agenttesla | dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14

Analysis

max time kernel
146s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
Size

1.0MB
MD5

74422803498dc96c3e7ffe8a6ee002b2
SHA1

9fc446b5cffc9b5dddbd508c0e8b47b611e239d7
SHA256

dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14
SHA512

d2f3f0c9f1911f0d313132c0aca437b38f04780aa0fc2a5159bca408fc235dd5a2210390aa50507d94bf823a8df0c0bbf68b60f95be5747e9a645cb8ac2067e1
SSDEEP

12288:zd0NH/DlYD+3ys6ds9+TOipx50R7sac05tE0aLEw4oA4wc7ryDPjHY6ukjhiOGEE:Z0tqD++y9Spxg7sliJ0ERO

Score

10^/10

agenttesla nanocore collection defense_evasion discovery execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot5145135161:AAFnBnjYGtIUE_EwGqQ3-YIV1FOEItrzy8c/

Extracted

Family

nanocore

Version

1.2.2.0

mynewera.ddns.net:3997

127.0.0.1:3997

Mutex

641fe02d-0bc7-4feb-8aea-e93f448bc3bc

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-11-07T17:10:24.306345836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
3997
default_group
neweramoney
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
641fe02d-0bc7-4feb-8aea-e93f448bc3bc
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
mynewera.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2084	powershell.exe
3464	powershell.exe
1724	powershell.exe
3612	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
16	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	schvost.exe

Executes dropped EXE 2 IoCs

pid	Process
3872	schvost.exe
4452	schvost.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
Key opened	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
Key opened	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmBOz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmBOz\\bmBOz.exe"	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Service = "C:\\Program Files (x86)\\SMTP Service\\smtpsv.exe"	schvost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	schvost.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	api.ipify.org
32	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 760 set thread context of 4892	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	98
PID 3872 set thread context of 4452	3872	schvost.exe	105

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\SMTP Service\smtpsv.exe	schvost.exe
File created	C:\Program Files (x86)\SMTP Service\smtpsv.exe	schvost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schvost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schvost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4876	schtasks.exe
2684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
2084	powershell.exe
2084	powershell.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
3464	powershell.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
3464	powershell.exe
3872	schvost.exe
1724	powershell.exe
3612	powershell.exe
3872	schvost.exe
1724	powershell.exe
4452	schvost.exe
4452	schvost.exe
4452	schvost.exe
3612	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4452	schvost.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4452	schvost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	4892	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
Token: SeDebugPrivilege	3872	schvost.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	4452	schvost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4892	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 2084	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	86
PID 760 wrote to memory of 2084	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	86
PID 760 wrote to memory of 2084	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	86
PID 760 wrote to memory of 3872	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	91
PID 760 wrote to memory of 3872	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	91
PID 760 wrote to memory of 3872	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	91
PID 760 wrote to memory of 3464	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	92
PID 760 wrote to memory of 3464	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	92
PID 760 wrote to memory of 3464	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	92
PID 760 wrote to memory of 4876	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	94
PID 760 wrote to memory of 4876	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	94
PID 760 wrote to memory of 4876	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	94
PID 760 wrote to memory of 1216	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	96
PID 760 wrote to memory of 1216	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	96
PID 760 wrote to memory of 1216	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	96
PID 760 wrote to memory of 1384	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	97
PID 760 wrote to memory of 1384	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	97
PID 760 wrote to memory of 1384	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	97
PID 760 wrote to memory of 4892	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	98
PID 760 wrote to memory of 4892	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	98
PID 760 wrote to memory of 4892	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	98
PID 760 wrote to memory of 4892	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	98
PID 760 wrote to memory of 4892	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	98
PID 760 wrote to memory of 4892	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	98
PID 760 wrote to memory of 4892	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	98
PID 760 wrote to memory of 4892	760	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe	98
PID 3872 wrote to memory of 1724	3872	schvost.exe	99
PID 3872 wrote to memory of 1724	3872	schvost.exe	99
PID 3872 wrote to memory of 1724	3872	schvost.exe	99
PID 3872 wrote to memory of 3612	3872	schvost.exe	101
PID 3872 wrote to memory of 3612	3872	schvost.exe	101
PID 3872 wrote to memory of 3612	3872	schvost.exe	101
PID 3872 wrote to memory of 2684	3872	schvost.exe	103
PID 3872 wrote to memory of 2684	3872	schvost.exe	103
PID 3872 wrote to memory of 2684	3872	schvost.exe	103
PID 3872 wrote to memory of 4452	3872	schvost.exe	105
PID 3872 wrote to memory of 4452	3872	schvost.exe	105
PID 3872 wrote to memory of 4452	3872	schvost.exe	105
PID 3872 wrote to memory of 4452	3872	schvost.exe	105
PID 3872 wrote to memory of 4452	3872	schvost.exe	105
PID 3872 wrote to memory of 4452	3872	schvost.exe	105
PID 3872 wrote to memory of 4452	3872	schvost.exe	105
PID 3872 wrote to memory of 4452	3872	schvost.exe	105

