Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/08/2022, 06:29
Static task: static1
Behavioral task: behavioral1
- Sample: POM21002942.js
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: POM21002942.js
- Resource: win10v2004-20220812-en
General
- Target: POM21002942.js
- Size: 427KB
- MD5: 2d8193ff53b965ddcacc30ab8c7397a5
- SHA1: 18c53d136df295ca2c47bd5f863ed5bc703cd672
- SHA256: b19ccae4e289a96091c9195d0610d0bd12b6634aacff934c6d90385464453555
- SHA512: 627a28608f0a2f6f8238881905ce2ec12c73cfb2ecba0f7087aa12deed7c807623c7ad55b3bbf45ac9cf082d0779fe49a17eeee6bdceb9c4699dac0a9c8ff98c
Malware Config
- Extracted family: agenttesla
- Extracted URL: https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocument
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Blocklisted process makes network request (24 IoCs)
- pid 4196, wscript.exe: flows 8, 16, 28, 47, 50, 52, 56, 58, 60, 62, 65
- pid 4984, wscript.exe: flows 9, 15, 27, 39, 46, 48, 51, 53, 57, 59, 61, 63, 66

Executes dropped EXE (1 IoC)
- pid 4500, mike king.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (wscript.exe)

Drops startup file (4 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rOvqfjPlWe.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rOvqfjPlWe.js (wscript.exe)

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (mike king.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (mike king.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (mike king.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 4500, mike king.exe
- pid 4500, mike king.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, pid 4500, mike king.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- pid 4500, mike king.exe

Suspicious use of WriteProcessMemory (7 IoCs)
- PID 872 (wscript.exe) wrote to memory of 4984 (procid_target 82)
- PID 872 (wscript.exe) wrote to memory of 4984 (procid_target 82)
- PID 872 (wscript.exe) wrote to memory of 4500 (procid_target 83)
- PID 872 (wscript.exe) wrote to memory of 4500 (procid_target 83)
- PID 872 (wscript.exe) wrote to memory of 4500 (procid_target 83)
- PID 4984 (wscript.exe) wrote to memory of 4196 (procid_target 84)
- PID 4984 (wscript.exe) wrote to memory of 4196 (procid_target 84)

outlook_office_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (mike king.exe)

outlook_win_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (mike king.exe)
Processes
- C:\Windows\system32\wscript.exe (PID 872)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\POM21002942.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 4984)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\rOvqfjPlWe.js"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe (PID 4196)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
      - Blocklisted process makes network request
      - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\mike king.exe (PID 4500)
    Command line: "C:\Users\Admin\AppData\Local\Temp\mike king.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads