agenttesla | e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe
Size

4.5MB
MD5

357e95c67cad40d7dbd6ed7ad2274e43
SHA1

7f4005f935f0a2666f6eb89cfb743153e47b44a9
SHA256

e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969
SHA512

f868b99abc083aa780bf73354c7bce87ed9e639b4a6c4368a021b6953e89a29b71fa02ce5ceab9a9fb9d930a49eb91aa54c1bdce851bd8f92bbd0a4510a147f6
SSDEEP

98304:QtY88x9t4upQC2J8cBVjuOOpFLTXSkIEhYHp0e3zShDC0y2I58DxmG1FCcK:QDktpv2RkOOpFLTLleDShDC0I8Dxm

Score

10^/10

agenttesla discovery evasion execution keylogger spyware stealer themida trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

zW1UDh1Sv6rNfns.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	zW1UDh1Sv6rNfns.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
1620	powershell.exe
2352	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

zW1UDh1Sv6rNfns.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zW1UDh1Sv6rNfns.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	zW1UDh1Sv6rNfns.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2968	cmd.exe

Executes dropped EXE 8 IoCs

Processes:

zW1UDh1Sv6rNfns.exe3DRas.exezW1UDh1Sv6rNfns.exe3DRas.exe3DRas.exe3DRas.exe3DRas.exe3DRas.exe

pid	Process
2116	zW1UDh1Sv6rNfns.exe
2984	3DRas.exe
2160	zW1UDh1Sv6rNfns.exe
2684	3DRas.exe
1328	3DRas.exe
1148	3DRas.exe
1056	3DRas.exe
940	3DRas.exe

Loads dropped DLL 6 IoCs

Processes:

zW1UDh1Sv6rNfns.exe3DRas.exe

pid	Process
2116	zW1UDh1Sv6rNfns.exe
2984	3DRas.exe
2984	3DRas.exe
2984	3DRas.exe
2984	3DRas.exe
2984	3DRas.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2160-41-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-45-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-52-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-33-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-38-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-40-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-44-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-50-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-47-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-53-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-55-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-54-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-58-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-60-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-61-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-59-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-62-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-56-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-63-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-64-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral1/memory/2160-57-0x0000000000400000-0x0000000000A20000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

zW1UDh1Sv6rNfns.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zW1UDh1Sv6rNfns.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

zW1UDh1Sv6rNfns.exe

pid	Process
2160	zW1UDh1Sv6rNfns.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

zW1UDh1Sv6rNfns.exe

description	pid	Process	procid_target
PID 2116 set thread context of 2160	2116	zW1UDh1Sv6rNfns.exe	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeschtasks.exezW1UDh1Sv6rNfns.exepowershell.exeschtasks.exezW1UDh1Sv6rNfns.exe3DRas.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zW1UDh1Sv6rNfns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zW1UDh1Sv6rNfns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3DRas.exe

Delays execution with timeout.exe 1 IoCs

evasion

Processes:

timeout.exe

pid	Process
2784	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exe

pid	Process
2764	schtasks.exe
2064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe3DRas.exezW1UDh1Sv6rNfns.exezW1UDh1Sv6rNfns.exepowershell.exepowershell.exe

pid	Process
3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe
2984	3DRas.exe
2116	zW1UDh1Sv6rNfns.exe
2116	zW1UDh1Sv6rNfns.exe
2984	3DRas.exe
2116	zW1UDh1Sv6rNfns.exe
2984	3DRas.exe
2160	zW1UDh1Sv6rNfns.exe
2984	3DRas.exe
2160	zW1UDh1Sv6rNfns.exe
2160	zW1UDh1Sv6rNfns.exe
1620	powershell.exe
2984	3DRas.exe
2352	powershell.exe
2984	3DRas.exe
2984	3DRas.exe
2984	3DRas.exe
2984	3DRas.exe
2984	3DRas.exe
2984	3DRas.exe
2984	3DRas.exe
2984	3DRas.exe
2984	3DRas.exe
2984	3DRas.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exeWMIC.exe3DRas.exezW1UDh1Sv6rNfns.exezW1UDh1Sv6rNfns.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe
Token: 35	2216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe
Token: 35	2216	WMIC.exe
Token: SeDebugPrivilege	2984	3DRas.exe
Token: SeDebugPrivilege	2116	zW1UDh1Sv6rNfns.exe
Token: SeDebugPrivilege	2160	zW1UDh1Sv6rNfns.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

