Analysis
- max time kernel: 144s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/08/2022, 06:30
Static task: static1
Behavioral task: behavioral1 (Sample: TRANSFERENCIA 112987.17.js; Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: TRANSFERENCIA 112987.17.js; Resource: win10v2004-20220812-en)
General
- Target: TRANSFERENCIA 112987.17.js
- Size: 50KB
- MD5: fec5ad2c4cd364f6780813e4170d43d5
- SHA1: b7ce2fb648f9cbf7fd69a16f083599bfe5511d53
- SHA256: 5dfaea003a9b484fad723fc13f79303169e4c8f2f414a4ee0ef187f7ebd0aac9
- SHA512: bfa44ffc12478a1bb12266e8a00ff912def28f321a1eaa400c0cec730f2aacfb97e78822b33f5ad436421e1aa8e170c0da3da01ad646a59f466b0cd04dae4838
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: smtp.sure-peper.com
- Port: 587
- Username: [email protected]
- Password: fzu!HnL7
(The report lists this configuration twice, once without a family label; the values are identical.)
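The extracted SMTP configuration is the channel the sample uses to mail stolen data out. The following Python is an added example, not part of the sandbox report and not the malware's own code: it recovers AUTH LOGIN / AUTH PLAIN credentials from a plaintext SMTP transcript and checks them against the extracted config, which is how you would confirm the config against a capture of the first outbound session. The transcript is constructed for the example; the host, port and password come from the report, while the mailbox name (user@sure-peper.com) is a placeholder because the report redacts it. The STARTTLS check is the practical caveat: if the client negotiates TLS before AUTH, the credentials are not visible on the wire and only the connection to smtp.sure-peper.com:587 can be matched.

```python
"""Recover SMTP AUTH credentials from a plaintext SMTP transcript and compare
them with the exfiltration config the sandbox extracted.
Added example; not part of the sandbox report or of the sample."""
import base64
import re

# Values from the report; the mailbox name is a placeholder (report redacts it).
EXTRACTED_CONFIG = {
    "protocol": "smtp",
    "host": "smtp.sure-peper.com",
    "port": 587,
    "username": "user@sure-peper.com",
    "password": "fzu!HnL7",
}


def b64(s: str) -> str:
    """Base64-encode a string the way SMTP AUTH lines carry it."""
    return base64.b64encode(s.encode()).decode()


# Constructed transcript: "C:" lines sent by the client, "S:" by the server.
SAMPLE_SESSION = [
    "S: 220 smtp.sure-peper.com ESMTP ready",
    "C: EHLO DESKTOP-ABC123",
    "S: 250-smtp.sure-peper.com",
    "S: 250 AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 " + b64("Username:"),
    "C: " + b64(EXTRACTED_CONFIG["username"]),
    "S: 334 " + b64("Password:"),
    "C: " + b64(EXTRACTED_CONFIG["password"]),
    "S: 235 2.7.0 Authentication successful",
    "C: MAIL FROM:<" + EXTRACTED_CONFIG["username"] + ">",
]

AUTH_RE = re.compile(r"AUTH\s+(LOGIN|PLAIN)(?:\s+(\S+))?$", re.I)


def client_lines(lines):
    return [line[3:].strip() for line in lines if line.startswith("C: ")]


def recover_smtp_credentials(lines):
    """Return (mechanism, username, password) for every AUTH attempt.
    Handles AUTH LOGIN with or without an initial response, and AUTH PLAIN."""
    client = client_lines(lines)
    found = []
    i = 0
    try:
        while i < len(client):
            m = AUTH_RE.match(client[i])
            if not m:
                i += 1
                continue
            mech, initial = m.group(1).upper(), m.group(2)
            if mech == "PLAIN":
                blob = initial if initial else client[i + 1]
                i += 1 if initial else 2
                # PLAIN payload is authzid \0 authcid \0 password; authzid often empty
                parts = base64.b64decode(blob).split(b"\x00")
                found.append(("PLAIN", parts[-2].decode(), parts[-1].decode()))
            else:
                if initial:
                    user_b64, pass_b64 = initial, client[i + 1]
                    i += 2
                else:
                    user_b64, pass_b64 = client[i + 1], client[i + 2]
                    i += 3
                found.append(("LOGIN",
                              base64.b64decode(user_b64).decode(),
                              base64.b64decode(pass_b64).decode()))
    except IndexError:
        pass  # truncated capture: keep whatever was fully recovered
    return found


def matches_config(creds, config):
    """True if any recovered credential pair equals the extracted config."""
    return any(u == config["username"] and p == config["password"] for _, u, p in creds)


def starttls_before_auth(lines):
    """True if the client issued STARTTLS before AUTH: credentials are then
    encrypted and a plaintext capture will not show them."""
    for cmd in (c.upper() for c in client_lines(lines)):
        if cmd.startswith("STARTTLS"):
            return True
        if cmd.startswith("AUTH "):
            return False
    return False


if __name__ == "__main__":
    creds = recover_smtp_credentials(SAMPLE_SESSION)
    print(creds, matches_config(creds, EXTRACTED_CONFIG), starttls_before_auth(SAMPLE_SESSION))
```

Run it against the client side of a capture (for example the output of a TCP stream follow) with each line prefixed "C: " or "S: "; a match ties the network session to the extracted config without needing the sample's memory.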
Signatures
- AgentTesla
  Agent Tesla is a .NET-based information stealer and remote access tool (RAT); the SMTP credentials extracted above are the channel it uses to mail stolen data to the operator.
-
- Blocklisted process makes network request (27 IoCs)
  flow / PID / process:
  wscript.exe PID 2036: flows 7, 16, 18
  wscript.exe PID 1216: flows 13, 21, 37, 42, 47, 54, 56, 58, 60, 62, 64
  wscript.exe PID 4200: flows 12, 20, 36, 41, 46, 49, 52, 55, 57, 59, 61, 63, 65
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  PID 4928 ori.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (wscript.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Drops startup file (4 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js (wscript.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js (wscript.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js (wscript.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ori.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ori.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ori.exe)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wXURp = "C:\\Users\\Admin\\AppData\\Roaming\\wXURp\\wXURp.exe" (ori.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this report (no file encryption, no ransom note) supports that; for an AgentTesla sample, drive enumeration is consistent with locating files and credential stores to steal.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4928 ori.exe
  PID 4928 ori.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, PID 4928 ori.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 4928 ori.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2036 wscript.exe wrote to memory of 1216 (procid_target 83), 2 events
  PID 1216 wscript.exe wrote to memory of 4200 (procid_target 84), 2 events
  PID 2036 wscript.exe wrote to memory of 4928 (procid_target 85), 3 events
- outlook_office_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ori.exe)
- outlook_win_path (1 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ori.exe)
Processes
- C:\Windows\system32\wscript.exe (PID 2036)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA 112987.17.js"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 1216)
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jQCWVHjWAA.js"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\wscript.exe (PID 4200)
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
      - Blocklisted process makes network request
      - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\ori.exe (PID 4928)
    "C:\Users\Admin\AppData\Local\Temp\ori.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
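The process tree above is the detection opportunity: a script host started from a user-writable directory, re-launched silently (//B) from AppData\Roaming, a .js dropped into the Startup folder, the script host spawning an executable from Temp, and that executable writing a Run key that points back into AppData. The following Python is an added example, not part of the sandbox report: it runs those rules over a constructed event list that mirrors the report's PIDs, command lines and paths (plus two benign events the rules must ignore), and walks parent links so every hit can be attributed to the initial script. The event field names are this example's own; map them to your telemetry (Sysmon event IDs 1, 11 and 13 carry the same information).

```python
"""Flag the script-host / dropped-EXE / persistence chain from the report on a
stream of endpoint events.  Added example; not part of the sandbox report."""
import re

SID = r"S-1-5-21-2295526160-1155304984-640977766-1000"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events mirroring the report's process tree (not real telemetry).
EVENTS = [
    {"type": "process", "pid": 2036, "ppid": 1234, "parent": EXPLORER, "image": WSCRIPT,
     "cmdline": r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA 112987.17.js"'},
    {"type": "process", "pid": 1216, "ppid": 2036, "parent": WSCRIPT, "image": WSCRIPT,
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jQCWVHjWAA.js"'},
    {"type": "process", "pid": 4200, "ppid": 1216, "parent": WSCRIPT, "image": WSCRIPT,
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"'},
    {"type": "process", "pid": 4928, "ppid": 2036, "parent": WSCRIPT,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ori.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ori.exe"'},
    {"type": "file", "pid": 1216, "image": WSCRIPT,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js"},
    {"type": "registry", "pid": 4928, "image": r"C:\Users\Admin\AppData\Local\Temp\ori.exe",
     "key": r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wXURp" % SID,
     "value": r"C:\Users\Admin\AppData\Roaming\wXURp\wXURp.exe"},
    # Benign events: none of the rules should fire on these.
    {"type": "process", "pid": 5000, "ppid": 1234, "parent": EXPLORER,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry", "pid": 5001, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor" % SID,
     "value": r"C:\Program Files\Vendor\agent.exe"},
]

SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)


def detect(events):
    """Return (rule_name, pid) for each event that matches a rule, in event order."""
    hits = []
    for e in events:
        if e["type"] == "process":
            img, cmd, parent = e["image"], e["cmdline"], e["parent"]
            # script host running a script from Temp or Roaming; //B makes it silent
            if SCRIPT_HOST.search(img) and USER_WRITABLE.search(cmd) and SCRIPT_EXT.search(cmd):
                rule = "script_host_silent_from_userdir" if "//B" in cmd else "script_host_from_userdir"
                hits.append((rule, e["pid"]))
            # script host is the parent of an executable living in a user-writable dir
            if SCRIPT_HOST.search(parent) and img.lower().endswith(".exe") and USER_WRITABLE.search(img):
                hits.append(("script_host_spawned_dropped_exe", e["pid"]))
        elif e["type"] == "file":
            if STARTUP_DIR.search(e["path"]) and SCRIPT_EXT.search(e["path"]):
                hits.append(("script_dropped_in_startup", e["pid"]))
        elif e["type"] == "registry":
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["value"]):
                hits.append(("run_key_to_appdata", e["pid"]))
    return hits


def lineage(events, pid):
    """Walk ppid links back to the first process we have an event for."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(rule, pid, "lineage:", lineage(EVENTS, pid))
```

Each rule on its own is noisy on some estates (installers write Run keys; logon scripts run from Roaming), which is why the lineage matters: the signal here is that all five fire inside one tree rooted at a wscript.exe started from Temp.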
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 209KB (this entry appears twice in the report with identical hashes)
  MD5: 2163b2e3196d9b2d1d0d7a88a0cba4fc
  SHA1: e1015c9e03d2271329497cd4ba94d0b602b34c26
  SHA256: 95c3ac7b2e9cefca3a064ffea5b45138ec4fc2216f51a55e0c352458cfffc254
  SHA512: 293b9764d98d147aa5be1490c1e03795fb46398d9f4fff8fc0698c02672fba5cb9f88017f4a03416bb1a0748ea7a4ed741b6b89e94a16b0e39f6a059481c437c
- Filesize: 6KB
  MD5: a542a21ecaba36f6ba8c6457b8ab67f9
  SHA1: 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
  SHA256: bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
  SHA512: 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a
- Filesize: 26KB
  MD5: 1f7855c87513cf8d9f4b5319445865cf
  SHA1: a73d48e0da18067c2e943da97c45acb679e18139
  SHA256: b386904566434edecd5319ebe730f8c5ecd05d8003eaf8b695cc771aa17c2579
  SHA512: 41eb3f05e08fa6b878b1a8ffa90cba44756be53ea09d00c63425ba176f1bef31dc677caea99acfb2e6298403efaae1af4e71ea5a7fe29158a9c0510bfee022a9