agenttesla | 1b294c0b3d277cac6695fc5a3e89f0a151b71233dc56e326cf6adf92a06cda6b

Analysis

max time kernel
150s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TaliBanStealerInstaller (1).exe
Size

3.5MB
MD5

5850298f6013269a36759882dc81e7e8
SHA1

1a008cbb6de09bb87a4ba2f84ec55870b138bd3a
SHA256

1b294c0b3d277cac6695fc5a3e89f0a151b71233dc56e326cf6adf92a06cda6b
SHA512

26c92d1b4382364060d3acfdc0b322cc9e84c57e6fcf3aa9adde896cd69e8be508c104f94890bb4d9707a06bc7a47a454f7ad1f4700ed493e51511825b1da2da
SSDEEP

98304:ygYQtfcZK0KtZogGCTFQN8FY2X6uzJ4o8:dco09x2ZYOfd4o8

Score

10^/10

agenttesla xworm defense_evasion discovery execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000022ab4-162.dat	family_xworm
behavioral1/memory/2860-169-0x0000000000140000-0x0000000000162000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/3756-38-0x00000145702D0000-0x00000145704E6000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4356	powershell.exe
1636	powershell.exe
2332	powershell.exe
1064	powershell.exe
4796	powershell.exe
4916	powershell.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	TaliBanStealerInstaller (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Windows Security.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	c9IDU7463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Client Server Runtime Process.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Windows Security.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Windows Security Notification.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk	Windows Security Notification.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk	Windows Security Notification.exe

Executes dropped EXE 8 IoCs

pid	Process
2624	Windows Security.exe
3756	TalibanStealerInstaller.exe
2284	c9IDU7463.exe
4716	Client Server Runtime Process.exe
2264	Windows Security.exe
2860	Windows Security Notification.exe
4776	malware builder
4448	malware builder

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malware builder = "C:\\Users\\Admin\\AppData\\Roaming\\malware builder"	Windows Security Notification.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Client Server Runtime Process.exe	c9IDU7463.exe
File opened for modification	C:\Windows\System32\Client Server Runtime Process.exe	c9IDU7463.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaliBanStealerInstaller (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2624	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	TalibanStealerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	TalibanStealerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	TalibanStealerInstaller.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
408	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2860	Windows Security Notification.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
4268	powershell.exe
3992	powershell.exe
4268	powershell.exe
3992	powershell.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
2284	c9IDU7463.exe
4796	powershell.exe
4796	powershell.exe
4916	powershell.exe
4916	powershell.exe
1192	powershell.exe
1192	powershell.exe
1492	powershell.exe
1492	powershell.exe
1492	powershell.exe
4356	powershell.exe
4356	powershell.exe
4356	powershell.exe
1636	powershell.exe
1636	powershell.exe
1636	powershell.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe
1064	powershell.exe
1064	powershell.exe
1064	powershell.exe
2860	Windows Security Notification.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2284	c9IDU7463.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeBackupPrivilege	216	vssvc.exe
Token: SeRestorePrivilege	216	vssvc.exe
Token: SeAuditPrivilege	216	vssvc.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	4716	Client Server Runtime Process.exe
Token: SeDebugPrivilege	4716	Client Server Runtime Process.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	2860	Windows Security Notification.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2860	Windows Security Notification.exe
Token: SeDebugPrivilege	4776	malware builder
Token: SeDebugPrivilege	4448	malware builder

