Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-06-2022 15:11
Static task: static1
Behavioral task: behavioral1
- Sample: SbPbhXXaAe_ori40teleevery.js
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: SbPbhXXaAe_ori40teleevery.js
- Resource: win10v2004-20220414-en
General
- Target: SbPbhXXaAe_ori40teleevery.js
- Size: 386KB
- MD5: 917298a0ef1125c31dfc7762135d9978
- SHA1: b6902cd75e83cae4ff2a3ce12f0314d364d5f481
- SHA256: 173bf8f0a06a99b6ff4fd216a0be00b834aa4337828b91124da5d533e674fccf
- SHA512: b1ad86cd50f605ecd3bd7e9d99835dd97f64f16efa97b416e08c1c61d311874807951b7e8a887d76a1de197643a68b863fab5644010756abf384941786d3b9e1
Malware Config
Extracted
- Family: agenttesla
- C2: https://api.telegram.org/bot5171883538:AAEyFWuNh68SJNNpkDCQbviRgrklZA3K4Qs/sendDocument
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request (17 IoCs)
  Processes (flow / pid / process):
    wscript.exe (pid 1112): flows 5, 14, 23, 25, 33, 34, 38, 41, 43, 44, 49, 50, 51, 52, 53, 54, 55
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    3068 ori40teleevery.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
    Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siiOXfeLhL.js (wscript.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\siiOXfeLhL.js (wscript.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
    Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ori40teleevery.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ori40teleevery.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ori40teleevery.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Key created: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\siiOXfeLhL.js\"" (wscript.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    3068 ori40teleevery.exe
    3068 ori40teleevery.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege, pid 3068 ori40teleevery.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
    3068 ori40teleevery.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description / pid / process / target process):
    PID 1804 wrote to memory of 1112: wscript.exe -> wscript.exe
    PID 1804 wrote to memory of 1112: wscript.exe -> wscript.exe
    PID 1804 wrote to memory of 3068: wscript.exe -> ori40teleevery.exe
    PID 1804 wrote to memory of 3068: wscript.exe -> ori40teleevery.exe
    PID 1804 wrote to memory of 3068: wscript.exe -> ori40teleevery.exe
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
    Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ori40teleevery.exe)
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
    Key opened: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ori40teleevery.exe)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\SbPbhXXaAe_ori40teleevery.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\siiOXfeLhL.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Temp\ori40teleevery.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ori40teleevery.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\ori40teleevery.exe
  Filesize: 210KB
  MD5: e0f80223a94ccf3f36aa16c48514f692
  SHA1: 73d3bffd145250ce91657c9d4f3f53ca97c716c0
  SHA256: a56acb1d690ee4deccb5f33c846f767705d5b0a84b6ee0a77aea30c81aa9da67
  SHA512: d5ab5e0cc0399ccc0be06eb8813e4a481d81cd4c222fc7f4553c6f3d1c4b0433a18244626600ab903842da4d6db40e2430c5dcc96ed381b7d4b7f28fd29d6ad5
- C:\Users\Admin\AppData\Roaming\siiOXfeLhL.js
  Filesize: 5KB
  MD5: 4231696592e958293b751bd32c1a6beb
  SHA1: 648d61687cdc1c4b5cadda1df2fe643c31eb6f8b
  SHA256: 3e95f65cac8ca73735d5af5ebe667926639810e99c9478d9c50c24426c51084b
  SHA512: 1612f1654ed5c8a96470f96589f44a920dbee69468fa0bcd3135ed53beb3e3bfd92d845ab8c3f21253bc82eeca28af6f621e9833cdf2960dd8009b6bb2cdcafa
- memory/1112-130-0x0000000000000000-mapping.dmp
- memory/3068-132-0x0000000000000000-mapping.dmp
- memory/3068-135-0x00000000004C0000-0x00000000004FA000-memory.dmp (Filesize: 232KB)
- memory/3068-136-0x00000000054B0000-0x0000000005A54000-memory.dmp (Filesize: 5.6MB)
- memory/3068-137-0x0000000004F00000-0x0000000004F9C000-memory.dmp (Filesize: 624KB)
- memory/3068-138-0x0000000005BA0000-0x0000000005C06000-memory.dmp (Filesize: 408KB)
- memory/3068-139-0x0000000006220000-0x0000000006270000-memory.dmp (Filesize: 320KB)
- memory/3068-140-0x0000000006980000-0x0000000006A12000-memory.dmp (Filesize: 584KB)
- memory/3068-141-0x0000000006900000-0x000000000690A000-memory.dmp (Filesize: 40KB)