
4988	Umbral.exe
4360	Byte Guard.exe
1672	._cache_Byte Guard.exe

Loads dropped DLL 2 IoCs

pid	Process
4360	Byte Guard.exe
4360	Byte Guard.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Byte_Guard_Cracked.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
45	discord.com
47	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Byte_Guard_Cracked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Byte Guard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Byte Guard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Byte Guard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Byte_Guard_Cracked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Byte Guard.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3188	cmd.exe
2408	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3340	wmic.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_Byte Guard.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_Byte Guard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_Byte Guard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_Byte Guard.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_Byte Guard.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_Byte Guard.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Byte_Guard_Cracked.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Byte Guard.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Byte Guard.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2408	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2188	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1504	powershell.exe
1504	powershell.exe
1596	powershell.exe
1596	powershell.exe
4720	Umbral.exe
4720	Umbral.exe
3840	powershell.exe
3840	powershell.exe
3840	powershell.exe
3944	powershell.exe
3944	powershell.exe
3944	powershell.exe
2728	powershell.exe
2728	powershell.exe
2728	powershell.exe
1352	powershell.exe
1352	powershell.exe
3840	powershell.exe
3840	powershell.exe
3840	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	Umbral.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeIncreaseQuotaPrivilege	4952	wmic.exe
Token: SeSecurityPrivilege	4952	wmic.exe
Token: SeTakeOwnershipPrivilege	4952	wmic.exe
Token: SeLoadDriverPrivilege	4952	wmic.exe
Token: SeSystemProfilePrivilege	4952	wmic.exe
Token: SeSystemtimePrivilege	4952	wmic.exe
Token: SeProfSingleProcessPrivilege	4952	wmic.exe
Token: SeIncBasePriorityPrivilege	4952	wmic.exe
Token: SeCreatePagefilePrivilege	4952	wmic.exe
Token: SeBackupPrivilege	4952	wmic.exe
Token: SeRestorePrivilege	4952	wmic.exe
Token: SeShutdownPrivilege	4952	wmic.exe
Token: SeDebugPrivilege	4952	wmic.exe
Token: SeSystemEnvironmentPrivilege	4952	wmic.exe
Token: SeRemoteShutdownPrivilege	4952	wmic.exe
Token: SeUndockPrivilege	4952	wmic.exe
Token: SeManageVolumePrivilege	4952	wmic.exe
Token: 33	4952	wmic.exe
Token: 34	4952	wmic.exe
Token: 35	4952	wmic.exe
Token: 36	4952	wmic.exe
Token: SeIncreaseQuotaPrivilege	4952	wmic.exe
Token: SeSecurityPrivilege	4952	wmic.exe
Token: SeTakeOwnershipPrivilege	4952	wmic.exe
Token: SeLoadDriverPrivilege	4952	wmic.exe
Token: SeSystemProfilePrivilege	4952	wmic.exe
Token: SeSystemtimePrivilege	4952	wmic.exe
Token: SeProfSingleProcessPrivilege	4952	wmic.exe
Token: SeIncBasePriorityPrivilege	4952	wmic.exe
Token: SeCreatePagefilePrivilege	4952	wmic.exe
Token: SeBackupPrivilege	4952	wmic.exe
Token: SeRestorePrivilege	4952	wmic.exe
Token: SeShutdownPrivilege	4952	wmic.exe
Token: SeDebugPrivilege	4952	wmic.exe
Token: SeSystemEnvironmentPrivilege	4952	wmic.exe
Token: SeRemoteShutdownPrivilege	4952	wmic.exe
Token: SeUndockPrivilege	4952	wmic.exe
Token: SeManageVolumePrivilege	4952	wmic.exe
Token: 33	4952	wmic.exe
Token: 34	4952	wmic.exe
Token: 35	4952	wmic.exe
Token: 36	4952	wmic.exe
Token: SeDebugPrivilege	3840	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeIncreaseQuotaPrivilege	4956	wmic.exe
Token: SeSecurityPrivilege	4956	wmic.exe
Token: SeTakeOwnershipPrivilege	4956	wmic.exe
Token: SeLoadDriverPrivilege	4956	wmic.exe
Token: SeSystemProfilePrivilege	4956	wmic.exe
Token: SeSystemtimePrivilege	4956	wmic.exe
Token: SeProfSingleProcessPrivilege	4956	wmic.exe
Token: SeIncBasePriorityPrivilege	4956	wmic.exe
Token: SeCreatePagefilePrivilege	4956	wmic.exe
Token: SeBackupPrivilege	4956	wmic.exe
Token: SeRestorePrivilege	4956	wmic.exe
Token: SeShutdownPrivilege	4956	wmic.exe
Token: SeDebugPrivilege	4956	wmic.exe
Token: SeSystemEnvironmentPrivilege	4956	wmic.exe
Token: SeRemoteShutdownPrivilege	4956	wmic.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2188	EXCEL.EXE
2188	EXCEL.EXE
2188	EXCEL.EXE
2188	EXCEL.EXE
2188	EXCEL.EXE

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 3040	4376	Byte_Guard_Cracked.exe	87
PID 4376 wrote to memory of 3040	4376	Byte_Guard_Cracked.exe	87
PID 4376 wrote to memory of 3040	4376	Byte_Guard_Cracked.exe	87
PID 3040 wrote to memory of 1504	3040	._cache_Byte_Guard_Cracked.exe	88
PID 3040 wrote to memory of 1504	3040	._cache_Byte_Guard_Cracked.exe	88
PID 3040 wrote to memory of 1504	3040	._cache_Byte_Guard_Cracked.exe	88
PID 3040 wrote to memory of 4720	3040	._cache_Byte_Guard_Cracked.exe	91
PID 3040 wrote to memory of 4720	3040	._cache_Byte_Guard_Cracked.exe	91
PID 4376 wrote to memory of 2120	4376	Byte_Guard_Cracked.exe	90
PID 4376 wrote to memory of 2120	4376	Byte_Guard_Cracked.exe	90
PID 4376 wrote to memory of 2120	4376	Byte_Guard_Cracked.exe	90
PID 3040 wrote to memory of 3548	3040	._cache_Byte_Guard_Cracked.exe	92
PID 3040 wrote to memory of 3548	3040	._cache_Byte_Guard_Cracked.exe	92
PID 3040 wrote to memory of 3548	3040	._cache_Byte_Guard_Cracked.exe	92
PID 2120 wrote to memory of 2880	2120	Synaptics.exe	93
PID 2120 wrote to memory of 2880	2120	Synaptics.exe	93
PID 2120 wrote to memory of 2880	2120	Synaptics.exe	93
PID 3548 wrote to memory of 4296	3548	Byte Guard.exe	95
PID 3548 wrote to memory of 4296	3548	Byte Guard.exe	95
PID 3548 wrote to memory of 4296	3548	Byte Guard.exe	95
PID 2880 wrote to memory of 1596	2880	._cache_Synaptics.exe	96
PID 2880 wrote to memory of 1596	2880	._cache_Synaptics.exe	96
PID 2880 wrote to memory of 1596	2880	._cache_Synaptics.exe	96
PID 2880 wrote to memory of 4988	2880	._cache_Synaptics.exe	98
PID 2880 wrote to memory of 4988	2880	._cache_Synaptics.exe	98
PID 2880 wrote to memory of 4360	2880	._cache_Synaptics.exe	99
PID 2880 wrote to memory of 4360	2880	._cache_Synaptics.exe	99
PID 2880 wrote to memory of 4360	2880	._cache_Synaptics.exe	99
PID 4720 wrote to memory of 4952	4720	Umbral.exe	100
PID 4720 wrote to memory of 4952	4720	Umbral.exe	100
PID 4360 wrote to memory of 1672	4360	Byte Guard.exe	103
PID 4360 wrote to memory of 1672	4360	Byte Guard.exe	103
PID 4360 wrote to memory of 1672	4360	Byte Guard.exe	103
PID 4720 wrote to memory of 2388	4720	Umbral.exe	104
PID 4720 wrote to memory of 2388	4720	Umbral.exe	104
PID 4720 wrote to memory of 3840	4720	Umbral.exe	122
PID 4720 wrote to memory of 3840	4720	Umbral.exe	122
PID 4720 wrote to memory of 3944	4720	Umbral.exe	109
PID 4720 wrote to memory of 3944	4720	Umbral.exe	109
PID 4720 wrote to memory of 2728	4720	Umbral.exe	112
PID 4720 wrote to memory of 2728	4720	Umbral.exe	112
PID 4720 wrote to memory of 1352	4720	Umbral.exe	114
PID 4720 wrote to memory of 1352	4720	Umbral.exe	114
PID 4720 wrote to memory of 4956	4720	Umbral.exe	116
PID 4720 wrote to memory of 4956	4720	Umbral.exe	116
PID 4720 wrote to memory of 1880	4720	Umbral.exe	118
PID 4720 wrote to memory of 1880	4720	Umbral.exe	118
PID 4720 wrote to memory of 984	4720	Umbral.exe	120
PID 4720 wrote to memory of 984	4720	Umbral.exe	120
PID 4720 wrote to memory of 3840	4720	Umbral.exe	122
PID 4720 wrote to memory of 3840	4720	Umbral.exe	122
PID 4720 wrote to memory of 3340	4720	Umbral.exe	124
PID 4720 wrote to memory of 3340	4720	Umbral.exe	124
PID 4720 wrote to memory of 3188	4720	Umbral.exe	129
PID 4720 wrote to memory of 3188	4720	Umbral.exe	129
PID 3188 wrote to memory of 2408	3188	cmd.exe	131
PID 3188 wrote to memory of 2408	3188	cmd.exe	131

