agenttesla | 1b294c0b3d277cac6695fc5a3e89f0a151b71233dc56e326cf6adf92a06cda6b

Analysis

max time kernel
149s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-09-2024 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TaliBanStealerInstaller (1).exe
Size

3.5MB
MD5

5850298f6013269a36759882dc81e7e8
SHA1

1a008cbb6de09bb87a4ba2f84ec55870b138bd3a
SHA256

1b294c0b3d277cac6695fc5a3e89f0a151b71233dc56e326cf6adf92a06cda6b
SHA512

26c92d1b4382364060d3acfdc0b322cc9e84c57e6fcf3aa9adde896cd69e8be508c104f94890bb4d9707a06bc7a47a454f7ad1f4700ed493e51511825b1da2da
SSDEEP

98304:ygYQtfcZK0KtZogGCTFQN8FY2X6uzJ4o8:dco09x2ZYOfd4o8

Score

10^/10

agenttesla xworm defense_evasion discovery execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001ac08-620.dat	family_xworm
behavioral1/memory/2500-623-0x00000000002A0000-0x00000000002C2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/528-26-0x000001884BC00000-0x000001884BE16000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
992	powershell.exe
2648	powershell.exe
4056	powershell.exe
3636	powershell.exe
4164	powershell.exe
1096	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk	Windows Security Notification.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk	Windows Security Notification.exe

Executes dropped EXE 8 IoCs

pid	Process
3640	Windows Security.exe
528	TalibanStealerInstaller.exe
5112	c9IDU7463.exe
4680	Client Server Runtime Process.exe
2416	Windows Security.exe
2500	Windows Security Notification.exe
4604	malware builder
2436	malware builder

