Analysis
max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
17/08/2022, 06:31
Static task
static1
Behavioral task
behavioral1
Sample
PROFORMA.js
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
PROFORMA.js
Resource
win10v2004-20220812-en
General
-
Target
PROFORMA.js
-
Size
398KB
-
MD5
598ae97e1537c1e49a5733bc7ebf78b7
-
SHA1
420fd78ccebfd817a999affa77658dac96f5e675
-
SHA256
bb233cd3bfd0141e493746f8b0ea0095bc95a98221c5e7ac473c51c16f4ef3f8
-
SHA512
c49b550b7412701ce8afb73517fd9be3a02cbb1224de8e07823df62f3470623f8d46ddfafccb7c68f6162a74c1669b09871f1d2916c67eebb5ba5addcf054be5
Malware Config
Extracted
Protocol: smtp
Host: server240.web-hosting.com
Port: 587
Username: [email protected]
Password: Success4sure2day10@
Extracted
agenttesla
Protocol: smtp
Host: server240.web-hosting.com
Port: 587
Username: [email protected]
Password: Success4sure2day10@
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; the SMTP host, port and credentials in the extracted config are the channel it uses to exfiltrate harvested data.
-
Blocklisted process makes network request 15 IoCs
flow  pid   Process
4     1756  wscript.exe
7     1756  wscript.exe
8     1756  wscript.exe
10    1756  wscript.exe
12    1756  wscript.exe
13    1756  wscript.exe
15    1756  wscript.exe
16    1756  wscript.exe
17    1756  wscript.exe
19    1756  wscript.exe
20    1756  wscript.exe
21    1756  wscript.exe
23    1756  wscript.exe
24    1756  wscript.exe
25    1756  wscript.exe
Drops file in Drivers directory 1 IoCs
description                   ioc                                    Process
File opened for modification  C:\Windows\system32\drivers\etc\hosts  Ameder.exe
-
Executes dropped EXE 1 IoCs
pid   Process
1528  Ameder.exe
-
Drops startup file 2 IoCs
description                   ioc                                                                                        Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DDqTCNaOGd.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DDqTCNaOGd.js  wscript.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description  ioc                                                                                                                                                                   Process
Key opened   \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                  Ameder.exe
Key opened   \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Ameder.exe
Key opened   \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                  Ameder.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this heuristic is "likely ransomware behaviour", but the sample here is classified as Agent Tesla, an infostealer, so the drive enumeration is more plausibly part of its collection routine than of encryption; treat the heuristic as supporting evidence, not as a ransomware verdict.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
1528  Ameder.exe
1528  Ameder.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  1528  Ameder.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
1528  Ameder.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description                        pid   Process      procid_target
PID 2016 wrote to memory of 1756   2016  wscript.exe  27
PID 2016 wrote to memory of 1756   2016  wscript.exe  27
PID 2016 wrote to memory of 1756   2016  wscript.exe  27
PID 2016 wrote to memory of 1528   2016  wscript.exe  28
PID 2016 wrote to memory of 1528   2016  wscript.exe  28
PID 2016 wrote to memory of 1528   2016  wscript.exe  28
PID 2016 wrote to memory of 1528   2016  wscript.exe  28
-
outlook_office_path 1 IoCs
description  ioc                                                                                                                                  Process
Key opened   \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Ameder.exe
-
outlook_win_path 1 IoCs
description  ioc                                                                                                                                                                   Process
Key opened   \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Ameder.exe
Processes
C:\Windows\system32\wscript.exe (depth 1)
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PROFORMA.js
- Suspicious use of WriteProcessMemory
PID: 2016
  C:\Windows\System32\wscript.exe (depth 2, child of PID 2016)
  Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DDqTCNaOGd.js"
  - Blocklisted process makes network request
  - Drops startup file
  PID: 1756
  C:\Users\Admin\AppData\Roaming\Ameder.exe (depth 2, child of PID 2016)
  Command line: "C:\Users\Admin\AppData\Roaming\Ameder.exe"
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID: 1528
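The process tree and the signature tables together describe one chain: wscript.exe launched on a .js from Temp, a second wscript.exe //B instance running a .js copied to Roaming, that script dropped into the Startup folder, a dropped EXE that modifies drivers\etc\hosts and opens Outlook profile keys, and SMTP on port 587 to the configured host. The script below is an added example, not the sandbox's own detection logic, that turns those observations into hunting rules and runs them over constructed process, file, registry and network events modelled on this report (the events, the benign OUTLOOK.EXE noise, and the MAIL_CLIENTS allowlist are assumptions, not report data). The point it makes is that each rule alone is noisy, so a process is escalated only when several distinct rules fire on it:

```python
"""Hunt for the behaviour chain in this report over constructed telemetry.

Added example: the rules are written from the report's signatures and process
tree; the EVENTS list is constructed to mirror them and is not real telemetry.
"""
import ntpath
import re
from collections import defaultdict

SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: site-specific allowlist
SMTP_PORTS = {25, 465, 587}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
HOSTS_FILE = re.compile(r"\\drivers\\etc\\hosts$", re.I)
OUTLOOK_PROFILE = re.compile(r"\\Outlook\\Profiles\\", re.I)

# Registry key from the report's outlook_office_path IoC.
OUTLOOK_KEY = (r"\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000"
               r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")

EVENTS = [  # constructed, modelled on the report's process tree and IoC tables
    {"type": "process", "pid": 2016, "ppid": 900, "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\PROFORMA.js"},
    {"type": "process", "pid": 1756, "ppid": 2016, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DDqTCNaOGd.js"'},
    {"type": "file", "pid": 1756, "image": "wscript.exe", "op": "create",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DDqTCNaOGd.js"},
    {"type": "process", "pid": 1528, "ppid": 2016, "image": r"C:\Users\Admin\AppData\Roaming\Ameder.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\Ameder.exe"'},
    {"type": "file", "pid": 1528, "image": "Ameder.exe", "op": "modify",
     "path": r"C:\Windows\system32\drivers\etc\hosts"},
    {"type": "registry", "pid": 1528, "image": "Ameder.exe", "key": OUTLOOK_KEY},
    {"type": "network", "pid": 1528, "image": "Ameder.exe", "dst": "server240.web-hosting.com", "dport": 587},
    # Constructed benign noise: a real mail client legitimately doing the same two things.
    {"type": "process", "pid": 3000, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "cmdline": "OUTLOOK.EXE"},
    {"type": "registry", "pid": 3000, "image": "OUTLOOK.EXE", "key": OUTLOOK_KEY},
    {"type": "network", "pid": 3000, "image": "OUTLOOK.EXE", "dst": "smtp.example.com", "dport": 587},
]


def _image_name(event):
    return ntpath.basename(event["image"]).lower()


def script_args(cmdline):
    """Yield command-line tokens (quoted or bare) whose extension is a script type."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        tok = quoted or bare
        if ntpath.splitext(tok)[1].lower() in SCRIPT_EXT:
            yield tok


def hunt(events):
    """Return one finding per rule match as {'rule', 'pid', 'detail'}."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []

    def hit(rule, e, detail):
        findings.append({"rule": rule, "pid": e["pid"], "detail": detail})

    for e in events:
        img = _image_name(e)
        if e["type"] == "process":
            # Script host executing a script from a user-writable location.
            if img in SCRIPT_HOSTS:
                for script in script_args(e["cmdline"]):
                    if USER_WRITABLE.search(script):
                        hit("script_host_runs_user_script", e, script)
            # Script host as parent of an executable living under AppData (the dropped EXE).
            parent = procs.get(e["ppid"])
            if parent and _image_name(parent) in SCRIPT_HOSTS and USER_WRITABLE.search(e["image"]):
                hit("script_host_spawns_appdata_exe", e, e["image"])
        elif e["type"] == "file":
            if STARTUP_DIR.search(e["path"]) and ntpath.splitext(e["path"])[1].lower() in SCRIPT_EXT:
                hit("startup_folder_script", e, e["path"])
            if HOSTS_FILE.search(e["path"]):
                hit("hosts_file_write", e, e["path"])
        elif e["type"] == "registry":
            if OUTLOOK_PROFILE.search(e["key"]) and img not in MAIL_CLIENTS:
                hit("outlook_profile_access", e, e["key"])
        elif e["type"] == "network":
            if e["dport"] in SMTP_PORTS and img not in MAIL_CLIENTS:
                hit("smtp_from_non_mail_client", e, f'{e["dst"]}:{e["dport"]}')
    return findings


def rules_by_pid(findings):
    """Distinct rules that fired per process, sorted for stable comparison."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["pid"]].add(f["rule"])
    return {pid: sorted(rules) for pid, rules in grouped.items()}


def suspicious_pids(findings, min_rules=2):
    """Processes on which at least min_rules distinct rules fired: the chain, not one heuristic."""
    return sorted(pid for pid, rules in rules_by_pid(findings).items() if len(rules) >= min_rules)


if __name__ == "__main__":
    results = hunt(EVENTS)
    for pid, rules in sorted(rules_by_pid(results).items()):
        print(pid, ", ".join(rules))
    print("escalate:", suspicious_pids(results))
```

Run against the constructed events, PID 1528 (the dropped EXE) trips four rules and PID 1756 (the //B wscript.exe instance) two, while the OUTLOOK.EXE noise trips none because it is on the mail-client allowlist. In production telemetry the same rules map directly onto Sysmon event IDs 1, 11, 12/13 and 3, and the hosts-file and Startup-folder rules are worth keeping as stand-alone alerts even without the chain.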
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
210KB
MD5
bb3183ab7345bd26974ecc8eb29fa06c
SHA1
e1b6195b9546aeae5a5a636ced1f66f04290eeab
SHA256
9fe8aa2f5b68c291b3485cd12c26c565e9d6abde3139eb4de2ba0291d7ced60e
SHA512
244564bb058bd58949849e550d60c28c83157b6b8bfac991b27bddd2c4d46407e2b27bc22b90a72390d0fb10067a4c2c73347215c157aee1f2b36e7aa4ee303f
-
Filesize
210KB
MD5
bb3183ab7345bd26974ecc8eb29fa06c
SHA1
e1b6195b9546aeae5a5a636ced1f66f04290eeab
SHA256
9fe8aa2f5b68c291b3485cd12c26c565e9d6abde3139eb4de2ba0291d7ced60e
SHA512
244564bb058bd58949849e550d60c28c83157b6b8bfac991b27bddd2c4d46407e2b27bc22b90a72390d0fb10067a4c2c73347215c157aee1f2b36e7aa4ee303f
-
Filesize
9KB
MD5
cd234e5e1b9b723c5c697a5c1c1bbe4f
SHA1
f12f5590137c6f3f8145c2b5cf279c15070cc016
SHA256
8290dd28ba5d7f3122fcb327a70cc19fcba95f97403c35a21f617ef1d0abf1c9
SHA512
520c2cc546ef0a220dc1d12b563b1fd34f3232047a3bc0ef331b47f17fb2bc49c09a7a04a776f18b05e01db8baacf4e2261e50ce50fd8ea64b6bc21206f26096