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2860	Windows Security Notification.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 4268	4640	TaliBanStealerInstaller (1).exe	84
PID 4640 wrote to memory of 4268	4640	TaliBanStealerInstaller (1).exe	84
PID 4640 wrote to memory of 4268	4640	TaliBanStealerInstaller (1).exe	84
PID 4640 wrote to memory of 2624	4640	TaliBanStealerInstaller (1).exe	86
PID 4640 wrote to memory of 2624	4640	TaliBanStealerInstaller (1).exe	86
PID 4640 wrote to memory of 2624	4640	TaliBanStealerInstaller (1).exe	86
PID 2624 wrote to memory of 3992	2624	Windows Security.exe	87
PID 2624 wrote to memory of 3992	2624	Windows Security.exe	87
PID 2624 wrote to memory of 3992	2624	Windows Security.exe	87
PID 4640 wrote to memory of 3756	4640	TaliBanStealerInstaller (1).exe	88
PID 4640 wrote to memory of 3756	4640	TaliBanStealerInstaller (1).exe	88
PID 2624 wrote to memory of 2284	2624	Windows Security.exe	90
PID 2624 wrote to memory of 2284	2624	Windows Security.exe	90
PID 2284 wrote to memory of 4796	2284	c9IDU7463.exe	95
PID 2284 wrote to memory of 4796	2284	c9IDU7463.exe	95
PID 2284 wrote to memory of 4916	2284	c9IDU7463.exe	97
PID 2284 wrote to memory of 4916	2284	c9IDU7463.exe	97
PID 2284 wrote to memory of 728	2284	c9IDU7463.exe	105
PID 2284 wrote to memory of 728	2284	c9IDU7463.exe	105
PID 728 wrote to memory of 2624	728	cmd.exe	107
PID 728 wrote to memory of 2624	728	cmd.exe	107
PID 4716 wrote to memory of 1192	4716	Client Server Runtime Process.exe	108
PID 4716 wrote to memory of 1192	4716	Client Server Runtime Process.exe	108
PID 4716 wrote to memory of 2264	4716	Client Server Runtime Process.exe	110
PID 4716 wrote to memory of 2264	4716	Client Server Runtime Process.exe	110
PID 2264 wrote to memory of 1492	2264	Windows Security.exe	111
PID 2264 wrote to memory of 1492	2264	Windows Security.exe	111
PID 2264 wrote to memory of 2860	2264	Windows Security.exe	113
PID 2264 wrote to memory of 2860	2264	Windows Security.exe	113
PID 2860 wrote to memory of 4356	2860	Windows Security Notification.exe	117
PID 2860 wrote to memory of 4356	2860	Windows Security Notification.exe	117
PID 2860 wrote to memory of 1636	2860	Windows Security Notification.exe	119
PID 2860 wrote to memory of 1636	2860	Windows Security Notification.exe	119
PID 2860 wrote to memory of 2332	2860	Windows Security Notification.exe	121
PID 2860 wrote to memory of 2332	2860	Windows Security Notification.exe	121
PID 2860 wrote to memory of 1064	2860	Windows Security Notification.exe	123
PID 2860 wrote to memory of 1064	2860	Windows Security Notification.exe	123
PID 2860 wrote to memory of 408	2860	Windows Security Notification.exe	125
PID 2860 wrote to memory of 408	2860	Windows Security Notification.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TaliBanStealerInstaller (1).exe
"C:\Users\Admin\AppData\Local\Temp\TaliBanStealerInstaller (1).exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAdwBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAagB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAcQB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAaABqACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAbQBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYwB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdwBiACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3992
- - C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe
    "C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Client Server Runtime Process.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4796
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client Server Runtime Process.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB3CF.tmp.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:728
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2624
- C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates system info in registry
  PID:3756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\Client Server Runtime Process.exe
"C:\Windows\System32\Client Server Runtime Process.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAeABoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAYgBqACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAZQBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAegB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdQBuACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Notification.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\malware builder'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'malware builder'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1064
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "malware builder" /tr "C:\Users\Admin\AppData\Roaming\malware builder"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:408

C:\Users\Admin\AppData\Roaming\malware builder
"C:\Users\Admin\AppData\Roaming\malware builder"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Users\Admin\AppData\Roaming\malware builder
"C:\Users\Admin\AppData\Roaming\malware builder"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\malware builder.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3161f4edbc9b963debe22e29658050b