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\malware builder = "C:\\Users\\Admin\\AppData\\Roaming\\malware builder"	Windows Security Notification.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Client Server Runtime Process.exe	c9IDU7463.exe
File opened for modification	C:\Windows\System32\Client Server Runtime Process.exe	c9IDU7463.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaliBanStealerInstaller (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1308	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	TalibanStealerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	TalibanStealerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	TalibanStealerInstaller.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
380	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2500	Windows Security Notification.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3404	powershell.exe
312	powershell.exe
3404	powershell.exe
312	powershell.exe
3404	powershell.exe
312	powershell.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
5112	c9IDU7463.exe
992	powershell.exe
992	powershell.exe
992	powershell.exe
2648	powershell.exe
2648	powershell.exe
2648	powershell.exe
2460	powershell.exe
2460	powershell.exe
2460	powershell.exe
4772	powershell.exe
4772	powershell.exe
4772	powershell.exe
4056	powershell.exe
4056	powershell.exe
4056	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
1096	powershell.exe
1096	powershell.exe
1096	powershell.exe
2500	Windows Security Notification.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	c9IDU7463.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeBackupPrivilege	4496	vssvc.exe
Token: SeRestorePrivilege	4496	vssvc.exe
Token: SeAuditPrivilege	4496	vssvc.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeIncreaseQuotaPrivilege	992	powershell.exe
Token: SeSecurityPrivilege	992	powershell.exe
Token: SeTakeOwnershipPrivilege	992	powershell.exe
Token: SeLoadDriverPrivilege	992	powershell.exe
Token: SeSystemProfilePrivilege	992	powershell.exe
Token: SeSystemtimePrivilege	992	powershell.exe
Token: SeProfSingleProcessPrivilege	992	powershell.exe
Token: SeIncBasePriorityPrivilege	992	powershell.exe
Token: SeCreatePagefilePrivilege	992	powershell.exe
Token: SeBackupPrivilege	992	powershell.exe
Token: SeRestorePrivilege	992	powershell.exe
Token: SeShutdownPrivilege	992	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeSystemEnvironmentPrivilege	992	powershell.exe
Token: SeRemoteShutdownPrivilege	992	powershell.exe
Token: SeUndockPrivilege	992	powershell.exe
Token: SeManageVolumePrivilege	992	powershell.exe
Token: 33	992	powershell.exe
Token: 34	992	powershell.exe
Token: 35	992	powershell.exe
Token: 36	992	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeIncreaseQuotaPrivilege	2648	powershell.exe
Token: SeSecurityPrivilege	2648	powershell.exe
Token: SeTakeOwnershipPrivilege	2648	powershell.exe
Token: SeLoadDriverPrivilege	2648	powershell.exe
Token: SeSystemProfilePrivilege	2648	powershell.exe
Token: SeSystemtimePrivilege	2648	powershell.exe
Token: SeProfSingleProcessPrivilege	2648	powershell.exe
Token: SeIncBasePriorityPrivilege	2648	powershell.exe
Token: SeCreatePagefilePrivilege	2648	powershell.exe
Token: SeBackupPrivilege	2648	powershell.exe
Token: SeRestorePrivilege	2648	powershell.exe
Token: SeShutdownPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeSystemEnvironmentPrivilege	2648	powershell.exe
Token: SeRemoteShutdownPrivilege	2648	powershell.exe
Token: SeUndockPrivilege	2648	powershell.exe
Token: SeManageVolumePrivilege	2648	powershell.exe
Token: 33	2648	powershell.exe
Token: 34	2648	powershell.exe
Token: 35	2648	powershell.exe
Token: 36	2648	powershell.exe
Token: SeDebugPrivilege	4680	Client Server Runtime Process.exe
Token: SeDebugPrivilege	4680	Client Server Runtime Process.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2500	Windows Security Notification.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeIncreaseQuotaPrivilege	4772	powershell.exe
Token: SeSecurityPrivilege	4772	powershell.exe
Token: SeTakeOwnershipPrivilege	4772	powershell.exe
Token: SeLoadDriverPrivilege	4772	powershell.exe
Token: SeSystemProfilePrivilege	4772	powershell.exe
Token: SeSystemtimePrivilege	4772	powershell.exe
Token: SeProfSingleProcessPrivilege	4772	powershell.exe
Token: SeIncBasePriorityPrivilege	4772	powershell.exe
Token: SeCreatePagefilePrivilege	4772	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2500	Windows Security Notification.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 312	2544	TaliBanStealerInstaller (1).exe	73
PID 2544 wrote to memory of 312	2544	TaliBanStealerInstaller (1).exe	73
PID 2544 wrote to memory of 312	2544	TaliBanStealerInstaller (1).exe	73
PID 2544 wrote to memory of 3640	2544	TaliBanStealerInstaller (1).exe	75
PID 2544 wrote to memory of 3640	2544	TaliBanStealerInstaller (1).exe	75
PID 2544 wrote to memory of 3640	2544	TaliBanStealerInstaller (1).exe	75
PID 2544 wrote to memory of 528	2544	TaliBanStealerInstaller (1).exe	76
PID 2544 wrote to memory of 528	2544	TaliBanStealerInstaller (1).exe	76
PID 3640 wrote to memory of 3404	3640	Windows Security.exe	77
PID 3640 wrote to memory of 3404	3640	Windows Security.exe	77
PID 3640 wrote to memory of 3404	3640	Windows Security.exe	77
PID 3640 wrote to memory of 5112	3640	Windows Security.exe	79
PID 3640 wrote to memory of 5112	3640	Windows Security.exe	79
PID 5112 wrote to memory of 992	5112	c9IDU7463.exe	84
PID 5112 wrote to memory of 992	5112	c9IDU7463.exe	84
PID 5112 wrote to memory of 2648	5112	c9IDU7463.exe	87
PID 5112 wrote to memory of 2648	5112	c9IDU7463.exe	87
PID 5112 wrote to memory of 700	5112	c9IDU7463.exe	90
PID 5112 wrote to memory of 700	5112	c9IDU7463.exe	90
PID 700 wrote to memory of 1308	700	cmd.exe	92
PID 700 wrote to memory of 1308	700	cmd.exe	92
PID 4680 wrote to memory of 2460	4680	Client Server Runtime Process.exe	93
PID 4680 wrote to memory of 2460	4680	Client Server Runtime Process.exe	93
PID 4680 wrote to memory of 2416	4680	Client Server Runtime Process.exe	95
PID 4680 wrote to memory of 2416	4680	Client Server Runtime Process.exe	95
PID 2416 wrote to memory of 4772	2416	Windows Security.exe	96
PID 2416 wrote to memory of 4772	2416	Windows Security.exe	96
PID 2416 wrote to memory of 2500	2416	Windows Security.exe	98
PID 2416 wrote to memory of 2500	2416	Windows Security.exe	98
PID 2500 wrote to memory of 4056	2500	Windows Security Notification.exe	99
PID 2500 wrote to memory of 4056	2500	Windows Security Notification.exe	99
PID 2500 wrote to memory of 3636	2500	Windows Security Notification.exe	101
PID 2500 wrote to memory of 3636	2500	Windows Security Notification.exe	101
PID 2500 wrote to memory of 4164	2500	Windows Security Notification.exe	103
PID 2500 wrote to memory of 4164	2500	Windows Security Notification.exe	103
PID 2500 wrote to memory of 1096	2500	Windows Security Notification.exe	105
PID 2500 wrote to memory of 1096	2500	Windows Security Notification.exe	105
PID 2500 wrote to memory of 380	2500	Windows Security Notification.exe	107
PID 2500 wrote to memory of 380	2500	Windows Security Notification.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TaliBanStealerInstaller (1).exe
"C:\Users\Admin\AppData\Local\Temp\TaliBanStealerInstaller (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAdwBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAagB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAcQB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAaABqACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:312
- C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAbQBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYwB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdwBiACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3404
- - C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe
    "C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Client Server Runtime Process.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client Server Runtime Process.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:700
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1308
- C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\System32\Client Server Runtime Process.exe
"C:\Windows\System32\Client Server Runtime Process.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAeABoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAYgBqACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAZQBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAegB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdQBuACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4056
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Notification.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\malware builder'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'malware builder'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1096
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "malware builder" /tr "C:\Users\Admin\AppData\Roaming\malware builder"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:380

