agenttesla | 6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe
Size

4.1MB
MD5

7531fbb7431039bda2b19160e0b9c2d4
SHA1

b7f4a971ebf8128ee1ea7cb764b9582fb73b8002
SHA256

6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8
SHA512

5b8b09d896e12f3da879939f3c925da58ba79c6c1f2559594b1eb11d8fd5f63d3afeb12484b8656e0ba929cb0bb7fbb67a566d3599769c955885ca21b4036487
SSDEEP

98304:51mCYY8UGo4x83fa1lyrd3qNz6VTDwgiLC/sE1:nmCWUUqi1s530+VohE

Score

10^/10

agenttesla xworm defense_evasion discovery execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

lijaligibidu-35558.portmap.host:35558

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
Windows Security.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016edb-10.dat	family_xworm
behavioral1/memory/2064-12-0x00000000008D0000-0x00000000008E8000-memory.dmp	family_xworm
behavioral1/files/0x0008000000004e74-90.dat	family_xworm
behavioral1/memory/2088-92-0x0000000000F60000-0x0000000000F82000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/2832-45-0x000000001B910000-0x000000001BB26000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2824	powershell.exe
1444	powershell.exe
2688	powershell.exe
1448	powershell.exe
1000	powershell.exe
1688	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk	Windows Security Notification.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk	Windows Security Notification.exe

Executes dropped EXE 8 IoCs

pid	Process
3044	TalibanStealerInstaller.exe
2064	WindowsSecurity.exe
536	Windows Security.exe
2832	TalibanStealerInstaller.exe
2016	c9IDU7463.exe
1412	Client Server Runtime Process.exe
2068	Windows Security.exe
2088	Windows Security Notification.exe

