agenttesla | 06b9ec5bcbddaf19ad375e5f7216b7fbcc0a854867d301a2e13b683b5908ec6c

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe
Size

382KB
MD5

daba34ee91d71e27825d0e34dca5aa1c
SHA1

e18bb4bbf084e39d8f12765bdeefee694783a55b
SHA256

06b9ec5bcbddaf19ad375e5f7216b7fbcc0a854867d301a2e13b683b5908ec6c
SHA512

dcfe1b3d05a1ac88929d96478e02c235c66b900c5a52a470aeb0b922ba0f671f7980a205ba791c09eecbdb9e93e51afe76447462ec6d4d53987719de12a944dc
SSDEEP

6144:3K6g8ITLkw7HKIBHyFguPnPZZWzPLSQjMrNabcgM8u5hOVHrK/C62wRi/KEmz7ao:3KLkw2i4L3ZiCr4bcgMLOVHma7ipKo

Score

10^/10

agenttesla collection credential_access discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
server252.web-hosting.com
Port:
587
Username:
[email protected]
Password:
)nf%CWKJ[FaW

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 3 IoCs

resource	yara_rule
behavioral1/memory/2924-47-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2924-46-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla
behavioral1/memory/2924-45-0x0000000000400000-0x000000000044C000-memory.dmp	family_agenttesla

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	nZqhVHCwzXpXRKSJma5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	nZqhVHCwzXpXRKSJma5.exe

Executes dropped EXE 3 IoCs

pid	Process
2528	nZqhVHCwzXpXRKSJma5.exe
1900	nZqhVHCwzXpXRKSJma5.exe
2836	nZqhVHCwzXpXRKSJma5.exe

Loads dropped DLL 10 IoCs

pid	Process
2112	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe
2112	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
1900	nZqhVHCwzXpXRKSJma5.exe
1900	nZqhVHCwzXpXRKSJma5.exe
2836	nZqhVHCwzXpXRKSJma5.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2528 set thread context of 2924	2528	nZqhVHCwzXpXRKSJma5.exe	37
PID 1900 set thread context of 1732	1900	nZqhVHCwzXpXRKSJma5.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1072	2836	WerFault.exe	47

