agenttesla | 6bc441927968c65a2b9b072d1aa40ee2f17a095f2de8c2a802e64399afaf40f3

Analysis

max time kernel
139s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
Size

1.3MB
MD5

0535d61c633b6dac3e59ec955c2ed86b
SHA1

92441762bc9c5bdf261b62590837af1158762cbb
SHA256

6bc441927968c65a2b9b072d1aa40ee2f17a095f2de8c2a802e64399afaf40f3
SHA512

951efc726866c8997e6b86269ea8f8b6cfb0bea0faabeeecc9773cad8c6023376c407505193a7be4e64853c25f56a9f4a4e6720bc99db1d169ba078540ca993d
SSDEEP

24576:vjTUTc/NguVO/o5Y7N+qbmsbkh6wmB5Be5SfWVlJ1cKaXLK4r3f2:7TUTcbVO/o27kEhkgF5BekfWVlLUPr3

Score

10^/10

agenttesla netwire botnet collection discovery keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

netwire

betterday.duckdns.org:5345

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

agenttesla

https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

NetWire RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2980-16-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2980-18-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2980-20-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2980-22-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2980-25-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral1/memory/2980-26-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

AgentTesla payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d13-40.dat	family_agenttesla
behavioral1/memory/1936-53-0x00000000012E0000-0x000000000131C000-memory.dmp	family_agenttesla
behavioral1/files/0x0007000000016d2e-62.dat	family_agenttesla

Executes dropped EXE 12 IoCs

pid	Process
2680	muga.exe
2792	all.exe
1936	44444.exe
2120	Qctpxcpure1.exe
1420	2222.exe
696	muga.exe
3560	muga.exe
3592	Qctpxcpure1.exe
3872	muga.exe
3552	Qctpxcpure1.exe
3724	muga.exe
3256	Qctpxcpure1.exe

Loads dropped DLL 10 IoCs

pid	Process
2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
2792	all.exe
2792	all.exe
2792	all.exe
2792	all.exe
1220	dw20.exe
2120	Qctpxcpure1.exe
3592	Qctpxcpure1.exe
3552	Qctpxcpure1.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44444.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44444.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44444.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\uytr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uytr\\uytr.exe"	44444.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2084 set thread context of 2980	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	47
PID 2680 set thread context of 696	2680	muga.exe	54
PID 3560 set thread context of 3872	3560	muga.exe	64

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qctpxcpure1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qctpxcpure1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	all.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qctpxcpure1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qctpxcpure1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2148	schtasks.exe
3056	schtasks.exe
2652	schtasks.exe
3728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1936	44444.exe
1936	44444.exe
1420	2222.exe
1420	2222.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
Token: SeDebugPrivilege	2680	muga.exe
Token: SeDebugPrivilege	1936	44444.exe
Token: SeDebugPrivilege	1420	2222.exe
Token: SeDebugPrivilege	2120	Qctpxcpure1.exe
Token: SeDebugPrivilege	3560	muga.exe
Token: SeDebugPrivilege	3592	Qctpxcpure1.exe
Token: SeDebugPrivilege	3724	muga.exe
Token: SeDebugPrivilege	3552	Qctpxcpure1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1936	44444.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2960	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2960	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2960	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	30
PID 2084 wrote to memory of 2960	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	30
PID 2084 wrote to memory of 3000	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	31
PID 2084 wrote to memory of 3000	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	31
PID 2084 wrote to memory of 3000	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	31
PID 2084 wrote to memory of 3000	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	31
PID 2084 wrote to memory of 3004	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	33
PID 2084 wrote to memory of 3004	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	33
PID 2084 wrote to memory of 3004	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	33
PID 2084 wrote to memory of 3004	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	33
PID 2960 wrote to memory of 3056	2960	cmd.exe	36
PID 2960 wrote to memory of 3056	2960	cmd.exe	36
PID 2960 wrote to memory of 3056	2960	cmd.exe	36
PID 2960 wrote to memory of 3056	2960	cmd.exe	36
PID 2856 wrote to memory of 2680	2856	taskeng.exe	38
PID 2856 wrote to memory of 2680	2856	taskeng.exe	38
PID 2856 wrote to memory of 2680	2856	taskeng.exe	38
PID 2856 wrote to memory of 2680	2856	taskeng.exe	38
PID 2680 wrote to memory of 2844	2680	muga.exe	39
PID 2680 wrote to memory of 2844	2680	muga.exe	39
PID 2680 wrote to memory of 2844	2680	muga.exe	39
PID 2680 wrote to memory of 2844	2680	muga.exe	39
PID 2680 wrote to memory of 2604	2680	muga.exe	41
PID 2680 wrote to memory of 2604	2680	muga.exe	41
PID 2680 wrote to memory of 2604	2680	muga.exe	41
PID 2680 wrote to memory of 2604	2680	muga.exe	41
PID 2680 wrote to memory of 2748	2680	muga.exe	43
PID 2680 wrote to memory of 2748	2680	muga.exe	43
PID 2680 wrote to memory of 2748	2680	muga.exe	43
PID 2680 wrote to memory of 2748	2680	muga.exe	43
PID 2844 wrote to memory of 2652	2844	cmd.exe	46
PID 2844 wrote to memory of 2652	2844	cmd.exe	46
PID 2844 wrote to memory of 2652	2844	cmd.exe	46
PID 2844 wrote to memory of 2652	2844	cmd.exe	46
PID 2084 wrote to memory of 2980	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	47
PID 2084 wrote to memory of 2980	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	47
PID 2084 wrote to memory of 2980	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	47
PID 2084 wrote to memory of 2980	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	47
PID 2084 wrote to memory of 2980	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	47
PID 2084 wrote to memory of 2980	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	47
PID 2084 wrote to memory of 2980	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	47
PID 2084 wrote to memory of 2980	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	47
PID 2084 wrote to memory of 2980	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	47
PID 2084 wrote to memory of 2980	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	47
PID 2084 wrote to memory of 2980	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	47
PID 2084 wrote to memory of 2980	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	47
PID 2084 wrote to memory of 2792	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	48
PID 2084 wrote to memory of 2792	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	48
PID 2084 wrote to memory of 2792	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	48
PID 2084 wrote to memory of 2792	2084	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	48
PID 2792 wrote to memory of 1936	2792	all.exe	49
PID 2792 wrote to memory of 1936	2792	all.exe	49
PID 2792 wrote to memory of 1936	2792	all.exe	49
PID 2792 wrote to memory of 1936	2792	all.exe	49
PID 2792 wrote to memory of 2120	2792	all.exe	50
PID 2792 wrote to memory of 2120	2792	all.exe	50
PID 2792 wrote to memory of 2120	2792	all.exe	50
PID 2792 wrote to memory of 2120	2792	all.exe	50
PID 2792 wrote to memory of 1420	2792	all.exe	51
PID 2792 wrote to memory of 1420	2792	all.exe	51
PID 2792 wrote to memory of 1420	2792	all.exe	51
PID 2792 wrote to memory of 1420	2792	all.exe	51

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44444.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44444.exe

C:\Users\Admin\AppData\Local\Temp\0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3056
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\muga.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\all.exe
  "C:\Users\Admin\AppData\Local\Temp\all.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\44444.exe
    "C:\Users\Admin\AppData\Local\Temp\44444.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe
    "C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe
      "C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
      - C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3256
- - C:\Users\Admin\AppData\Local\Temp\2222.exe
    "C:\Users\Admin\AppData\Local\Temp\2222.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 516
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1220

C:\Windows\system32\taskeng.exe
taskeng.exe {202195AB-18F1-4D7B-89DF-DFC5DEF4264C} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Roaming\muga.exe
  C:\Users\Admin\AppData\Roaming\muga.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\muga.exe" "C:\Users\Admin\AppData\Roaming\muga.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Users\Admin\AppData\Roaming\muga.exe
    "C:\Users\Admin\AppData\Roaming\muga.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:696
- C:\Users\Admin\AppData\Roaming\muga.exe
  C:\Users\Admin\AppData\Roaming\muga.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3672
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3728
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\muga.exe" "C:\Users\Admin\AppData\Roaming\muga.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3712
- - C:\Users\Admin\AppData\Roaming\muga.exe
    "C:\Users\Admin\AppData\Roaming\muga.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3872
- C:\Users\Admin\AppData\Roaming\muga.exe
  C:\Users\Admin\AppData\Roaming\muga.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3760
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\muga.exe" "C:\Users\Admin\AppData\Roaming\muga.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2222.exe

