Analysis

max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 17/08/2022, 06:30

Static task: static1
Behavioral task: behavioral1
Sample: Request for PI.js
Resource: win7-20220812-en
General

Target: Request for PI.js
Size: 50KB
MD5: 72a7b0c6616ec12b73957b808c7cbabc
SHA1: 6fa031b34174966d214bd9ab9428b405fede8d77
SHA256: 0274e6f327598725f0b88d7044264a0f85598ac00ba227b13a7045c080d4c46d
SHA512: 46347307f066377819272f76ecc5792f93a4f90744317c973816fdb879f0622de9d15def30e7ec34e51544d84b0d2cf52fa8aa4b67dd2eb176e08d8b14051857
Malware Config

Extracted
Protocol: ftp
Host: ftp.techlabinfo.com.br
Port: 21
Username: [email protected]
Password: oX3.Xh!@xFc=

Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.techlabinfo.com.br/
Port: 21
Username: [email protected]
Password: oX3.Xh!@xFc=
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Blocklisted process makes network request (36 IoCs)
flow | pid  | Process
6    | 1100 | wscript.exe
11   | 1760 | wscript.exe
12   | 572  | wscript.exe
14   | 1100 | wscript.exe
15   | 1100 | wscript.exe
16   | 1100 | wscript.exe
18   | 1760 | wscript.exe
19   | 572  | wscript.exe
22   | 572  | wscript.exe
23   | 1760 | wscript.exe
31   | 1760 | wscript.exe
34   | 572  | wscript.exe
35   | 1760 | wscript.exe
37   | 572  | wscript.exe
41   | 1760 | wscript.exe
43   | 572  | wscript.exe
46   | 1760 | wscript.exe
49   | 572  | wscript.exe
51   | 1760 | wscript.exe
53   | 572  | wscript.exe
54   | 1760 | wscript.exe
56   | 572  | wscript.exe
61   | 1760 | wscript.exe
62   | 572  | wscript.exe
65   | 572  | wscript.exe
67   | 1760 | wscript.exe
69   | 1760 | wscript.exe
71   | 572  | wscript.exe
75   | 1760 | wscript.exe
76   | 572  | wscript.exe
79   | 1760 | wscript.exe
81   | 572  | wscript.exe
84   | 1760 | wscript.exe
85   | 572  | wscript.exe
89   | 1760 | wscript.exe
90   | 572  | wscript.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid  | Process
1408 | EPPP.exe

Drops startup file (4 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ToLSGtelkO.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ToLSGtelkO.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | wscript.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | EPPP.exe
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | EPPP.exe
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | EPPP.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  | Process
1408 | EPPP.exe
1408 | EPPP.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1408 | EPPP.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid  | Process
1408 | EPPP.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 1100 wrote to memory of 572 | 1100 | wscript.exe | 27
PID 1100 wrote to memory of 572 | 1100 | wscript.exe | 27
PID 1100 wrote to memory of 572 | 1100 | wscript.exe | 27
PID 572 wrote to memory of 1760 | 572 | wscript.exe | 29
PID 572 wrote to memory of 1760 | 572 | wscript.exe | 29
PID 572 wrote to memory of 1760 | 572 | wscript.exe | 29
PID 1100 wrote to memory of 1408 | 1100 | wscript.exe | 33
PID 1100 wrote to memory of 1408 | 1100 | wscript.exe | 33
PID 1100 wrote to memory of 1408 | 1100 | wscript.exe | 33
PID 1100 wrote to memory of 1408 | 1100 | wscript.exe | 33

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | EPPP.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | EPPP.exe
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Request for PI.js"
  PID: 1100
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\ToLSGtelkO.js"
    PID: 572
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
      PID: 1760
      - Blocklisted process makes network request
      - Drops startup file

  C:\Users\Admin\AppData\Local\Temp\EPPP.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\EPPP.exe"
    PID: 1408
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 209KB
MD5: 3058367b72a671967b83872a8f99b09a
SHA1: b34b56369600d6b117bfadb1dd5d7affac4eaa61
SHA256: 76d65d87a7c98ffbebe035f800a8bb48e88cd9a15d843b88a6c9bd6fcc551b3b
SHA512: be853cbf4e82589b0002530f9e4f67c6ed994fb3dd02488f04b49ca292e0106ea1f79d077e99fb15c969a2256c679c801a24cc8d9d7b679455e5a368f7ba65fb

Filesize: 209KB
MD5: 3058367b72a671967b83872a8f99b09a
SHA1: b34b56369600d6b117bfadb1dd5d7affac4eaa61
SHA256: 76d65d87a7c98ffbebe035f800a8bb48e88cd9a15d843b88a6c9bd6fcc551b3b
SHA512: be853cbf4e82589b0002530f9e4f67c6ed994fb3dd02488f04b49ca292e0106ea1f79d077e99fb15c969a2256c679c801a24cc8d9d7b679455e5a368f7ba65fb

Filesize: 26KB
MD5: 50c6f77435d4987498d7c5b67e7e3715
SHA1: 4ef9674b6918f666814b26717dafe740246ce8bc
SHA256: 4960d6a2c4bddf11663bec4cbf3a06a57b01f9509b82c92e1ee0ec97890911e0
SHA512: 45947604ac1bc959b3af7a49c7bdc9917b16ff117b81724f100a0f8a7e4ce672bfae25e03ef9c89dcea21f98c9963b4d0aa893a88af64ba3d1b445b79cb7aeff

Filesize: 6KB
MD5: a542a21ecaba36f6ba8c6457b8ab67f9
SHA1: 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
SHA256: bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
SHA512: 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a