Analysis
max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 18/08/2022, 02:41
Static task: static1
Behavioral task: behavioral1
Sample: b19ccae4e289a96091c9195d0610d0bd12b6634aacff934c6d90385464453555.js
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: b19ccae4e289a96091c9195d0610d0bd12b6634aacff934c6d90385464453555.js
Resource: win10v2004-20220812-en
General
Target: b19ccae4e289a96091c9195d0610d0bd12b6634aacff934c6d90385464453555.js
Size: 427KB
MD5: 2d8193ff53b965ddcacc30ab8c7397a5
SHA1: 18c53d136df295ca2c47bd5f863ed5bc703cd672
SHA256: b19ccae4e289a96091c9195d0610d0bd12b6634aacff934c6d90385464453555
SHA512: 627a28608f0a2f6f8238881905ce2ec12c73cfb2ecba0f7087aa12deed7c807623c7ad55b3bbf45ac9cf082d0779fe49a17eeee6bdceb9c4699dac0a9c8ff98c
Malware Config
Extracted: agenttesla
C2 (Telegram Bot API): https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocument
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Blocklisted process makes network request 32 IoCs
flow  pid   Process
6     1692  wscript.exe
7     5072  wscript.exe
10    5072  wscript.exe
11    1692  wscript.exe
17    5072  wscript.exe
18    1692  wscript.exe
24    1692  wscript.exe
25    5072  wscript.exe
30    1692  wscript.exe
31    5072  wscript.exe
35    1692  wscript.exe
36    5072  wscript.exe
40    1692  wscript.exe
41    5072  wscript.exe
45    1692  wscript.exe
46    5072  wscript.exe
48    1692  wscript.exe
49    5072  wscript.exe
50    5072  wscript.exe
51    1692  wscript.exe
53    1692  wscript.exe
54    5072  wscript.exe
55    1692  wscript.exe
56    5072  wscript.exe
57    5072  wscript.exe
58    1692  wscript.exe
59    5072  wscript.exe
60    1692  wscript.exe
61    5072  wscript.exe
62    1692  wscript.exe
63    1692  wscript.exe
64    5072  wscript.exe
-
Executes dropped EXE 1 IoCs
pid   Process
5020  mike king.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                      Process
Key value queried  \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation  wscript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation  wscript.exe
-
Drops startup file 4 IoCs
description                   ioc                                                                                     Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rOvqfjPlWe.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rOvqfjPlWe.js  wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js  wscript.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description  ioc                                                                                                                                                                   Process
Key opened   \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  mike king.exe
Key opened   \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                      mike king.exe
Key opened   \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                      mike king.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
5020  mike king.exe
5020  mike king.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  5020  mike king.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
5020  mike king.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description                      pid   Process      procid_target
PID 4092 wrote to memory of 1692  4092  wscript.exe  82
PID 4092 wrote to memory of 1692  4092  wscript.exe  82
PID 4092 wrote to memory of 5020  4092  wscript.exe  83
PID 4092 wrote to memory of 5020  4092  wscript.exe  83
PID 4092 wrote to memory of 5020  4092  wscript.exe  83
PID 1692 wrote to memory of 5072  1692  wscript.exe  84
PID 1692 wrote to memory of 5072  1692  wscript.exe  84
-
outlook_office_path 1 IoCs
description  ioc                                                                                                                                  Process
Key opened   \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  mike king.exe
-
outlook_win_path 1 IoCs
description  ioc                                                                                                                                                                   Process
Key opened   \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  mike king.exe
Processes (process tree; depth shown by indentation)

C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\b19ccae4e289a96091c9195d0610d0bd12b6634aacff934c6d90385464453555.js
  PID: 4092
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\rOvqfjPlWe.js"
      PID: 1692
      - Blocklisted process makes network request
      - Checks computer location settings
      - Drops startup file
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\wscript.exe
          Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
          PID: 5072
          - Blocklisted process makes network request
          - Drops startup file

    C:\Users\Admin\AppData\Local\Temp\mike king.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\mike king.exe"
      PID: 5020
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 209KB
MD5: 273034838d07e2c19d74764ec8e3a3d1
SHA1: 88bdac672b3fc746bfa9dba24d47b8c7dd8cb9c2
SHA256: 7bc141b2e517737a8ada4b00fa60ca593c9f699d52d0238fd8abe0acb2b95ea4
SHA512: 6cba47d0465f8cf058b8ea604a37112aa009346668f551e806aea854c32179ffa1862293800f936c9f4bc27478a1b9eed18316f758a6fb94db30f548b39e1006
-
Filesize: 209KB
MD5: 273034838d07e2c19d74764ec8e3a3d1
SHA1: 88bdac672b3fc746bfa9dba24d47b8c7dd8cb9c2
SHA256: 7bc141b2e517737a8ada4b00fa60ca593c9f699d52d0238fd8abe0acb2b95ea4
SHA512: 6cba47d0465f8cf058b8ea604a37112aa009346668f551e806aea854c32179ffa1862293800f936c9f4bc27478a1b9eed18316f758a6fb94db30f548b39e1006
-
Filesize: 6KB
MD5: a542a21ecaba36f6ba8c6457b8ab67f9
SHA1: 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
SHA256: bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
SHA512: 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a
-
Filesize: 26KB
MD5: e813e79958e40267e63e4da0ba6e966d
SHA1: 52c619a6e8b03dcb411658297a27de6c4f51ec43
SHA256: 5d4dada39679ee42dd14d60b3cf1210ea69d1e048ae952fc7d39e14ca17ae63a
SHA512: ce19f949662ebc3b78f94e87ada1f820a94b24dd5a07720b085463befe239c401fd5159bd564065b70347695253b7ce6676b21e96e56e00fe9e8461c39c36afc