agenttesla | 0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-10-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe
Size

4.6MB
MD5

418d3422db5ec4b85b95647cf1dca1ee
SHA1

fbc3e8cf62c5de0f319a81bb03fbd397487285cf
SHA256

0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441
SHA512

678397b004c96113991f733f35a174d76847aae66e846b1e8d8f00d4318814cbbddc7e535c627adb27d028c595aefa753d8c2747bc0621ee1c35ff0051d0526c
SSDEEP

98304:JrtNtkXBS3lfftb2/Jgk+5KwWELBGh+p257hHIsLtvn/4dmDrs4x:lrtk03hfkJgk+5ME9U3XoCtvnEyP

Score

10^/10

agenttesla discovery evasion execution keylogger spyware stealer themida trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

m59NGFc4NGv3cEq.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ m59NGFc4NGv3cEq.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2056 powershell.exe
3064 powershell.exe
984 powershell.exe
1580 powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	m59NGFc4NGv3cEq.exe

pid	process
2056	powershell.exe
3064	powershell.exe
984	powershell.exe
1580	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

m59NGFc4NGv3cEq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	m59NGFc4NGv3cEq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	m59NGFc4NGv3cEq.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2604 cmd.exe

pid	process
2604	cmd.exe

Executes dropped EXE 8 IoCs

Processes:

m59NGFc4NGv3cEq.exeXDDz4zPtAG5Y1JP.exeXDDz4zPtAG5Y1JP.exeXDDz4zPtAG5Y1JP.exeXDDz4zPtAG5Y1JP.exeXDDz4zPtAG5Y1JP.exeXDDz4zPtAG5Y1JP.exem59NGFc4NGv3cEq.exe

pid	process
2704	m59NGFc4NGv3cEq.exe
2980	XDDz4zPtAG5Y1JP.exe
1900	XDDz4zPtAG5Y1JP.exe
1852	XDDz4zPtAG5Y1JP.exe
2940	XDDz4zPtAG5Y1JP.exe
1836	XDDz4zPtAG5Y1JP.exe
2956	XDDz4zPtAG5Y1JP.exe
2780	m59NGFc4NGv3cEq.exe

Loads dropped DLL 6 IoCs

Processes:

XDDz4zPtAG5Y1JP.exem59NGFc4NGv3cEq.exe

pid process

2980 XDDz4zPtAG5Y1JP.exe
2980 XDDz4zPtAG5Y1JP.exe
2980 XDDz4zPtAG5Y1JP.exe
2980 XDDz4zPtAG5Y1JP.exe
2980 XDDz4zPtAG5Y1JP.exe
2704 m59NGFc4NGv3cEq.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2704	m59NGFc4NGv3cEq.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2780-78-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-63-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-76-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-73-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-71-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-80-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-69-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-82-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-67-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-65-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-86-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-88-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-61-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-84-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-83-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-89-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-87-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-85-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-81-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-79-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2780-90-0x0000000000400000-0x0000000000A20000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

m59NGFc4NGv3cEq.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA m59NGFc4NGv3cEq.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

m59NGFc4NGv3cEq.exe

pid process

2780 m59NGFc4NGv3cEq.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

m59NGFc4NGv3cEq.exe

description pid process target process

PID 2704 set thread context of 2780 2704 m59NGFc4NGv3cEq.exe m59NGFc4NGv3cEq.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	m59NGFc4NGv3cEq.exe

flow	ioc
4	ip-api.com

pid	process
2780	m59NGFc4NGv3cEq.exe

description	pid	process	target process
PID 2704 set thread context of 2780	2704	m59NGFc4NGv3cEq.exe	m59NGFc4NGv3cEq.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exem59NGFc4NGv3cEq.exeXDDz4zPtAG5Y1JP.exeschtasks.exepowershell.exepowershell.exeschtasks.exem59NGFc4NGv3cEq.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m59NGFc4NGv3cEq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XDDz4zPtAG5Y1JP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m59NGFc4NGv3cEq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2860 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1616 schtasks.exe
2124 schtasks.exe

pid	process
2860	timeout.exe

pid	process
1616	schtasks.exe
2124	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exeXDDz4zPtAG5Y1JP.exem59NGFc4NGv3cEq.exepowershell.exepowershell.exepowershell.exepowershell.exem59NGFc4NGv3cEq.exe

pid	process
2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe
2980	XDDz4zPtAG5Y1JP.exe
2704	m59NGFc4NGv3cEq.exe
2980	XDDz4zPtAG5Y1JP.exe
2704	m59NGFc4NGv3cEq.exe
2704	m59NGFc4NGv3cEq.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2704	m59NGFc4NGv3cEq.exe
2704	m59NGFc4NGv3cEq.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
2980	XDDz4zPtAG5Y1JP.exe
984	powershell.exe
3064	powershell.exe
2704	m59NGFc4NGv3cEq.exe
2704	m59NGFc4NGv3cEq.exe
2704	m59NGFc4NGv3cEq.exe
1580	powershell.exe
2056	powershell.exe
2780	m59NGFc4NGv3cEq.exe
2704	m59NGFc4NGv3cEq.exe
2704	m59NGFc4NGv3cEq.exe
2780	m59NGFc4NGv3cEq.exe
2780	m59NGFc4NGv3cEq.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exeWMIC.exem59NGFc4NGv3cEq.exeXDDz4zPtAG5Y1JP.exepowershell.exepowershell.exepowershell.exepowershell.exem59NGFc4NGv3cEq.exe

description	pid	process
Token: SeDebugPrivilege	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe
Token: SeIncreaseQuotaPrivilege	2564	WMIC.exe
Token: SeSecurityPrivilege	2564	WMIC.exe
Token: SeTakeOwnershipPrivilege	2564	WMIC.exe
Token: SeLoadDriverPrivilege	2564	WMIC.exe
Token: SeSystemProfilePrivilege	2564	WMIC.exe
Token: SeSystemtimePrivilege	2564	WMIC.exe
Token: SeProfSingleProcessPrivilege	2564	WMIC.exe
Token: SeIncBasePriorityPrivilege	2564	WMIC.exe
Token: SeCreatePagefilePrivilege	2564	WMIC.exe
Token: SeBackupPrivilege	2564	WMIC.exe
Token: SeRestorePrivilege	2564	WMIC.exe
Token: SeShutdownPrivilege	2564	WMIC.exe
Token: SeDebugPrivilege	2564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2564	WMIC.exe
Token: SeRemoteShutdownPrivilege	2564	WMIC.exe
Token: SeUndockPrivilege	2564	WMIC.exe
Token: SeManageVolumePrivilege	2564	WMIC.exe
Token: 33	2564	WMIC.exe
Token: 34	2564	WMIC.exe
Token: 35	2564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2564	WMIC.exe
Token: SeSecurityPrivilege	2564	WMIC.exe
Token: SeTakeOwnershipPrivilege	2564	WMIC.exe
Token: SeLoadDriverPrivilege	2564	WMIC.exe
Token: SeSystemProfilePrivilege	2564	WMIC.exe
Token: SeSystemtimePrivilege	2564	WMIC.exe
Token: SeProfSingleProcessPrivilege	2564	WMIC.exe
Token: SeIncBasePriorityPrivilege	2564	WMIC.exe
Token: SeCreatePagefilePrivilege	2564	WMIC.exe
Token: SeBackupPrivilege	2564	WMIC.exe
Token: SeRestorePrivilege	2564	WMIC.exe
Token: SeShutdownPrivilege	2564	WMIC.exe
Token: SeDebugPrivilege	2564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2564	WMIC.exe
Token: SeRemoteShutdownPrivilege	2564	WMIC.exe
Token: SeUndockPrivilege	2564	WMIC.exe
Token: SeManageVolumePrivilege	2564	WMIC.exe
Token: 33	2564	WMIC.exe
Token: 34	2564	WMIC.exe
Token: 35	2564	WMIC.exe
Token: SeDebugPrivilege	2704	m59NGFc4NGv3cEq.exe
Token: SeDebugPrivilege	2980	XDDz4zPtAG5Y1JP.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2780	m59NGFc4NGv3cEq.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

m59NGFc4NGv3cEq.exe

pid process

2780 m59NGFc4NGv3cEq.exe

pid	process
2780	m59NGFc4NGv3cEq.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.execmd.execmd.exeXDDz4zPtAG5Y1JP.exem59NGFc4NGv3cEq.exe

description	pid	process	target process
PID 2484 wrote to memory of 2460	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	cmd.exe
PID 2484 wrote to memory of 2460	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	cmd.exe
PID 2484 wrote to memory of 2460	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	cmd.exe
PID 2460 wrote to memory of 2564	2460	cmd.exe	WMIC.exe
PID 2460 wrote to memory of 2564	2460	cmd.exe	WMIC.exe
PID 2460 wrote to memory of 2564	2460	cmd.exe	WMIC.exe
PID 2484 wrote to memory of 2704	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	m59NGFc4NGv3cEq.exe
PID 2484 wrote to memory of 2704	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	m59NGFc4NGv3cEq.exe
PID 2484 wrote to memory of 2704	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	m59NGFc4NGv3cEq.exe
PID 2484 wrote to memory of 2704	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	m59NGFc4NGv3cEq.exe
PID 2484 wrote to memory of 2980	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	XDDz4zPtAG5Y1JP.exe
PID 2484 wrote to memory of 2980	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	XDDz4zPtAG5Y1JP.exe
PID 2484 wrote to memory of 2980	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	XDDz4zPtAG5Y1JP.exe
PID 2484 wrote to memory of 2980	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	XDDz4zPtAG5Y1JP.exe
PID 2484 wrote to memory of 2604	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	cmd.exe
PID 2484 wrote to memory of 2604	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	cmd.exe
PID 2484 wrote to memory of 2604	2484	0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe	cmd.exe
PID 2604 wrote to memory of 2860	2604	cmd.exe	timeout.exe
PID 2604 wrote to memory of 2860	2604	cmd.exe	timeout.exe
PID 2604 wrote to memory of 2860	2604	cmd.exe	timeout.exe
PID 2980 wrote to memory of 3064	2980	XDDz4zPtAG5Y1JP.exe	powershell.exe
PID 2980 wrote to memory of 3064	2980	XDDz4zPtAG5Y1JP.exe	powershell.exe
PID 2980 wrote to memory of 3064	2980	XDDz4zPtAG5Y1JP.exe	powershell.exe
PID 2980 wrote to memory of 3064	2980	XDDz4zPtAG5Y1JP.exe	powershell.exe
PID 2980 wrote to memory of 984	2980	XDDz4zPtAG5Y1JP.exe	powershell.exe
PID 2980 wrote to memory of 984	2980	XDDz4zPtAG5Y1JP.exe	powershell.exe
PID 2980 wrote to memory of 984	2980	XDDz4zPtAG5Y1JP.exe	powershell.exe
PID 2980 wrote to memory of 984	2980	XDDz4zPtAG5Y1JP.exe	powershell.exe
PID 2980 wrote to memory of 1616	2980	XDDz4zPtAG5Y1JP.exe	schtasks.exe
PID 2980 wrote to memory of 1616	2980	XDDz4zPtAG5Y1JP.exe	schtasks.exe
PID 2980 wrote to memory of 1616	2980	XDDz4zPtAG5Y1JP.exe	schtasks.exe
PID 2980 wrote to memory of 1616	2980	XDDz4zPtAG5Y1JP.exe	schtasks.exe
PID 2980 wrote to memory of 1900	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 1900	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 1900	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 1900	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 1852	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 1852	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 1852	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 1852	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 2940	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 2940	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 2940	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 2940	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 1836	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 1836	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 1836	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 1836	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 2956	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 2956	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 2956	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2980 wrote to memory of 2956	2980	XDDz4zPtAG5Y1JP.exe	XDDz4zPtAG5Y1JP.exe
PID 2704 wrote to memory of 1580	2704	m59NGFc4NGv3cEq.exe	powershell.exe
PID 2704 wrote to memory of 1580	2704	m59NGFc4NGv3cEq.exe	powershell.exe
PID 2704 wrote to memory of 1580	2704	m59NGFc4NGv3cEq.exe	powershell.exe
PID 2704 wrote to memory of 1580	2704	m59NGFc4NGv3cEq.exe	powershell.exe
PID 2704 wrote to memory of 2056	2704	m59NGFc4NGv3cEq.exe	powershell.exe
PID 2704 wrote to memory of 2056	2704	m59NGFc4NGv3cEq.exe	powershell.exe
PID 2704 wrote to memory of 2056	2704	m59NGFc4NGv3cEq.exe	powershell.exe
PID 2704 wrote to memory of 2056	2704	m59NGFc4NGv3cEq.exe	powershell.exe
PID 2704 wrote to memory of 2124	2704	m59NGFc4NGv3cEq.exe	schtasks.exe
PID 2704 wrote to memory of 2124	2704	m59NGFc4NGv3cEq.exe	schtasks.exe
PID 2704 wrote to memory of 2124	2704	m59NGFc4NGv3cEq.exe	schtasks.exe
PID 2704 wrote to memory of 2124	2704	m59NGFc4NGv3cEq.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe
"C:\Users\Admin\AppData\Local\Temp\0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\cmd.exe
  "cmd" /C wmic path win32_ComputerSystem get model
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_ComputerSystem get model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\liODLhDtCr\m59NGFc4NGv3cEq.exe
  "C:\Users\Admin\AppData\Local\Temp\liODLhDtCr\m59NGFc4NGv3cEq.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\liODLhDtCr\m59NGFc4NGv3cEq.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qbBOxcvrRwZ.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qbBOxcvrRwZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1719.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2124
- - C:\Users\Admin\AppData\Local\Temp\liODLhDtCr\m59NGFc4NGv3cEq.exe
    "C:\Users\Admin\AppData\Local\Temp\liODLhDtCr\m59NGFc4NGv3cEq.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2780
- C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe
  "C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kGkrrVBwvWw.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:984
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kGkrrVBwvWw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFEB9.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1616
- - C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe
    "C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe"
    3⤵
    - Executes dropped EXE
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe
    "C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe"
    3⤵
    - Executes dropped EXE
    PID:1852
- - C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe
    "C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe"
    3⤵
    - Executes dropped EXE
    PID:2940
- - C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe
    "C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe"
    3⤵
    - Executes dropped EXE
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe
    "C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe"
    3⤵
    - Executes dropped EXE
    PID:2956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\0dfee48d6f0ab22d94eb3e2f045f543e8f9554169730533128425714527fe441.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\liODLhDtCr\m59NGFc4NGv3cEq.exe

Filesize
2.3MB

MD5
b556e1671ea4cfdd09a334ba56e3d88d

SHA1
6a1e3965c5ce1d343583e9575b39ba4bdc3799c4

SHA256
10b424b2ef3c49c855f2ce5163757f726df556aedf621be7d26f1f3669d5b66b

SHA512
cd222b1177956b5c93c3b200807f7e876346ad99a5d7a2af3a5fe3fc95dba9b98763ad84ff4a5c3674aaba1a44c1c4d323c72a68b34dccc05a54748e2452766a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1719.tmp

Filesize
1KB

MD5
dc69cea9404482f94f447f34701ec85f

SHA1
4c1ea1759cd8373554a6ac285afc47db3de657f5

SHA256
695ef84c443b6b8059407171bc8d2e29c10b2870c59c049d82d461f48f3193f1

SHA512
86d5d47527f53ccb25b2936bb99d3b5c9c158c089a890bf263c283ca0b7ab762947efca23212784a19cd35de629106d34aa41dc2aae7fa7702b12a65d5500286

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFEB9.tmp

Filesize
1KB

MD5
8bb8741f1ea1023e62085c115490204b

SHA1
760c01138647012c97c1d8bcc3becc52dee862f0

SHA256
d9781330febe3f723101d55c26392a173b1937d9614feae2d16a73f538221ae0

SHA512
8f7e6bdfd456ace9e0c78b80f38767399d7c2623db93e79830a0debb3cccc812ec64e2de6b5b1ba9744260e3b6f36b803c9c3006d9816d6a6f03c54be2c92810

Download Submit
C:\Users\Admin\AppData\Local\Temp\yGreEVXKoamE\XDDz4zPtAG5Y1JP.exe

Filesize
2.3MB

MD5
7a7a7c876f642137056271817db6109a

SHA1
0833452d4ca169c1a12ce0ce0ef5f408b510b7f6

SHA256
1a1a61ea96f734f572ce0836182585ea0533c87c50a68dccb43d316b4cc250da

SHA512
9795110b5dd6f196a48bbfb592b4e8ad02350cc6e5e067586187f0a5991e4d93c9f471fe29b6f8f1c048a3a784ac5bccd249a999fc26f70b58982fa349f9c4fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9d8d69c51192f83a5e9dfe595fa9a61d

SHA1
0122e608f897b11b82ede5d17a56cdf97104f9c4

SHA256
87528cfbbb06de4519f56e91500d035209d7c6ac0933519c0042dfb2814ba6eb

SHA512
91e5e5074c16aacbfe15da2817d92957a7b0bd821a9182069757ff916be808f9d8a6b6815c034b447cec71ba0d6e524f064a846ebcf9d8f460836792bd604e77

Download Submit
memory/2484-1-0x0000000001220000-0x00000000016C4000-memory.dmp

Filesize
4.6MB

Download
memory/2484-0-0x000007FEF5503000-0x000007FEF5504000-memory.dmp

Filesize
4KB

Download
memory/2704-16-0x0000000000BB0000-0x0000000000E00000-memory.dmp

Filesize
2.3MB

Download
memory/2704-18-0x0000000000B20000-0x0000000000B3E000-memory.dmp

Filesize
120KB

Download
memory/2704-20-0x000000000ADD0000-0x000000000AFE8000-memory.dmp

Filesize
2.1MB

Download
memory/2780-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2780-65-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-59-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-78-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-63-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-76-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-90-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-73-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-71-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-80-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-69-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-82-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-67-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-79-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-86-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-88-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-61-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-84-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-83-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-89-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-87-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-85-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2780-81-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2980-19-0x0000000008E60000-0x000000000907E000-memory.dmp

Filesize
2.1MB

Download
memory/2980-17-0x00000000002A0000-0x00000000004F8000-memory.dmp

Filesize
2.3MB

Download