agenttesla | 6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe
Size

4.1MB
MD5

7531fbb7431039bda2b19160e0b9c2d4
SHA1

b7f4a971ebf8128ee1ea7cb764b9582fb73b8002
SHA256

6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8
SHA512

5b8b09d896e12f3da879939f3c925da58ba79c6c1f2559594b1eb11d8fd5f63d3afeb12484b8656e0ba929cb0bb7fbb67a566d3599769c955885ca21b4036487
SSDEEP

98304:51mCYY8UGo4x83fa1lyrd3qNz6VTDwgiLC/sE1:nmCWUUqi1s530+VohE

Score

10^/10

agenttesla xworm defense_evasion discovery execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

lijaligibidu-35558.portmap.host:35558

127.0.0.1:7000

Attributes

Install_directory
%AppData%
install_file
Windows Security.exe

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x00070000000234a3-13.dat	family_xworm
behavioral2/memory/2156-22-0x00000000007F0000-0x0000000000808000-memory.dmp	family_xworm
behavioral2/files/0x00090000000234a3-184.dat	family_xworm
behavioral2/memory/4424-192-0x00000000006E0000-0x0000000000702000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/3540-59-0x000002175F050000-0x000002175F266000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1904	powershell.exe
4488	powershell.exe
1172	powershell.exe
4964	powershell.exe
2356	powershell.exe
4160	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	TalibanStealerInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Windows Security.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	c9IDU7463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Client Server Runtime Process.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Windows Security.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Windows Security Notification.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk	Windows Security Notification.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\malware builder.lnk	Windows Security Notification.exe

Executes dropped EXE 10 IoCs

pid	Process
548	TalibanStealerInstaller.exe
2156	WindowsSecurity.exe
2712	Windows Security.exe
3540	TalibanStealerInstaller.exe
2392	c9IDU7463.exe
4872	Client Server Runtime Process.exe
3736	Windows Security.exe
4424	Windows Security Notification.exe
1556	malware builder
1020	malware builder

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malware builder = "C:\\Users\\Admin\\AppData\\Roaming\\malware builder"	Windows Security Notification.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Client Server Runtime Process.exe	c9IDU7463.exe
File opened for modification	C:\Windows\System32\Client Server Runtime Process.exe	c9IDU7463.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TalibanStealerInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1908	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	TalibanStealerInstaller.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	TalibanStealerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	TalibanStealerInstaller.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2956	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4424	Windows Security Notification.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
452	powershell.exe
4904	powershell.exe
452	powershell.exe
4904	powershell.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
2392	c9IDU7463.exe
1904	powershell.exe
1904	powershell.exe
4488	powershell.exe
4488	powershell.exe
4536	powershell.exe
4536	powershell.exe
4536	powershell.exe
1952	powershell.exe
1952	powershell.exe
1952	powershell.exe
1172	powershell.exe
1172	powershell.exe
4964	powershell.exe
4964	powershell.exe
2356	powershell.exe
2356	powershell.exe
4160	powershell.exe
4160	powershell.exe
4424	Windows Security Notification.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	WindowsSecurity.exe
Token: SeDebugPrivilege	2392	c9IDU7463.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeBackupPrivilege	408	vssvc.exe
Token: SeRestorePrivilege	408	vssvc.exe
Token: SeAuditPrivilege	408	vssvc.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	4872	Client Server Runtime Process.exe
Token: SeDebugPrivilege	4872	Client Server Runtime Process.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	4424	Windows Security Notification.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	4424	Windows Security Notification.exe
Token: SeDebugPrivilege	1556	malware builder
Token: SeDebugPrivilege	1020	malware builder

