Analysis
- max time kernel: 151s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2022 07:59
- Static task: static1
- Behavioral task: behavioral1 (Sample: PO_UIBHHX_1.js, Resource: win7-20220812-en)
- Behavioral task: behavioral2 (Sample: PO_UIBHHX_1.js, Resource: win10v2004-20220812-en)
General
- Target: PO_UIBHHX_1.js
- Size: 21KB
- MD5: 88c6e84831b422b9d434b07bbbe79c59
- SHA1: 70836ddd3f433ceeb4f41d0b838648128064ed9d
- SHA256: b27c1193731a6b9945c21dd07602cd5a5dc97ff12066175b9864af4172f2238f
- SHA512: 956e6f69292bbda69c92b39372a15c9464ec0ebb31cb91e6f9fb60b767238dfa1853d4a645b82c2c6e1e95cff75043bf7e31c652838e0175171b3a5de6167520
- SSDEEP: 384:QljVAOQlKJhuGBQMHhGKYXzYaB7n1onTaeLc3vNTo1Hmu6jI/BA/oyJ2wko:YQoJP/5i91oVONTo1GiJA/32Fo
Malware Config
- Extracted: agenttesla
  Protocol: smtp
  Host: smtp.yandex.ru
  Port: 587
  Username: dmkozlovd@yandex.ru
  Password: Newton@22
- Extracted: vjw0rm
  http://kezs.duckdns.org:7974
- Extracted: wshrat
  http://kezs.duckdns.org:1604
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (3 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\DMK.exe | family_agenttesla
  C:\Users\Admin\AppData\Roaming\DMK.exe | family_agenttesla
  behavioral1/memory/832-68-0x00000000012C0000-0x00000000012FC000-memory.dmp | family_agenttesla
- Blocklisted process makes network request (23 IoCs)
  Processes: wscript.exe, wscript.exe, wscript.exe
  flow | pid | process
  7 | 1988 | wscript.exe
  9 | 1112 | wscript.exe
  12 | 1988 | wscript.exe
  14 | 1140 | wscript.exe
  15 | 1140 | wscript.exe
  16 | 1140 | wscript.exe
  18 | 1140 | wscript.exe
  20 | 1140 | wscript.exe
  21 | 1140 | wscript.exe
  24 | 1988 | wscript.exe
  25 | 1140 | wscript.exe
  26 | 1140 | wscript.exe
  27 | 1140 | wscript.exe
  29 | 1140 | wscript.exe
  32 | 1140 | wscript.exe
  33 | 1140 | wscript.exe
  34 | 1140 | wscript.exe
  35 | 1988 | wscript.exe
  37 | 1140 | wscript.exe
  38 | 1140 | wscript.exe
  39 | 1140 | wscript.exe
  40 | 1140 | wscript.exe
  43 | 1140 | wscript.exe
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes: DMK.exe
  pid | process
  832 | DMK.exe
- Drops startup file (6 IoCs)
  Processes: wscript.exe, wscript.exe, WScript.exe, wscript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO_UIBHHX_1.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO_UIBHHX_1.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VKBxWYjIAN.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VKBxWYjIAN.js | wscript.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A3TSY8PDAB.js | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A3TSY8PDAB.js | wscript.exe
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: wscript.exe, WScript.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\A3TSY8PDAB = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\A3TSY8PDAB.js\"" | wscript.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | wscript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A3TSY8PDAB = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\A3TSY8PDAB.js\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\software\microsoft\windows\currentversion\run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\A3TSY8PDAB = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\A3TSY8PDAB.js\"" | WScript.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\A3TSY8PDAB = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\A3TSY8PDAB.js\"" | WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Script User-Agent (18 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes:
  description | flow | ioc
  HTTP User-Agent header | 37, 38, 39, 20, 25, 26, 14, 27, 32, 33, 34, 43, 15, 16, 21, 18, 29, 40 (one IoC per flow, identical value) | WSHRAT|D44DAEDB|ORXGKKZC|Admin|Microsoft Windows 7 Ultimate |plus|nan-av|false - 3/10/2022|JavaScript
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: DMK.exe
  pid | process
  832 | DMK.exe
