agenttesla | 99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece

General

Target

99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
Size

482KB
MD5

b8c88d67b60eb603bca7b2d3f5bb10f0
SHA1

e88f749dcd0b94623376896e74bf9fb05491a422
SHA256

99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece
SHA512

212270a7765c89a920a7afcdb5b3c64a602b48a8ce4a55ac0f53461bb3b7f6e3c2bb63803b42df69c28439a2a7816818bbaf6844d46a508ca83506f0b6a3fa23
SSDEEP

12288:wuGIRivaKUsVnXch22zOhmY3lvVU7JtIqB:E+yXcv6kZ7JtIqB

Score

10^/10

agenttesla collection credential_access discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.penavico--cz.com
Port:
587
Username:
[email protected]
Password:
Fq$L%J((!6

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

AgentTesla payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2112-6-0x0000000000090000-0x00000000000CC000-memory.dmp	family_agenttesla
behavioral1/memory/2112-5-0x0000000000090000-0x00000000000CC000-memory.dmp	family_agenttesla
behavioral1/memory/2112-16-0x0000000000090000-0x00000000000CC000-memory.dmp	family_agenttesla
behavioral1/memory/2112-19-0x0000000000090000-0x00000000000CC000-memory.dmp	family_agenttesla
behavioral1/memory/2112-12-0x0000000000090000-0x00000000000CC000-memory.dmp	family_agenttesla
behavioral1/memory/2112-11-0x0000000000090000-0x00000000000CC000-memory.dmp	family_agenttesla
behavioral1/memory/1600-44-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1600-43-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla

Executes dropped EXE 4 IoCs

Processes:

DODO.exeDODO.exeDODO.exeDODO.exe

pid process

536 DODO.exe
1600 DODO.exe
1640 DODO.exe
1376 DODO.exe
Loads dropped DLL 2 IoCs

Processes:

DODO.exeDODO.exe

pid process

536 DODO.exe
1640 DODO.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
536	DODO.exe
1600	DODO.exe
1640	DODO.exe
1376	DODO.exe

pid	process
536	DODO.exe
1640	DODO.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exeDODO.exeDODO.exe

description	pid	process	target process
PID 1936 set thread context of 2112	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
PID 536 set thread context of 1600	536	DODO.exe	DODO.exe
PID 1640 set thread context of 1376	1640	DODO.exe	DODO.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeDODO.exeschtasks.exe99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.execmd.exeschtasks.execmd.exeDODO.exe99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exeschtasks.execmd.execmd.execmd.exeDODO.exeDODO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DODO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DODO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DODO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DODO.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2452 schtasks.exe
548 schtasks.exe
2956 schtasks.exe

pid	process
2452	schtasks.exe
548	schtasks.exe
2956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exeDODO.exeDODO.exe

pid	process
2112	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
2112	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
1600	DODO.exe
1600	DODO.exe
1376	DODO.exe
1376	DODO.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exeDODO.exeDODO.exeDODO.exeDODO.exe

description	pid	process
Token: SeDebugPrivilege	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
Token: SeDebugPrivilege	2112	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
Token: SeDebugPrivilege	536	DODO.exe
Token: SeDebugPrivilege	1600	DODO.exe
Token: SeDebugPrivilege	1640	DODO.exe
Token: SeDebugPrivilege	1376	DODO.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.execmd.exetaskeng.exeDODO.execmd.exeDODO.exe

