Analysis
max time kernel: 146s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-06-2022 15:35
Static task: static1
Behavioral task: behavioral1
Sample: Documents for your perusal.js
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: Documents for your perusal.js
Resource: win10v2004-20220414-en
General
Target: Documents for your perusal.js
Size: 450KB
MD5: 8d006d2e9172f2ba4c156eb100bd31c9
SHA1: 39f1c16f43c879986747bcdc49a7a75c7a03f0df
SHA256: 1f0f209552a8710e45b93d500959e04bb4e0cef99e268e1b77419fb50c62cfbd
SHA512: b1929743781911ee7b6ed928c4dcef8fe199fe2f6850d5a22eba49fb53efad1684a601fef8f1619f9bece4a3f75703fb0e59d985e98053f485b3a2911472e44b
Malware Config
Extracted
Protocol: ftp
Host: files.000webhost.com
Port: 21
Username: zincox
Password: computer@1010
Extracted
agenttesla
Protocol: ftp
Host: ftp://files.000webhost.com/
Port: 21
Username: zincox
Password: computer@1010
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
suricata: ET MALWARE AgentTesla Exfil via FTP
-
Blocklisted process makes network request (15 IoCs)
Processes:
flow | pid | process
3 | 628 | wscript.exe
8 | 628 | wscript.exe
15 | 628 | wscript.exe
23 | 628 | wscript.exe
33 | 628 | wscript.exe
39 | 628 | wscript.exe
41 | 628 | wscript.exe
43 | 628 | wscript.exe
44 | 628 | wscript.exe
46 | 628 | wscript.exe
47 | 628 | wscript.exe
48 | 628 | wscript.exe
49 | 628 | wscript.exe
50 | 628 | wscript.exe
51 | 628 | wscript.exe
Executes dropped EXE (1 IoC)
Processes:
pid | process
1272 | Zxx.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | wscript.exe
Drops startup file (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oItJmnUZpa.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oItJmnUZpa.js | wscript.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Zxx.exe
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Zxx.exe
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Zxx.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\oItJmnUZpa.js\"" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
1272 | Zxx.exe
1272 | Zxx.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1272 | Zxx.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
description | pid | process | target process
PID 5060 wrote to memory of 628 | 5060 | wscript.exe | wscript.exe
PID 5060 wrote to memory of 628 | 5060 | wscript.exe | wscript.exe
PID 5060 wrote to memory of 1272 | 5060 | wscript.exe | Zxx.exe
PID 5060 wrote to memory of 1272 | 5060 | wscript.exe | Zxx.exe
PID 5060 wrote to memory of 1272 | 5060 | wscript.exe | Zxx.exe
outlook_office_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Zxx.exe
outlook_win_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Zxx.exe
Processes
C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"
  PID: 5060
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\oItJmnUZpa.js"
    PID: 628
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  C:\Users\Admin\AppData\Local\Temp\Zxx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Zxx.exe"
    PID: 1272
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Zxx.exe
Filesize: 209KB
MD5: e711faa67fee4611ead33d70cf480594
SHA1: 04abd88d79bf2b0660bd20d94e01d37d75f76bd8
SHA256: da6985009226924a22f0b0a2a80163ff9e30e77d940ad3c0323f22bc748a284a
SHA512: d692a166356301478c7c24d4dc8601c31d986ddea03406f8810c31db526f62411d2b83a370e46716f63e8680b10ef0bdeaa7d9396bc063db25912ddf69f66dc0
-
C:\Users\Admin\AppData\Roaming\oItJmnUZpa.js
Filesize: 28KB
MD5: 5de1afcc19fea0919a3e4ecd65f90e15
SHA1: 6aa211c61c3edefea543414993a943b67a89d9ef
SHA256: cf8d16624b0987294b2a9f37818ace0964021b32f0736e4bff70563258dc523f
SHA512: e3798ca4fad1d914906711c540bb4fb803f4c63c510f13358ca4ad1e4df0a086e0421e4a71a15f062cd0b4b4d29eb7e7fa67e55750aeb58e9a7c74f161d20bf8
-
memory/628-130-0x0000000000000000-mapping.dmp
memory/1272-132-0x0000000000000000-mapping.dmp
memory/1272-135-0x0000000000480000-0x00000000004BA000-memory.dmp (Filesize: 232KB)
memory/1272-136-0x0000000005480000-0x0000000005A24000-memory.dmp (Filesize: 5.6MB)
memory/1272-137-0x0000000004ED0000-0x0000000004F6C000-memory.dmp (Filesize: 624KB)
memory/1272-138-0x0000000005B70000-0x0000000005BD6000-memory.dmp (Filesize: 408KB)
memory/1272-139-0x00000000061E0000-0x0000000006230000-memory.dmp (Filesize: 320KB)
memory/1272-140-0x00000000067D0000-0x0000000006862000-memory.dmp (Filesize: 584KB)
memory/1272-141-0x0000000006780000-0x000000000678A000-memory.dmp (Filesize: 40KB)