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4424	Windows Security Notification.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 548	2088	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	85
PID 2088 wrote to memory of 548	2088	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	85
PID 2088 wrote to memory of 548	2088	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	85
PID 2088 wrote to memory of 2156	2088	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	87
PID 2088 wrote to memory of 2156	2088	6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe	87
PID 548 wrote to memory of 452	548	TalibanStealerInstaller.exe	88
PID 548 wrote to memory of 452	548	TalibanStealerInstaller.exe	88
PID 548 wrote to memory of 452	548	TalibanStealerInstaller.exe	88
PID 548 wrote to memory of 2712	548	TalibanStealerInstaller.exe	90
PID 548 wrote to memory of 2712	548	TalibanStealerInstaller.exe	90
PID 548 wrote to memory of 2712	548	TalibanStealerInstaller.exe	90
PID 548 wrote to memory of 3540	548	TalibanStealerInstaller.exe	91
PID 548 wrote to memory of 3540	548	TalibanStealerInstaller.exe	91
PID 2712 wrote to memory of 4904	2712	Windows Security.exe	92
PID 2712 wrote to memory of 4904	2712	Windows Security.exe	92
PID 2712 wrote to memory of 4904	2712	Windows Security.exe	92
PID 2712 wrote to memory of 2392	2712	Windows Security.exe	94
PID 2712 wrote to memory of 2392	2712	Windows Security.exe	94
PID 2392 wrote to memory of 1904	2392	c9IDU7463.exe	99
PID 2392 wrote to memory of 1904	2392	c9IDU7463.exe	99
PID 2392 wrote to memory of 4488	2392	c9IDU7463.exe	101
PID 2392 wrote to memory of 4488	2392	c9IDU7463.exe	101
PID 2392 wrote to memory of 208	2392	c9IDU7463.exe	107
PID 2392 wrote to memory of 208	2392	c9IDU7463.exe	107
PID 208 wrote to memory of 1908	208	cmd.exe	109
PID 208 wrote to memory of 1908	208	cmd.exe	109
PID 4872 wrote to memory of 4536	4872	Client Server Runtime Process.exe	110
PID 4872 wrote to memory of 4536	4872	Client Server Runtime Process.exe	110
PID 4872 wrote to memory of 3736	4872	Client Server Runtime Process.exe	112
PID 4872 wrote to memory of 3736	4872	Client Server Runtime Process.exe	112
PID 3736 wrote to memory of 1952	3736	Windows Security.exe	113
PID 3736 wrote to memory of 1952	3736	Windows Security.exe	113
PID 3736 wrote to memory of 4424	3736	Windows Security.exe	115
PID 3736 wrote to memory of 4424	3736	Windows Security.exe	115
PID 4424 wrote to memory of 1172	4424	Windows Security Notification.exe	117
PID 4424 wrote to memory of 1172	4424	Windows Security Notification.exe	117
PID 4424 wrote to memory of 4964	4424	Windows Security Notification.exe	119
PID 4424 wrote to memory of 4964	4424	Windows Security Notification.exe	119
PID 4424 wrote to memory of 2356	4424	Windows Security Notification.exe	121
PID 4424 wrote to memory of 2356	4424	Windows Security Notification.exe	121
PID 4424 wrote to memory of 4160	4424	Windows Security Notification.exe	123
PID 4424 wrote to memory of 4160	4424	Windows Security Notification.exe	123
PID 4424 wrote to memory of 2956	4424	Windows Security Notification.exe	127
PID 4424 wrote to memory of 2956	4424	Windows Security Notification.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe
"C:\Users\Admin\AppData\Local\Temp\6a93c6b6467f2e24918f9c39f2b0d91a14974b3af096d39dda126c02f3299bc8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe
  "C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdAByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAYwBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAdwBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdgBjACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:452
- - C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAbQBrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAYwB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZgBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdwBiACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe
      "C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Client Server Runtime Process.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Client Server Runtime Process.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDCF2.tmp.bat""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:208
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:1908
- - C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates system info in registry
    PID:3540
- C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
  "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:408