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2388	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Byte_Guard_Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\Byte_Guard_Cracked.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Users\Admin\AppData\Local\Temp\._cache_Byte_Guard_Cracked.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Byte_Guard_Cracked.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAcwBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAaABxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAZQBhACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Users\Admin\AppData\Local\Umbral.exe
    "C:\Users\Admin\AppData\Local\Umbral.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4952
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Umbral.exe"
      4⤵
      Views/modifies file attributes
      PID:2388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Umbral.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2728
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1352
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4956
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:1880
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3840
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3340
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Umbral.exe" && pause
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2408
- - C:\Users\Admin\AppData\Local\Byte Guard.exe
    "C:\Users\Admin\AppData\Local\Byte Guard.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Byte Guard.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Byte Guard.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Enumerates system info in registry
      PID:4296
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAYwBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAcwBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAaABxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAZQBhACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1596
  - - C:\Users\Admin\AppData\Local\Umbral.exe
      "C:\Users\Admin\AppData\Local\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:4988
  - - C:\Users\Admin\AppData\Local\Byte Guard.exe
      "C:\Users\Admin\AppData\Local\Byte Guard.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Byte Guard.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Byte Guard.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:1672

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.3MB

MD5
d7936c64138b924d63901cedb2c6cd09

SHA1
b525dd212eac4c808b5166880976b1817caf826b

SHA256
52124dea5ce1c6296873462826b58cf7ced4bc5bff6092af5950769482962339

SHA512
3c2e8b6b1de63baeda4fb714ab3f4104f820cf81d2bbe9d4177631246b7627ac1e76c709a57504ca777dfdbcc74aab95602184a270120f653832f37e4965d3f7

Download Submit
C:\Users\Admin\AppData\Local\Byte Guard.exe

Filesize
3.2MB

MD5
7ea9fbcf5b737365ff4ad08f7fca0aeb

SHA1
de3e974d43c058e74f20f67d2d5b781852264226

SHA256
6ef4c90c8d8bf9d1b96fecb2d8a49820bac15d0f9c3628e101f24994ebd2b2f3

SHA512
2d0a117207bd2510ff6ee872e5f4d3ec471705c0f3d3a52cf113376306110491702c09d477026b0bda45a7b105f8aab9ec1c0a57d0a8e9c2be014eca3da402e1

