Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2022, 06:29

General

  • Target

    POM21002942.js

  • Size

    427KB

  • MD5

    2d8193ff53b965ddcacc30ab8c7397a5

  • SHA1

    18c53d136df295ca2c47bd5f863ed5bc703cd672

  • SHA256

    b19ccae4e289a96091c9195d0610d0bd12b6634aacff934c6d90385464453555

  • SHA512

    627a28608f0a2f6f8238881905ce2ec12c73cfb2ecba0f7087aa12deed7c807623c7ad55b3bbf45ac9cf082d0779fe49a17eeee6bdceb9c4699dac0a9c8ff98c

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 24 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\POM21002942.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\rOvqfjPlWe.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:4984
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:4196
    • C:\Users\Admin\AppData\Local\Temp\mike king.exe
      "C:\Users\Admin\AppData\Local\Temp\mike king.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4500

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\mike king.exe

          Filesize

          209KB

          MD5

          273034838d07e2c19d74764ec8e3a3d1

          SHA1

          88bdac672b3fc746bfa9dba24d47b8c7dd8cb9c2

          SHA256

          7bc141b2e517737a8ada4b00fa60ca593c9f699d52d0238fd8abe0acb2b95ea4

          SHA512

          6cba47d0465f8cf058b8ea604a37112aa009346668f551e806aea854c32179ffa1862293800f936c9f4bc27478a1b9eed18316f758a6fb94db30f548b39e1006

        • C:\Users\Admin\AppData\Local\Temp\mike king.exe

          Filesize

          209KB

          MD5

          273034838d07e2c19d74764ec8e3a3d1

          SHA1

          88bdac672b3fc746bfa9dba24d47b8c7dd8cb9c2

          SHA256

          7bc141b2e517737a8ada4b00fa60ca593c9f699d52d0238fd8abe0acb2b95ea4

          SHA512

          6cba47d0465f8cf058b8ea604a37112aa009346668f551e806aea854c32179ffa1862293800f936c9f4bc27478a1b9eed18316f758a6fb94db30f548b39e1006

        • C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js

          Filesize

          6KB

          MD5

          a542a21ecaba36f6ba8c6457b8ab67f9

          SHA1

          3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c

          SHA256

          bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b

          SHA512

          78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a

        • C:\Users\Admin\AppData\Roaming\rOvqfjPlWe.js

          Filesize

          26KB

          MD5

          e813e79958e40267e63e4da0ba6e966d

          SHA1

          52c619a6e8b03dcb411658297a27de6c4f51ec43

          SHA256

          5d4dada39679ee42dd14d60b3cf1210ea69d1e048ae952fc7d39e14ca17ae63a

          SHA512

          ce19f949662ebc3b78f94e87ada1f820a94b24dd5a07720b085463befe239c401fd5159bd564065b70347695253b7ce6676b21e96e56e00fe9e8461c39c36afc

        • memory/4500-139-0x0000000000C50000-0x0000000000C8A000-memory.dmp

          Filesize

          232KB

        • memory/4500-140-0x0000000005C00000-0x00000000061A4000-memory.dmp

          Filesize

          5.6MB

        • memory/4500-141-0x0000000005590000-0x000000000562C000-memory.dmp

          Filesize

          624KB

        • memory/4500-142-0x00000000061B0000-0x0000000006216000-memory.dmp

          Filesize

          408KB

        • memory/4500-143-0x0000000006850000-0x00000000068A0000-memory.dmp

          Filesize

          320KB

        • memory/4500-144-0x0000000006FB0000-0x0000000007042000-memory.dmp

          Filesize

          584KB

        • memory/4500-145-0x0000000006F40000-0x0000000006F4A000-memory.dmp

          Filesize

          40KB