Loads dropped DLL 4 IoCs

pid	Process
3044	TalibanStealerInstaller.exe
3044	TalibanStealerInstaller.exe
3044	TalibanStealerInstaller.exe
536	Windows Security.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\malware builder = "C:\\Users\\Admin\\AppData\\Roaming\\malware builder"	Windows Security Notification.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Client Server Runtime Process.exe	c9IDU7463.exe
File opened for modification	C:\Windows\System32\Client Server Runtime Process.exe	c9IDU7463.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TalibanStealerInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
568	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	TalibanStealerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	TalibanStealerInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	TalibanStealerInstaller.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2428	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2088	Windows Security Notification.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2804	powershell.exe
796	powershell.exe
2016	c9IDU7463.exe
2016	c9IDU7463.exe
2016	c9IDU7463.exe
1000	powershell.exe
1688	powershell.exe
2148	powershell.exe
2684	powershell.exe
2824	powershell.exe
1444	powershell.exe
2688	powershell.exe
1448	powershell.exe
2088	Windows Security Notification.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2064	WindowsSecurity.exe
Token: SeDebugPrivilege	2016	c9IDU7463.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeBackupPrivilege	1612	vssvc.exe
Token: SeRestorePrivilege	1612	vssvc.exe
Token: SeAuditPrivilege	1612	vssvc.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1412	Client Server Runtime Process.exe
Token: SeDebugPrivilege	1412	Client Server Runtime Process.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2088	Windows Security Notification.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2088	Windows Security Notification.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2088	Windows Security Notification.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 3044	1620	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	30
PID 1620 wrote to memory of 3044	1620	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	30
PID 1620 wrote to memory of 3044	1620	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	30
PID 1620 wrote to memory of 3044	1620	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	30
PID 1620 wrote to memory of 3044	1620	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	30
PID 1620 wrote to memory of 3044	1620	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	30
PID 1620 wrote to memory of 3044	1620	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	30
PID 1620 wrote to memory of 2064	1620	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	31
PID 1620 wrote to memory of 2064	1620	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	31
PID 1620 wrote to memory of 2064	1620	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	31
PID 3044 wrote to memory of 796	3044	TalibanStealerInstaller.exe	32
PID 3044 wrote to memory of 796	3044	TalibanStealerInstaller.exe	32
PID 3044 wrote to memory of 796	3044	TalibanStealerInstaller.exe	32
PID 3044 wrote to memory of 796	3044	TalibanStealerInstaller.exe	32
PID 3044 wrote to memory of 536	3044	TalibanStealerInstaller.exe	34
PID 3044 wrote to memory of 536	3044	TalibanStealerInstaller.exe	34
PID 3044 wrote to memory of 536	3044	TalibanStealerInstaller.exe	34
PID 3044 wrote to memory of 536	3044	TalibanStealerInstaller.exe	34
PID 536 wrote to memory of 2804	536	Windows Security.exe	35
PID 536 wrote to memory of 2804	536	Windows Security.exe	35
PID 536 wrote to memory of 2804	536	Windows Security.exe	35
PID 536 wrote to memory of 2804	536	Windows Security.exe	35
PID 3044 wrote to memory of 2832	3044	TalibanStealerInstaller.exe	36
PID 3044 wrote to memory of 2832	3044	TalibanStealerInstaller.exe	36
PID 3044 wrote to memory of 2832	3044	TalibanStealerInstaller.exe	36
PID 3044 wrote to memory of 2832	3044	TalibanStealerInstaller.exe	36
PID 536 wrote to memory of 2016	536	Windows Security.exe	38
PID 536 wrote to memory of 2016	536	Windows Security.exe	38
PID 536 wrote to memory of 2016	536	Windows Security.exe	38
PID 536 wrote to memory of 2016	536	Windows Security.exe	38
PID 2016 wrote to memory of 1000	2016	c9IDU7463.exe	44
PID 2016 wrote to memory of 1000	2016	c9IDU7463.exe	44
PID 2016 wrote to memory of 1000	2016	c9IDU7463.exe	44
PID 2016 wrote to memory of 1688	2016	c9IDU7463.exe	46
PID 2016 wrote to memory of 1688	2016	c9IDU7463.exe	46
PID 2016 wrote to memory of 1688	2016	c9IDU7463.exe	46
PID 2016 wrote to memory of 2332	2016	c9IDU7463.exe	49
PID 2016 wrote to memory of 2332	2016	c9IDU7463.exe	49
PID 2016 wrote to memory of 2332	2016	c9IDU7463.exe	49
PID 2332 wrote to memory of 568	2332	cmd.exe	51
PID 2332 wrote to memory of 568	2332	cmd.exe	51
PID 2332 wrote to memory of 568	2332	cmd.exe	51
PID 2340 wrote to memory of 1412	2340	taskeng.exe	52
PID 2340 wrote to memory of 1412	2340	taskeng.exe	52
PID 2340 wrote to memory of 1412	2340	taskeng.exe	52
PID 1412 wrote to memory of 2148	1412	Client Server Runtime Process.exe	53
PID 1412 wrote to memory of 2148	1412	Client Server Runtime Process.exe	53
PID 1412 wrote to memory of 2148	1412	Client Server Runtime Process.exe	53
PID 1412 wrote to memory of 2068	1412	Client Server Runtime Process.exe	55
PID 1412 wrote to memory of 2068	1412	Client Server Runtime Process.exe	55
PID 1412 wrote to memory of 2068	1412	Client Server Runtime Process.exe	55
PID 2068 wrote to memory of 2684	2068	Windows Security.exe	56
PID 2068 wrote to memory of 2684	2068	Windows Security.exe	56
PID 2068 wrote to memory of 2684	2068	Windows Security.exe	56
PID 2068 wrote to memory of 2088	2068	Windows Security.exe	58
PID 2068 wrote to memory of 2088	2068	Windows Security.exe	58
PID 2068 wrote to memory of 2088	2068	Windows Security.exe	58
PID 2088 wrote to memory of 2824	2088	Windows Security Notification.exe	59
PID 2088 wrote to memory of 2824	2088	Windows Security Notification.exe	59
PID 2088 wrote to memory of 2824	2088	Windows Security Notification.exe	59
PID 2088 wrote to memory of 1444	2088	Windows Security Notification.exe	61
PID 2088 wrote to memory of 1444	2088	Windows Security Notification.exe	61
PID 2088 wrote to memory of 1444	2088	Windows Security Notification.exe	61
PID 2088 wrote to memory of 2688	2088	Windows Security Notification.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe
"C:\Users\Admin\AppData\Local\Temp\6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe
  "C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdAByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYwBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAdwBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdgBjACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:796
- - C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAbQBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYwB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdwBiACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe
      "C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Client Server Runtime Process.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client Server Runtime Process.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE6D6.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:568
- - C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates system info in registry
    PID:2832
- C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
  "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\taskeng.exe
taskeng.exe {7ABE9C8A-51AE-4255-9893-DFB8C7ABCD8D} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System32\Client Server Runtime Process.exe
  "C:\Windows\System32\Client Server Runtime Process.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAeABoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAYgBqACMAPgA="
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAZQBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAegB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdQBuACMAPgA="
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Notification.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\malware builder'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'malware builder'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "malware builder" /tr "C:\Users\Admin\AppData\Roaming\malware builder"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe

Filesize
2.5MB

MD5
cdfcc41584dcd2a57da70353cb9955a8

SHA1
78b0a8cda3187d7ba842c9148446da5c628370b5

SHA256
be453771400d21a320f759b3b99bd7cf07d9d8301db6bce115bafae1aff79fb3

SHA512
4db311aac921a20b9be5c28e66b54912065ac5aeb56b45c20fe7383ff69aa50622e6da383f029a6291525457439cd2e6ac403860af4d82bd61a86df3aad9e7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe

Filesize
114KB

MD5
d59bcf447ab9a90d1c6e9701d85d5700

SHA1
c7eff0f1d56e71a601cff1e161879ea520886a32

SHA256
50738407f70e37470182a0da6b44e78eb9cd2be3f7c43e066ea85f92388c79ae

SHA512
4a33de1700a6740c354d79b6e2f706dbc924805b6c8aae03d68cf17427e52a58e65a177622266f4d4e9d0d0904d8ab7a55af2576d555bcc5868b9084730e7180

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security.exe

Filesize
164KB

MD5
9efb0ca4f150666bedbc6ef91e0e6f4b

SHA1
13b140227e709d3a534d4158111c9256b14474b3

SHA256
5ff4fc5985d8d9877dd5b4abe081ee91681b187e99a466b802a8795fd9e500ab

SHA512
7e16155776a1431eda8da3b2fe134b52863c0917170dc64ded710c5133705a0c019c930f696d5972a0a63270f59900cfca4b776631c0b5442c62696db4f7ca36

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE6D6.tmp.bat

Filesize
161B

MD5
418aa1ed07f86eb7b11bc1a83b92ede1

SHA1
b9f4faaae072f1c2fea654bf047aad1ee75d45bb

SHA256
9d7ed40f9d84ec144ab56f74ee2c8b0a91c2c99fe30ac99af9cb8fea53258542

SHA512
4232a2ffb9587b0d3c7e14c116be2ece4bd2df4e1794975f8075f4d1e49773a20750b7fbee1e078111e0b158f3120da1684d17826390a0fa12ecf87bd4c63545

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9172ac7f1701803fd755992e5685e726

SHA1
28b7f19c0fe40578f2654efce727eef73969fbe9

SHA256
f0244b6537aa30c2c91d7a28fed0f48d39625f8bd233cf9f8cb72c9fb8f3a967

SHA512
27f4fb0e4783b3e0a6d60097c0fe98dbdd3c16bb09edec7445468ac9665c32e74515afa4753f36ffcc9b0946f840e7bbd6155271dfc27ed183760dc35757a433

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d3e29054a4ab83da17e8aa09906f5b85

SHA1
b57a450797573e71c7fdcd3cd939dd2a3198769d

SHA256
2345a6b187405f7217fc3d951f07339a33a0ffab66571d2b701edd5246ba897d

SHA512
89d48b06a0c8db8e7f918af7f486d3dc2d769cbe3309d7b31be92fd5269abde530ca25d61ff328e8eb53fd6f41b43652a60b9ce8a9f7b901b2fc6ff52bde60aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3bd999d14ee43673d1926b2a46ce6e63

SHA1
207a10020f3ebda3d6ecc86483b84f1a844457ec

SHA256
05a2a88483f4e2b439b9af66101b69637619683d3a8ea2bda806c8d1138281cc

SHA512
c483e33b3002902eab0a9fd3ccbbb1f7c1d9e252bf7ead558b310f6eb559fb29a6a64cdb9b56998bd3e2db7ac0cb42f0cbdefe71a4aee7a64661121a213d74a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
692ff0412050c52ab0c4992556590cb5

