Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 28-06-2022 10:03
Static task: static1
Behavioral task: behavioral1
  Sample: Documents for your perusal.js
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Documents for your perusal.js
  Resource: win10v2004-20220414-en
General
- Target: Documents for your perusal.js
- Size: 1.0MB
- MD5: 377613bfa2aa0b0143caeadf2fcad9fb
- SHA1: c6ca17a49b21e31c43e7b0ab99e8fc40abe6f6dd
- SHA256: 8e489340e5a0c5c56cfda0312f390e8479693264ce0efd9a8f82ac2acc5435b8
- SHA512: cd5483d6c8c6690872664294cfb6da2a49655a9a2cbcef4d5ba52e6ac0669f8cbb0dfea0c64d79603cd1488b4ecb17d95e57a7e63bde27747f397b53450a1dff
Malware Config
Extracted
- Protocol: ftp
- Host: files.000webhost.com
- Port: 21
- Username: zincox
- Password: computer@1010
Extracted (agenttesla)
- Protocol: ftp
- Host: ftp://files.000webhost.com/
- Port: 21
- Username: zincox
- Password: computer@1010
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
suricata: ET MALWARE AgentTesla Exfil via FTP
-
Blocklisted process makes network request 16 IoCs
Processes: wscript.exe
flow  pid   process
4     3148  wscript.exe
13    3148  wscript.exe
14    3148  wscript.exe
17    3148  wscript.exe
37    3148  wscript.exe
44    3148  wscript.exe
50    3148  wscript.exe
51    3148  wscript.exe
54    3148  wscript.exe
55    3148  wscript.exe
58    3148  wscript.exe
59    3148  wscript.exe
60    3148  wscript.exe
61    3148  wscript.exe
62    3148  wscript.exe
63    3148  wscript.exe
-
Executes dropped EXE 1 IoCs
Processes: Documents for your perusal.exe
pid   process
2332  Documents for your perusal.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe, Documents for your perusal.exe
description        ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  wscript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  Documents for your perusal.exe
-
Drops startup file 2 IoCs
Processes: wscript.exe
description                   ioc  process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BtciJsEOuq.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BtciJsEOuq.js  wscript.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: RegSvcs.exe
description  ioc  process
Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: wscript.exe
description      ioc  process
Key created      \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run  wscript.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\BtciJsEOuq.js\""  wscript.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Documents for your perusal.exe
description                          pid   process                         target process
PID 2332 set thread context of 2900  2332  Documents for your perusal.exe  RegSvcs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: powershell.exe, RegSvcs.exe
pid   process
1372  powershell.exe
2900  RegSvcs.exe
2900  RegSvcs.exe
1372  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: powershell.exe, RegSvcs.exe
description              pid   process
Token: SeDebugPrivilege  1372  powershell.exe
Token: SeDebugPrivilege  2900  RegSvcs.exe
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes: wscript.exe, Documents for your perusal.exe
description                       pid   process                         target process
PID 3060 wrote to memory of 3148  3060  wscript.exe                     wscript.exe
PID 3060 wrote to memory of 3148  3060  wscript.exe                     wscript.exe
PID 3060 wrote to memory of 2332  3060  wscript.exe                     Documents for your perusal.exe
PID 3060 wrote to memory of 2332  3060  wscript.exe                     Documents for your perusal.exe
PID 3060 wrote to memory of 2332  3060  wscript.exe                     Documents for your perusal.exe
PID 2332 wrote to memory of 1372  2332  Documents for your perusal.exe  powershell.exe
PID 2332 wrote to memory of 1372  2332  Documents for your perusal.exe  powershell.exe
PID 2332 wrote to memory of 1372  2332  Documents for your perusal.exe  powershell.exe
PID 2332 wrote to memory of 2564  2332  Documents for your perusal.exe  schtasks.exe
PID 2332 wrote to memory of 2564  2332  Documents for your perusal.exe  schtasks.exe
PID 2332 wrote to memory of 2564  2332  Documents for your perusal.exe  schtasks.exe
PID 2332 wrote to memory of 2900  2332  Documents for your perusal.exe  RegSvcs.exe
PID 2332 wrote to memory of 2900  2332  Documents for your perusal.exe  RegSvcs.exe
PID 2332 wrote to memory of 2900  2332  Documents for your perusal.exe  RegSvcs.exe
PID 2332 wrote to memory of 2900  2332  Documents for your perusal.exe  RegSvcs.exe
PID 2332 wrote to memory of 2900  2332  Documents for your perusal.exe  RegSvcs.exe
