agenttesla | 24ccac765017c273b8b75b27e77dca90feccf19cbd149567fe58b07e87bba443

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NovaManagerInstaller (4).exe
Size

2.8MB
MD5

3055a388e5f9b721da480f312807373f
SHA1

1dbb315c1c6c11248d153957d1eff47db605ce4e
SHA256

24ccac765017c273b8b75b27e77dca90feccf19cbd149567fe58b07e87bba443
SHA512

e7a1dcabdda47f13e2aaf5af02943bd916a17271b9b6c6f954f531aad0e3984788dc7c65bdbc4a1ac528c2a261533a461fe5fdc5106cb2a1d6bbc1a586926010
SSDEEP

49152:MXYD0FANdWDaBYYj5cMX8nal2Wi1LIXQlY8ilFf9F6MA0crNn1c7bT76:MXY2DQj5ca8l3iff9krB8bTW

Score

10^/10

agenttesla xworm defense_evasion discovery execution keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

every-cg.gl.at.ply.gg:5872

Mutex

OwcUM7wMu7X3270J

Attributes

Install_directory
%ProgramData%
install_file
Microsoft OneDrive.exe

aes.plain

Extracted

Family

xworm

lijaligibidu-35558.portmap.host:35558

Attributes

Install_directory
%AppData%
install_file
Windows Security.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000400000000571e-59.dat	family_xworm
behavioral1/memory/2656-69-0x0000000000B90000-0x0000000000BB2000-memory.dmp	family_xworm
behavioral1/files/0x0008000000004e74-73.dat	family_xworm
behavioral1/memory/1692-78-0x0000000000C20000-0x0000000000C3C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/1396-21-0x000000001B740000-0x000000001B956000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1740	powershell.exe
2912	powershell.exe
380	powershell.exe
3008	powershell.exe
2408	powershell.exe
2868	powershell.exe
2468	powershell.exe
1320	powershell.exe
356	powershell.exe
2416	powershell.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.lnk	Windows Security.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.lnk	Windows Security.exe

Executes dropped EXE 6 IoCs

pid	Process
2304	NovaManager.exe
1396	NovaManagerInstaller.exe
2016	Desktop Window Manager.exe
1180	Windows Security Notifications.exe
2656	OneDrive.exe
1692	Windows Security.exe

