Analysis
Max time kernel: 150s
Max time network: 152s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 28-06-2022 10:03
Static task: static1
Behavioral task: behavioral1
  Sample: Documents for your perusal.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Documents for your perusal.js
  Resource: win10v2004-20220414-en
General
Target: Documents for your perusal.js
Size: 1.0MB
MD5: 377613bfa2aa0b0143caeadf2fcad9fb
SHA1: c6ca17a49b21e31c43e7b0ab99e8fc40abe6f6dd
SHA256: 8e489340e5a0c5c56cfda0312f390e8479693264ce0efd9a8f82ac2acc5435b8
SHA512: cd5483d6c8c6690872664294cfb6da2a49655a9a2cbcef4d5ba52e6ac0669f8cbb0dfea0c64d79603cd1488b4ecb17d95e57a7e63bde27747f397b53450a1dff
Malware Config
Extracted
  Protocol: ftp
  Host: files.000webhost.com
  Port: 21
  Username: zincox
  Password: computer@1010
Extracted: agenttesla
  Protocol: ftp
  Host: ftp://files.000webhost.com/
  Port: 21
  Username: zincox
  Password: computer@1010
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- suricata: ET MALWARE AgentTesla Exfil via FTP
- Blocklisted process makes network request (15 IoCs)
  Processes:
  flow  pid   process
  4     1904  wscript.exe
  5     1904  wscript.exe
  6     1904  wscript.exe
  8     1904  wscript.exe
  13    1904  wscript.exe
  14    1904  wscript.exe
  16    1904  wscript.exe
  17    1904  wscript.exe
  18    1904  wscript.exe
  20    1904  wscript.exe
  21    1904  wscript.exe
  22    1904  wscript.exe
  24    1904  wscript.exe
  25    1904  wscript.exe
  26    1904  wscript.exe
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  1664  Documents for your perusal.exe
- Drops startup file (2 IoCs)
  Processes:
  description                  ioc                                                                                          process
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BtciJsEOuq.js   wscript.exe
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BtciJsEOuq.js   wscript.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description  ioc                                                                                                                                                                      process
  Key opened   \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                        RegSvcs.exe
  Key opened   \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   RegSvcs.exe
  Key opened   \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                        RegSvcs.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description      ioc                                                                                                                                process
  Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run                            wscript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BtciJsEOuq.js\""   wscript.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                           pid   process                         target process
  PID 1664 set thread context of 1684   1664  Documents for your perusal.exe  RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid   process
  1684  RegSvcs.exe
  1684  RegSvcs.exe
  708   powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   1684  RegSvcs.exe
  Token: SeDebugPrivilege   708   powershell.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (identical rows are collapsed, with the repetition count in the last column; the original table lists each row separately):
  description                        pid   process                         target process                  count
  PID 2036 wrote to memory of 1904   2036  wscript.exe                     wscript.exe                     3
  PID 2036 wrote to memory of 1664   2036  wscript.exe                     Documents for your perusal.exe  4
  PID 1664 wrote to memory of 708    1664  Documents for your perusal.exe  powershell.exe                  4
  PID 1664 wrote to memory of 1308   1664  Documents for your perusal.exe  schtasks.exe                    4
  PID 1664 wrote to memory of 1684   1664  Documents for your perusal.exe  RegSvcs.exe                     12
- outlook_office_path (1 IoC)
  Processes:
  description  ioc                                                                                                                                        process
  Key opened   \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   RegSvcs.exe
- outlook_win_path (1 IoC)
  Processes:
  description  ioc                                                                                                                                                                      process
  Key opened   \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   RegSvcs.exe
Processes
C:\Windows\system32\wscript.exe (level 1)
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\wscript.exe (level 2)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BtciJsEOuq.js"
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
  C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GSQqDpox.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GSQqDpox" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB74F.tmp"
      - Creates scheduled task(s)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
  Filesize: 560KB
  MD5: 4989aa262692c6fb07e54bcf44562006
  SHA1: bf8e5f166b79970aad7c02cca15bdcd6f85f7b91
  SHA256: f0e00d31613cbf13877cafef94e42fe96e68ab53637f7e4094466d59e6332a3f
  SHA512: 1daa2bd724ee9cd0d19fbab17220fcc806e3618291fd5bf1a28c95d1ae60156c63305c5c8d40a8177aa77dcc09b45921ff356f1e78058a97b5d68cdb8527477b
C:\Users\Admin\AppData\Local\Temp\tmpB74F.tmp
  Filesize: 1KB
  MD5: 4de11d63119e510a6095a4fb58b96db0
  SHA1: abaa59e84b36565e73a2e2635d4fcdd21015a772
  SHA256: 9d60381097d5ea16473ac4ce0efa0c0aa2781c31b3cde8de2f5a4b48edab0576
  SHA512: d4ede480e54c5d83438719be9a9ce1adc28b9e48eac48ca23e46b00f3eccad8d9767bf9902cd6679cc60476f2455fe180ea47e3fa8071461912cf65834851e53
C:\Users\Admin\AppData\Roaming\BtciJsEOuq.js
  Filesize: 17KB
  MD5: c0d73991959cc38cfc5195de55e5af8c
  SHA1: 4c79913f301dad503145cc20805da17d1cd310dd
  SHA256: 5743caf8ba2a38a2afc04e50bfbc58d088b8eff958ff8178d9c29bc158105292
  SHA512: aca10c9808cf704446666c1326bd7789c32f61fb9d4f8b0fb743b720bc0f99f8a4c743246bc27acc73785aa7c3e907673ba2f3da9d5643089e3764ab5d2c8da4