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nZqhVHCwzXpXRKSJma5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe
2528	nZqhVHCwzXpXRKSJma5.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2528	nZqhVHCwzXpXRKSJma5.exe
1900	nZqhVHCwzXpXRKSJma5.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	nZqhVHCwzXpXRKSJma5.exe
Token: SeDebugPrivilege	1900	nZqhVHCwzXpXRKSJma5.exe
Token: SeDebugPrivilege	2924	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2924	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2528	2112	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2528	2112	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2528	2112	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2528	2112	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2528	2112	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2528	2112	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2528	2112	daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2704	2528	nZqhVHCwzXpXRKSJma5.exe	31
PID 2528 wrote to memory of 2704	2528	nZqhVHCwzXpXRKSJma5.exe	31
PID 2528 wrote to memory of 2704	2528	nZqhVHCwzXpXRKSJma5.exe	31
PID 2528 wrote to memory of 2704	2528	nZqhVHCwzXpXRKSJma5.exe	31
PID 2528 wrote to memory of 2704	2528	nZqhVHCwzXpXRKSJma5.exe	31
PID 2528 wrote to memory of 2704	2528	nZqhVHCwzXpXRKSJma5.exe	31
PID 2528 wrote to memory of 2704	2528	nZqhVHCwzXpXRKSJma5.exe	31
PID 2704 wrote to memory of 764	2704	csc.exe	33
PID 2704 wrote to memory of 764	2704	csc.exe	33
PID 2704 wrote to memory of 764	2704	csc.exe	33
PID 2704 wrote to memory of 764	2704	csc.exe	33
PID 2704 wrote to memory of 764	2704	csc.exe	33
PID 2704 wrote to memory of 764	2704	csc.exe	33
PID 2704 wrote to memory of 764	2704	csc.exe	33
PID 2528 wrote to memory of 2876	2528	nZqhVHCwzXpXRKSJma5.exe	34
PID 2528 wrote to memory of 2876	2528	nZqhVHCwzXpXRKSJma5.exe	34
PID 2528 wrote to memory of 2876	2528	nZqhVHCwzXpXRKSJma5.exe	34
PID 2528 wrote to memory of 2876	2528	nZqhVHCwzXpXRKSJma5.exe	34
PID 2528 wrote to memory of 2876	2528	nZqhVHCwzXpXRKSJma5.exe	34
PID 2528 wrote to memory of 2876	2528	nZqhVHCwzXpXRKSJma5.exe	34
PID 2528 wrote to memory of 2876	2528	nZqhVHCwzXpXRKSJma5.exe	34
PID 2876 wrote to memory of 2776	2876	csc.exe	36
PID 2876 wrote to memory of 2776	2876	csc.exe	36
PID 2876 wrote to memory of 2776	2876	csc.exe	36
PID 2876 wrote to memory of 2776	2876	csc.exe	36
PID 2876 wrote to memory of 2776	2876	csc.exe	36
PID 2876 wrote to memory of 2776	2876	csc.exe	36
PID 2876 wrote to memory of 2776	2876	csc.exe	36
PID 2528 wrote to memory of 2924	2528	nZqhVHCwzXpXRKSJma5.exe	37
PID 2528 wrote to memory of 2924	2528	nZqhVHCwzXpXRKSJma5.exe	37
PID 2528 wrote to memory of 2924	2528	nZqhVHCwzXpXRKSJma5.exe	37
PID 2528 wrote to memory of 2924	2528	nZqhVHCwzXpXRKSJma5.exe	37
PID 2528 wrote to memory of 2924	2528	nZqhVHCwzXpXRKSJma5.exe	37
PID 2528 wrote to memory of 2924	2528	nZqhVHCwzXpXRKSJma5.exe	37
PID 2528 wrote to memory of 2924	2528	nZqhVHCwzXpXRKSJma5.exe	37
PID 2528 wrote to memory of 2924	2528	nZqhVHCwzXpXRKSJma5.exe	37
PID 2528 wrote to memory of 1900	2528	nZqhVHCwzXpXRKSJma5.exe	38
PID 2528 wrote to memory of 1900	2528	nZqhVHCwzXpXRKSJma5.exe	38
PID 2528 wrote to memory of 1900	2528	nZqhVHCwzXpXRKSJma5.exe	38
PID 2528 wrote to memory of 1900	2528	nZqhVHCwzXpXRKSJma5.exe	38
PID 2528 wrote to memory of 1900	2528	nZqhVHCwzXpXRKSJma5.exe	38
PID 2528 wrote to memory of 1900	2528	nZqhVHCwzXpXRKSJma5.exe	38
PID 2528 wrote to memory of 1900	2528	nZqhVHCwzXpXRKSJma5.exe	38
PID 1900 wrote to memory of 1736	1900	nZqhVHCwzXpXRKSJma5.exe	40
PID 1900 wrote to memory of 1736	1900	nZqhVHCwzXpXRKSJma5.exe	40
PID 1900 wrote to memory of 1736	1900	nZqhVHCwzXpXRKSJma5.exe	40
PID 1900 wrote to memory of 1736	1900	nZqhVHCwzXpXRKSJma5.exe	40
PID 1900 wrote to memory of 1736	1900	nZqhVHCwzXpXRKSJma5.exe	40
PID 1900 wrote to memory of 1736	1900	nZqhVHCwzXpXRKSJma5.exe	40
PID 1900 wrote to memory of 1736	1900	nZqhVHCwzXpXRKSJma5.exe	40
PID 1736 wrote to memory of 2544	1736	csc.exe	42
PID 1736 wrote to memory of 2544	1736	csc.exe	42
PID 1736 wrote to memory of 2544	1736	csc.exe	42
PID 1736 wrote to memory of 2544	1736	csc.exe	42
PID 1736 wrote to memory of 2544	1736	csc.exe	42
PID 1736 wrote to memory of 2544	1736	csc.exe	42
PID 1736 wrote to memory of 2544	1736	csc.exe	42