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe

C:\Users\Admin\AppData\Local\Temp\dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
"C:\Users\Admin\AppData\Local\Temp\dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe"
1⤵
- Downloads MZ/PE file
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\schvost.exe
  "C:\Users\Admin\AppData\Local\Temp\schvost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\schvost.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xSoEsezdtyinR.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xSoEsezdtyinR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D5D.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2684
- - C:\Users\Admin\AppData\Local\Temp\schvost.exe
    "C:\Users\Admin\AppData\Local\Temp\schvost.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    PID:4452
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LejUjhcXbLPX.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3464
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LejUjhcXbLPX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1EFD.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4876
- C:\Users\Admin\AppData\Local\Temp\dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
  "C:\Users\Admin\AppData\Local\Temp\dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe"
  2⤵
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
  "C:\Users\Admin\AppData\Local\Temp\dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe"
  2⤵
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe
  "C:\Users\Admin\AppData\Local\Temp\dd1b8e8b32926abb0494c5d426239c7db7b420c7fc5406b6ee3be24e354cbd14.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\schvost.exe.log

Filesize
1KB

MD5
400f1cc1a0a0ce1cdabda365ab3368ce

SHA1
1ecf683f14271d84f3b6063493dce00ff5f42075

SHA256
c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

SHA512
14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fab14cc689b20de65f04964b2281da60

SHA1
d982b7911c69e1d69245e9e1a1bd35b5e77343ee

SHA256
b879e9b2b6dfce46ccf2044ac7afce611596763d404026ed7ab2e7614f506cde

SHA512
67cad4f65dfb9491a7d79622825946d8621c3c1420485e9cc64fe628e969f16bb6ddc8eac2a2b87fb967feaa108560d0fa39e0980b4c53d6f1031fce6dccc76d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2e72e3db67c3755db7b3702a78a3d237

SHA1
bbb05547f9769f2c12453309e3c6bc89d5bfed68

SHA256
18fd4ea835311c1344fd5120704eebf1a7121b6571092b978042071ce4da1af6

SHA512
115cdd00f255da58d59c6eafd58f5dd8de351d077ae55e1e6ad29227d379ce60a6a131ac09d7fbaee251d457a382d6e33bb6e5572a7f1932153b251ed2f0a871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
dbbcee5161a3d504efc127057efeab58

SHA1
0a8a4ea51dcbf99f50b445da6934d12bfe9fd3ff

SHA256
0f480b1c5fafc31f712f9cc4829a67cfa02a2f514e42bf055008f524d2816971

SHA512
9737a151c023bb1f0f79746270cd446ef5d903ea3963f9fcbe676074d5d85810ef095a05ccf1db65a3e16ded6634e3be77e35ca0513c1c798515353a935c3fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zb1pqrb3.l3t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\schvost.exe

Filesize
1.7MB

MD5
78a4be361ee04193d1d72654b59fa74a

SHA1
3fb7fdc638f34b852332b05268f0013e30f0d0f2

SHA256
847bd451a4c943cf12122e8c059acbc71fae7b87d9147b47a5e73c3e6d10523c

SHA512
8a4fbb9a144635d3daed5b75f0f053e688efe0817a05b7741a3b4d383111cc43ef0df0da88a01fbd2cc95d3ebe33cf3138295e6dd5b4c2083d4bd767b150c086

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EFD.tmp

Filesize
1KB

MD5
cf1bbc2966f858f608ce1cf3fc5b02d4

SHA1
2e02c100be185d992a69efd5f50075dd4fb29746

SHA256
414c95a70982f533ab04d01d9a8de7075600e67c75a36594a8cd503e85d92fb3

SHA512
8847628896d4d642b4d997b963efe583502ea6b1e019022d9a468363eb13df57a6f9a7a059b2b567df2d4a1309fba6a6f25342e9b8c499e40cbdffa4fdda0ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5D5D.tmp

Filesize
1KB

MD5
09393342a2fe162acc3f5622a96bda84

SHA1
de21e8501a0712eb85e69593fd3bf8b600badf74

SHA256
ccb223d25bd979e01c6ab933dff7eab1ccff5ac7443d588699e0434b79db5324

SHA512
8b2fb4fd3c9318136dcaecbcd3dd7e6bad64b61546f440ba770b14541d93689da663923584d0217cb3781f44394c68bd2a02bf12ab1d23d8abf71291d16935a2

Download Submit
memory/760-8-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/760-2-0x00000000050A0000-0x0000000005644000-memory.dmp

Filesize
5.6MB

Download
memory/760-7-0x000000007529E000-0x000000007529F000-memory.dmp

Filesize
4KB

Download
memory/760-5-0x0000000004B40000-0x0000000004B4A000-memory.dmp

Filesize
40KB

Download
memory/760-9-0x00000000044F0000-0x0000000004564000-memory.dmp

Filesize
464KB

Download
memory/760-10-0x000000000CB90000-0x000000000CC2C000-memory.dmp

Filesize
624KB

Download
memory/760-4-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/760-91-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/760-0-0x000000007529E000-0x000000007529F000-memory.dmp

Filesize
4KB

Download
memory/760-1-0x0000000000020000-0x0000000000128000-memory.dmp

Filesize
1.0MB

Download
memory/760-6-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/760-3-0x0000000004B90000-0x0000000004C22000-memory.dmp

