Analysis
- max time kernel: 119s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 02-12-2021 16:28
Static task: static1
Behavioral task: behavioral1
- Sample: Details as attached in this mail.js
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: Details as attached in this mail.js
- Resource: win10-en-20211014
General
- Target: Details as attached in this mail.js
- Size: 628KB
- MD5: e570e22ed2b2a600241ee070d0c4873d
- SHA1: 2cea5772982d6695cde4b1c2c8727034ec7d67b3
- SHA256: 904b4d3ef25a59a896522183f38be8cb155350dc1823cf7784b48e9fe93983c1
- SHA512: 357a23f2cff7632deb6eb05e2595795e914b56e8526896b9f6bf6736a95ba6b8804c7ee2941fd0a1f056a9ff5b5f219d598efffa4799dea13fb763866f631a89
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://files.000webhost.com/
- Port: 21
- Username: zinco
- Password: computer147
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes (resource: yara_rule):
  - behavioral1/memory/584-64-0x00000000004E0000-0x0000000000517000-memory.dmp: family_agenttesla
  - behavioral1/memory/1624-69-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1624-68-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1624-70-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1624-71-0x000000000043760E-mapping.dmp: family_agenttesla
  - behavioral1/memory/1624-72-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- Executes dropped EXE (1 IoC)
  Processes (pid: process):
  - 584: Details as attached in this mail.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description: ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, AddInProcess32.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, AddInProcess32.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, AddInProcess32.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description: pid, process, target process):
  - PID 584 (Details as attached in this mail.exe) set thread context of 1624 (AddInProcess32.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes (pid: process):
  - 584: Details as attached in this mail.exe (5 events)
  - 1624: AddInProcess32.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description: pid, process):
  - Token: SeDebugPrivilege, 584 (Details as attached in this mail.exe)
  - Token: SeDebugPrivilege, 1624 (AddInProcess32.exe)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description: pid, process, target process):
  - PID 1992 (wscript.exe) wrote to memory of 584 (Details as attached in this mail.exe), 4 events
  - PID 584 (Details as attached in this mail.exe) wrote to memory of 1624 (AddInProcess32.exe), 9 events
- outlook_office_path (1 IoC)
  Processes (description: ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, AddInProcess32.exe
- outlook_win_path (1 IoC)
  Processes (description: ioc, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, AddInProcess32.exe
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Details as attached in this mail.js"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Details as attached in this mail.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Details as attached in this mail.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Details as attached in this mail.exe
  MD5: 2cbaf9720be212b240fa6b8eeacf27ad
  SHA1: a4e9a68be30a36f134112e6d3b6f1478287c2186
  SHA256: 76b6397c76b3d3f981e87c16e22b7e61dfe5bd5f6bbb4386a8627cf8dfece835
  SHA512: 0e0b604d76a51d161ea8bbb87a02568db0b1043d85fb2107b21b8a6da48dd26a003e3a0869e4fe970da72f895c26634493df0143d292ae83daf5f51974443413
- memory/584-64-0x00000000004E0000-0x0000000000517000-memory.dmp: 220KB
- memory/584-65-0x0000000000560000-0x000000000056B000-memory.dmp: 44KB
- memory/584-59-0x00000000001B0000-0x00000000001B1000-memory.dmp: 4KB
- memory/584-60-0x0000000002230000-0x0000000002231000-memory.dmp: 4KB
- memory/584-61-0x0000000000800000-0x0000000000849000-memory.dmp: 292KB
- memory/584-63-0x0000000000290000-0x00000000002BA000-memory.dmp: 168KB
- memory/584-56-0x0000000000000000-mapping.dmp
- memory/1624-67-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1624-66-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1624-69-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1624-68-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1624-70-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1624-71-0x000000000043760E-mapping.dmp
- memory/1624-72-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/1624-74-0x0000000002180000-0x0000000002181000-memory.dmp: 4KB
- memory/1624-75-0x0000000002181000-0x0000000002182000-memory.dmp: 4KB
- memory/1992-55-0x000007FEFC4C1000-0x000007FEFC4C3000-memory.dmp: 8KB