C:\Windows\System32\Client Server Runtime Process.exe
"C:\Windows\System32\Client Server Runtime Process.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGkAeABoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAdQBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGoAYgBqACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Users\Admin\AppData\Local\Temp\Windows Security.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Security.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAZQBuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHEAdQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAegB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdQBuACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Security Notification.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\malware builder'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'malware builder'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4160
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "malware builder" /tr "C:\Users\Admin\AppData\Roaming\malware builder"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2956

C:\Users\Admin\AppData\Roaming\malware builder
"C:\Users\Admin\AppData\Roaming\malware builder"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Users\Admin\AppData\Roaming\malware builder
"C:\Users\Admin\AppData\Roaming\malware builder"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\malware builder.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0ba7e6e0aae91f57de03aecb50e06449

SHA1
d8e67329087c6053007aeeaee3e6e9e385ffc51c

SHA256
03aceaf7ddbb39db24cd6ca20a4975561aa1ea56048cfe823726f9a56c0de769

SHA512
9835b2bba4fd9f1802fb99e39fae3fd1887a3e183d339d9fa43f0f1e83518bd44044f6b3aae67f0572c90a5991233f3be1f9cf678a79c74c01014deeff05a8a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
11448f7fd9089a7f2e9680de527a417d

SHA1
3fbc9b9230a49915b3f490e4a9dbd421a17ba7d2

SHA256
93c27aa400d50a24a0a414f3458fab4ad857f745a4996befd0c34f35cc525cef

SHA512
1c3fbbeefaa6ac489f374f7e3cba428ebc1eecfddb6154fdda9c33535c32db1c321eaab75dbc3879583168fbc282ff7a82376170deaa0be375ca832dc6bf7fcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
04f1d68afbed6b13399edfae1e9b1472

SHA1
8bfdcb687a995e4a63a8c32df2c66dc89f91a8b0

SHA256
f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de

SHA512
30c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa1d071c64c11da056441908be218eb9

SHA1
829685d5759d0c6408cdb49d768319340911259b

SHA256
b441de653f1db11fdcb7756e853676af9c07fc2bdedf51aad9bd48efca291d3a

SHA512
809f7622cc311eb6476454804d323cc3fa993f7ef4cab5edce15d72d8c9cd8d56023f59877fc7346e6d27c90e53d11e96185568aa69a7acc1cff318028d594a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8e25538ec8924dedf0284ba670e736d6

SHA1
45d2926ea3b7f0e9d581bfe20e5c00b1f0689447

SHA256
7608a129cc2fa7c623970f4cbc0a0390527b945a6ab1ffc02f4268d0ebb6a43a

SHA512
c7f0bdf40060dbbbfec30ee4c65d2c6baf084dd7384d5a0178c31a10789ccac6eddc0b8d28b2702597490c1c154eebcc85b1e29fb0d3fc2ce993570d2dce529d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cae60f0ddddac635da71bba775a2c5b4

SHA1
386f1a036af61345a7d303d45f5230e2df817477

SHA256
b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16

SHA512
28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

Download Submit
C:\Users\Admin\AppData\Local\Temp\TalibanStealerInstaller.exe

Filesize
2.5MB

MD5
cdfcc41584dcd2a57da70353cb9955a8

SHA1
78b0a8cda3187d7ba842c9148446da5c628370b5

SHA256
be453771400d21a320f759b3b99bd7cf07d9d8301db6bce115bafae1aff79fb3

SHA512
4db311aac921a20b9be5c28e66b54912065ac5aeb56b45c20fe7383ff69aa50622e6da383f029a6291525457439cd2e6ac403860af4d82bd61a86df3aad9e7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security Notification.exe

Filesize
114KB

MD5
d59bcf447ab9a90d1c6e9701d85d5700

SHA1
c7eff0f1d56e71a601cff1e161879ea520886a32

SHA256
50738407f70e37470182a0da6b44e78eb9cd2be3f7c43e066ea85f92388c79ae

SHA512
4a33de1700a6740c354d79b6e2f706dbc924805b6c8aae03d68cf17427e52a58e65a177622266f4d4e9d0d0904d8ab7a55af2576d555bcc5868b9084730e7180