PID 2332 wrote to memory of 2900  2332  Documents for your perusal.exe  RegSvcs.exe
PID 2332 wrote to memory of 2900  2332  Documents for your perusal.exe  RegSvcs.exe
PID 2332 wrote to memory of 2900  2332  Documents for your perusal.exe  RegSvcs.exe
-
outlook_office_path 1 IoCs
Processes: RegSvcs.exe
description  ioc  process
Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
-
outlook_win_path 1 IoCs
Processes: RegSvcs.exe
description  ioc  process
Key opened   \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  RegSvcs.exe
Processes
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.js"
  Signatures:
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  Children:
    - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\BtciJsEOuq.js"
      Signatures:
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
    - C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
      "C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe"
      Signatures:
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
      Children:
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GSQqDpox.exe"
          Signatures:
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GSQqDpox" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC50.tmp"
          Signatures:
            - Creates scheduled task(s)
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Signatures:
            - Accesses Microsoft Outlook profiles
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Documents for your perusal.exe
Filesize: 560KB
MD5: 4989aa262692c6fb07e54bcf44562006
SHA1: bf8e5f166b79970aad7c02cca15bdcd6f85f7b91
SHA256: f0e00d31613cbf13877cafef94e42fe96e68ab53637f7e4094466d59e6332a3f
SHA512: 1daa2bd724ee9cd0d19fbab17220fcc806e3618291fd5bf1a28c95d1ae60156c63305c5c8d40a8177aa77dcc09b45921ff356f1e78058a97b5d68cdb8527477b
-
C:\Users\Admin\AppData\Local\Temp\tmpBC50.tmp
Filesize: 1KB
MD5: 4b080ba37cbdd94d309dea28c93d27de
SHA1: f6aac0409fd2f0fe3213b186164733406b7d8e1d
SHA256: c515b1139c2234a223149dc411d96d6c915b0a243134074bde9462ba9bcf3b79
SHA512: 1b8770c46ef64ee1ba73c7707537230df12f132474b11080dc469d06fa70d0b4b519cd89712703e15cd9817c5b8f03702a8d5ae87b433820cb9251241b04e219
-
C:\Users\Admin\AppData\Roaming\BtciJsEOuq.js
Filesize: 17KB
MD5: c0d73991959cc38cfc5195de55e5af8c
SHA1: 4c79913f301dad503145cc20805da17d1cd310dd
SHA256: 5743caf8ba2a38a2afc04e50bfbc58d088b8eff958ff8178d9c29bc158105292
SHA512: aca10c9808cf704446666c1326bd7789c32f61fb9d4f8b0fb743b720bc0f99f8a4c743246bc27acc73785aa7c3e907673ba2f3da9d5643089e3764ab5d2c8da4
-
memory/1372-140-0x0000000000000000-mapping.dmp
-
memory/1372-161-0x00000000076E0000-0x00000000076E8000-memory.dmp
Filesize: 32KB
-
memory/1372-159-0x00000000075F0000-0x00000000075FE000-memory.dmp
Filesize: 56KB
-
memory/1372-157-0x0000000007640000-0x00000000076D6000-memory.dmp
Filesize: 600KB
-
memory/1372-156-0x0000000007430000-0x000000000743A000-memory.dmp
Filesize: 40KB
-
memory/1372-155-0x00000000073C0000-0x00000000073DA000-memory.dmp
Filesize: 104KB
-
memory/1372-151-0x0000000006670000-0x00000000066A2000-memory.dmp
Filesize: 200KB
-
memory/1372-154-0x0000000007A00000-0x000000000807A000-memory.dmp
Filesize: 6.5MB
-
memory/1372-142-0x0000000002780000-0x00000000027B6000-memory.dmp
Filesize: 216KB
-
memory/1372-160-0x0000000007700000-0x000000000771A000-memory.dmp
Filesize: 104KB
-
memory/1372-144-0x0000000005440000-0x0000000005A68000-memory.dmp
Filesize: 6.2MB
-
memory/1372-153-0x0000000006650000-0x000000000666E000-memory.dmp
Filesize: 120KB
-
memory/1372-152-0x00000000709A0000-0x00000000709EC000-memory.dmp
Filesize: 304KB
-
memory/1372-147-0x0000000005000000-0x0000000005022000-memory.dmp
Filesize: 136KB
-
memory/1372-148-0x00000000053A0000-0x0000000005406000-memory.dmp
Filesize: 408KB
-
memory/1372-149-0x0000000005AE0000-0x0000000005B46000-memory.dmp
Filesize: 408KB
-
memory/1372-150-0x00000000060C0000-0x00000000060DE000-memory.dmp
Filesize: 120KB
-
memory/2332-138-0x0000000005320000-0x000000000532A000-memory.dmp
Filesize: 40KB
-
memory/2332-139-0x0000000007850000-0x00000000078EC000-memory.dmp
Filesize: 624KB
-
memory/2332-137-0x0000000005390000-0x0000000005422000-memory.dmp
Filesize: 584KB
-
memory/2332-136-0x00000000058A0000-0x0000000005E44000-memory.dmp
Filesize: 5.6MB
-
memory/2332-135-0x00000000008E0000-0x0000000000972000-memory.dmp
Filesize: 584KB
-
memory/2332-132-0x0000000000000000-mapping.dmp
-
memory/2564-141-0x0000000000000000-mapping.dmp
-
memory/2900-146-0x0000000000400000-0x000000000043A000-memory.dmp
Filesize: 232KB
-
memory/2900-145-0x0000000000000000-mapping.dmp
-
memory/2900-158-0x0000000006CD0000-0x0000000006D20000-memory.dmp
Filesize: 320KB
-
memory/3148-130-0x0000000000000000-mapping.dmp