zW1UDh1Sv6rNfns.exe

pid	Process
2160	zW1UDh1Sv6rNfns.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.execmd.execmd.exezW1UDh1Sv6rNfns.exe3DRas.exe

description	pid	Process	procid_target
PID 3012 wrote to memory of 2436	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	29
PID 3012 wrote to memory of 2436	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	29
PID 3012 wrote to memory of 2436	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	29
PID 2436 wrote to memory of 2216	2436	cmd.exe	31
PID 2436 wrote to memory of 2216	2436	cmd.exe	31
PID 2436 wrote to memory of 2216	2436	cmd.exe	31
PID 3012 wrote to memory of 2116	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	33
PID 3012 wrote to memory of 2116	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	33
PID 3012 wrote to memory of 2116	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	33
PID 3012 wrote to memory of 2116	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	33
PID 3012 wrote to memory of 2984	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	34
PID 3012 wrote to memory of 2984	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	34
PID 3012 wrote to memory of 2984	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	34
PID 3012 wrote to memory of 2984	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	34
PID 3012 wrote to memory of 2968	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	35
PID 3012 wrote to memory of 2968	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	35
PID 3012 wrote to memory of 2968	3012	e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe	35
PID 2968 wrote to memory of 2784	2968	cmd.exe	37
PID 2968 wrote to memory of 2784	2968	cmd.exe	37
PID 2968 wrote to memory of 2784	2968	cmd.exe	37
PID 2116 wrote to memory of 1620	2116	zW1UDh1Sv6rNfns.exe	38
PID 2116 wrote to memory of 1620	2116	zW1UDh1Sv6rNfns.exe	38
PID 2116 wrote to memory of 1620	2116	zW1UDh1Sv6rNfns.exe	38
PID 2116 wrote to memory of 1620	2116	zW1UDh1Sv6rNfns.exe	38
PID 2116 wrote to memory of 2764	2116	zW1UDh1Sv6rNfns.exe	39
PID 2116 wrote to memory of 2764	2116	zW1UDh1Sv6rNfns.exe	39
PID 2116 wrote to memory of 2764	2116	zW1UDh1Sv6rNfns.exe	39
PID 2116 wrote to memory of 2764	2116	zW1UDh1Sv6rNfns.exe	39
PID 2116 wrote to memory of 2160	2116	zW1UDh1Sv6rNfns.exe	42
PID 2116 wrote to memory of 2160	2116	zW1UDh1Sv6rNfns.exe	42
PID 2116 wrote to memory of 2160	2116	zW1UDh1Sv6rNfns.exe	42
PID 2116 wrote to memory of 2160	2116	zW1UDh1Sv6rNfns.exe	42
PID 2116 wrote to memory of 2160	2116	zW1UDh1Sv6rNfns.exe	42
PID 2116 wrote to memory of 2160	2116	zW1UDh1Sv6rNfns.exe	42
PID 2116 wrote to memory of 2160	2116	zW1UDh1Sv6rNfns.exe	42
PID 2116 wrote to memory of 2160	2116	zW1UDh1Sv6rNfns.exe	42
PID 2116 wrote to memory of 2160	2116	zW1UDh1Sv6rNfns.exe	42
PID 2116 wrote to memory of 2160	2116	zW1UDh1Sv6rNfns.exe	42
PID 2116 wrote to memory of 2160	2116	zW1UDh1Sv6rNfns.exe	42
PID 2116 wrote to memory of 2160	2116	zW1UDh1Sv6rNfns.exe	42
PID 2116 wrote to memory of 2160	2116	zW1UDh1Sv6rNfns.exe	42
PID 2984 wrote to memory of 2352	2984	3DRas.exe	43
PID 2984 wrote to memory of 2352	2984	3DRas.exe	43
PID 2984 wrote to memory of 2352	2984	3DRas.exe	43
PID 2984 wrote to memory of 2352	2984	3DRas.exe	43
PID 2984 wrote to memory of 2064	2984	3DRas.exe	45
PID 2984 wrote to memory of 2064	2984	3DRas.exe	45
PID 2984 wrote to memory of 2064	2984	3DRas.exe	45
PID 2984 wrote to memory of 2064	2984	3DRas.exe	45
PID 2984 wrote to memory of 2684	2984	3DRas.exe	47
PID 2984 wrote to memory of 2684	2984	3DRas.exe	47
PID 2984 wrote to memory of 2684	2984	3DRas.exe	47
PID 2984 wrote to memory of 2684	2984	3DRas.exe	47
PID 2984 wrote to memory of 1148	2984	3DRas.exe	48
PID 2984 wrote to memory of 1148	2984	3DRas.exe	48
PID 2984 wrote to memory of 1148	2984	3DRas.exe	48
PID 2984 wrote to memory of 1148	2984	3DRas.exe	48
PID 2984 wrote to memory of 1328	2984	3DRas.exe	49
PID 2984 wrote to memory of 1328	2984	3DRas.exe	49
PID 2984 wrote to memory of 1328	2984	3DRas.exe	49
PID 2984 wrote to memory of 1328	2984	3DRas.exe	49
PID 2984 wrote to memory of 1056	2984	3DRas.exe	50
PID 2984 wrote to memory of 1056	2984	3DRas.exe	50
PID 2984 wrote to memory of 1056	2984	3DRas.exe	50