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\daba34ee91d71e27825d0e34dca5aa1c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\30xvlsu0\30xvlsu0.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC68A.tmp" "c:\Users\Admin\AppData\Local\Temp\30xvlsu0\CSCCDCC9A1B49F24684AC3DA79547BA7E.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:764
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l4zynasa\l4zynasa.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC735.tmp" "c:\Users\Admin\AppData\Local\Temp\l4zynasa\CSC948B8B0D9D7B4445B66CB86F5E2CC238.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:2924
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lt3fl420\lt3fl420.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD2E.tmp" "c:\Users\Admin\AppData\Local\Temp\lt3fl420\CSC722A67CE41FA44059BBF17F4A071C0A5.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqduytvm\wqduytvm.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1632
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDF9.tmp" "c:\Users\Admin\AppData\Local\Temp\wqduytvm\CSCF46FE2ED507E4E0AA8F5CA7D7ED1BAC6.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1408
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe
      "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 672
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\30xvlsu0\30xvlsu0.dll

Filesize
832KB

MD5
09064723e71954fbe3286c26a4f77b15

SHA1
c2fa077f798514905ac930b30fee11201e28153e

SHA256
0c3cae4ccb20b5600a47d30138de77bf290382d48bfdb8fda76e789e71a8e518

SHA512
cbd96807c03f028893a92389adaa1ea083ffc835a0c04059283f1ee45a4c65cece373c8a4d9a24d54524bc994c2d4a3ef62a42bae5fd2e2a6f3bfb91e262111e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJm

Filesize
1.2MB

MD5
06fe80691fd6f72282c16b19e63ae9e5

SHA1
e240304306779e9c3478601698e345cb5d76000a

SHA256
5b41dc0d5d556a3d51bebafeee7576d68961ba11f1e417e58d03817fa1f7d05e

SHA512
1f4905e92beb725a2ba941c82e3a7907a217c1cbe96eb8224d7842fefd02b8e410e5dac1116949d1a37f1f825faf45ed522c88e6583da249e29bd60efffae672

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC68A.tmp

Filesize
1KB

MD5
cb0ba4932746141475a636c37d770c55

SHA1
8efe0be93d5addf4e6d854a46fb7823dcc3babe4

SHA256
06f56a215160e605906fce4f25c0ab23f6f9277050292d2123ecb53d83879774

SHA512
38e58b26beeeaf3e862caa72ac7224a634f06e891ceb356b1c170272a2b86e79b1f8f3193685b5c2818a83efa94fc33005136fc2abe7e29ff100a04b0311d8c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC735.tmp

Filesize
1KB

MD5
a24e59ca9664c0d5f99dd40fc8f2519d

SHA1
528d185be66db76dbe28e3a472fb1ba21ff54e3f

SHA256
72e1eecf9c57b1c090db5d2f9263bddba9de1c7121f9a5a8c42077ff3cf1ed19

SHA512
131733bb7e0a372786fa2160d82dc36c4bc9e773581c8841a9121907c73e52101711da658b0ceff64b515aa408f44dba683f819dc88c20620b8ce80566b3a67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCD2E.tmp

Filesize
1KB

MD5
5029579c0687c26208c317b61195ece2

SHA1
46249b9ce001b728d07d678418cbec03ee51a834

SHA256
61a7fb96eb6fc95c6deffc4c136fd9e863b9545aa0521dad863ecae7eb8f5546

SHA512
9fe8bf68c47918b13db3260460736286f246c295a817d41dcc5534463963de8b402ebb65984f58dfad8af8b047f491a065a4b225c7dffb3c3dc36509e045984a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCDF9.tmp

Filesize
1KB

MD5
b3200f78b701a66db8f0369f91845bde

SHA1
edff950951fb618882b30bd8afc023d8e3f40fb3

SHA256
9d6ced4297afb8669ac910d2107ef75691e0c4959a20bbd8c643c384aac830c8

SHA512
d06cab794da0fd7801937ded4d907df0e9a713b4b8f1ac9ed4ca0279bf5a3dc69aa88cd1076a30670a0a2af5eae0172fb0c4116c3a9352545c956d914ddf3bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4zynasa\l4zynasa.dll