Loads dropped DLL 4 IoCs

pid	Process
2104	NovaManagerInstaller (4).exe
2104	NovaManagerInstaller (4).exe
2104	NovaManagerInstaller (4).exe
1180	Windows Security Notifications.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Desktop Window Manager.exe	NovaManager.exe
File opened for modification	C:\Windows\System32\Desktop Window Manager.exe	NovaManager.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security Notifications.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NovaManagerInstaller (4).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1124	timeout.exe
2488	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	NovaManagerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	NovaManagerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	NovaManagerInstaller.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3000	powershell.exe
1740	powershell.exe
2912	powershell.exe
1336	powershell.exe
2320	powershell.exe
2468	powershell.exe
380	powershell.exe
3008	powershell.exe
2408	powershell.exe
2656	OneDrive.exe
2868	powershell.exe
1320	powershell.exe
356	powershell.exe
2416	powershell.exe
1692	Windows Security.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	NovaManager.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeBackupPrivilege	1980	vssvc.exe
Token: SeRestorePrivilege	1980	vssvc.exe
Token: SeAuditPrivilege	1980	vssvc.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2016	Desktop Window Manager.exe
Token: SeDebugPrivilege	2016	Desktop Window Manager.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	2656	OneDrive.exe
Token: SeDebugPrivilege	1692	Windows Security.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2656	OneDrive.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	356	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1692	Windows Security.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2656	OneDrive.exe
1692	Windows Security.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 3000	2104	NovaManagerInstaller (4).exe	30
PID 2104 wrote to memory of 3000	2104	NovaManagerInstaller (4).exe	30
PID 2104 wrote to memory of 3000	2104	NovaManagerInstaller (4).exe	30
PID 2104 wrote to memory of 3000	2104	NovaManagerInstaller (4).exe	30
PID 2104 wrote to memory of 2304	2104	NovaManagerInstaller (4).exe	32
PID 2104 wrote to memory of 2304	2104	NovaManagerInstaller (4).exe	32
PID 2104 wrote to memory of 2304	2104	NovaManagerInstaller (4).exe	32
PID 2104 wrote to memory of 2304	2104	NovaManagerInstaller (4).exe	32
PID 2104 wrote to memory of 1396	2104	NovaManagerInstaller (4).exe	33
PID 2104 wrote to memory of 1396	2104	NovaManagerInstaller (4).exe	33
PID 2104 wrote to memory of 1396	2104	NovaManagerInstaller (4).exe	33
PID 2104 wrote to memory of 1396	2104	NovaManagerInstaller (4).exe	33
PID 2304 wrote to memory of 1740	2304	NovaManager.exe	39
PID 2304 wrote to memory of 1740	2304	NovaManager.exe	39
PID 2304 wrote to memory of 1740	2304	NovaManager.exe	39
PID 2304 wrote to memory of 2912	2304	NovaManager.exe	41
PID 2304 wrote to memory of 2912	2304	NovaManager.exe	41
PID 2304 wrote to memory of 2912	2304	NovaManager.exe	41
PID 2304 wrote to memory of 1784	2304	NovaManager.exe	44
PID 2304 wrote to memory of 1784	2304	NovaManager.exe	44
PID 2304 wrote to memory of 1784	2304	NovaManager.exe	44
PID 1784 wrote to memory of 1124	1784	cmd.exe	46
PID 1784 wrote to memory of 1124	1784	cmd.exe	46
PID 1784 wrote to memory of 1124	1784	cmd.exe	46
PID 1968 wrote to memory of 2016	1968	taskeng.exe	47
PID 1968 wrote to memory of 2016	1968	taskeng.exe	47
PID 1968 wrote to memory of 2016	1968	taskeng.exe	47
PID 2016 wrote to memory of 1336	2016	Desktop Window Manager.exe	48
PID 2016 wrote to memory of 1336	2016	Desktop Window Manager.exe	48
PID 2016 wrote to memory of 1336	2016	Desktop Window Manager.exe	48
PID 2016 wrote to memory of 1180	2016	Desktop Window Manager.exe	50
PID 2016 wrote to memory of 1180	2016	Desktop Window Manager.exe	50
PID 2016 wrote to memory of 1180	2016	Desktop Window Manager.exe	50
PID 2016 wrote to memory of 1180	2016	Desktop Window Manager.exe	50
PID 2016 wrote to memory of 2656	2016	Desktop Window Manager.exe	51
PID 2016 wrote to memory of 2656	2016	Desktop Window Manager.exe	51
PID 2016 wrote to memory of 2656	2016	Desktop Window Manager.exe	51
PID 1180 wrote to memory of 2320	1180	Windows Security Notifications.exe	52
PID 1180 wrote to memory of 2320	1180	Windows Security Notifications.exe	52
PID 1180 wrote to memory of 2320	1180	Windows Security Notifications.exe	52
PID 1180 wrote to memory of 2320	1180	Windows Security Notifications.exe	52
PID 1180 wrote to memory of 1692	1180	Windows Security Notifications.exe	54
PID 1180 wrote to memory of 1692	1180	Windows Security Notifications.exe	54
PID 1180 wrote to memory of 1692	1180	Windows Security Notifications.exe	54
PID 1180 wrote to memory of 1692	1180	Windows Security Notifications.exe	54
PID 2656 wrote to memory of 2468	2656	OneDrive.exe	55
PID 2656 wrote to memory of 2468	2656	OneDrive.exe	55
PID 2656 wrote to memory of 2468	2656	OneDrive.exe	55
PID 2656 wrote to memory of 380	2656	OneDrive.exe	57
PID 2656 wrote to memory of 380	2656	OneDrive.exe	57
PID 2656 wrote to memory of 380	2656	OneDrive.exe	57
PID 2656 wrote to memory of 3008	2656	OneDrive.exe	59
PID 2656 wrote to memory of 3008	2656	OneDrive.exe	59
PID 2656 wrote to memory of 3008	2656	OneDrive.exe	59
PID 2656 wrote to memory of 2408	2656	OneDrive.exe	61
PID 2656 wrote to memory of 2408	2656	OneDrive.exe	61
PID 2656 wrote to memory of 2408	2656	OneDrive.exe	61
PID 1692 wrote to memory of 2868	1692	Windows Security.exe	63
PID 1692 wrote to memory of 2868	1692	Windows Security.exe	63
PID 1692 wrote to memory of 2868	1692	Windows Security.exe	63
PID 1692 wrote to memory of 1320	1692	Windows Security.exe	65
PID 1692 wrote to memory of 1320	1692	Windows Security.exe	65
PID 1692 wrote to memory of 1320	1692	Windows Security.exe	65
PID 1692 wrote to memory of 356	1692	Windows Security.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\NovaManagerInstaller (4).exe
"C:\Users\Admin\AppData\Local\Temp\NovaManagerInstaller (4).exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAcQBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAdQBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAcgBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAZwBuACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Users\Admin\AppData\Local\Temp\NovaManager.exe
  "C:\Users\Admin\AppData\Local\Temp\NovaManager.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Desktop Window Manager.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Desktop Window Manager.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE447.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1124
- C:\Users\Admin\AppData\Local\Temp\NovaManagerInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\NovaManagerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:1396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\taskeng.exe
taskeng.exe {08F812DD-44D4-44A3-B97C-96E63259867B} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\System32\Desktop Window Manager.exe
  "C:\Windows\System32\Desktop Window Manager.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAZQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAaABiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAYQB0ACMAPgA="
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Notifications.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Notifications.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAeABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAcgBiACMAPgA="
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Security.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.bat""
        5⤵
        
