Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    17/08/2022, 06:31

General

  • Target

    PROFORMA.js

  • Size

    398KB

  • MD5

    598ae97e1537c1e49a5733bc7ebf78b7

  • SHA1

    420fd78ccebfd817a999affa77658dac96f5e675

  • SHA256

    bb233cd3bfd0141e493746f8b0ea0095bc95a98221c5e7ac473c51c16f4ef3f8

  • SHA512

    c49b550b7412701ce8afb73517fd9be3a02cbb1224de8e07823df62f3470623f8d46ddfafccb7c68f6162a74c1669b09871f1d2916c67eebb5ba5addcf054be5

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    server240.web-hosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Success4sure2day10@

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 10 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PROFORMA.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DDqTCNaOGd.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:3768
    • C:\Users\Admin\AppData\Roaming\Ameder.exe
      "C:\Users\Admin\AppData\Roaming\Ameder.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:3508

Network

        Downloads

        • C:\Users\Admin\AppData\Roaming\Ameder.exe

          Filesize

          210KB

          MD5

          bb3183ab7345bd26974ecc8eb29fa06c

          SHA1

          e1b6195b9546aeae5a5a636ced1f66f04290eeab

          SHA256

          9fe8aa2f5b68c291b3485cd12c26c565e9d6abde3139eb4de2ba0291d7ced60e

          SHA512

          244564bb058bd58949849e550d60c28c83157b6b8bfac991b27bddd2c4d46407e2b27bc22b90a72390d0fb10067a4c2c73347215c157aee1f2b36e7aa4ee303f
        • C:\Users\Admin\AppData\Roaming\DDqTCNaOGd.js

          Filesize

          9KB

          MD5

          cd234e5e1b9b723c5c697a5c1c1bbe4f

          SHA1

          f12f5590137c6f3f8145c2b5cf279c15070cc016

          SHA256

          8290dd28ba5d7f3122fcb327a70cc19fcba95f97403c35a21f617ef1d0abf1c9

          SHA512

          520c2cc546ef0a220dc1d12b563b1fd34f3232047a3bc0ef331b47f17fb2bc49c09a7a04a776f18b05e01db8baacf4e2261e50ce50fd8ea64b6bc21206f26096

        • memory/3508-137-0x00000000000B0000-0x00000000000EA000-memory.dmp

          Filesize

          232KB

        • memory/3508-138-0x0000000004F50000-0x00000000054F4000-memory.dmp

          Filesize

          5.6MB

        • memory/3508-139-0x0000000004AD0000-0x0000000004B6C000-memory.dmp

          Filesize

          624KB

        • memory/3508-140-0x00000000057B0000-0x0000000005816000-memory.dmp

          Filesize

          408KB

        • memory/3508-141-0x0000000005EE0000-0x0000000005F30000-memory.dmp

          Filesize

          320KB

        • memory/3508-142-0x00000000061D0000-0x0000000006262000-memory.dmp

          Filesize

          584KB

        • memory/3508-143-0x0000000006130000-0x000000000613A000-memory.dmp

          Filesize

          40KB