description	pid	process	target process
PID 1936 wrote to memory of 2112	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
PID 1936 wrote to memory of 2112	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
PID 1936 wrote to memory of 2112	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
PID 1936 wrote to memory of 2112	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
PID 1936 wrote to memory of 2112	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
PID 1936 wrote to memory of 2112	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
PID 1936 wrote to memory of 2112	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
PID 1936 wrote to memory of 2112	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
PID 1936 wrote to memory of 2112	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
PID 1936 wrote to memory of 2112	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
PID 1936 wrote to memory of 2112	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
PID 1936 wrote to memory of 2112	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
PID 1936 wrote to memory of 2260	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	cmd.exe
PID 1936 wrote to memory of 2260	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	cmd.exe
PID 1936 wrote to memory of 2260	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	cmd.exe
PID 1936 wrote to memory of 2260	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	cmd.exe
PID 1936 wrote to memory of 2816	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	cmd.exe
PID 1936 wrote to memory of 2816	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	cmd.exe
PID 1936 wrote to memory of 2816	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	cmd.exe
PID 1936 wrote to memory of 2816	1936	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe	cmd.exe
PID 2260 wrote to memory of 2452	2260	cmd.exe	schtasks.exe
PID 2260 wrote to memory of 2452	2260	cmd.exe	schtasks.exe
PID 2260 wrote to memory of 2452	2260	cmd.exe	schtasks.exe
PID 2260 wrote to memory of 2452	2260	cmd.exe	schtasks.exe
PID 852 wrote to memory of 536	852	taskeng.exe	DODO.exe
PID 852 wrote to memory of 536	852	taskeng.exe	DODO.exe
PID 852 wrote to memory of 536	852	taskeng.exe	DODO.exe
PID 852 wrote to memory of 536	852	taskeng.exe	DODO.exe
PID 852 wrote to memory of 536	852	taskeng.exe	DODO.exe
PID 852 wrote to memory of 536	852	taskeng.exe	DODO.exe
PID 852 wrote to memory of 536	852	taskeng.exe	DODO.exe
PID 536 wrote to memory of 1600	536	DODO.exe	DODO.exe
PID 536 wrote to memory of 1600	536	DODO.exe	DODO.exe
PID 536 wrote to memory of 1600	536	DODO.exe	DODO.exe
PID 536 wrote to memory of 1600	536	DODO.exe	DODO.exe
PID 536 wrote to memory of 1600	536	DODO.exe	DODO.exe
PID 536 wrote to memory of 1600	536	DODO.exe	DODO.exe
PID 536 wrote to memory of 1600	536	DODO.exe	DODO.exe
PID 536 wrote to memory of 1600	536	DODO.exe	DODO.exe
PID 536 wrote to memory of 1600	536	DODO.exe	DODO.exe
PID 536 wrote to memory of 1600	536	DODO.exe	DODO.exe
PID 536 wrote to memory of 1600	536	DODO.exe	DODO.exe
PID 536 wrote to memory of 1600	536	DODO.exe	DODO.exe
PID 536 wrote to memory of 1492	536	DODO.exe	cmd.exe
PID 536 wrote to memory of 1492	536	DODO.exe	cmd.exe
PID 536 wrote to memory of 1492	536	DODO.exe	cmd.exe
PID 536 wrote to memory of 1492	536	DODO.exe	cmd.exe
PID 536 wrote to memory of 1036	536	DODO.exe	cmd.exe
PID 536 wrote to memory of 1036	536	DODO.exe	cmd.exe
PID 536 wrote to memory of 1036	536	DODO.exe	cmd.exe
PID 536 wrote to memory of 1036	536	DODO.exe	cmd.exe
PID 1492 wrote to memory of 548	1492	cmd.exe	schtasks.exe
PID 1492 wrote to memory of 548	1492	cmd.exe	schtasks.exe
PID 1492 wrote to memory of 548	1492	cmd.exe	schtasks.exe
PID 1492 wrote to memory of 548	1492	cmd.exe	schtasks.exe
PID 852 wrote to memory of 1640	852	taskeng.exe	DODO.exe
PID 852 wrote to memory of 1640	852	taskeng.exe	DODO.exe
PID 852 wrote to memory of 1640	852	taskeng.exe	DODO.exe
PID 852 wrote to memory of 1640	852	taskeng.exe	DODO.exe
PID 852 wrote to memory of 1640	852	taskeng.exe	DODO.exe
PID 852 wrote to memory of 1640	852	taskeng.exe	DODO.exe
PID 852 wrote to memory of 1640	852	taskeng.exe	DODO.exe
PID 1640 wrote to memory of 1376	1640	DODO.exe	DODO.exe
PID 1640 wrote to memory of 1376	1640	DODO.exe	DODO.exe

outlook_office_path 1 IoCs

Processes:

99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe

outlook_win_path 1 IoCs

Processes:

99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe

C:\Users\Admin\AppData\Local\Temp\99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
"C:\Users\Admin\AppData\Local\Temp\99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe
  "C:\Users\Admin\AppData\Local\Temp\99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2112
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\DODO\DODO.exe'" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\DODO\DODO.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece.exe" "C:\Users\Admin\AppData\Roaming\DODO\DODO.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2816

C:\Windows\system32\taskeng.exe
taskeng.exe {26BC1B75-89F4-4780-9819-938D49B133D7} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Roaming\DODO\DODO.exe
  C:\Users\Admin\AppData\Roaming\DODO\DODO.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Users\Admin\AppData\Roaming\DODO\DODO.exe
    "C:\Users\Admin\AppData\Roaming\DODO\DODO.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\DODO\DODO.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\DODO\DODO.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\DODO\DODO.exe" "C:\Users\Admin\AppData\Roaming\DODO\DODO.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1036
- C:\Users\Admin\AppData\Roaming\DODO\DODO.exe
  C:\Users\Admin\AppData\Roaming\DODO\DODO.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Roaming\DODO\DODO.exe
    "C:\Users\Admin\AppData\Roaming\DODO\DODO.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\DODO\DODO.exe'" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1752
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\DODO\DODO.exe'" /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Roaming\DODO\DODO.exe" "C:\Users\Admin\AppData\Roaming\DODO\DODO.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

4

T1552

Credentials In Files

4

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DODO\DODO.exe

Filesize
482KB

MD5
b8c88d67b60eb603bca7b2d3f5bb10f0

SHA1
e88f749dcd0b94623376896e74bf9fb05491a422

SHA256
99ae462223921221378d160a89832d95b3e19bf823f369cb2b6f7c89392f3ece

SHA512
212270a7765c89a920a7afcdb5b3c64a602b48a8ce4a55ac0f53461bb3b7f6e3c2bb63803b42df69c28439a2a7816818bbaf6844d46a508ca83506f0b6a3fa23

Download Submit
memory/536-30-0x0000000000F50000-0x0000000000FCE000-memory.dmp

Filesize
504KB

Download
memory/1376-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1600-43-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1600-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1600-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1936-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/1936-1-0x00000000002E0000-0x000000000035E000-memory.dmp

Filesize
504KB

Download
memory/1936-2-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1936-9-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/1936-22-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1936-20-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2112-11-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download
memory/2112-12-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download
memory/2112-23-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2112-19-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download
memory/2112-21-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2112-26-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2112-27-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2112-16-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download
memory/2112-5-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download
memory/2112-4-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download
memory/2112-6-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download
memory/2112-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2112-3-0x0000000000090000-0x00000000000CC000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads