Analysis
- max time kernel: 171s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-10-2022 07:59
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: PO_UIBHHX_1.js; resource: win7-20220812-en)
- Behavioral task: behavioral2 (sample: PO_UIBHHX_1.js; resource: win10v2004-20220812-en)
General
- Target: PO_UIBHHX_1.js
- Size: 21KB
- MD5: 88c6e84831b422b9d434b07bbbe79c59
- SHA1: 70836ddd3f433ceeb4f41d0b838648128064ed9d
- SHA256: b27c1193731a6b9945c21dd07602cd5a5dc97ff12066175b9864af4172f2238f
- SHA512: 956e6f69292bbda69c92b39372a15c9464ec0ebb31cb91e6f9fb60b767238dfa1853d4a645b82c2c6e1e95cff75043bf7e31c652838e0175171b3a5de6167520
- SSDEEP: 384:QljVAOQlKJhuGBQMHhGKYXzYaB7n1onTaeLc3vNTo1Hmu6jI/BA/oyJ2wko:YQoJP/5i91oVONTo1GiJA/32Fo
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: dmkozlovd@yandex.ru
- Password: Newton@22
Extracted: vjw0rm
- http://kezs.duckdns.org:7974
Extracted: wshrat
- http://kezs.duckdns.org:1604
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload (3 IoCs)
resource / yara_rule:
- C:\Users\Admin\AppData\Roaming\DMK.exe: family_agenttesla
- C:\Users\Admin\AppData\Roaming\DMK.exe: family_agenttesla
- behavioral2/memory/4432-142-0x0000000000A20000-0x0000000000A5C000-memory.dmp: family_agenttesla
Blocklisted process makes network request (21 IoCs)
process / pid / flows:
- wscript.exe (pid 3688): flows 11, 27, 37, 42, 54, 60
- wscript.exe (pid 4088): flow 14
- wscript.exe (pid 4308): flows 34, 36, 40, 41, 43, 47, 53, 55, 56, 57, 58, 59, 61, 62
Downloads MZ/PE file

Executes dropped EXE (1 IoCs)
- pid 4432: DMK.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
- wscript.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- WScript.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
- wscript.exe: Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
Drops startup file (6 IoCs)
- WScript.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PKCIU1HJSH.js
- wscript.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PKCIU1HJSH.js
- wscript.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO_UIBHHX_1.js
- wscript.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO_UIBHHX_1.js
- wscript.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VKBxWYjIAN.js
- wscript.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VKBxWYjIAN.js
Adds Run key to start application (2 TTPs, 9 IoCs)
- wscript.exe: Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
- DMK.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. = "C:\\Users\\Admin\\AppData\\Roaming\\.\\..exe"
- WScript.exe: Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run
- WScript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKCIU1HJSH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PKCIU1HJSH.js\""
- WScript.exe: Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run
- WScript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKCIU1HJSH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PKCIU1HJSH.js\""
- wscript.exe: Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run
- wscript.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKCIU1HJSH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PKCIU1HJSH.js\""
- wscript.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PKCIU1HJSH = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\PKCIU1HJSH.js\""
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
- wscript.exe: Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings
Script User-Agent (12 IoCs)
Uses user-agent string associated with script host/environment.
- HTTP User-Agent header (flows 34, 40, 41, 43, 47, 55, 56, 57, 58, 59, 61, 62): WSHRAT|94D95F5C|GBQHURCC|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 3/10/2022|JavaScript
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 4432: DMK.exe
- pid 4432: DMK.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
- pid 4432 DMK.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (9 IoCs)
- PID 4088 (wscript.exe) wrote to memory of 3688 (wscript.exe)
- PID 4088 (wscript.exe) wrote to memory of 3688 (wscript.exe)
- PID 4088 (wscript.exe) wrote to memory of 4968 (WScript.exe)
- PID 4088 (wscript.exe) wrote to memory of 4968 (WScript.exe)
- PID 4968 (WScript.exe) wrote to memory of 4308 (wscript.exe)
- PID 4968 (WScript.exe) wrote to memory of 4308 (wscript.exe)
- PID 4308 (wscript.exe) wrote to memory of 4432 (DMK.exe)
- PID 4308 (wscript.exe) wrote to memory of 4432 (DMK.exe)
- PID 4308 (wscript.exe) wrote to memory of 4432 (DMK.exe)
Processes (tree, depth shown by indentation)
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO_UIBHHX_1.js
   - Blocklisted process makes network request
   - Checks computer location settings
   - Drops startup file
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\VKBxWYjIAN.js"
      - Blocklisted process makes network request
      - Drops startup file
   2. C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PKCIU1HJSH.js"
      - Checks computer location settings
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\wscript.exe
         Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\PKCIU1HJSH.js"
         - Blocklisted process makes network request
         - Checks computer location settings
         - Drops startup file
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\DMK.exe
            Command line: "C:\Users\Admin\AppData\Roaming\DMK.exe"
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Downloads (dropped files)

C:\Users\Admin\AppData\Local\Temp\PKCIU1HJSH.js
- Filesize: 21KB
- MD5: a10fa24ec89f7dda64967321a8be24e7
- SHA1: b186a636c7aec979036eb6b9bb4f15c6dd159127
- SHA256: 033c5eb405464194bd2627d0f284f95d1d59ab3e26a24045df1b49d3a084c8d2
- SHA512: ca68b738a14ad6a3d45fe75d66eefa0f6c83744d6716d8608d13890164177fc9c8a9d0e4e68ef5a7663f2b642abf17bd84ddf94b00d02e3f1b77bd3ad72001d5

C:\Users\Admin\AppData\Roaming\DMK.exe
- Filesize: 216KB
- MD5: 7fb46e33d07dcbeaa61b6d73d3df8fed
- SHA1: 7b693bdc90f00f78732987ea464eef729b0bd716
- SHA256: 24349efca9f84bb910d1bd4af6f1aea4d4213797228e02101c395dc6d8a3d367
- SHA512: 2c3a5847bf4c0ff1857166a7d01ab30687cd448a1c227bae28005f45fe9fe53cca01824718eff0f886ff538d5da78a3dfd03ae0fdb5f2f4e2e2a4349e7b7497f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PKCIU1HJSH.js
- Filesize: 21KB
- MD5: 28b8b78206e6a88fd1eb6c9662754303
- SHA1: 22a4b86ad554f0b78a37b5c4455e33dc6c9f5823
- SHA256: 06d68e31c648f32d0c72946807d4d7ab2a476dfd4e498e62faeef9a05489073f
- SHA512: b95e28b6f5fb3da2fc89919cd0393225485ad2f4d74295f9a9bbf98b429ae9eaae7324a11ded92d297939705f6972b6bd2ac7d099321e50d09481ed26cf0110f

C:\Users\Admin\AppData\Roaming\PKCIU1HJSH.js
- Filesize: 21KB
- MD5: a10fa24ec89f7dda64967321a8be24e7
- SHA1: b186a636c7aec979036eb6b9bb4f15c6dd159127
- SHA256: 033c5eb405464194bd2627d0f284f95d1d59ab3e26a24045df1b49d3a084c8d2
- SHA512: ca68b738a14ad6a3d45fe75d66eefa0f6c83744d6716d8608d13890164177fc9c8a9d0e4e68ef5a7663f2b642abf17bd84ddf94b00d02e3f1b77bd3ad72001d5

C:\Users\Admin\AppData\Roaming\VKBxWYjIAN.js
- Filesize: 7KB
- MD5: a6879aa1815de7572d007faaf0d3918d
- SHA1: d85862508053c6b3976d8cc21fde034e348eacd9
- SHA256: bc844688dcbbe53c41a70d181aa4f1a5f91b367519eca99cde04be94fe421bcd
- SHA512: 241f719157731d26ef36086e1c8bb6fbf34c18a5dd09c606d3717315f41d6c77f7237bac7cf051c5ae4a205ff61b6b3efd29e9e9d64c9c0931b0bad37bacd1ff

Memory dumps
- memory/3688-132-0x0000000000000000-mapping.dmp
- memory/4308-136-0x0000000000000000-mapping.dmp
- memory/4432-139-0x0000000000000000-mapping.dmp
- memory/4432-142-0x0000000000A20000-0x0000000000A5C000-memory.dmp (Filesize: 240KB)
- memory/4432-143-0x0000000005990000-0x0000000005F34000-memory.dmp (Filesize: 5.6MB)
- memory/4432-144-0x0000000005480000-0x0000000005512000-memory.dmp (Filesize: 584KB)
- memory/4432-145-0x0000000005610000-0x00000000056AC000-memory.dmp (Filesize: 624KB)
- memory/4432-146-0x00000000062F0000-0x0000000006356000-memory.dmp (Filesize: 408KB)
- memory/4968-134-0x0000000000000000-mapping.dmp