  832 | DMK.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: DMK.exe
  description | pid | process
  Token: SeDebugPrivilege | 832 | DMK.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: wscript.exe, WScript.exe, wscript.exe
  description | pid | process | target process
  PID 1112 wrote to memory of 1988 | 1112 | wscript.exe | wscript.exe
  PID 1112 wrote to memory of 1988 | 1112 | wscript.exe | wscript.exe
  PID 1112 wrote to memory of 1988 | 1112 | wscript.exe | wscript.exe
  PID 1112 wrote to memory of 432 | 1112 | wscript.exe | WScript.exe
  PID 1112 wrote to memory of 432 | 1112 | wscript.exe | WScript.exe
  PID 1112 wrote to memory of 432 | 1112 | wscript.exe | WScript.exe
  PID 432 wrote to memory of 1140 | 432 | WScript.exe | wscript.exe
  PID 432 wrote to memory of 1140 | 432 | WScript.exe | wscript.exe
  PID 432 wrote to memory of 1140 | 432 | WScript.exe | wscript.exe
  PID 1140 wrote to memory of 832 | 1140 | wscript.exe | DMK.exe
  PID 1140 wrote to memory of 832 | 1140 | wscript.exe | DMK.exe
  PID 1140 wrote to memory of 832 | 1140 | wscript.exe | DMK.exe
  PID 1140 wrote to memory of 832 | 1140 | wscript.exe | DMK.exe
Processes
- [depth 1] C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO_UIBHHX_1.js
  - Blocklisted process makes network request
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VKBxWYjIAN.js"
    - Blocklisted process makes network request
    - Drops startup file
  - [depth 2] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A3TSY8PDAB.js"
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\A3TSY8PDAB.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Users\Admin\AppData\Roaming\DMK.exe
        Command line: "C:\Users\Admin\AppData\Roaming\DMK.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\A3TSY8PDAB.js
  Filesize: 21KB
  MD5: a10fa24ec89f7dda64967321a8be24e7
  SHA1: b186a636c7aec979036eb6b9bb4f15c6dd159127
  SHA256: 033c5eb405464194bd2627d0f284f95d1d59ab3e26a24045df1b49d3a084c8d2
  SHA512: ca68b738a14ad6a3d45fe75d66eefa0f6c83744d6716d8608d13890164177fc9c8a9d0e4e68ef5a7663f2b642abf17bd84ddf94b00d02e3f1b77bd3ad72001d5
- C:\Users\Admin\AppData\Roaming\A3TSY8PDAB.js
  Filesize: 21KB
  MD5: a10fa24ec89f7dda64967321a8be24e7
  SHA1: b186a636c7aec979036eb6b9bb4f15c6dd159127
  SHA256: 033c5eb405464194bd2627d0f284f95d1d59ab3e26a24045df1b49d3a084c8d2
  SHA512: ca68b738a14ad6a3d45fe75d66eefa0f6c83744d6716d8608d13890164177fc9c8a9d0e4e68ef5a7663f2b642abf17bd84ddf94b00d02e3f1b77bd3ad72001d5
- C:\Users\Admin\AppData\Roaming\DMK.exe
  Filesize: 216KB
  MD5: 7fb46e33d07dcbeaa61b6d73d3df8fed
  SHA1: 7b693bdc90f00f78732987ea464eef729b0bd716
  SHA256: 24349efca9f84bb910d1bd4af6f1aea4d4213797228e02101c395dc6d8a3d367
  SHA512: 2c3a5847bf4c0ff1857166a7d01ab30687cd448a1c227bae28005f45fe9fe53cca01824718eff0f886ff538d5da78a3dfd03ae0fdb5f2f4e2e2a4349e7b7497f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\A3TSY8PDAB.js
  Filesize: 21KB
  MD5: 1eee6f4672507446ef115c6a8f7f4258
  SHA1: 6cd632010b88ae33d3821f5f932c9a41cd7b3a06
  SHA256: 791f53a564c6693886c0b34a4ae378d1d9d2c7015ae1048300eb593765cf33c7
  SHA512: 5909f9c0bd7a12ccc041a90e3ab640c00d9ded0bafac72d7c04f9f4c0c006897f75dd9e193d919ab26e6439d00ab605011b4e2bf9e9d0fe41e41b228981648a3
- C:\Users\Admin\AppData\Roaming\VKBxWYjIAN.js
  Filesize: 7KB
  MD5: a6879aa1815de7572d007faaf0d3918d
  SHA1: d85862508053c6b3976d8cc21fde034e348eacd9
  SHA256: bc844688dcbbe53c41a70d181aa4f1a5f91b367519eca99cde04be94fe421bcd
  SHA512: 241f719157731d26ef36086e1c8bb6fbf34c18a5dd09c606d3717315f41d6c77f7237bac7cf051c5ae4a205ff61b6b3efd29e9e9d64c9c0931b0bad37bacd1ff
- memory/432-58-0x0000000000000000-mapping.dmp
- memory/832-65-0x0000000000000000-mapping.dmp
- memory/832-68-0x00000000012C0000-0x00000000012FC000-memory.dmp
  Filesize: 240KB
- memory/1112-54-0x000007FEFBCC1000-0x000007FEFBCC3000-memory.dmp
  Filesize: 8KB
- memory/1140-61-0x0000000000000000-mapping.dmp
- memory/1988-55-0x0000000000000000-mapping.dmp