Filesize
832KB

MD5
17d5aed842dc810a561eb7f408717598

SHA1
347a68a3bec9b7978aa9c748af62329af2aa02dd

SHA256
664a17bd27392fe1e396445d711f37ed1f415b2e0238cf119221d026246af658

SHA512
9bcdef31f53c296d91402ce6c6d5e9b7538fcfdc3f7dd9912c9aac7f14f76c2355376cc3934189645f274e6c0bca788eaf62b710fc57c0392434a0bf6b1eb52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lt3fl420\lt3fl420.dll

Filesize
832KB

MD5
b9b70c908cfe22645387c5025dd192bb

SHA1
643175e7494815e16856f359d35eba1f85f66305

SHA256
57178b3fd9c2176cd8dd33bb687abbccb46e345b7311fd23dc721746cb35b0f6

SHA512
5121a79303b539c25e2ddf26a65e5febbc6765e41eac552681cff135bdb5152d281a903398c21a13712aa45a04600171c86e190e79b2e6f60836daeb83d83894

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqduytvm\wqduytvm.dll

Filesize
832KB

MD5
45cb8f71f0a409c313440ba3f22ed865

SHA1
d1461468210deae25b7d7935cdf31894426188c7

SHA256
6f1ad5b175c322eab3f1ac8713b89e993e6a25a16eed5b3ecb3da3f044bc0613

SHA512
c418e6e00072c609219cb05683e329f50deeb84a82b3cf1afa043a05acc56c319b20d0cfb5253afdb5b83ba551525c778c0b6b9dd96a02c54a41b3e7df5fd382

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\30xvlsu0\30xvlsu0.0.cs

Filesize
1.2MB

MD5
134076190ecedd5b5ae653aa1ca82dcd

SHA1
3a2418a4b78942bdc5238c190aafec6f25401df1

SHA256
f34bc0335b156845f2d49d55520d7bab30b5812fbef489798402f089643e8255

SHA512
b89ca747a9f968348cfbc527890da57607ed11254633e28b7450b8169411582d6ed3f3f2229c7e21a6fc5f60eef2561e280419dc6e01ff622c862638e9bfe39e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\30xvlsu0\30xvlsu0.cmdline

Filesize
302B

MD5
ba1603cc139c621adb23ca7f96f40416

SHA1
e1f36cb2b2a849fb10925ebf7609764cc2b13f1c

SHA256
bff74560eb514a1305341e04fe510e20866455c50688fab74ac922e437d1daca

SHA512
90f59e79ea7327c26d74237b3d029d828c242507afe37004f7ee9f27c860b42b7e252c58ad6c6c9f4150d29c1ab16143b886de224398aa2e5ec09184cd7da059

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\30xvlsu0\CSCCDCC9A1B49F24684AC3DA79547BA7E.TMP

Filesize
652B

MD5
344150db9c9d64c64e947c39a0d4a94a

SHA1
ac04ef3eb1806c827f8623b081cc93d499527ce6

SHA256
64cc75649f86923fd734d00b8fa77834632e3746d00550a312aca27c449b23f3

SHA512
e6c5451c2d601d0b6ed0491aacfcc347d16e51c399b46413f6dac12fdf61f3430c64924b8c3588b3c393a2a6c3157d81bad708cda5b464be795fac07f06a611d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l4zynasa\CSC948B8B0D9D7B4445B66CB86F5E2CC238.TMP

Filesize
652B

MD5
00837f75986aa18e73d9e5756fcf96ab

SHA1
e626df72c108f13b42ad32a66f01552b8a93f740

SHA256
59bcb092ef2b3c812db6e5e50f5350fa82668601e0a30462a68694185159d3e0

SHA512
16d2090d75f7939c942380ec75eb58220a5666c84bbc00531339877fb19bc0da04746cbae127d87fb022bc0bb7cde6a663b5f1d7a903ba7647b869298baebd84

