Analysis
max time kernel: 128s
max time network: 141s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 18/10/2022, 11:10
Static task: static1
Behavioral task: behavioral1
  Sample: COAVegum-pdf.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: COAVegum-pdf.js
  Resource: win10v2004-20220901-en
General
Target: COAVegum-pdf.js
Size: 407KB
MD5: 84fc56a0f392b4bdd5051ef094e3a0f7
SHA1: b54064006b82d4627df88aec46f83cd191a5d372
SHA256: bdfeaf2f10c5843da5e7a5b5cfefe48f60cd4754d2a331c8c1dfb5c3a90fb7d1
SHA512: 921c602a5955c663fe75248d2a23e7ba0af045a4ed0f619f372298a166c7f6be4992881848b18333ceeb562d25f8c7d36c3ad3915eff030b835617bc8000dcd3
SSDEEP: 6144:g+2VMvtkvHZhnXtXx6OnRcvlhnYgltbmZ728U6PcJg2nHpb:WMvtkfZhXtXMOGTndW746EJgyb
Malware Config
Extracted
Protocol: smtp
Host: server240.web-hosting.com
Port: 587
Username: [email protected]
Password: Success4sure2day10@
Signatures
-
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and information stealer, written in Visual Basic .NET. The SMTP host and credentials extracted above are the exfiltration channel configured in this sample.
-
Blocklisted process makes network request 5 IoCs
flow  pid   Process
4     2020  wscript.exe
9     2020  wscript.exe
11    2020  wscript.exe
13    2020  wscript.exe
14    2020  wscript.exe
-
Executes dropped EXE 1 IoCs
pid   Process
1516  anew4FUDcrypt.exe
-
Drops startup file 2 IoCs
description                   ioc                                                                                     Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WfPDtvsdEF.js   wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WfPDtvsdEF.js   wscript.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description  ioc                                                                                                                                                          Process
Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                    anew4FUDcrypt.exe
Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   anew4FUDcrypt.exe
Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                                    anew4FUDcrypt.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                                          Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\audio_dg = "C:\\Users\\Admin\\AppData\\Roaming\\audio_dg\\audio_dg.exe"   anew4FUDcrypt.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
5     api.ipify.org
6     api.ipify.org
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: nothing else in this report (no mass file modification, no ransom note) supports it, and for an AgentTesla sample drive enumeration is consistent with the stealer's collection of system information rather than with encryption.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid   Process
1516  anew4FUDcrypt.exe
1516  anew4FUDcrypt.exe
1516  anew4FUDcrypt.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  1516  anew4FUDcrypt.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
1516  anew4FUDcrypt.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
description                       pid   Process      procid_target
PID 1948 wrote to memory of 2020  1948  wscript.exe  28
PID 1948 wrote to memory of 2020  1948  wscript.exe  28
PID 1948 wrote to memory of 2020  1948  wscript.exe  28
PID 1948 wrote to memory of 1516  1948  wscript.exe  29
PID 1948 wrote to memory of 1516  1948  wscript.exe  29
PID 1948 wrote to memory of 1516  1948  wscript.exe  29
PID 1948 wrote to memory of 1516  1948  wscript.exe  29
-
outlook_office_path 1 IoCs
description  ioc                                                                                                                                         Process
Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   anew4FUDcrypt.exe
-
outlook_win_path 1 IoCs
description  ioc                                                                                                                                                          Process
Key opened   \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   anew4FUDcrypt.exe
Processes
-
C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\COAVegum-pdf.js
  - Suspicious use of WriteProcessMemory
  PID: 1948
  |
  +- C:\Windows\System32\wscript.exe
  |    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WfPDtvsdEF.js"
  |    - Blocklisted process makes network request
  |    - Drops startup file
  |    PID: 2020
  |
  +- C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe
       "C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe"
       - Executes dropped EXE
       - Accesses Microsoft Outlook profiles
       - Adds Run key to start application
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of SetWindowsHookEx
       - outlook_office_path
       - outlook_win_path
       PID: 1516

Note on the chain: the //B switch runs Windows Script Host in batch mode, so script errors and prompts are suppressed and the second-stage script in AppData\Roaming executes silently; that process (PID 2020) then writes a same-named .js into the user's Startup folder for persistence at logon, while the dropped EXE (PID 1516) adds its own Run key under audio_dg.
-
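As an added example (not part of the Tria.ge report and not code from the sample), the following Python turns the behaviours recorded under Malware Config, Signatures and Processes above into detection logic and runs it over constructed Sysmon-style events modelled on this report: the wscript.exe to wscript.exe //B chain from AppData\Roaming, the .js written to the Startup folder, the dropped EXE launched from Temp, the Run key pointing into AppData\Roaming, the api.ipify.org lookup, and an outbound connection on port 587 to the SMTP host from the extracted config (the report's network section does not record that connection; the event is built from the config). Field names follow Sysmon; the browser and mail-client allowlists and the three benign control events are assumptions.

```python
"""Detection logic for the behaviours in this report, run over constructed
Sysmon-style records: EventID 1 (process create), 3 (network connect),
11 (file create), 13 (registry value set) and 22 (DNS query)."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed allowlists; tune to the monitored estate.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
IP_LOOKUP_DOMAINS = {"api.ipify.org"}  # the service seen in this report
SMTP_PORTS = {25, 465, 587}            # 587 is the port in the extracted config
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Users\\Public\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
BATCH_FLAG = re.compile(r"(?:^|\s)//?b(?:\s|$)", re.I)  # //B: batch mode, no error dialogs


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    evidence: str


def _image(path: str) -> str:
    """Basename of an image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Finding per rule hit; each rule maps to a signature in the report."""
    findings = []
    for e in events:
        eid, pid, img = e["EventID"], e["ProcessId"], _image(e["Image"])
        if eid == 1:
            parent = _image(e.get("ParentImage", ""))
            cmd = e.get("CommandLine", "")
            if img in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
                findings.append(Finding("script_host_chain", pid, cmd))
            if img in SCRIPT_HOSTS and BATCH_FLAG.search(cmd) and USER_WRITABLE.search(cmd):
                findings.append(Finding("script_host_batch_user_path", pid, cmd))
            if parent in SCRIPT_HOSTS and img not in SCRIPT_HOSTS and USER_WRITABLE.search(e["Image"]):
                findings.append(Finding("script_host_spawned_exe", pid, e["Image"]))
        elif eid == 3:
            if e["DestinationPort"] in SMTP_PORTS and img not in MAIL_CLIENTS:
                dst = f'{e["DestinationHostname"]}:{e["DestinationPort"]}'
                findings.append(Finding("smtp_from_non_mail_client", pid, dst))
        elif eid == 11:
            target = e["TargetFilename"]
            if STARTUP_DIR.search(target) and target.lower().endswith(SCRIPT_EXTS):
                findings.append(Finding("startup_script_drop", pid, target))
        elif eid == 13:
            if RUN_KEY.search(e["TargetObject"]) and USER_WRITABLE.search(e.get("Details", "")):
                findings.append(Finding("run_key_user_writable", pid, e["Details"]))
        elif eid == 22:
            if e["QueryName"].lower() in IP_LOOKUP_DOMAINS and img not in BROWSERS:
                findings.append(Finding("external_ip_lookup", pid, e["QueryName"]))
    return findings


WSCRIPT = r"C:\Windows\System32\wscript.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe"
SID = r"HKU\S-1-5-21-2292972927-2705560509-2768824231-1000"

# Constructed events modelled on the report's process tree and signatures,
# followed by three benign controls that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1948, "Image": WSCRIPT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\COAVegum-pdf.js"},
    {"EventID": 1, "ProcessId": 2020, "Image": WSCRIPT, "ParentImage": WSCRIPT,
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WfPDtvsdEF.js"'},
    {"EventID": 11, "ProcessId": 2020, "Image": WSCRIPT,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WfPDtvsdEF.js"},
    {"EventID": 1, "ProcessId": 1516, "Image": DROPPED, "ParentImage": WSCRIPT, "CommandLine": f'"{DROPPED}"'},
    {"EventID": 13, "ProcessId": 1516, "Image": DROPPED,
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\audio_dg",
     "Details": r"C:\Users\Admin\AppData\Roaming\audio_dg\audio_dg.exe"},
    {"EventID": 22, "ProcessId": 1516, "Image": DROPPED, "QueryName": "api.ipify.org"},
    {"EventID": 3, "ProcessId": 1516, "Image": DROPPED,
     "DestinationHostname": "server240.web-hosting.com", "DestinationPort": 587},
    # benign controls (assumed): a licensing script in System32, a browser, a real mail client
    {"EventID": 1, "ProcessId": 3000, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cscript.exe //B C:\Windows\System32\slmgr.vbs /dlv"},
    {"EventID": 22, "ProcessId": 3100, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "api.ipify.org"},
    {"EventID": 3, "ProcessId": 3200, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.evidence}")
```

Running the script prints seven findings, all against PIDs 2020 and 1516, and none against the controls. The initial launch by PID 1948 (explorer.exe running a .js from Temp) is deliberately not a rule: a lone script host on a user file is too noisy on its own, whereas the //B relaunch from AppData\Roaming, the Startup-folder drop, the Run key into a user-writable path, the non-browser IP lookup and SMTP from a non-mail process are the discriminating events. The Outlook profile key opens in the report are API-level observations with no Sysmon equivalent and are left out.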
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 218KB
MD5: d38c08505b96562261c3920265bb4f97
SHA1: 7b7bb2838e3e04d412fdde726b351ac0a6eaba80
SHA256: 83a0e9ffbf7ec5895ec2062597c34e6e88cc48a608896e2722b78677e2e04ea9
SHA512: 9eac7bb3dac64db0aa5c90d6609545fb1b2c07b7721c01046db11742e4097e9c6b842dadd9e97627e6f9df73abe98494e2616467a339051fc9cf8fc00df0b4d8
-
Filesize: 7KB
MD5: e2f132785fa07b0d29a5e94676f06e0b
SHA1: 6e8cd782c173a0b145d68a16952e7aa3a5bc26a1
SHA256: 844966b61c3a7065a8b313ad25d65dd05ee4440c4b1f609fd0d175c926ce8d85
SHA512: 88ad1be03af8ecb549008e095c219848dec04398352fd1c8e7d6e706dbb9642f07fc87b326c56c288a93bc451512f60f8c8f6b250ea1609aa47e02831586dd57