agenttesla | 6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TalibanStealerInstaller.exe
Size

4.1MB
MD5

7531fbb7431039bda2b19160e0b9c2d4
SHA1

b7f4a971ebf8128ee1ea7cb764b9582fb73b8002
SHA256

6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8
SHA512

5b8b09d896e12f3da879939f3c925da58ba79c6c1f2559594b1eb11d8fd5f63d3afeb12484b8656e0ba929cb0bb7fbb67a566d3599769c955885ca21b4036487
SSDEEP

98304:51mCYY8UGo4x83fa1lyrd3qNz6VTDwgiLC/sE1:nmCWUUqi1s530+VohE

Score

10^/10

agenttesla xworm defense_evasion discovery execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

lijaligibidu-35558.portmap.host:35558

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
Windows Security.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0016000000018657-10.dat	family_xworm
behavioral1/memory/2396-12-0x00000000003D0000-0x00000000003E8000-memory.dmp	family_xworm
behavioral1/files/0x001a0000000055b1-91.dat	family_xworm
behavioral1/memory/2728-99-0x0000000000DD0000-0x0000000000DF2000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/2776-45-0x000000001B840000-0x000000001BA56000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
968	powershell.exe
1252	powershell.exe
2288	powershell.exe
2648	powershell.exe
2540	powershell.exe
2128	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk	Windows Security Notification.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk	Windows Security Notification.exe

Executes dropped EXE 8 IoCs

pid	Process
2404	TalibanStealerInstaller.exe
2396	WindowsSecurity.exe
2220	Windows Security.exe
2776	TalibanStealerInstaller.exe
2780	c9IDU7463.exe
1028	Client Server Runtime Process.exe
1612	Windows Security.exe
2728	Windows Security Notification.exe

