Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 17/08/2022, 15:29
Static task: static1
Behavioral task: behavioral1
- Sample: TRANSFERENCIA $112987.17.js
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: TRANSFERENCIA $112987.17.js
- Resource: win10v2004-20220812-en
General
- Target: TRANSFERENCIA $112987.17.js
- Size: 50KB
- MD5: fec5ad2c4cd364f6780813e4170d43d5
- SHA1: b7ce2fb648f9cbf7fd69a16f083599bfe5511d53
- SHA256: 5dfaea003a9b484fad723fc13f79303169e4c8f2f414a4ee0ef187f7ebd0aac9
- SHA512: bfa44ffc12478a1bb12266e8a00ff912def28f321a1eaa400c0cec730f2aacfb97e78822b33f5ad436421e1aa8e170c0da3da01ad646a59f466b0cd04dae4838
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.sure-peper.com
- Port: 587
- Username: [email protected]
- Password: fzu!HnL7
Extracted (family: agenttesla)
- Protocol: smtp
- Host: smtp.sure-peper.com
- Port: 587
- Username: [email protected]
- Password: fzu!HnL7
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Blocklisted process makes network request (36 IoCs)
flow | pid  | Process
6    | 1760 | wscript.exe
11   | 1552 | wscript.exe
12   | 960  | wscript.exe
14   | 1760 | wscript.exe
15   | 1760 | wscript.exe
16   | 1760 | wscript.exe
17   | 960  | wscript.exe
20   | 1552 | wscript.exe
22   | 1552 | wscript.exe
24   | 960  | wscript.exe
31   | 1552 | wscript.exe
33   | 960  | wscript.exe
36   | 1552 | wscript.exe
38   | 960  | wscript.exe
40   | 1552 | wscript.exe
42   | 960  | wscript.exe
46   | 1552 | wscript.exe
48   | 960  | wscript.exe
50   | 1552 | wscript.exe
51   | 960  | wscript.exe
53   | 1552 | wscript.exe
56   | 960  | wscript.exe
59   | 1552 | wscript.exe
62   | 960  | wscript.exe
64   | 1552 | wscript.exe
66   | 960  | wscript.exe
67   | 1552 | wscript.exe
70   | 960  | wscript.exe
74   | 1552 | wscript.exe
75   | 960  | wscript.exe
77   | 1552 | wscript.exe
79   | 960  | wscript.exe
82   | 1552 | wscript.exe
83   | 960  | wscript.exe
87   | 1552 | wscript.exe
89   | 960  | wscript.exe
Downloads MZ/PE file

Executes dropped EXE (1 IoCs)
pid  | Process
1236 | ori.exe

Drops startup file (4 IoCs)
description                  | ioc                                                                                         | Process
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jQCWVHjWAA.js | wscript.exe
File created                 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | wscript.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc                                                                                                                                                                          | Process
Key opened  | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          | ori.exe
Key opened  | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ori.exe
Key opened  | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          | ori.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description     | ioc                                                                                                                                                             | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\wXURp = "C:\\Users\\Admin\\AppData\\Roaming\\wXURp\\wXURp.exe" | ori.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  | Process
1236 | ori.exe
1236 | ori.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description             | pid  | Process
Token: SeDebugPrivilege | 1236 | ori.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid  | Process
1236 | ori.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description                      | pid  | Process     | procid_target
PID 1760 wrote to memory of 1552 | 1760 | wscript.exe | 28
PID 1760 wrote to memory of 1552 | 1760 | wscript.exe | 28
PID 1760 wrote to memory of 1552 | 1760 | wscript.exe | 28
PID 1552 wrote to memory of 960  | 1552 | wscript.exe | 30
PID 1552 wrote to memory of 960  | 1552 | wscript.exe | 30
PID 1552 wrote to memory of 960  | 1552 | wscript.exe | 30
PID 1760 wrote to memory of 1236 | 1760 | wscript.exe | 34
PID 1760 wrote to memory of 1236 | 1760 | wscript.exe | 34
PID 1760 wrote to memory of 1236 | 1760 | wscript.exe | 34
PID 1760 wrote to memory of 1236 | 1760 | wscript.exe | 34

outlook_office_path (1 IoCs)
description | ioc                                                                                                                                                 | Process
Key opened  | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ori.exe

outlook_win_path (1 IoCs)
description | ioc                                                                                                                                                                          | Process
Key opened  | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | ori.exe
Processes
(depth 1) C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\TRANSFERENCIA $112987.17.js"
  PID: 1760
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\jQCWVHjWAA.js"
    PID: 1552
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
      PID: 960
      - Blocklisted process makes network request
      - Drops startup file
  (depth 2) C:\Users\Admin\AppData\Local\Temp\ori.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ori.exe"
    PID: 1236
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 209KB
  MD5: 2163b2e3196d9b2d1d0d7a88a0cba4fc
  SHA1: e1015c9e03d2271329497cd4ba94d0b602b34c26
  SHA256: 95c3ac7b2e9cefca3a064ffea5b45138ec4fc2216f51a55e0c352458cfffc254
  SHA512: 293b9764d98d147aa5be1490c1e03795fb46398d9f4fff8fc0698c02672fba5cb9f88017f4a03416bb1a0748ea7a4ed741b6b89e94a16b0e39f6a059481c437c
- Filesize: 209KB
  MD5: 2163b2e3196d9b2d1d0d7a88a0cba4fc
  SHA1: e1015c9e03d2271329497cd4ba94d0b602b34c26
  SHA256: 95c3ac7b2e9cefca3a064ffea5b45138ec4fc2216f51a55e0c352458cfffc254
  SHA512: 293b9764d98d147aa5be1490c1e03795fb46398d9f4fff8fc0698c02672fba5cb9f88017f4a03416bb1a0748ea7a4ed741b6b89e94a16b0e39f6a059481c437c
- Filesize: 6KB
  MD5: a542a21ecaba36f6ba8c6457b8ab67f9
  SHA1: 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
  SHA256: bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
  SHA512: 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a
- Filesize: 26KB
  MD5: 1f7855c87513cf8d9f4b5319445865cf
  SHA1: a73d48e0da18067c2e943da97c45acb679e18139
  SHA256: b386904566434edecd5319ebe730f8c5ecd05d8003eaf8b695cc771aa17c2579
  SHA512: 41eb3f05e08fa6b878b1a8ffa90cba44756be53ea09d00c63425ba176f1bef31dc677caea99acfb2e6298403efaae1af4e71ea5a7fe29158a9c0510bfee022a9