Download Submit
C:\Users\Admin\AppData\Local\Byte Guard.exe

Filesize
3.2MB

MD5
5d317aa06f8daf4558eb1a48f20a67bd

SHA1
e574b2144d7e64ad354074460eb10d6a8d55ef7b

SHA256
d76287c021bc3320cd53e42b62a86e3064f56f80158066381d57dfadd64b5a79

SHA512
8576d946d69cfbea20b5d4bba7e2620c78017de38cb4fdd6e7d8b768c7e3f21291314aa2b27eb9939c7ddeea08e44e36bb828e53ace370f52ee28ecb6e90ad24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5e2fd95470c50743ba121fd6bd03a7b

SHA1
75545ed499d9dde51a1fc1cf535eb4f50ec79250

SHA256
d9c961aaf784b9ce81b0a3aac7a39bd41e9f2702d9c28deb20e786d385b88288

SHA512
76bdc793f8b38f603b5ad0957474660bb09e963a2496564b8ceac6591d532fc9498214b81c3908bafc13ff0b07028457c6c997998adfd2203304cb1c82899423

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Byte Guard.exe

Filesize
2.5MB

MD5
068b2d1729ce3ea43aca321d35983886

SHA1
1f0265d64f80734687a5abff64163f735933ba40

SHA256
7d356312b37eac1a8c175c3b715b650ef881ba83096d242a87dee1439e14aaa3

SHA512
01241980cbf6d6a2f8935790e7d509e487c541590766a290b7dab889bcea6c367170d2d5c56bead75693b78e596af72b00ee22241c2c5b51e8f5384e393af0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Byte_Guard_Cracked.exe

Filesize
3.6MB

MD5
c53c9140b7d6c214c6d168d34365418c

SHA1
72144ae7d77432b217f73be33eae773f7cc0dcf7

SHA256
8d0405c5776efbedc678af7096a129fea77d1df352a23bf87a9fa3485d2ea143

SHA512
f4f912b5784eacfecbf3fcf6876ed573df519070a2d663eb7985a8544a28b03fade339c2eca93b2da7f1240cec60ae1929b81f217c711e575e2d2908ddb80910

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JbwTE36.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ljzkzwfo.dgz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Umbral.exe

Filesize
229KB

MD5
06b38b4286ab07b09e34030a13893cf8

SHA1
1741b0fec5104f2237c84f86e400b34ee457f510

SHA256
426f84b164f029d25bd87377d930c1532dd9fb1f490f0ddb2906f2c8006a2f8f

SHA512
e752bfa062a46682209dc8d5685b583a523af9a594ed92cb1ce97fda652ded92cffa032b1b69110ca04d7f52a7532aaa3011facfdd90baaeec91515424573df4

Download Submit
memory/1504-284-0x0000000007520000-0x00000000075C3000-memory.dmp

Filesize
652KB

Download
memory/1504-291-0x00000000078D0000-0x00000000078DA000-memory.dmp

Filesize
40KB

Download
memory/1504-232-0x0000000006570000-0x00000000065BC000-memory.dmp

Filesize
304KB

Download
memory/1504-322-0x0000000007BB0000-0x0000000007BCA000-memory.dmp

Filesize
104KB

Download
memory/1504-321-0x0000000007B70000-0x0000000007B84000-memory.dmp

Filesize
80KB

Download
memory/1504-310-0x0000000007AB0000-0x0000000007ABE000-memory.dmp

Filesize
56KB

Download
memory/1504-299-0x0000000007A50000-0x0000000007A61000-memory.dmp

Filesize
68KB

Download
memory/1504-292-0x0000000007AD0000-0x0000000007B66000-memory.dmp

Filesize
600KB

Download
memory/1504-323-0x0000000007B90000-0x0000000007B98000-memory.dmp

Filesize
32KB

Download
memory/1504-219-0x0000000006030000-0x0000000006384000-memory.dmp

Filesize
3.3MB

Download
memory/1504-288-0x0000000007EA0000-0x000000000851A000-memory.dmp

Filesize
6.5MB

Download
memory/1504-289-0x0000000007850000-0x000000000786A000-memory.dmp

Filesize
104KB

Download
memory/1504-129-0x0000000002F40000-0x0000000002F76000-memory.dmp

Filesize
216KB

Download
memory/1504-230-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/1504-154-0x0000000005730000-0x0000000005D58000-memory.dmp