Filesize
214KB

MD5
83c154318163aa8fee18be88d159f1c9

SHA1
44446b0d942e64b441f92a65eb6619c0048ffb1d

SHA256
7e6466b4866090085dd2ce8e196f38e58225c27ea631755b100a5a5800be4f55

SHA512
96a8bd2fd5daf6374032acb08311a3f44ea27ea387b495d38822161a0edec12d95084f8cd5896db17bc4245b92d9aa3e15664049e49dce2b2d5e32feb3c5155d

Download Submit
C:\Users\Admin\AppData\Local\Temp\all.exe

Filesize
960KB

MD5
1f042b2a3b0a6c7524cbdbd674d83312

SHA1
b3587334b69efef15c6e3038d39d8437d9a580d2

SHA256
3be3cb7b5ca32b5ef81f328362faacf8156fcd0897e72270ecb4ca439a397744

SHA512
2a25c83396d8d6de7e0068123a4ece3bfebdea441ff1faa8b823ff18d932bcfe0d58689ff9e0bbda89cad4f49fee7a867ee90cbcac506174358489d782605ee8

Download Submit
C:\Users\Admin\AppData\Roaming\muga.exe

Filesize
1.3MB

MD5
0535d61c633b6dac3e59ec955c2ed86b

SHA1
92441762bc9c5bdf261b62590837af1158762cbb

SHA256
6bc441927968c65a2b9b072d1aa40ee2f17a095f2de8c2a802e64399afaf40f3

SHA512
951efc726866c8997e6b86269ea8f8b6cfb0bea0faabeeecc9773cad8c6023376c407505193a7be4e64853c25f56a9f4a4e6720bc99db1d169ba078540ca993d

Download Submit
\Users\Admin\AppData\Local\Temp\44444.exe

Filesize
215KB

MD5
9f0bb50450c285510cb7753e618f36c8

SHA1
44114072210f4a9cacde44401f3ae0bbbbee3dbd

SHA256
f485215ca649889c07dec31d27c4917ed28ed487f985456a25f4a415f6450681

SHA512
93eb8cf1ba71248f16bb6aa1dd977878d2f6c4feb7e330ef3c9b979b6f4a2e2bd892d0e1c9405b56f137809739451783a2c0830784d977e432e90f287b6d994d

Download Submit
\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe

Filesize
275KB

MD5
eeffadd8d76966dd0adec2adb01a1af8

SHA1
1757702bb1f085f96f49117af82de06c37981154

SHA256
bffce6c493ab7b5d26dc1a71cb6323ca4de487174f435fe9944d44dbf7fad929

SHA512
4b1813203866c668e66f1ee767815f9388f9c618db3389625a815c1f6d4889e8c68020b691207736c9a5849a3a6a9365ca4e17782be20e2e2a5e1d0af2b519fb

Download Submit
memory/696-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1936-53-0x00000000012E0000-0x000000000131C000-memory.dmp

Filesize
240KB

Download
memory/2084-5-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/2084-9-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2084-0-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/2084-2-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2084-1-0x0000000000830000-0x000000000098C000-memory.dmp

Filesize
1.4MB

Download
memory/2084-37-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/2120-100-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-96-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-515-0x0000000000ED0000-0x0000000000F1C000-memory.dmp

Filesize
304KB

Download
memory/2120-514-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/2120-513-0x00000000006D0000-0x00000000006FE000-memory.dmp

Filesize
184KB

Download
memory/2120-85-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-94-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-86-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-88-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-55-0x00000000013D0000-0x000000000141A000-memory.dmp

Filesize
296KB

Download
memory/2120-90-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-92-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-84-0x0000000000E70000-0x0000000000ECE000-memory.dmp

Filesize
376KB

Download
memory/2120-110-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-114-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-112-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-108-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-106-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-104-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-102-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2120-98-0x0000000000E70000-0x0000000000EC8000-memory.dmp

Filesize
352KB

Download
memory/2680-8-0x0000000000F60000-0x00000000010BC000-memory.dmp

Filesize
1.4MB

Download
memory/2980-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2980-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-22-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2980-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download