Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 23-06-2022 05:56

Static task: static1

Behavioral task: behavioral1
- Sample: Scan docs.js
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: Scan docs.js
- Resource: win10v2004-20220414-en
General
- Target: Scan docs.js
- Size: 695KB
- MD5: 891dc2bbf1be950a27098486168919b5
- SHA1: 1528b59f9783c8f9e58b5f0f8f6090cbfcf864a0
- SHA256: da1e26831c4ee7c90829f22362c3127b05816318a151bee3a9b7a8cb9ddce39f
- SHA512: 93e602f9925d6ae35c2edeb4b9edd88bd6c7e3d7d885a536f117a3eaadf866f5fce9ee5b528624c4db9450dd3f49cf97171ff05cbe37a15aec5603349dfb0ff6
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: mail.freighttrainfleet.com
- Port: 587
- Username: [email protected]
- Password: 9b52731M*
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- suricata: ET MALWARE AgentTesla Exfil Via SMTP
- Blocklisted process makes network request (16 IoCs)
  Process wscript.exe (PID 848) made network requests in flows 4, 7, 8, 10, 12, 13, 15, 16, 17, 19, 20, 21, 23, 24, 25 and 27.
- Executes dropped EXE (1 IoC)
  Process: Net4 Origin.exe (PID 1236)
- Drops startup file (2 IoCs)
  File created by wscript.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GQGruPODld.js
  File opened for modification by wscript.exe: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GQGruPODld.js
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Keys opened by Net4 Origin.exe:
  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created by wscript.exe: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str) by wscript.exe: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\GQGruPODld.js\""
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: Net4 Origin.exe (PID 1236), two occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, Net4 Origin.exe (PID 1236)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: Net4 Origin.exe (PID 1236)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1652 (wscript.exe) wrote to memory of PID 848 (wscript.exe), three occurrences
  PID 1652 (wscript.exe) wrote to memory of PID 1236 (Net4 Origin.exe), four occurrences
- outlook_office_path (1 IoC)
  Key opened by Net4 Origin.exe: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Key opened by Net4 Origin.exe: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Windows\system32\wscript.exe (PID 1652)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Scan docs.js"
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\wscript.exe (PID 848)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\GQGruPODld.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\Net4 Origin.exe (PID 1236)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Net4 Origin.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\Net4 Origin.exe
  Filesize: 209KB
  MD5: 511f723efd20136c1bf50e4c28d7894b
  SHA1: b01840d6fba0e8842f4dcc5077d577a2082f65ca
  SHA256: 639be5d755e8d6783e0e959d782901e0513f1c6663515bd7246e4f5c7f7786db
  SHA512: 5518a071575eee72680e50d9331d13acb200da8154bd8739f111ee33a9192358fef6b51e6645a6df3ee6d94ef1af5ef7767b29474aa2b9153f78d2c421ac4546
- C:\Users\Admin\AppData\Roaming\GQGruPODld.js
  Filesize: 117KB
  MD5: 27327ec3f126ff5a0fbe91a4d697e0ea
  SHA1: 189db856bfb734d30f12335682dd5fc775949b8f
  SHA256: aab53233a4cbe4f4cd4b24caa118862115ccb3a4faec1b31fff9b87f7380fab1
  SHA512: e7e37cabecfc3e14929d8371579b5c121bbbd01c17d43c9902f52facd06bf38087d69f651722ed6eafde46db3123fd5032f16e5156bcb4f87c33df04186fbf1e
- memory/848-55-0x0000000000000000-mapping.dmp
- memory/1236-57-0x0000000000000000-mapping.dmp
- memory/1236-61-0x0000000001140000-0x000000000117A000-memory.dmp
  Filesize: 232KB
- memory/1236-62-0x0000000076461000-0x0000000076463000-memory.dmp
  Filesize: 8KB
- memory/1652-54-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp
  Filesize: 8KB