SHA1
45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

SHA256
1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

SHA512
006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4f8703667b46839a352a4f54ea240de8

SHA1
5c8b039d0fd3e1f4bb052a7f5241b1e44b63aca8

SHA256
944beee96f2aea8a039b4e58a465e2be70941396814e517e1f9dc40c22e129e0

SHA512
21591b2cdbbf812e27d8c4328065f0d9e77e0697a526b515586c44119cc55dcc3f55b43df179045b955a2044304c3db3dc82a27e16d2fb6a6cbc231953106311

Download Submit
C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe

Filesize
2.5MB

MD5
cdfcc41584dcd2a57da70353cb9955a8

SHA1
78b0a8cda3187d7ba842c9148446da5c628370b5

SHA256
be453771400d21a320f759b3b99bd7cf07d9d8301db6bce115bafae1aff79fb3

SHA512
4db311aac921a20b9be5c28e66b54912065ac5aeb56b45c20fe7383ff69aa50622e6da383f029a6291525457439cd2e6ac403860af4d82bd61a86df3aad9e7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe

Filesize
114KB

MD5
d59bcf447ab9a90d1c6e9701d85d5700

SHA1
c7eff0f1d56e71a601cff1e161879ea520886a32

SHA256
50738407f70e37470182a0da6b44e78eb9cd2be3f7c43e066ea85f92388c79ae

SHA512
4a33de1700a6740c354d79b6e2f706dbc924805b6c8aae03d68cf17427e52a58e65a177622266f4d4e9d0d0904d8ab7a55af2576d555bcc5868b9084730e7180

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security.exe

Filesize
164KB

MD5
9efb0ca4f150666bedbc6ef91e0e6f4b

SHA1
13b140227e709d3a534d4158111c9256b14474b3

SHA256
5ff4fc5985d8d9877dd5b4abe081ee91681b187e99a466b802a8795fd9e500ab

SHA512
7e16155776a1431eda8da3b2fe134b52863c0917170dc64ded710c5133705a0c019c930f696d5972a0a63270f59900cfca4b776631c0b5442c62696db4f7ca36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security.exe

Filesize
1018KB

MD5
d8cdeec022d5fda0ab78a7ecc9efa3ae

SHA1
3cb31d1646d3f63019a0c3745d3f2c62bdaab243

SHA256
e5b7e580db8476b8e4d2ae806288984df4eb0c5a061bed61c77157a2628ae1ea

SHA512
4ddd191a8c352cef83ba3dee0a2ba15fcd95c397fc13af152c2ef9731ec66c7ee332c8079567ee03e77a38225a8453aee798f573d25c35cb98921d09597ed63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hewpj1hn.2fa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe

Filesize
971KB

MD5
26efc684ddd0782b295a6ee4a76e3256

SHA1
08cc73ef5c1b02e09765181a5acee1a7018dcffc

SHA256
bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab

SHA512
20ba9e73514148613943db974cf88874907f9fe19e1cf5d81d9bf83ffbd233be80e925c62a5430a7ef69099e603ae54d60680020e0de58e632897f8c4aecfb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB3CF.tmp.bat

Filesize
161B

MD5
76d1503f484fdeb133daa0a45a1e0cc4

SHA1
1fe553fd0a559f290f3a0e1be6ea5f9259c85e58

SHA256
6d51218f5859977b11093cd0839330ea495049999afd5dd071443e1c6e09cf3c

SHA512
e0052795466aa54ee4ae8a38147f55bc322fc12e0be70b6b1462a4d109ed66cdec178f7034f19d6cebcfa775eb0f4db51f16ec54c6d82d7660997e07fbac8a2f

Download Submit
memory/2264-147-0x0000000000FD0000-0x0000000000FFE000-memory.dmp

Filesize
184KB

Download
memory/2284-32-0x0000000000E30000-0x0000000000F2A000-memory.dmp

Filesize
1000KB

Download
memory/2860-169-0x0000000000140000-0x0000000000162000-memory.dmp

Filesize
136KB

Download
memory/3756-135-0x00007FFC5C7E3000-0x00007FFC5C7E5000-memory.dmp

Filesize
8KB

Download
memory/3756-33-0x0000014555890000-0x0000014555B0E000-memory.dmp

Filesize
2.5MB

Download
memory/3756-35-0x0000014570030000-0x000001457017E000-memory.dmp

Filesize
1.3MB

Download
memory/3756-29-0x00007FFC5C7E3000-0x00007FFC5C7E5000-memory.dmp

Filesize
8KB

Download
memory/3756-38-0x00000145702D0000-0x00000145704E6000-memory.dmp

Filesize
2.1MB

Download
memory/3756-37-0x0000014557770000-0x0000014557784000-memory.dmp

Filesize
80KB

Download
memory/3992-63-0x0000000006D70000-0x0000000006DA2000-memory.dmp

Filesize
200KB

Download
memory/3992-74-0x0000000006370000-0x000000000638E000-memory.dmp

Filesize
120KB

Download
memory/3992-64-0x0000000074E20000-0x0000000074E6C000-memory.dmp

Filesize
304KB

Download
memory/3992-104-0x0000000007400000-0x0000000007408000-memory.dmp

Filesize
32KB

Download
memory/3992-89-0x0000000007360000-0x00000000073F6000-memory.dmp

Filesize
600KB

Download
memory/4268-39-0x0000000004C20000-0x0000000004C42000-memory.dmp

Filesize
136KB

Download
memory/4268-85-0x0000000006DC0000-0x0000000006E63000-memory.dmp

Filesize
652KB

Download
memory/4268-28-0x000000007383E000-0x000000007383F000-memory.dmp

Filesize
4KB

Download
memory/4268-92-0x0000000007150000-0x0000000007164000-memory.dmp

Filesize
80KB

Download
memory/4268-91-0x0000000007140000-0x000000000714E000-memory.dmp

Filesize
56KB

Download
memory/4268-90-0x0000000007100000-0x0000000007111000-memory.dmp

Filesize
68KB

Download
memory/4268-88-0x0000000006F70000-0x0000000006F7A000-memory.dmp

Filesize
40KB

Download
memory/4268-87-0x0000000006F00000-0x0000000006F1A000-memory.dmp

Filesize
104KB

Download
memory/4268-34-0x0000000002290000-0x00000000022C6000-memory.dmp

Filesize
216KB

Download
memory/4268-36-0x0000000004E40000-0x0000000005468000-memory.dmp

Filesize
6.2MB

Download
memory/4268-86-0x0000000007540000-0x0000000007BBA000-memory.dmp

Filesize
6.5MB

Download
memory/4268-99-0x0000000007230000-0x000000000724A000-memory.dmp

Filesize
104KB

Download
memory/4268-75-0x0000000074E20000-0x0000000074E6C000-memory.dmp

Filesize
304KB

Download
memory/4268-61-0x0000000005BD0000-0x0000000005BEE000-memory.dmp

Filesize
120KB

Download
memory/4268-62-0x0000000005C10000-0x0000000005C5C000-memory.dmp

Filesize
304KB

Download
memory/4268-51-0x00000000055E0000-0x0000000005934000-memory.dmp

Filesize
3.3MB

Download
memory/4268-40-0x0000000004D40000-0x0000000004DA6000-memory.dmp

Filesize
408KB

Download
memory/4268-41-0x0000000005570000-0x00000000055D6000-memory.dmp

Filesize
408KB

Download
memory/4716-134-0x000000001AD20000-0x000000001AD5C000-memory.dmp

Filesize
240KB

Download
memory/4716-133-0x000000001B260000-0x000000001B328000-memory.dmp

Filesize
800KB

Download
memory/4796-93-0x00000277EA740000-0x00000277EA762000-memory.dmp

Filesize
136KB

Download