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l4zynasa\l4zynasa.cmdline

Filesize
302B

MD5
58a3695aa67ddda60627f66f48fe10f6

SHA1
dc9809a2ead6d6960029985ef0b73cdf30baf125

SHA256
50d3985ad26f72be928618edf6953948162af9ed212595ff713df330e6f98dfa

SHA512
a39b844cc466124d524a8ca0f12d38a2958ee670c50da22484edda76db45773ffc18c1a4a5536c8827b6705db4234b784cd83c9a0a93f8a155d7eea9924f8a65

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lt3fl420\CSC722A67CE41FA44059BBF17F4A071C0A5.TMP

Filesize
652B

MD5
9b6c6527a9c984d9be47a3c6fbd9f431

SHA1
beae9ede996fefc50759decde2afaee166b5c9a6

SHA256
c2237ac5ffff19102f19c49e6b3c528d87a0528e90bea50fcf2c81ef76333e9f

SHA512
98067d7148903160526f6f28d5d55fec5e964036c4a89ad719595ba3a62b2e0c513437fc6ba4bad8d26c4faaa52beb2b527397a224ff8d7dee974922b271e8d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lt3fl420\lt3fl420.cmdline

Filesize
302B

MD5
e07544a00e12fd1a7ac9457a5d8837cd

SHA1
9f8d19be3e9b9e7745ac2ac313c381d843a2bb5a

SHA256
b6797f74b46020c19941f0a705f57b552dc1370117136fd1c57ce74c8eb982d8

SHA512
78f9d3af30f22291c3d71533fb0ce0707828d999d3f0657aa5bfb505bb7f9d59126748240e805416ebc452bb52e875c723695d09b19031de51f0f78490223170

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqduytvm\CSCF46FE2ED507E4E0AA8F5CA7D7ED1BAC6.TMP

Filesize
652B

MD5
dfa41036e241b95ee3ea00d38366e275

SHA1
dd3cc23988666d4358298f157615a525a3c3c2a1

SHA256
b05a7712429e141ae74f2620ee58eff9bf3c11518ef5fc4e81cf024ef23f293f

SHA512
ecd68368b0b1f7fe00d80a147fcc40792ca80cde83b9b02b2f7949eca9c234c17feb4adf6c12c6e7ff75ad9a6d70689c74095dc8ba99859775ea545d0d96df80

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqduytvm\wqduytvm.cmdline

Filesize
302B

MD5
6a2446ee5116ce26d4739282f83a6ccc

SHA1
7f0b110c284a5a44b535dd07985e6f81916380b0

SHA256
99081d83767455293928affde38401b20b105420879f41d8c69a982d608bb26e

SHA512
a46dbdc7e7c9962cb42bdf0f5d36a4493511e3b05a8e6f2db6bd8f08ff77c75717bc86aaee97d88b13066fa46175db18dc7eb311d722765a208b047f7874bf26

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\nZqhVHCwzXpXRKSJma5.exe

Filesize
94KB

MD5
a76223c1e216180be838673e3fb5a3ab

SHA1
dd1d667fc79e91e733d23da0e0276986c87edbb8

SHA256
695f4180d6cd2c73464d51387f9d0dc9076fb23d35c659afc2bc0f13fb22ff9d

SHA512
994eb8729d1ec0fe8a7c6dbeb58c00a6a0f7cb36b3da10abe6ee07c0cf0486b1546e35f5d1f1da50191efbbc33b90b7ed83ffa821b092b569909a0081549d89d

Download Submit
memory/1900-63-0x0000000004E90000-0x0000000004F66000-memory.dmp

Filesize
856KB

Download
memory/1900-77-0x0000000005070000-0x0000000005146000-memory.dmp

Filesize
856KB

Download
memory/2528-27-0x0000000004BE0000-0x0000000004CB6000-memory.dmp

Filesize
856KB

Download
memory/2528-13-0x0000000001380000-0x000000000139E000-memory.dmp

Filesize
120KB

Download
memory/2528-43-0x0000000000520000-0x0000000000574000-memory.dmp

Filesize
336KB

Download
memory/2528-41-0x0000000004CC0000-0x0000000004D96000-memory.dmp

Filesize
856KB

Download
memory/2924-45-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2924-46-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2924-47-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download