C:\Users\Admin\AppData\Roaming\malware builder
"C:\Users\Admin\AppData\Roaming\malware builder"
1⤵
- Executes dropped EXE
PID:4604

C:\Users\Admin\AppData\Roaming\malware builder
"C:\Users\Admin\AppData\Roaming\malware builder"
1⤵
- Executes dropped EXE
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\malware builder.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c50b6a6e6c7fd20a5cc301c90864f139

SHA1
9b4f585d27c9dcdd52b86bb654a9a607d59aa77a

SHA256
85b2356afe52266fd2948c1e7c42c25fed62b5b93b32da9bffdb0cc0897c7cc5

SHA512
9fa7750a15f33eb94d6356213abb69cedf3bb34fa82c2de123b03fd9be90e83855a1ac2cb853d244fd0f4e6ad0743f564f64e5667e30718bb683a126706fc863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d26e61b05e1a82bc1ed5078b6f020fbb

SHA1
5a7b374a664e5975e3aacab00e30fb499bbc5dd8

SHA256
7788aceab7325c7eaeb0c7c6ef1def257f8ffe731874f9b9d3247590528b6011

SHA512
75bfdbfc5e79404951e82448f68cb14b70091ba5abf4119029c826b403ca30d0612d3ab8cdb8190f1c8269ccd5cea27e17736b123990c96557d1cbb61f1a5f1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
634f70d0d3d44835d5ad852b1ae73224

SHA1
4b6948ef253a8beea091f25f91ca6eda55238e82

SHA256
e3fc4cc9a91f5d5df468a53337f5316b6f5c565060d6ac3b44e9ee1ab0198146

SHA512
4f83ce34d70b93bd6b4a0c1d46573fb45c8e10ae0da5d67fac41bb764d16e9522a963dec9d287df273d1e021edb3cafc6fa6570f363feef6497eb9fd5c83fb06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8cf83067e7f936bee54cc03dc53fa24

SHA1
463ecd763461150bdcd185d48b169fc5f4475c44

SHA256
df10901d14dc948d0d86ef4626efb85efa1ba8e893f3a9978c26ed509d733051

SHA512
721b5218c5d68273798fb83cc119abd9beec88adf1794071dfca7c30d556ef832f7d9886b2c67e87ae754cfadaca7c9b136f19ff8ea74fce5e9374a4f36f955a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c8f2edb58fbe7799cb69dbc0492740b3

SHA1
65f2eef0d6c695701939fc66d7bc35ceddb166c6

SHA256
66fc19fd2ce2387be05b0e767c8a453757b1e4a118907d19323eec4f6113bc91

SHA512
a50fc54bdb60db709e460779addedcd0952af338209ea718a0ce120836568811b7a84696f769af4d4d1ef27927657d5d6b063b6e3dba47186c9dc3e6043bfd82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
74067a1dacf4d40eaa14c1904c46f5f7

SHA1
17bcd6dcd8b261f06734903386cdb90054a719cb

SHA256
2ae8b73b8ccabedcd14faee14771db23f120d58437d274d0df8c94c43cdac603

SHA512
9b778deab0ba938a8724181a2a6e85469ddb14813c053cb7afba79cc51c6b478d7b00d053f08f53b8bb0615d6a307c81e5006dbdc7c03e7b244c7e2f7ab99985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04e158f558735e14e3fc7185fb9c4784

SHA1
20489f710122b79a6b0ad2e00f3c9ef3ec0af835

SHA256
05d0b876ac0daa8e65dce21db7d7ea0797d389c778c1c21178be072cf8ac672a

SHA512
3322c7b8f95e4468764bbd8655ee5a8c8b0e99cf6ee375c582d74fcdaafd46a34fa49bc4e15c1841fe12c70eba1912cb9ce9eca5efc7244bb817edb3e229d79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe

Filesize
2.5MB

MD5
cdfcc41584dcd2a57da70353cb9955a8

SHA1
78b0a8cda3187d7ba842c9148446da5c628370b5

SHA256
be453771400d21a320f759b3b99bd7cf07d9d8301db6bce115bafae1aff79fb3

SHA512
4db311aac921a20b9be5c28e66b54912065ac5aeb56b45c20fe7383ff69aa50622e6da383f029a6291525457439cd2e6ac403860af4d82bd61a86df3aad9e7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe

Filesize
114KB

MD5
d59bcf447ab9a90d1c6e9701d85d5700

SHA1
c7eff0f1d56e71a601cff1e161879ea520886a32

SHA256
50738407f70e37470182a0da6b44e78eb9cd2be3f7c43e066ea85f92388c79ae

SHA512
4a33de1700a6740c354d79b6e2f706dbc924805b6c8aae03d68cf17427e52a58e65a177622266f4d4e9d0d0904d8ab7a55af2576d555bcc5868b9084730e7180

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security.exe

Filesize
1018KB

MD5
d8cdeec022d5fda0ab78a7ecc9efa3ae

SHA1
3cb31d1646d3f63019a0c3745d3f2c62bdaab243

SHA256
e5b7e580db8476b8e4d2ae806288984df4eb0c5a061bed61c77157a2628ae1ea

SHA512
4ddd191a8c352cef83ba3dee0a2ba15fcd95c397fc13af152c2ef9731ec66c7ee332c8079567ee03e77a38225a8453aee798f573d25c35cb98921d09597ed63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security.exe

Filesize
164KB

MD5
9efb0ca4f150666bedbc6ef91e0e6f4b

SHA1
13b140227e709d3a534d4158111c9256b14474b3

SHA256
5ff4fc5985d8d9877dd5b4abe081ee91681b187e99a466b802a8795fd9e500ab

SHA512
7e16155776a1431eda8da3b2fe134b52863c0917170dc64ded710c5133705a0c019c930f696d5972a0a63270f59900cfca4b776631c0b5442c62696db4f7ca36

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_44vxqq44.ijl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe

Filesize
971KB

MD5
26efc684ddd0782b295a6ee4a76e3256

SHA1
08cc73ef5c1b02e09765181a5acee1a7018dcffc

SHA256
bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab

SHA512
20ba9e73514148613943db974cf88874907f9fe19e1cf5d81d9bf83ffbd233be80e925c62a5430a7ef69099e603ae54d60680020e0de58e632897f8c4aecfb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp885A.tmp.bat

