Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
28-06-2022 10:03
General
-
Target
Documents for your perusal.js
-
Size
1.0MB
-
MD5
377613bfa2aa0b0143caeadf2fcad9fb
-
SHA1
c6ca17a49b21e31c43e7b0ab99e8fc40abe6f6dd
-
SHA256
8e489340e5a0c5c56cfda0312f390e8479693264ce0efd9a8f82ac2acc5435b8
-
SHA512
cd5483d6c8c6690872664294cfb6da2a49655a9a2cbcef4d5ba52e6ac0669f8cbb0dfea0c64d79603cd1488b4ecb17d95e57a7e63bde27747f397b53450a1dff
Malware Config
Extracted
Protocol: ftp- Host:
files.000webhost.com - Port:
21 - Username:
zincox - Password:
computer@1010
Extracted
agenttesla
Protocol: ftp- Host:
ftp://files.000webhost.com/ - Port:
21 - Username:
zincox - Password:
computer@1010
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
suricata: ET MALWARE AgentTesla Exfil via FTP
suricata: ET MALWARE AgentTesla Exfil via FTP
-
Blocklisted process makes network request 15 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops startup file 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BtciJsEOuq.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe"C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GSQqDpox.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GSQqDpox" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB74F.tmp"3⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exeFilesize
560KB
MD54989aa262692c6fb07e54bcf44562006
SHA1bf8e5f166b79970aad7c02cca15bdcd6f85f7b91
SHA256f0e00d31613cbf13877cafef94e42fe96e68ab53637f7e4094466d59e6332a3f
SHA5121daa2bd724ee9cd0d19fbab17220fcc806e3618291fd5bf1a28c95d1ae60156c63305c5c8d40a8177aa77dcc09b45921ff356f1e78058a97b5d68cdb8527477b
-
C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exeFilesize
560KB
MD54989aa262692c6fb07e54bcf44562006
SHA1bf8e5f166b79970aad7c02cca15bdcd6f85f7b91
SHA256f0e00d31613cbf13877cafef94e42fe96e68ab53637f7e4094466d59e6332a3f
SHA5121daa2bd724ee9cd0d19fbab17220fcc806e3618291fd5bf1a28c95d1ae60156c63305c5c8d40a8177aa77dcc09b45921ff356f1e78058a97b5d68cdb8527477b
-
C:\Users\Admin\AppData\Local\Temp\tmpB74F.tmpFilesize
1KB
MD54de11d63119e510a6095a4fb58b96db0
SHA1abaa59e84b36565e73a2e2635d4fcdd21015a772
SHA2569d60381097d5ea16473ac4ce0efa0c0aa2781c31b3cde8de2f5a4b48edab0576
SHA512d4ede480e54c5d83438719be9a9ce1adc28b9e48eac48ca23e46b00f3eccad8d9767bf9902cd6679cc60476f2455fe180ea47e3fa8071461912cf65834851e53
-
C:\Users\Admin\AppData\Roaming\BtciJsEOuq.jsFilesize
17KB
MD5c0d73991959cc38cfc5195de55e5af8c
SHA14c79913f301dad503145cc20805da17d1cd310dd
SHA2565743caf8ba2a38a2afc04e50bfbc58d088b8eff958ff8178d9c29bc158105292
SHA512aca10c9808cf704446666c1326bd7789c32f61fb9d4f8b0fb743b720bc0f99f8a4c743246bc27acc73785aa7c3e907673ba2f3da9d5643089e3764ab5d2c8da4
-
memory/708-66-0x0000000000000000-mapping.dmp
-
memory/708-84-0x000000006F670000-0x000000006FC1B000-memory.dmpFilesize
5.7MB
-
memory/708-83-0x000000006F670000-0x000000006FC1B000-memory.dmpFilesize
5.7MB
-
memory/1308-68-0x0000000000000000-mapping.dmp
-
memory/1664-61-0x0000000000F40000-0x0000000000FD2000-memory.dmpFilesize
584KB
-
memory/1664-64-0x0000000000800000-0x000000000080A000-memory.dmpFilesize
40KB
-
memory/1664-65-0x00000000051E0000-0x0000000005252000-memory.dmpFilesize
456KB
-
memory/1664-63-0x0000000000550000-0x0000000000566000-memory.dmpFilesize
88KB
-
memory/1664-62-0x0000000075C01000-0x0000000075C03000-memory.dmpFilesize
8KB
-
memory/1664-57-0x0000000000000000-mapping.dmp
-
memory/1664-70-0x0000000005070000-0x00000000050AA000-memory.dmpFilesize
232KB
-
memory/1684-79-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1684-72-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1684-75-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1684-74-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1684-76-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1684-77-0x0000000000435B9E-mapping.dmp
-
memory/1684-71-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1684-81-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/1904-55-0x0000000000000000-mapping.dmp
-
memory/2036-54-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmpFilesize
8KB