agenttesla | 6bc441927968c65a2b9b072d1aa40ee2f17a095f2de8c2a802e64399afaf40f3

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
Size

1.3MB
MD5

0535d61c633b6dac3e59ec955c2ed86b
SHA1

92441762bc9c5bdf261b62590837af1158762cbb
SHA256

6bc441927968c65a2b9b072d1aa40ee2f17a095f2de8c2a802e64399afaf40f3
SHA512

951efc726866c8997e6b86269ea8f8b6cfb0bea0faabeeecc9773cad8c6023376c407505193a7be4e64853c25f56a9f4a4e6720bc99db1d169ba078540ca993d
SSDEEP

24576:vjTUTc/NguVO/o5Y7N+qbmsbkh6wmB5Be5SfWVlJ1cKaXLK4r3f2:7TUTcbVO/o27kEhkgF5BekfWVlLUPr3

Score

10^/10

agenttesla netwire botnet collection discovery keylogger persistence rat spyware stealer trojan

Malware Config

Extracted

Family

netwire

betterday.duckdns.org:5345

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-%Rand%
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Extracted

Family

agenttesla

https://api.telegram.org/bot1698102386:AAHWYbuf-rLmgfOsAgCnA_t8ncjPXSF5S8c/sendDocument

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4328-16-0x0000000000400000-0x0000000000433000-memory.dmp	netwire
behavioral2/memory/4328-18-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

AgentTesla payload 3 IoCs

resource	yara_rule
behavioral2/files/0x00080000000234fb-35.dat	family_agenttesla
behavioral2/memory/1840-45-0x0000000000940000-0x000000000097C000-memory.dmp	family_agenttesla
behavioral2/files/0x00080000000234fd-57.dat	family_agenttesla

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	all.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Qctpxcpure1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	muga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Qctpxcpure1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	muga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	Qctpxcpure1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	muga.exe

Executes dropped EXE 12 IoCs

pid	Process
5076	muga.exe
2656	all.exe
1840	44444.exe
1600	Qctpxcpure1.exe
3632	2222.exe
1164	muga.exe
216	Qctpxcpure1.exe
368	muga.exe
560	muga.exe
2248	Qctpxcpure1.exe
4312	muga.exe
1752	Qctpxcpure1.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44444.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44444.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	44444.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2222.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2222.exe
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2222.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uytr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uytr\\uytr.exe"	44444.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uytr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uytr\\uytr.exe"	2222.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4580 set thread context of 4328	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	105
PID 5076 set thread context of 1164	5076	muga.exe	111
PID 368 set thread context of 560	368	muga.exe	121