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security.exe

Filesize
164KB

MD5
9efb0ca4f150666bedbc6ef91e0e6f4b

SHA1
13b140227e709d3a534d4158111c9256b14474b3

SHA256
5ff4fc5985d8d9877dd5b4abe081ee91681b187e99a466b802a8795fd9e500ab

SHA512
7e16155776a1431eda8da3b2fe134b52863c0917170dc64ded710c5133705a0c019c930f696d5972a0a63270f59900cfca4b776631c0b5442c62696db4f7ca36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Security.exe

Filesize
1018KB

MD5
d8cdeec022d5fda0ab78a7ecc9efa3ae

SHA1
3cb31d1646d3f63019a0c3745d3f2c62bdaab243

SHA256
e5b7e580db8476b8e4d2ae806288984df4eb0c5a061bed61c77157a2628ae1ea

SHA512
4ddd191a8c352cef83ba3dee0a2ba15fcd95c397fc13af152c2ef9731ec66c7ee332c8079567ee03e77a38225a8453aee798f573d25c35cb98921d09597ed63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5tt0bdu4.dov.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c9IDU7463.exe

Filesize
971KB

MD5
26efc684ddd0782b295a6ee4a76e3256

SHA1
08cc73ef5c1b02e09765181a5acee1a7018dcffc

SHA256
bf832f28b8d9f2ff077f691bd7e8a2cf46f3a4ac0ee8ee2d2f2944089abd20ab

SHA512
20ba9e73514148613943db974cf88874907f9fe19e1cf5d81d9bf83ffbd233be80e925c62a5430a7ef69099e603ae54d60680020e0de58e632897f8c4aecfb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDCF2.tmp.bat

Filesize
161B

MD5
e100b4553a71008321ab86e5fde08b0f

SHA1
c122b075ea7521a563cf4e61895d232c84d7f5e7

SHA256
c9134e610a61a2513edee50ca7ddb00bb135e9fa3ae5c843a3747774908f211f

SHA512
71ec9de5264a1233f7d4030be2e31e9b6ad99a5a0c75278238e61254d3228de4fef0f801c806085bd591e7d7b319fe7e990e3618683c1d3fbbfa038e978fa694

Download Submit
C:\Users\Admin\AppData\Roaming\TalibanStealerInstaller.exe

Filesize
3.7MB

MD5
0bd9c3971db333e1ccc5c327c4b06baa

SHA1
2e319ceb3f8fd1cd61d5e40002e493117ed9321d

SHA256
651b7894bf375daa0ec4d1fe71ba43f5fd3fcf62363d4141a767f7c8abedb216

SHA512
997b7356d55218f72e289b95b6170fb7c8998a2caedc19614d118f6566453301403339a3db6a0a9b8b9d73feb17947661571040a458e938c7db649b637bb39bb

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe

Filesize
75KB

MD5
cf219a189dae4a022f26dd58cd5367e6

SHA1
76c2e7b756e894afc4e5fd7267fce398d58c518f

SHA256
725c0bcdb953e39e96a0192d2712b261541647259e494c583d19697a10d2ffbe

SHA512
21dc7cdd5ea07be708a5c696708207a1760851d2fbb608969254a8f3e806bbb87b6b27a4d5f4cecf1b5d90f6fc81759fd9f6222ddafdb955d41b0333ea085f1f

