Overview

overview

10

Static

static

10MinNetW7FF

windows7_x64

10

Analysis

  • max time kernel
    600s
  • max time network
    597s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    14-01-2021 07:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tnt_consignment_pickup_Aw(Dstnt_p067b).js

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.zolvtek.com/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    bird0006

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Blocklisted process makes network request 24 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\Tnt_consignment_pickup_Aw(Dstnt_p067b).js
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Tnt_consignment_pickup_Aw(Dstnt_p067b).js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:604
      • C:\Users\Admin\AppData\Roaming\Internet Explorer.exe
        "C:\Users\Admin\AppData\Roaming\Internet Explorer.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:368
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1928 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1944
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2036
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x5a4
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1148
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:652

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Internet Explorer.exe
      MD5

      69968540ca3bc109959e30c6c5c4b746

      SHA1

      5629ab083b93eb0b929d5918911c4573d3e8cf73

      SHA256

      4b18321dbf058432c0ae26683c816406771e44cff9fbfcf26e87e6ff1029a35d

      SHA512

      66d8f565561dc3a8d7c282fe0ff2f2a250d084a64caee5f6f8f8d13b8cf3514a541deb71d88fdcd71d70e66ffe4c851df0f962b4703d8ced9053db0942ac3ed6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Internet Explorer.exe
      MD5

      69968540ca3bc109959e30c6c5c4b746

      SHA1

      5629ab083b93eb0b929d5918911c4573d3e8cf73

      SHA256

      4b18321dbf058432c0ae26683c816406771e44cff9fbfcf26e87e6ff1029a35d

      SHA512

      66d8f565561dc3a8d7c282fe0ff2f2a250d084a64caee5f6f8f8d13b8cf3514a541deb71d88fdcd71d70e66ffe4c851df0f962b4703d8ced9053db0942ac3ed6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tnt_consignment_pickup_Aw(Dstnt_p067b).js
      MD5

      840dc62a11fb14751fe953d7dfcd5574

      SHA1

      64e0dab4021a7329e032641c9a2d996702e35828

      SHA256

      f15399a055d4eb34ad03dde34727b9728b55da64abfc14b3f25e7ae5527216b9

      SHA512

      7a0c68ecbc5692664479ee184251bc25c47fca75dbe2f5f664cd2ed3be1f4a8bea58534bb2fa0c267d55e6082277c66c325f5cbe13fc6f893a5c87a46fe95db5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Tnt_consignment_pickup_Aw(Dstnt_p067b).js
      MD5

      840dc62a11fb14751fe953d7dfcd5574

      SHA1

      64e0dab4021a7329e032641c9a2d996702e35828

      SHA256

      f15399a055d4eb34ad03dde34727b9728b55da64abfc14b3f25e7ae5527216b9

      SHA512

      7a0c68ecbc5692664479ee184251bc25c47fca75dbe2f5f664cd2ed3be1f4a8bea58534bb2fa0c267d55e6082277c66c325f5cbe13fc6f893a5c87a46fe95db5

      Download Submit

    • memory/368-6-0x0000000000000000-mapping.dmp

      Download

    • memory/368-9-0x00000000742C0000-0x00000000749AE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/368-11-0x0000000000180000-0x0000000000181000-memory.dmp

      Filesize

      4KB

      Download

    • memory/604-2-0x0000000000000000-mapping.dmp

      Download

    • memory/944-10-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/1408-4-0x0000000002630000-0x0000000002634000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1944-13-0x0000000000000000-mapping.dmp

      Download