        PID:2248
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:2488
- - C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
    "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2468
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft OneDrive.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
109KB

MD5
59888018eb0267d40f84a4295142fb4f

SHA1
d979b1a73138c5aac1a666834b720463a26d022d

SHA256
4293ba5d4ab7b28e109fd2e70c780bcfd25a26b4bd399996db1938c976997a5c

SHA512
906c84f0439b676eff2fce498253556bbb5cdad42cedcbc6a02eeb28ba9ad3081c20aff4179a0fe96431120a072b01165ecd0e3599fd570b0e984653b1fb1957

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Notifications.exe

Filesize
136KB

MD5
1be22d02244bea07b1772b99f7e6746e

SHA1
f821819f7783ea6a0db8a835a486362ce08bcc32

SHA256
ba37d26273f15eae8ef805bf7efd6743cbc880f5857477d11683ab47df130108

SHA512
aae017608247ad589dea935efdb6b59cae0e21d9503fc9176ec03221f5f171778bf8bb281cb7e7bf7238f810455de604c8b5153ac061a5eee77cd62ce6268558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4B43.tmp.bat

Filesize
168B

MD5
7dd7abb419f79ad61f1d0cad03192706

SHA1
0be8964f243465461e5409ae7e3d961025ee9501

SHA256
4e8c98a0709c13397c6515dabb8af3c67fd85ab1766863428312080827af35cb

SHA512
40b8d5c9b9fdfef83b9b21cfcbf939b245a25fef7e856fbd6e3a41ce5417d64854e77eb745a8430f663fdfd2677406288deabf9de624aaebedbd61a59d503735

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE447.tmp.bat

Filesize
163B

MD5
f02717c0fe7b8e7c069939cac9a9192b

SHA1
b389bbc492a1ec1cdcb9493184281fda148bbdeb

SHA256
a4a9a26ce716a05a7fbb9eb83db8425f09200438461417642fbc29310c28aa26

SHA512
47a3b2dcd0ae4e251afb8fb4ab6c4925a4a2ef3a8ca542444a9d7852df8a0593d72767514ae2fa08522d5e8f6912b1d5ee9d088b0d1748e0f37d0b6425fda430

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e486e087c8ce4edea5f83f73cd6160e8

SHA1
bb0df58a28cf06cc8db93e593d2131d24bdc7d0c

SHA256
b422dd259009fdc368fc41e2cb13ac192baf4af0011283a7635a9c0560fd5dbb

SHA512
3f39e3c3afd32ebc7b00fa77022a68bd006281b737e26249e96a693d01105f5e04a7b7abebae01e1974a8b42feb5d127aa711f0c23d0432feab6acfec0b70550

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ad2a6319baa5432caf90d95068863eed

SHA1
f4e3049638c66855d3de015c4e0d36b2d1510044

SHA256
6c3c9eb3b226c33fbe0f74ec367f2dbc39b198f66b6169e3609419c5e430834e

SHA512
c6c4f4da8630ee0653bb6e3e2d80a024fe72ae7177b45257736e8c3133fb245588975b02efd9e3b59291b6926cf08ebdd35080b66bfe8c0b8440707584c54f54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6FSAMRF252GMJXTYBD9S.temp

Filesize
7KB

MD5
1358e218a19dfd53b1c86ffaa891272b

SHA1
63cf85789dfdb94ecfc909391f1fa0d26dc7a7b5

SHA256
d64b2dc36d4e7df8869e57a0192844927ec740ee09ebb3ded433ce67ff07b204

SHA512
1f043d1a7cbfd5397a315304ab3672a2308969384b8630aff58897e8ec76d2407ffc185d8e1f3dd34914841d13f37e01c32d63ab0a9d8b15ed62f78fb4f5a8c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
08bcaea5a3a44d29cc7e49ec8f5edc65

SHA1
3d84271cd3fa28c071cefec9ff77f479154d44b9

SHA256
83e6d48fccc53300e91106a89695c7b930bf65e0bde2eb39bf462587d1178d28

SHA512
9663483bd6b76780e540acd9d5dbfcc8961445ee848e1be240962eaabb516763c3499ae26c221653e18d3f36e8b3425a282b18e41884dae3c732d09941bf8b65

Download Submit
\Users\Admin\AppData\Local\Temp\NovaManager.exe

Filesize
1.1MB

MD5
ecf608cba666fe9bf5e7879809206ccd

SHA1
939e28ef5baa52ea1449368aec1c122f0ec9dcd5

SHA256
6a4d8b4ac0fa5fba11f5dae6f7b414bfb5e6286217d66d2fa1964b93665eca25

SHA512
9f94a8efe31664177165500db2c8933e80560516235af53e8d8bd4b34c0562e99bbcd4b06550ad3d9776d5cfb24c6767436efd5889bb363299cf0e963f4ee6c2

Download Submit
\Users\Admin\AppData\Local\Temp\NovaManagerInstaller.exe

Filesize
1.7MB

MD5
d2360c98d31fc1dddcb633bfbbea4aaf

SHA1
973ccdad0c69ab0d3ea796d0159fb7f41392a982

SHA256
e72078d60776f2d6c2388314618d73c7b45fd5d709190bdfa335613f7fb2d55e

SHA512
43789ab0aeaa20c90f0657ffe086ffb50cf4586e882ebf821e03a8c72a3d31fdb46b21346d6402f5e7fa9f601377422f656f7b38ac7b697936f8bcab5636d91a

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Security.exe

Filesize
88KB

MD5
7573e1381c4ff16fa11c4db8e88e2720

SHA1
cb899ced80a3018319ec2cb317043e460f2108f7

SHA256
f717d33bba61beec9416992b223e2ee47c17279b1d6488e5ce580d26f5abc430

SHA512
ed3d85cf3e197c680456ad24580d50b77e46819417aebbe5d15c31db3a74bc2592ce8ecfde0c08ea67fc16d712404c9109c3e7685288c725e00c05608518e579

Download Submit
memory/1336-65-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1336-66-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/1396-20-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/1396-21-0x000000001B740000-0x000000001B956000-memory.dmp

Filesize
2.1MB

Download
memory/1396-18-0x0000000000BF0000-0x0000000000DB4000-memory.dmp

Filesize
1.8MB

Download
memory/1396-19-0x000000001B410000-0x000000001B55E000-memory.dmp

Filesize
1.3MB

Download
memory/1692-78-0x0000000000C20000-0x0000000000C3C000-memory.dmp

Filesize
112KB

Download
memory/1740-26-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1740-27-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2016-49-0x000000001B6C0000-0x000000001B7AC000-memory.dmp

Filesize
944KB

Download
memory/2016-50-0x00000000004D0000-0x0000000000516000-memory.dmp

Filesize
280KB

Download
memory/2016-48-0x00000000011F0000-0x000000000130C000-memory.dmp

Filesize
1.1MB

Download
memory/2304-17-0x0000000000D90000-0x0000000000EAC000-memory.dmp

Filesize
1.1MB

Download
memory/2656-69-0x0000000000B90000-0x0000000000BB2000-memory.dmp

Filesize
136KB

Download
memory/2912-34-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2912-33-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download