Loads dropped DLL 4 IoCs

pid	Process
2404	TalibanStealerInstaller.exe
2404	TalibanStealerInstaller.exe
2404	TalibanStealerInstaller.exe
2220	Windows Security.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\malware builder = "C:\\Users\\Admin\\AppData\\Roaming\\malware builder"	Windows Security Notification.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Client Server Runtime Process.exe	c9IDU7463.exe
File opened for modification	C:\Windows\System32\Client Server Runtime Process.exe	c9IDU7463.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TalibanStealerInstaller.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
532	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	TalibanStealerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	TalibanStealerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	TalibanStealerInstaller.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1436	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2728	Windows Security Notification.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2884	powershell.exe
1864	powershell.exe
2780	c9IDU7463.exe
2780	c9IDU7463.exe
2780	c9IDU7463.exe
968	powershell.exe
1252	powershell.exe
1512	powershell.exe
788	powershell.exe
2288	powershell.exe
2648	powershell.exe
2540	powershell.exe
2128	powershell.exe
2728	Windows Security Notification.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	WindowsSecurity.exe
Token: SeDebugPrivilege	2780	c9IDU7463.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeBackupPrivilege	1912	vssvc.exe
Token: SeRestorePrivilege	1912	vssvc.exe
Token: SeAuditPrivilege	1912	vssvc.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	1028	Client Server Runtime Process.exe
Token: SeDebugPrivilege	1028	Client Server Runtime Process.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	2728	Windows Security Notification.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2728	Windows Security Notification.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2728	Windows Security Notification.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2404	2104	TalibanStealerInstaller.exe	30
PID 2104 wrote to memory of 2404	2104	TalibanStealerInstaller.exe	30
PID 2104 wrote to memory of 2404	2104	TalibanStealerInstaller.exe	30
PID 2104 wrote to memory of 2404	2104	TalibanStealerInstaller.exe	30
PID 2104 wrote to memory of 2404	2104	TalibanStealerInstaller.exe	30
PID 2104 wrote to memory of 2404	2104	TalibanStealerInstaller.exe	30
PID 2104 wrote to memory of 2404	2104	TalibanStealerInstaller.exe	30
PID 2104 wrote to memory of 2396	2104	TalibanStealerInstaller.exe	31
PID 2104 wrote to memory of 2396	2104	TalibanStealerInstaller.exe	31
PID 2104 wrote to memory of 2396	2104	TalibanStealerInstaller.exe	31
PID 2404 wrote to memory of 1864	2404	TalibanStealerInstaller.exe	32
PID 2404 wrote to memory of 1864	2404	TalibanStealerInstaller.exe	32
PID 2404 wrote to memory of 1864	2404	TalibanStealerInstaller.exe	32
PID 2404 wrote to memory of 1864	2404	TalibanStealerInstaller.exe	32
PID 2404 wrote to memory of 2220	2404	TalibanStealerInstaller.exe	34
PID 2404 wrote to memory of 2220	2404	TalibanStealerInstaller.exe	34
PID 2404 wrote to memory of 2220	2404	TalibanStealerInstaller.exe	34
PID 2404 wrote to memory of 2220	2404	TalibanStealerInstaller.exe	34
PID 2220 wrote to memory of 2884	2220	Windows Security.exe	35
PID 2220 wrote to memory of 2884	2220	Windows Security.exe	35
PID 2220 wrote to memory of 2884	2220	Windows Security.exe	35
PID 2220 wrote to memory of 2884	2220	Windows Security.exe	35
PID 2404 wrote to memory of 2776	2404	TalibanStealerInstaller.exe	37
PID 2404 wrote to memory of 2776	2404	TalibanStealerInstaller.exe	37
PID 2404 wrote to memory of 2776	2404	TalibanStealerInstaller.exe	37
PID 2404 wrote to memory of 2776	2404	TalibanStealerInstaller.exe	37
PID 2220 wrote to memory of 2780	2220	Windows Security.exe	38
PID 2220 wrote to memory of 2780	2220	Windows Security.exe	38
PID 2220 wrote to memory of 2780	2220	Windows Security.exe	38
PID 2220 wrote to memory of 2780	2220	Windows Security.exe	38
PID 2780 wrote to memory of 968	2780	c9IDU7463.exe	44
PID 2780 wrote to memory of 968	2780	c9IDU7463.exe	44
PID 2780 wrote to memory of 968	2780	c9IDU7463.exe	44
PID 2780 wrote to memory of 1252	2780	c9IDU7463.exe	46
PID 2780 wrote to memory of 1252	2780	c9IDU7463.exe	46
PID 2780 wrote to memory of 1252	2780	c9IDU7463.exe	46
PID 2780 wrote to memory of 2072	2780	c9IDU7463.exe	48
PID 2780 wrote to memory of 2072	2780	c9IDU7463.exe	48
PID 2780 wrote to memory of 2072	2780	c9IDU7463.exe	48
PID 2072 wrote to memory of 532	2072	cmd.exe	51
PID 2072 wrote to memory of 532	2072	cmd.exe	51
PID 2072 wrote to memory of 532	2072	cmd.exe	51
PID 2388 wrote to memory of 1028	2388	taskeng.exe	52
PID 2388 wrote to memory of 1028	2388	taskeng.exe	52
PID 2388 wrote to memory of 1028	2388	taskeng.exe	52
PID 1028 wrote to memory of 1512	1028	Client Server Runtime Process.exe	53
PID 1028 wrote to memory of 1512	1028	Client Server Runtime Process.exe	53
PID 1028 wrote to memory of 1512	1028	Client Server Runtime Process.exe	53
PID 1028 wrote to memory of 1612	1028	Client Server Runtime Process.exe	55
PID 1028 wrote to memory of 1612	1028	Client Server Runtime Process.exe	55
PID 1028 wrote to memory of 1612	1028	Client Server Runtime Process.exe	55
PID 1612 wrote to memory of 788	1612	Windows Security.exe	56
PID 1612 wrote to memory of 788	1612	Windows Security.exe	56
PID 1612 wrote to memory of 788	1612	Windows Security.exe	56
PID 1612 wrote to memory of 2728	1612	Windows Security.exe	58
PID 1612 wrote to memory of 2728	1612	Windows Security.exe	58
PID 1612 wrote to memory of 2728	1612	Windows Security.exe	58
PID 2728 wrote to memory of 2288	2728	Windows Security Notification.exe	59
PID 2728 wrote to memory of 2288	2728	Windows Security Notification.exe	59
PID 2728 wrote to memory of 2288	2728	Windows Security Notification.exe	59
PID 2728 wrote to memory of 2648	2728	Windows Security Notification.exe	61
PID 2728 wrote to memory of 2648	2728	Windows Security Notification.exe	61
PID 2728 wrote to memory of 2648	2728	Windows Security Notification.exe	61
PID 2728 wrote to memory of 2540	2728	Windows Security Notification.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe
  "C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdAByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYwBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAdwBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdgBjACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAbQBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYwB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdwBiACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe
      "C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Client Server Runtime Process.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client Server Runtime Process.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF4F9.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:532
- - C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates system info in registry
    PID:2776
- C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
  "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\taskeng.exe
taskeng.exe {5539FE50-0C26-4D6C-93C8-04A1D77C82D6} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Windows\System32\Client Server Runtime Process.exe
  "C:\Windows\System32\Client Server Runtime Process.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAeABoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAYgBqACMAPgA="
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAZQBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAegB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdQBuACMAPgA="
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:788
  - - C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Notification.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\malware builder'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'malware builder'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "malware builder" /tr "C:\Users\Admin\AppData\Roaming\malware builder"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe

Filesize
2.5MB

MD5
cdfcc41584dcd2a57da70353cb9955a8

SHA1
78b0a8cda3187d7ba842c9148446da5c628370b5

SHA256
be453771400d21a320f759b3b99bd7cf07d9d8301db6bce115bafae1aff79fb3

SHA512
4db311aac921a20b9be5c28e66b54912065ac5aeb56b45c20fe7383ff69aa50622e6da383f029a6291525457439cd2e6ac403860af4d82bd61a86df3aad9e7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe

Filesize
114KB

MD5
d59bcf447ab9a90d1c6e9701d85d5700

SHA1
c7eff0f1d56e71a601cff1e161879ea520886a32

SHA256
50738407f70e37470182a0da6b44e78eb9cd2be3f7c43e066ea85f92388c79ae

SHA512
4a33de1700a6740c354d79b6e2f706dbc924805b6c8aae03d68cf17427e52a58e65a177622266f4d4e9d0d0904d8ab7a55af2576d555bcc5868b9084730e7180

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security.exe

Filesize
164KB

MD5
9efb0ca4f150666bedbc6ef91e0e6f4b

SHA1
13b140227e709d3a534d4158111c9256b14474b3

SHA256
5ff4fc5985d8d9877dd5b4abe081ee91681b187e99a466b802a8795fd9e500ab

SHA512
7e16155776a1431eda8da3b2fe134b52863c0917170dc64ded710c5133705a0c019c930f696d5972a0a63270f59900cfca4b776631c0b5442c62696db4f7ca36

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe

Filesize
971KB

MD5
26efc684ddd0782b295a6ee4a76e3256

SHA1
08cc73ef5c1b02e09765181a5acee1a7018dcffc

SHA256
bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab

SHA512
20ba9e73514148613943db974cf88874907f9fe19e1cf5d81d9bf83ffbd233be80e925c62a5430a7ef69099e603ae54d60680020e0de58e632897f8c4aecfb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF4F9.tmp.bat

Filesize
161B

MD5
3986829e75f6f17570fc2b7a92a48ff2

SHA1
c520ad814974c625eb49e7de0de4264c750e73fa

SHA256
10f9d8f93bb86d61c67fd563a9a19cea2a41708287288b2e9afcb91cc0b90d24

SHA512
f7b36f811b4950029512bb56c26f3f67d1faf33b1355fb9ca4f129a53ec108e90f7d19dd429c2ef61d929870424f3408e044a7b46ded2e575cfc9e21d0fde5ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ee5ae7f53771846069cc3b0f8e968ef7

SHA1
3b87944e0effe7737a89b32e629f2cd102bd9ec4

SHA256
19342c0a8308e37164a0bc0cc6c41fe6960c284d1f655edd4e1df81b2c4aab00

SHA512
4e198959a38216954ebc5542c632b90783198372735285c04caa5c3f11d171fa236edaf21c9cbdffb2122202b54732c4067bd011ee0d7ec49e4c5a1073654d37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5fb97ce87ed242241eb07521c48c79d5

SHA1
29fdc7a6f9f08ad2f628bc9c9446a7d9cfeb10a8

SHA256
7ba568253179e282741ca03b98386ffe9cc84a0727b2bb7d2a025dda63c53573

SHA512
63499ffe1295c4e1681594e4e52f350e385cbe49c208e44ff86f447f6f956d6042694cca86bc8914b0302f5716b3ab74373c1d06281d587466e6c3cf06926443

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c14527d991d61de343f78d69b31feccf

SHA1
5138c43ecef1843be31ae68bcc7d9c2d2f3cac18

SHA256
f35c253911987dbe8640e9b76ecb8d9bedcb24bf68b229389435ace4c9c2b09e

SHA512
3cd828575001e72e64c263ed89557dfdb0b1247c6bf4eecf9fbb4e5770dcd1f05f767b0a5e03a8398838c086c36d8fafe8fbe9b00a8cbcec1fcc0a415af820fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a84273e41907c3850cee3d94fe3f7ac3

SHA1
37b0548c9aec767fcb91b7d8b1c8af238bcf715b

SHA256
522bed0579fb4ee08e766c161aced7e7ce3c7a60cd577ff7f2d5a12ab6301bdf

SHA512
e9913356bf4575c5855239cb4dbf5768336f08ec6512f14c7e3b729553444a01a36e21f169bde6959160665d58b8bdd406425485d0da53267bc1e8c3bd973f93

Download Submit
C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe

Filesize
3.7MB

MD5
0bd9c3971db333e1ccc5c327c4b06baa

SHA1
2e319ceb3f8fd1cd61d5e40002e493117ed9321d

SHA256
651b7894bf375daa0ec4d1fe71ba43f5fd3fcf62363d4141a767f7c8abedb216

SHA512
997b7356d55218f72e289b95b6170fb7c8998a2caedc19614d118f6566453301403339a3db6a0a9b8b9d73feb17947661571040a458e938c7db649b637bb39bb

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe

Filesize
75KB

MD5
cf219a189dae4a022f26dd58cd5367e6

SHA1
76c2e7b756e894afc4e5fd7267fce398d58c518f

SHA256
725c0bcdb953e39e96a0192d2712b261541647259e494c583d19697a10d2ffbe

SHA512
21dc7cdd5ea07be708a5c696708207a1760851d2fbb608969254a8f3e806bbb87b6b27a4d5f4cecf1b5d90f6fc81759fd9f6222ddafdb955d41b0333ea085f1f

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Security.exe

Filesize
1018KB

MD5
d8cdeec022d5fda0ab78a7ecc9efa3ae

SHA1
3cb31d1646d3f63019a0c3745d3f2c62bdaab243

SHA256
e5b7e580db8476b8e4d2ae806288984df4eb0c5a061bed61c77157a2628ae1ea

SHA512
4ddd191a8c352cef83ba3dee0a2ba15fcd95c397fc13af152c2ef9731ec66c7ee332c8079567ee03e77a38225a8453aee798f573d25c35cb98921d09597ed63e

Download Submit
memory/968-51-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/968-50-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1028-73-0x000000001AC10000-0x000000001ACD8000-memory.dmp

Filesize
800KB

Download
memory/1028-72-0x0000000000DB0000-0x0000000000EAA000-memory.dmp

Filesize
1000KB

Download
memory/1028-74-0x0000000000B80000-0x0000000000BBC000-memory.dmp

Filesize
240KB

Download
memory/1252-57-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1252-58-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1612-81-0x0000000000EA0000-0x0000000000ECE000-memory.dmp

Filesize
184KB

Download
memory/2104-1-0x0000000000B30000-0x0000000000F44000-memory.dmp

Filesize
4.1MB

Download
memory/2104-0-0x000007FEF5903000-0x000007FEF5904000-memory.dmp

Filesize
4KB

Download
memory/2396-12-0x00000000003D0000-0x00000000003E8000-memory.dmp

Filesize
96KB

Download
memory/2728-99-0x0000000000DD0000-0x0000000000DF2000-memory.dmp

Filesize
136KB

Download
memory/2776-44-0x00000000001C0000-0x00000000001D4000-memory.dmp

Filesize
80KB

Download
memory/2776-32-0x0000000000DE0000-0x000000000105E000-memory.dmp

Filesize
2.5MB

Download
memory/2776-43-0x000000001B240000-0x000000001B38E000-memory.dmp

Filesize
1.3MB

Download
memory/2776-45-0x000000001B840000-0x000000001BA56000-memory.dmp

Filesize
2.1MB

Download
memory/2780-35-0x0000000000390000-0x000000000048A000-memory.dmp

Filesize
1000KB

Download