Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/08/2022, 02:41

General

  • Target

    b19ccae4e289a96091c9195d0610d0bd12b6634aacff934c6d90385464453555.js

  • Size

    427KB

  • MD5

    2d8193ff53b965ddcacc30ab8c7397a5

  • SHA1

    18c53d136df295ca2c47bd5f863ed5bc703cd672

  • SHA256

    b19ccae4e289a96091c9195d0610d0bd12b6634aacff934c6d90385464453555

  • SHA512

    627a28608f0a2f6f8238881905ce2ec12c73cfb2ecba0f7087aa12deed7c807623c7ad55b3bbf45ac9cf082d0779fe49a17eeee6bdceb9c4699dac0a9c8ff98c

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5400730219:AAF6yJi-sq4as7PeSLNrtiGC96YCaGma0y8/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 32 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\b19ccae4e289a96091c9195d0610d0bd12b6634aacff934c6d90385464453555.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\rOvqfjPlWe.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:5072
    • C:\Users\Admin\AppData\Local\Temp\mike king.exe
      "C:\Users\Admin\AppData\Local\Temp\mike king.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:5020

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\mike king.exe

          Filesize

          209KB

          MD5

          273034838d07e2c19d74764ec8e3a3d1

          SHA1

          88bdac672b3fc746bfa9dba24d47b8c7dd8cb9c2

          SHA256

          7bc141b2e517737a8ada4b00fa60ca593c9f699d52d0238fd8abe0acb2b95ea4

          SHA512

          6cba47d0465f8cf058b8ea604a37112aa009346668f551e806aea854c32179ffa1862293800f936c9f4bc27478a1b9eed18316f758a6fb94db30f548b39e1006

        • C:\Users\Admin\AppData\Local\Temp\mike king.exe

          Filesize

          209KB

          MD5

          273034838d07e2c19d74764ec8e3a3d1

          SHA1

          88bdac672b3fc746bfa9dba24d47b8c7dd8cb9c2

          SHA256

          7bc141b2e517737a8ada4b00fa60ca593c9f699d52d0238fd8abe0acb2b95ea4

          SHA512

          6cba47d0465f8cf058b8ea604a37112aa009346668f551e806aea854c32179ffa1862293800f936c9f4bc27478a1b9eed18316f758a6fb94db30f548b39e1006

        • C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js

          Filesize

          6KB

          MD5

          a542a21ecaba36f6ba8c6457b8ab67f9

          SHA1

          3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c

          SHA256

          bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b

          SHA512

          78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a

        • C:\Users\Admin\AppData\Roaming\rOvqfjPlWe.js

          Filesize

          26KB

          MD5

          e813e79958e40267e63e4da0ba6e966d

          SHA1

          52c619a6e8b03dcb411658297a27de6c4f51ec43

          SHA256

          5d4dada39679ee42dd14d60b3cf1210ea69d1e048ae952fc7d39e14ca17ae63a

          SHA512

          ce19f949662ebc3b78f94e87ada1f820a94b24dd5a07720b085463befe239c401fd5159bd564065b70347695253b7ce6676b21e96e56e00fe9e8461c39c36afc

        • memory/5020-139-0x0000000000A00000-0x0000000000A3A000-memory.dmp

          Filesize

          232KB

        • memory/5020-140-0x00000000059E0000-0x0000000005F84000-memory.dmp

          Filesize

          5.6MB

        • memory/5020-141-0x0000000005430000-0x00000000054CC000-memory.dmp

          Filesize

          624KB

        • memory/5020-142-0x00000000060D0000-0x0000000006136000-memory.dmp

          Filesize

          408KB

        • memory/5020-143-0x0000000006740000-0x0000000006790000-memory.dmp

          Filesize

          320KB

        • memory/5020-144-0x0000000006EA0000-0x0000000006F32000-memory.dmp

          Filesize

          584KB

        • memory/5020-145-0x0000000006E30000-0x0000000006E3A000-memory.dmp

          Filesize

          40KB