Filesize
161B

MD5
9465f2707eec5479acec8804f459d643

SHA1
79cffb73295c4b86a76da3bb0922eefd561a26e8

SHA256
2bae620f05a0d33eef80cda9b72004cc19464f3a3084716a574c0f0a0f601ff8

SHA512
a89e063b1c3bf42291010eeffe1663770da1ac0dd43b31af2bc2312e2d9c4baab40bcea673873d6309742f601aaec3180888df9dff9f9a61befa0b23085d9333

Download Submit
memory/312-28-0x0000000006CE0000-0x0000000006D46000-memory.dmp

Filesize
408KB

Download
memory/312-25-0x0000000006E20000-0x0000000007448000-memory.dmp

Filesize
6.2MB

Download
memory/312-29-0x0000000006D50000-0x0000000006DB6000-memory.dmp

Filesize
408KB

Download
memory/312-27-0x0000000006C40000-0x0000000006C62000-memory.dmp

Filesize
136KB

Download
memory/312-68-0x0000000073840000-0x000000007388B000-memory.dmp

Filesize
300KB

Download
memory/312-504-0x0000000009270000-0x000000000928A000-memory.dmp

Filesize
104KB

Download
memory/312-79-0x00000000092D0000-0x0000000009364000-memory.dmp

Filesize
592KB

Download
memory/528-26-0x000001884BC00000-0x000001884BE16000-memory.dmp

Filesize
2.1MB

Download
memory/528-10-0x00007FFE6C5C3000-0x00007FFE6C5C4000-memory.dmp

Filesize
4KB

Download
memory/528-11-0x00000188310B0000-0x000001883132E000-memory.dmp

Filesize
2.5MB

Download
memory/528-21-0x00000188316C0000-0x00000188316D4000-memory.dmp

Filesize
80KB

Download
memory/528-15-0x000001884B770000-0x000001884B8BE000-memory.dmp

Filesize
1.3MB

Download
memory/528-611-0x00007FFE6C5C3000-0x00007FFE6C5C4000-memory.dmp

Filesize
4KB

Download
memory/992-220-0x00000195DDD50000-0x00000195DDD72000-memory.dmp

Filesize
136KB

Download
memory/992-223-0x00000195F64A0000-0x00000195F6516000-memory.dmp

Filesize
472KB

Download
memory/2416-610-0x0000000000390000-0x00000000003BE000-memory.dmp

Filesize
184KB

Download
memory/2500-623-0x00000000002A0000-0x00000000002C2000-memory.dmp

Filesize
136KB

Download
memory/3404-33-0x0000000008A40000-0x0000000008AB6000-memory.dmp

Filesize
472KB

Download
memory/3404-67-0x0000000073840000-0x000000007388B000-memory.dmp

Filesize
300KB

Download
memory/3404-69-0x00000000098A0000-0x00000000098BE000-memory.dmp

Filesize
120KB

Download
memory/3404-66-0x00000000098C0000-0x00000000098F3000-memory.dmp

Filesize
204KB

Download
memory/3404-24-0x0000000007290000-0x00000000072C6000-memory.dmp

Filesize
216KB

Download
memory/3404-30-0x00000000082F0000-0x0000000008640000-memory.dmp

Filesize
3.3MB

Download
memory/3404-31-0x00000000081C0000-0x00000000081DC000-memory.dmp

Filesize
112KB

Download
memory/3404-32-0x0000000008B20000-0x0000000008B6B000-memory.dmp

Filesize
300KB

Download
memory/3404-513-0x0000000009D80000-0x0000000009D88000-memory.dmp

Filesize
32KB

Download
memory/3404-78-0x0000000009A40000-0x0000000009AE5000-memory.dmp

Filesize
660KB

Download
memory/4680-604-0x0000000002970000-0x00000000029AC000-memory.dmp

Filesize
240KB

Download
memory/4680-603-0x000000001B6D0000-0x000000001B798000-memory.dmp

Filesize
800KB

Download
memory/5112-20-0x0000000000B30000-0x0000000000C2A000-memory.dmp

Filesize
1000KB

Download