Overview

overview

10

Static

static

Inv-04_PDF.vbs

windows7_x64

10

Inv-04_PDF.vbs

windows10_x64

10

Analysis

  • max time kernel
    109s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    21-07-2021 17:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Inv-04_PDF.vbs

  • Size

    2.3MB

  • MD5

    b6a05c3a37dde3db4a8005dfaeda9e97

  • SHA1

    c0b64b85e13865a76136ce2d5674ebca53246566

  • SHA256

    1d5026cbfdcd2825631dd77f8f5149e275f03ec78390f94e63dad83d778569c1

  • SHA512

    730b73dc411f25c3c79d1fe6272c797a076ab85da48162379ad32ad36c40806b2a13cf0671ab3e646c45a34fbeaf5f95091e2c7bfcfb10a889b6a17ef2de0e16

Score
10/10
agentteslananocorekeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.jetport-aero.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Niniola@456

Extracted

Family

nanocore

Version

1.2.2.0

C2

sys2021.linkpc.net:11940

23.94.82.41:11940
Mutex

de7e01ad-963b-4e14-81aa-08dfb351f0fe

Attributes
  • activate_away_mode

    false

  • backup_connection_host

    23.94.82.41

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2021-04-24T08:14:59.254967636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    11940

  • default_group

    Do

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    de7e01ad-963b-4e14-81aa-08dfb351f0fe

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    sys2021.linkpc.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • AgentTesla Payload 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Inv-04_PDF.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3912
    • C:\Users\Admin\AppData\Local\Temp\file1.exe
      "C:\Users\Admin\AppData\Local\Temp\file1.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3564
    • C:\Users\Admin\AppData\Local\Temp\file2.exe
      "C:\Users\Admin\AppData\Local\Temp\file2.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        3⤵
        • Executes dropped EXE
        PID:700

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\file1.exe
    MD5

    672e9fdc80f39f27f98a048b9f51aea0

    SHA1

    506479c1633363f4ac0276e59d6b66f648cf4a33

    SHA256

    a9497517888f5e6e725fa5afd4faed80eec9f218438dbccf2c9e6e1b37aa8ed1

    SHA512

    eb8bb241076cfbda03db01d20341cc73fd7a807ce33442528232941c89c2da0007e0cee339d82c27446c9310b00036d1816be8e5f3a78ee85e37cdd4d9194e3c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\file1.exe
    MD5

    672e9fdc80f39f27f98a048b9f51aea0

    SHA1

    506479c1633363f4ac0276e59d6b66f648cf4a33

    SHA256

    a9497517888f5e6e725fa5afd4faed80eec9f218438dbccf2c9e6e1b37aa8ed1

    SHA512

    eb8bb241076cfbda03db01d20341cc73fd7a807ce33442528232941c89c2da0007e0cee339d82c27446c9310b00036d1816be8e5f3a78ee85e37cdd4d9194e3c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\file2.exe
    MD5

    b564a2bae72f01f3e3fb726184fed4c9

    SHA1

    c64494a88d69fe8974e5742841d1d12fc07c0d6e

    SHA256

    03707d7ad90db602966ae1e86703672c77d0ec94bd125cd026846f188f893be1

    SHA512

    7779a5e4f7b7136c72034667c8a0e7c13cec1c2a02ccdde65bb936609333b86b1e7d5c3a7ae6cbb46462244dd134a3daf2bd9af6a6d43e8ced33f4f1a52d5da3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\file2.exe
    MD5

    b564a2bae72f01f3e3fb726184fed4c9

    SHA1

    c64494a88d69fe8974e5742841d1d12fc07c0d6e

    SHA256

    03707d7ad90db602966ae1e86703672c77d0ec94bd125cd026846f188f893be1

    SHA512

    7779a5e4f7b7136c72034667c8a0e7c13cec1c2a02ccdde65bb936609333b86b1e7d5c3a7ae6cbb46462244dd134a3daf2bd9af6a6d43e8ced33f4f1a52d5da3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\eXPLorerInternet64\Explorer64int.exe
    MD5

    b564a2bae72f01f3e3fb726184fed4c9

    SHA1

    c64494a88d69fe8974e5742841d1d12fc07c0d6e

    SHA256

    03707d7ad90db602966ae1e86703672c77d0ec94bd125cd026846f188f893be1

    SHA512

    7779a5e4f7b7136c72034667c8a0e7c13cec1c2a02ccdde65bb936609333b86b1e7d5c3a7ae6cbb46462244dd134a3daf2bd9af6a6d43e8ced33f4f1a52d5da3

    Download Submit

  • memory/700-166-0x0000000005550000-0x0000000005551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/700-152-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

    Download

  • memory/700-155-0x000000000041E792-mapping.dmp

    Download

  • memory/1432-124-0x0000000004E20000-0x0000000004E21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1432-131-0x0000000004920000-0x0000000004E1E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/1432-132-0x00000000069B0000-0x0000000006A0C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/1432-134-0x0000000006A90000-0x0000000006A91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1432-114-0x0000000000000000-mapping.dmp

    Download

  • memory/1432-145-0x00000000073B0000-0x0000000007428000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1432-126-0x00000000049C0000-0x00000000049C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1432-148-0x0000000004920000-0x0000000004E1E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/1432-128-0x0000000004A70000-0x0000000004A71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1432-121-0x00000000000B0000-0x00000000000B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1528-130-0x0000000004DB0000-0x00000000052AE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/1528-133-0x00000000082C0000-0x0000000008322000-memory.dmp

    Filesize

    392KB

    Download

  • memory/1528-149-0x0000000004DB0000-0x00000000052AE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/1528-146-0x00000000089D0000-0x00000000089D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1528-144-0x00000000087F0000-0x0000000008857000-memory.dmp

    Filesize

    412KB

    Download

  • memory/1528-120-0x0000000000390000-0x0000000000391000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1528-116-0x0000000000000000-mapping.dmp

    Download

  • memory/3564-153-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3564-154-0x0000000000437B0E-mapping.dmp

    Download

  • memory/3564-168-0x0000000004F40000-0x000000000543E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3564-169-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3564-170-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

    Filesize

    4KB

    Download