Filesize
6.2MB

Download
memory/1504-205-0x0000000005EC0000-0x0000000005F26000-memory.dmp

Filesize
408KB

Download
memory/1504-203-0x0000000005DA0000-0x0000000005DC2000-memory.dmp

Filesize
136KB

Download
memory/1504-273-0x000000006F240000-0x000000006F28C000-memory.dmp

Filesize
304KB

Download
memory/1504-204-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/1504-283-0x0000000007500000-0x000000000751E000-memory.dmp

Filesize
120KB

Download
memory/1504-272-0x0000000006B10000-0x0000000006B42000-memory.dmp

Filesize
200KB

Download
memory/1596-311-0x000000006F240000-0x000000006F28C000-memory.dmp

Filesize
304KB

Download
memory/2120-405-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/2120-441-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/2188-262-0x00007FFC0FF50000-0x00007FFC0FF60000-memory.dmp

Filesize
64KB

Download
memory/2188-257-0x00007FFC0FF50000-0x00007FFC0FF60000-memory.dmp

Filesize
64KB

Download
memory/2188-237-0x00007FFC12350000-0x00007FFC12360000-memory.dmp

Filesize
64KB

Download
memory/2188-238-0x00007FFC12350000-0x00007FFC12360000-memory.dmp

Filesize
64KB

Download
memory/2188-239-0x00007FFC12350000-0x00007FFC12360000-memory.dmp

Filesize
64KB

Download
memory/2188-241-0x00007FFC12350000-0x00007FFC12360000-memory.dmp

Filesize
64KB

Download
memory/2188-240-0x00007FFC12350000-0x00007FFC12360000-memory.dmp

Filesize
64KB

Download
memory/3548-235-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/3840-305-0x000002309CAA0000-0x000002309CAC2000-memory.dmp

Filesize
136KB

Download
memory/4296-261-0x0000000006450000-0x0000000006662000-memory.dmp

Filesize
2.1MB

Download
memory/4296-256-0x0000000006290000-0x0000000006322000-memory.dmp

Filesize
584KB

Download
memory/4296-236-0x00000000002A0000-0x0000000000528000-memory.dmp

Filesize
2.5MB

Download
memory/4296-242-0x0000000005F90000-0x00000000061EC000-memory.dmp

Filesize
2.4MB

Download
memory/4296-254-0x00000000067A0000-0x0000000006D44000-memory.dmp

Filesize
5.6MB

Download
memory/4296-258-0x0000000006200000-0x000000000620A000-memory.dmp

Filesize
40KB

Download
memory/4360-286-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/4376-0-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/4376-122-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/4720-347-0x00000213F75F0000-0x00000213F760E000-memory.dmp

Filesize
120KB

Download
memory/4720-390-0x00000213F7670000-0x00000213F7682000-memory.dmp

Filesize
72KB

Download
memory/4720-113-0x00000213F5860000-0x00000213F58A0000-memory.dmp

Filesize
256KB

Download
memory/4720-406-0x00000213F7D60000-0x00000213F7E62000-memory.dmp

Filesize
1.0MB

Download
memory/4720-389-0x00000213F7640000-0x00000213F764A000-memory.dmp

Filesize
40KB

Download
memory/4720-346-0x00000213F8170000-0x00000213F81C0000-memory.dmp

Filesize
320KB

Download
memory/4720-410-0x00000213F7D60000-0x00000213F7E62000-memory.dmp

Filesize
1.0MB

Download
memory/4720-345-0x00000213F7E70000-0x00000213F7EE6000-memory.dmp

Filesize
472KB

Download