C:\Users\Admin\AppData\Local\Temp\e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe
"C:\Users\Admin\AppData\Local\Temp\e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\system32\cmd.exe
  "cmd" /C wmic path win32_ComputerSystem get model
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_ComputerSystem get model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- C:\Users\Admin\AppData\Local\Temp\rCMpyBdAiu\zW1UDh1Sv6rNfns.exe
  "C:\Users\Admin\AppData\Local\Temp\rCMpyBdAiu\zW1UDh1Sv6rNfns.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NuWWtBZeYqtw.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NuWWtBZeYqtw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6CA8.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\rCMpyBdAiu\zW1UDh1Sv6rNfns.exe
    "C:\Users\Admin\AppData\Local\Temp\rCMpyBdAiu\zW1UDh1Sv6rNfns.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2160
- C:\Users\Admin\AppData\Local\Temp\qYgKwldBFHrF\3DRas.exe
  "C:\Users\Admin\AppData\Local\Temp\qYgKwldBFHrF\3DRas.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IvlsrtlGXAfm.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2352
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IvlsrtlGXAfm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp84BA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2064
- - C:\Users\Admin\AppData\Local\Temp\qYgKwldBFHrF\3DRas.exe
    "C:\Users\Admin\AppData\Local\Temp\qYgKwldBFHrF\3DRas.exe"
    3⤵
    - Executes dropped EXE
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\qYgKwldBFHrF\3DRas.exe
    "C:\Users\Admin\AppData\Local\Temp\qYgKwldBFHrF\3DRas.exe"
    3⤵
    - Executes dropped EXE
    PID:1148
- - C:\Users\Admin\AppData\Local\Temp\qYgKwldBFHrF\3DRas.exe
    "C:\Users\Admin\AppData\Local\Temp\qYgKwldBFHrF\3DRas.exe"
    3⤵
    - Executes dropped EXE
    PID:1328
- - C:\Users\Admin\AppData\Local\Temp\qYgKwldBFHrF\3DRas.exe
    "C:\Users\Admin\AppData\Local\Temp\qYgKwldBFHrF\3DRas.exe"
    3⤵
    - Executes dropped EXE
    PID:1056
- - C:\Users\Admin\AppData\Local\Temp\qYgKwldBFHrF\3DRas.exe
    "C:\Users\Admin\AppData\Local\Temp\qYgKwldBFHrF\3DRas.exe"
    3⤵
    - Executes dropped EXE
    PID:940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\e4abd64a01e42490c43dd96226b4c4e601b9b850ea6ae337b9084aee1434e969.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\qYgKwldBFHrF\3DRas.exe