Download Submit
memory/452-109-0x0000000008090000-0x000000000870A000-memory.dmp

Filesize
6.5MB

Download
memory/452-110-0x0000000007A40000-0x0000000007A5A000-memory.dmp

Filesize
104KB

Download
memory/452-83-0x0000000006720000-0x000000000673E000-memory.dmp

Filesize
120KB

Download
memory/452-84-0x0000000006750000-0x000000000679C000-memory.dmp

Filesize
304KB

Download
memory/452-53-0x0000000003140000-0x0000000003176000-memory.dmp

Filesize
216KB

Download
memory/452-96-0x0000000006D50000-0x0000000006D6E000-memory.dmp

Filesize
120KB

Download
memory/452-98-0x0000000007910000-0x00000000079B3000-memory.dmp

Filesize
652KB

Download
memory/452-86-0x00000000748C0000-0x000000007490C000-memory.dmp

Filesize
304KB

Download
memory/452-85-0x0000000006CE0000-0x0000000006D12000-memory.dmp

Filesize
200KB

Download
memory/452-55-0x00000000058C0000-0x0000000005EE8000-memory.dmp

Filesize
6.2MB

Download
memory/452-78-0x0000000006140000-0x0000000006494000-memory.dmp

Filesize
3.3MB

Download
memory/452-62-0x0000000006060000-0x00000000060C6000-memory.dmp

Filesize
408KB

Download
memory/452-111-0x0000000007AC0000-0x0000000007ACA000-memory.dmp

Filesize
40KB

Download
memory/452-112-0x0000000007CD0000-0x0000000007D66000-memory.dmp

Filesize
600KB

Download
memory/452-113-0x0000000007C40000-0x0000000007C51000-memory.dmp

Filesize
68KB

Download
memory/452-61-0x0000000005850000-0x0000000005872000-memory.dmp

Filesize
136KB

Download
memory/452-115-0x0000000007C90000-0x0000000007CA4000-memory.dmp

Filesize
80KB

Download
memory/452-116-0x0000000007D70000-0x0000000007D8A000-memory.dmp

Filesize
104KB

Download
memory/452-117-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

Filesize
32KB

Download
memory/452-63-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/1904-122-0x0000019B29530000-0x0000019B29552000-memory.dmp

Filesize
136KB

Download
memory/2088-0-0x00007FFAA7F43000-0x00007FFAA7F45000-memory.dmp

Filesize
8KB

Download
memory/2088-1-0x0000000000840000-0x0000000000C54000-memory.dmp

Filesize
4.1MB

Download
memory/2156-22-0x00000000007F0000-0x0000000000808000-memory.dmp

Filesize
96KB

Download
memory/2156-23-0x00007FFAA7F40000-0x00007FFAA8A01000-memory.dmp

Filesize
10.8MB

Download
memory/2156-97-0x00007FFAA7F40000-0x00007FFAA8A01000-memory.dmp

Filesize
10.8MB

Download
memory/2392-60-0x0000000000F40000-0x000000000103A000-memory.dmp

Filesize
1000KB

Download
memory/3540-49-0x000002175E370000-0x000002175E4BE000-memory.dmp

Filesize
1.3MB

Download
memory/3540-59-0x000002175F050000-0x000002175F266000-memory.dmp

Filesize
2.1MB

Download
memory/3540-54-0x0000021744260000-0x0000021744274000-memory.dmp

Filesize
80KB

Download
memory/3540-43-0x0000021743C50000-0x0000021743ECE000-memory.dmp

Filesize
2.5MB

Download
memory/3736-169-0x0000000000940000-0x000000000096E000-memory.dmp

Filesize
184KB

Download
memory/4424-192-0x00000000006E0000-0x0000000000702000-memory.dmp

Filesize
136KB

Download
memory/4872-156-0x000000001BBA0000-0x000000001BC68000-memory.dmp

Filesize
800KB

Download
memory/4872-157-0x000000001C1C0000-0x000000001C1FC000-memory.dmp

Filesize
240KB

Download
memory/4904-114-0x0000000007E60000-0x0000000007E6E000-memory.dmp

Filesize
56KB

Download
memory/4904-99-0x00000000748C0000-0x000000007490C000-memory.dmp

Filesize
304KB

Download