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qctpxcpure1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	all.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qctpxcpure1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qctpxcpure1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qctpxcpure1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	muga.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4088	schtasks.exe
1716	schtasks.exe
3868	schtasks.exe
924	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1840	44444.exe
1840	44444.exe
3632	2222.exe
3632	2222.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1840	44444.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
Token: SeDebugPrivilege	5076	muga.exe
Token: SeDebugPrivilege	1840	44444.exe
Token: SeDebugPrivilege	3632	2222.exe
Token: SeDebugPrivilege	1600	Qctpxcpure1.exe
Token: SeDebugPrivilege	368	muga.exe
Token: SeDebugPrivilege	216	Qctpxcpure1.exe
Token: SeDebugPrivilege	4312	muga.exe
Token: SeDebugPrivilege	2248	Qctpxcpure1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3632	2222.exe
1840	44444.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 4740	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	82
PID 4580 wrote to memory of 4740	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	82
PID 4580 wrote to memory of 4740	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	82
PID 4580 wrote to memory of 4884	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	83
PID 4580 wrote to memory of 4884	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	83
PID 4580 wrote to memory of 4884	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	83
PID 4580 wrote to memory of 224	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	86
PID 4580 wrote to memory of 224	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	86
PID 4580 wrote to memory of 224	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	86
PID 4740 wrote to memory of 4088	4740	cmd.exe	88
PID 4740 wrote to memory of 4088	4740	cmd.exe	88
PID 4740 wrote to memory of 4088	4740	cmd.exe	88
PID 5076 wrote to memory of 3192	5076	muga.exe	97
PID 5076 wrote to memory of 3192	5076	muga.exe	97
PID 5076 wrote to memory of 3192	5076	muga.exe	97
PID 5076 wrote to memory of 736	5076	muga.exe	98
PID 5076 wrote to memory of 736	5076	muga.exe	98
PID 5076 wrote to memory of 736	5076	muga.exe	98
PID 5076 wrote to memory of 744	5076	muga.exe	100
PID 5076 wrote to memory of 744	5076	muga.exe	100
PID 5076 wrote to memory of 744	5076	muga.exe	100
PID 3192 wrote to memory of 1716	3192	cmd.exe	103
PID 3192 wrote to memory of 1716	3192	cmd.exe	103
PID 3192 wrote to memory of 1716	3192	cmd.exe	103
PID 4580 wrote to memory of 4328	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	105
PID 4580 wrote to memory of 4328	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	105
PID 4580 wrote to memory of 4328	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	105
PID 4580 wrote to memory of 4328	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	105
PID 4580 wrote to memory of 4328	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	105
PID 4580 wrote to memory of 4328	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	105
PID 4580 wrote to memory of 4328	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	105
PID 4580 wrote to memory of 4328	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	105
PID 4580 wrote to memory of 4328	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	105
PID 4580 wrote to memory of 4328	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	105
PID 4580 wrote to memory of 4328	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	105
PID 4580 wrote to memory of 2656	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	107
PID 4580 wrote to memory of 2656	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	107
PID 4580 wrote to memory of 2656	4580	0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe	107
PID 2656 wrote to memory of 1840	2656	all.exe	108
PID 2656 wrote to memory of 1840	2656	all.exe	108
PID 2656 wrote to memory of 1840	2656	all.exe	108
PID 2656 wrote to memory of 1600	2656	all.exe	109
PID 2656 wrote to memory of 1600	2656	all.exe	109
PID 2656 wrote to memory of 1600	2656	all.exe	109
PID 2656 wrote to memory of 3632	2656	all.exe	110
PID 2656 wrote to memory of 3632	2656	all.exe	110
PID 2656 wrote to memory of 3632	2656	all.exe	110
PID 5076 wrote to memory of 1164	5076	muga.exe	111
PID 5076 wrote to memory of 1164	5076	muga.exe	111
PID 5076 wrote to memory of 1164	5076	muga.exe	111
PID 5076 wrote to memory of 1164	5076	muga.exe	111
PID 5076 wrote to memory of 1164	5076	muga.exe	111
PID 5076 wrote to memory of 1164	5076	muga.exe	111
PID 5076 wrote to memory of 1164	5076	muga.exe	111
PID 5076 wrote to memory of 1164	5076	muga.exe	111
PID 5076 wrote to memory of 1164	5076	muga.exe	111
PID 5076 wrote to memory of 1164	5076	muga.exe	111
PID 5076 wrote to memory of 1164	5076	muga.exe	111
PID 1600 wrote to memory of 216	1600	Qctpxcpure1.exe	112
PID 1600 wrote to memory of 216	1600	Qctpxcpure1.exe	112
PID 1600 wrote to memory of 216	1600	Qctpxcpure1.exe	112
PID 368 wrote to memory of 4740	368	muga.exe	114
PID 368 wrote to memory of 4740	368	muga.exe	114
PID 368 wrote to memory of 4740	368	muga.exe	114

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2222.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	2222.exe

C:\Users\Admin\AppData\Local\Temp\0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\muga.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c
  2⤵
  - System Location Discovery: System Language Discovery
  PID:224
- C:\Users\Admin\AppData\Local\Temp\0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0535d61c633b6dac3e59ec955c2ed86b_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4328
- C:\Users\Admin\AppData\Local\Temp\all.exe
  "C:\Users\Admin\AppData\Local\Temp\all.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\44444.exe
    "C:\Users\Admin\AppData\Local\Temp\44444.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe
    "C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe
      "C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:216
    - - C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
      - C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1752
- - C:\Users\Admin\AppData\Local\Temp\2222.exe
    "C:\Users\Admin\AppData\Local\Temp\2222.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:3632

C:\Users\Admin\AppData\Roaming\muga.exe
C:\Users\Admin\AppData\Roaming\muga.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3192
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\muga.exe" "C:\Users\Admin\AppData\Roaming\muga.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c
  2⤵
  - System Location Discovery: System Language Discovery
  PID:744
- C:\Users\Admin\AppData\Roaming\muga.exe
  "C:\Users\Admin\AppData\Roaming\muga.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1164

C:\Users\Admin\AppData\Roaming\muga.exe
C:\Users\Admin\AppData\Roaming\muga.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4740
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\muga.exe" "C:\Users\Admin\AppData\Roaming\muga.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2148
- C:\Users\Admin\AppData\Roaming\muga.exe
  "C:\Users\Admin\AppData\Roaming\muga.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:560

C:\Users\Admin\AppData\Roaming\muga.exe
C:\Users\Admin\AppData\Roaming\muga.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4312
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2156
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "NanoShield" /tr "'C:\Users\Admin\AppData\Roaming\muga.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:924
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\muga.exe" "C:\Users\Admin\AppData\Roaming\muga.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Qctpxcpure1.exe.log

Filesize
808B

MD5
70068e2282993d824d0e30e94a75cceb

SHA1
f1fc63b62bfbce2b7273949e284d9076b008e9dd

SHA256
01e3e612a48688af98bfb3c85b47ecb12bdfd4f6b921e003ff0a5158fd7c690f

SHA512
75ebaaa11633ac3eae8594813edce71b3bf6311d196bbeec91e3ec73f6b7f168a17bd682b50d67711aec795452d340693ad5c490af938e4057d5ebaffccb82e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\muga.exe.log

Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Temp\2222.exe

Filesize
214KB

MD5
83c154318163aa8fee18be88d159f1c9

SHA1
44446b0d942e64b441f92a65eb6619c0048ffb1d

SHA256
7e6466b4866090085dd2ce8e196f38e58225c27ea631755b100a5a5800be4f55

SHA512
96a8bd2fd5daf6374032acb08311a3f44ea27ea387b495d38822161a0edec12d95084f8cd5896db17bc4245b92d9aa3e15664049e49dce2b2d5e32feb3c5155d

Download Submit
C:\Users\Admin\AppData\Local\Temp\44444.exe

Filesize
215KB

MD5
9f0bb50450c285510cb7753e618f36c8

SHA1
44114072210f4a9cacde44401f3ae0bbbbee3dbd

SHA256
f485215ca649889c07dec31d27c4917ed28ed487f985456a25f4a415f6450681

SHA512
93eb8cf1ba71248f16bb6aa1dd977878d2f6c4feb7e330ef3c9b979b6f4a2e2bd892d0e1c9405b56f137809739451783a2c0830784d977e432e90f287b6d994d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qctpxcpure1.exe

Filesize
275KB

MD5
eeffadd8d76966dd0adec2adb01a1af8

SHA1
1757702bb1f085f96f49117af82de06c37981154

SHA256
bffce6c493ab7b5d26dc1a71cb6323ca4de487174f435fe9944d44dbf7fad929

SHA512
4b1813203866c668e66f1ee767815f9388f9c618db3389625a815c1f6d4889e8c68020b691207736c9a5849a3a6a9365ca4e17782be20e2e2a5e1d0af2b519fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\all.exe

Filesize
960KB

MD5
1f042b2a3b0a6c7524cbdbd674d83312

SHA1
b3587334b69efef15c6e3038d39d8437d9a580d2

SHA256
3be3cb7b5ca32b5ef81f328362faacf8156fcd0897e72270ecb4ca439a397744

SHA512
2a25c83396d8d6de7e0068123a4ece3bfebdea441ff1faa8b823ff18d932bcfe0d58689ff9e0bbda89cad4f49fee7a867ee90cbcac506174358489d782605ee8

Download Submit
C:\Users\Admin\AppData\Roaming\muga.exe

Filesize
1.3MB

MD5
0535d61c633b6dac3e59ec955c2ed86b

SHA1
92441762bc9c5bdf261b62590837af1158762cbb

SHA256
6bc441927968c65a2b9b072d1aa40ee2f17a095f2de8c2a802e64399afaf40f3

SHA512
951efc726866c8997e6b86269ea8f8b6cfb0bea0faabeeecc9773cad8c6023376c407505193a7be4e64853c25f56a9f4a4e6720bc99db1d169ba078540ca993d

Download Submit
memory/1600-130-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-88-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-507-0x0000000004D80000-0x0000000004DCC000-memory.dmp

Filesize
304KB

Download
memory/1600-506-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/1600-505-0x0000000004B20000-0x0000000004B4E000-memory.dmp

Filesize
184KB

Download
memory/1600-77-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-120-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-78-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-80-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-110-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-124-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-82-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-84-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-90-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-92-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-67-0x0000000000050000-0x000000000009A000-memory.dmp

Filesize
296KB

Download
memory/1600-96-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-98-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-100-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-118-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-86-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-94-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-136-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-134-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-132-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-103-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-128-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-126-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-122-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-104-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-76-0x0000000004A50000-0x0000000004AAE000-memory.dmp

Filesize
376KB

Download
memory/1600-117-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-114-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-112-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-108-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1600-106-0x0000000004A50000-0x0000000004AA8000-memory.dmp

Filesize
352KB

Download
memory/1840-945-0x0000000006380000-0x00000000063D0000-memory.dmp

Filesize
320KB

Download
memory/1840-45-0x0000000000940000-0x000000000097C000-memory.dmp

Filesize
240KB

Download
memory/1840-69-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/1840-68-0x00000000054A0000-0x00000000054B8000-memory.dmp

Filesize
96KB

Download
memory/1840-63-0x00000000054C0000-0x000000000555C000-memory.dmp

Filesize
624KB

Download
memory/4328-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-0-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/4580-2-0x00000000051C0000-0x0000000005764000-memory.dmp

Filesize
5.6MB

Download
memory/4580-30-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/4580-3-0x0000000004CB0000-0x0000000004D42000-memory.dmp

Filesize
584KB

Download
memory/4580-11-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/4580-8-0x000000007479E000-0x000000007479F000-memory.dmp

Filesize
4KB

Download
memory/4580-5-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/4580-4-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/4580-1-0x0000000000900000-0x0000000000A5C000-memory.dmp

Filesize
1.4MB

Download
memory/5076-15-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/5076-12-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/5076-13-0x00000000004D0000-0x000000000062C000-memory.dmp

Filesize
1.4MB

Download
memory/5076-14-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download
memory/5076-74-0x0000000074790000-0x0000000074F40000-memory.dmp

Filesize
7.7MB

Download