Filesize
2.3MB

MD5
b2d4ca0d0b4a62668b10fef0fe398173

SHA1
af81044a4676023fc24d47c627e59ecd80aee9c7

SHA256
d195c0403aa92be0b700f1537e8745b746b1e3a60a22989145d462e01b6c0183

SHA512
d96714b8e7b1afde59bbbd9ca4a9fb04bce376f25b3afd6e88bee5fcdd0058d7080c7d8c2e4f32319990ec1f53805c783973f33e7adf260999fa7240ecac070c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rCMpyBdAiu\zW1UDh1Sv6rNfns.exe

Filesize
2.2MB

MD5
0c3fb6f18fef7082a5e471492a4ec464

SHA1
02e89c382c50a7745aa8fa8f489fe6a66f9d4d64

SHA256
c31ef3e47ebbb92febeeda72abfdbe9b8bb92cca58eda4e607ef2b192d6df1d6

SHA512
57d4dd97a88abe4fe9e1505a21e58bc693d9c1266447d8bca0d13d92b6576fe390b7fe1cd21dc09108fd7d30a0b3903bdfe1fef5ca876f047abeb7d58677a243

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6CA8.tmp

Filesize
1KB

MD5
c239691fe19ff5dc1dac4c9fd85bc9a6

SHA1
6d3461df54fb7c65136a3d2ab03ad8fbc651da4e

SHA256
c94544fe5082d5fc13704137530757bce47e4f70bbbb1dcaaa4cb952978f4a28

SHA512
18c9c4ab85cb3bcdce0346c5f58bafb1e2a14ff613d704265e7ff00ade0fbdcd25acc5ae7a5997a782f6545badde5678eda0cbdc785d9296ee0d7b85dd07e4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp84BA.tmp

Filesize
1KB

MD5
0b8cb8859692a5d5bc9e5cc9b7d2e13c

SHA1
794b5885ab54a7af3af01e02db1c042cc24d99c7

SHA256
8baa663223deebf0c556cad18f60686abc7678e600822a4b27dc68d6dc774dc6

SHA512
29d109387e645eb37cfe686f55a914702a58ba256f4e6f8e112d7eac43e2e89dfcf5b2f3f284371f2a74de663f6867b047824259bc31691e0ac3f48e4d785637

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
60cbb54084cc166835b4e5bca4f44861

SHA1
b1d4224dde5577acb4891ed0f9131f33418713ec

SHA256
e26a83636b443f75c045c59d0738eda746af5c24a083c0dd404b55ec9a17e065

SHA512
948464c31551fe6d3a2485deefdd5e43d58575447fbda7da5b2b5c53ccbf448a2083a88ee7d9912224341cc92e02dd8e8c949c7548b521c517645add4a0a9f25

Download Submit
memory/2116-24-0x0000000008320000-0x000000000853A000-memory.dmp

Filesize
2.1MB

Download
memory/2116-20-0x0000000000D40000-0x0000000000F84000-memory.dmp

Filesize
2.3MB

Download
memory/2160-38-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-47-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-57-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-31-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-41-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-45-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2160-52-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-33-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-64-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-40-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-44-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-50-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-63-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-53-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-55-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-54-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-58-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-60-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-61-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-59-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-62-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2160-56-0x0000000000400000-0x0000000000A20000-memory.dmp

Filesize
6.1MB

Download
memory/2984-23-0x00000000068D0000-0x0000000006AF2000-memory.dmp

Filesize
2.1MB

Download
memory/2984-22-0x0000000000860000-0x0000000000872000-memory.dmp

Filesize
72KB

Download
memory/2984-21-0x0000000000930000-0x0000000000B7C000-memory.dmp

Filesize
2.3MB

Download
memory/3012-0-0x000007FEF66E3000-0x000007FEF66E4000-memory.dmp

Filesize
4KB

Download
memory/3012-1-0x00000000002C0000-0x000000000074E000-memory.dmp

Filesize
4.6MB

Download