Filesize
584KB

Download
memory/1724-152-0x0000000006350000-0x000000000639C000-memory.dmp

Filesize
304KB

Download
memory/1724-158-0x0000000075B40000-0x0000000075B8C000-memory.dmp

Filesize
304KB

Download
memory/1724-168-0x0000000007550000-0x00000000075F3000-memory.dmp

Filesize
652KB

Download
memory/1724-135-0x0000000005DC0000-0x0000000006114000-memory.dmp

Filesize
3.3MB

Download
memory/1724-179-0x0000000007820000-0x0000000007831000-memory.dmp

Filesize
68KB

Download
memory/1724-180-0x0000000007870000-0x0000000007884000-memory.dmp

Filesize
80KB

Download
memory/2084-50-0x00000000070F0000-0x0000000007186000-memory.dmp

Filesize
600KB

Download
memory/2084-17-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/2084-42-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/2084-46-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/2084-45-0x0000000006D40000-0x0000000006DE3000-memory.dmp

Filesize
652KB

Download
memory/2084-32-0x000000006FD40000-0x000000006FD8C000-memory.dmp

Filesize
304KB

Download
memory/2084-47-0x00000000074B0000-0x0000000007B2A000-memory.dmp

Filesize
6.5MB

Download
memory/2084-48-0x0000000006E70000-0x0000000006E8A000-memory.dmp

Filesize
104KB

Download
memory/2084-49-0x0000000006EE0000-0x0000000006EEA000-memory.dmp

Filesize
40KB

Download
memory/2084-43-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/2084-51-0x0000000007070000-0x0000000007081000-memory.dmp

Filesize
68KB

Download
memory/2084-52-0x00000000070A0000-0x00000000070AE000-memory.dmp

Filesize
56KB

Download
memory/2084-53-0x00000000070B0000-0x00000000070C4000-memory.dmp

Filesize
80KB

Download
memory/2084-54-0x00000000071B0000-0x00000000071CA000-memory.dmp

Filesize
104KB

Download
memory/2084-55-0x0000000007190000-0x0000000007198000-memory.dmp

Filesize
32KB

Download
memory/2084-58-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/2084-11-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/2084-12-0x0000000002220000-0x0000000002256000-memory.dmp

Filesize
216KB

Download
memory/2084-13-0x0000000004E30000-0x0000000005458000-memory.dmp

Filesize
6.2MB

Download
memory/2084-14-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/2084-15-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/2084-31-0x0000000006120000-0x0000000006152000-memory.dmp

Filesize
200KB

Download
memory/2084-30-0x0000000005BE0000-0x0000000005C2C000-memory.dmp

Filesize
304KB

Download
memory/2084-16-0x0000000004B90000-0x0000000004BB2000-memory.dmp

Filesize
136KB

Download
memory/2084-18-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/2084-44-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/2084-28-0x0000000005540000-0x0000000005894000-memory.dmp

Filesize
3.3MB

Download
memory/2084-29-0x0000000005B40000-0x0000000005B5E000-memory.dmp

Filesize
120KB

Download
memory/3464-93-0x0000000006DF0000-0x0000000006E3C000-memory.dmp

Filesize
304KB

Download
memory/3464-88-0x0000000006300000-0x0000000006654000-memory.dmp

Filesize
3.3MB

Download
memory/3464-94-0x0000000070E60000-0x0000000070EAC000-memory.dmp

Filesize
304KB

Download
memory/3464-106-0x0000000007D50000-0x0000000007D64000-memory.dmp

Filesize
80KB

Download
memory/3464-105-0x0000000007D10000-0x0000000007D21000-memory.dmp

Filesize
68KB

Download
memory/3464-104-0x0000000007A50000-0x0000000007AF3000-memory.dmp

Filesize
652KB

Download
memory/3612-169-0x0000000075B40000-0x0000000075B8C000-memory.dmp

Filesize
304KB

Download
memory/3872-75-0x00000000007E0000-0x00000000009A4000-memory.dmp

Filesize
1.8MB

Download
memory/3872-77-0x0000000005160000-0x0000000005208000-memory.dmp

Filesize
672KB

Download
memory/3872-121-0x0000000004B80000-0x0000000004BFE000-memory.dmp

Filesize
504KB

Download
memory/3872-120-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/3872-74-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/3872-151-0x0000000075290000-0x0000000075A40000-memory.dmp

Filesize
7.7MB

Download
memory/4452-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4452-155-0x00000000055F0000-0x00000000055FA000-memory.dmp

Filesize
40KB

Download
memory/4452-157-0x0000000005C50000-0x0000000005C5A000-memory.dmp

Filesize
40KB

Download
memory/4452-156-0x00000000056A0000-0x00000000056BE000-memory.dmp

Filesize
120KB

Download
memory/4892-109-0x0000000007090000-0x00000000070E0000-memory.dmp

Filesize
320KB

Download
memory/4892-110-0x00000000073F0000-0x00000000075B2000-memory.dmp

Filesize
1.8MB

Download
memory/4892-89-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download