SHA1
3d8fe01a6c0d5e6416c73b68ee482c3b283cc5fc

SHA256
76b951b4ff8b3fd3ec418eb52246d8cd1597ca0d480ff1447e96e8cfe89a6816

SHA512
5daf672431e9c1ab348d69b5dbc4b47edc887dcc78140ac6d54118d0f850727362cc18ffb795b29e63e7911d5f0fc693be76e945dfb43276a8e6f374bf91a440

Download Submit
C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe

Filesize
3.7MB

MD5
0bd9c3971db333e1ccc5c327c4b06baa

SHA1
2e319ceb3f8fd1cd61d5e40002e493117ed9321d

SHA256
651b7894bf375daa0ec4d1fe71ba43f5fd3fcf62363d4141a767f7c8abedb216

SHA512
997b7356d55218f72e289b95b6170fb7c8998a2caedc19614d118f6566453301403339a3db6a0a9b8b9d73feb17947661571040a458e938c7db649b637bb39bb

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe

Filesize
75KB

MD5
cf219a189dae4a022f26dd58cd5367e6

SHA1
76c2e7b756e894afc4e5fd7267fce398d58c518f

SHA256
725c0bcdb953e39e96a0192d2712b261541647259e494c583d19697a10d2ffbe

SHA512
21dc7cdd5ea07be708a5c696708207a1760851d2fbb608969254a8f3e806bbb87b6b27a4d5f4cecf1b5d90f6fc81759fd9f6222ddafdb955d41b0333ea085f1f

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Security.exe

Filesize
1018KB

MD5
d8cdeec022d5fda0ab78a7ecc9efa3ae

SHA1
3cb31d1646d3f63019a0c3745d3f2c62bdaab243

SHA256
e5b7e580db8476b8e4d2ae806288984df4eb0c5a061bed61c77157a2628ae1ea

SHA512
4ddd191a8c352cef83ba3dee0a2ba15fcd95c397fc13af152c2ef9731ec66c7ee332c8079567ee03e77a38225a8453aee798f573d25c35cb98921d09597ed63e

Download Submit
\Users\Admin\AppData\Local\Temp\c9IDU7463.exe

Filesize
971KB

MD5
26efc684ddd0782b295a6ee4a76e3256

SHA1
08cc73ef5c1b02e09765181a5acee1a7018dcffc

SHA256
bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab

SHA512
20ba9e73514148613943db974cf88874907f9fe19e1cf5d81d9bf83ffbd233be80e925c62a5430a7ef69099e603ae54d60680020e0de58e632897f8c4aecfb49

Download Submit
memory/1000-50-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1000-51-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1412-73-0x00000000005F0000-0x00000000006B8000-memory.dmp

Filesize
800KB

Download
memory/1412-74-0x0000000000AF0000-0x0000000000B2C000-memory.dmp

Filesize
240KB

Download
memory/1412-72-0x0000000000D70000-0x0000000000E6A000-memory.dmp

Filesize
1000KB

Download
memory/1620-1-0x0000000001290000-0x00000000016A4000-memory.dmp

Filesize
4.1MB

Download
memory/1620-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

Filesize
4KB

Download
memory/1688-57-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/1688-58-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2016-42-0x0000000000980000-0x0000000000A7A000-memory.dmp

Filesize
1000KB

Download
memory/2064-12-0x00000000008D0000-0x00000000008E8000-memory.dmp

Filesize
96KB

Download
memory/2068-86-0x00000000013B0000-0x00000000013DE000-memory.dmp

Filesize
184KB

Download
memory/2088-92-0x0000000000F60000-0x0000000000F82000-memory.dmp

Filesize
136KB

Download
memory/2832-43-0x000000001B540000-0x000000001B68E000-memory.dmp

Filesize
1.3MB

Download
memory/2832-45-0x000000001B910000-0x000000001BB26000-memory.dmp

Filesize
2.1MB

Download
memory/2832-29-0x00000000002D0000-0x000000000054E000-memory.dmp

Filesize
2.5MB

Download
memory/2832-44-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download