Analysis
-
max time kernel: 142s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/10/2022, 11:10
Static task: static1
Behavioral task: behavioral1
Sample: COAVegum-pdf.js
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: COAVegum-pdf.js
Resource: win10v2004-20220901-en
General
-
Target: COAVegum-pdf.js
Size: 407KB
MD5: 84fc56a0f392b4bdd5051ef094e3a0f7
SHA1: b54064006b82d4627df88aec46f83cd191a5d372
SHA256: bdfeaf2f10c5843da5e7a5b5cfefe48f60cd4754d2a331c8c1dfb5c3a90fb7d1
SHA512: 921c602a5955c663fe75248d2a23e7ba0af045a4ed0f619f372298a166c7f6be4992881848b18333ceeb562d25f8c7d36c3ad3915eff030b835617bc8000dcd3
SSDEEP: 6144:g+2VMvtkvHZhnXtXx6OnRcvlhnYgltbmZ728U6PcJg2nHpb:WMvtkfZhXtXMOGTndW746EJgyb
Malware Config
Extracted
Protocol: smtp
Host: server240.web-hosting.com
Port: 587
Username: [email protected]
Password: Success4sure2day10@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Blocklisted process makes network request (6 IoCs)
flow | pid | Process
5 | 3140 | wscript.exe
22 | 3140 | wscript.exe
35 | 3140 | wscript.exe
37 | 3140 | wscript.exe
39 | 3140 | wscript.exe
40 | 3140 | wscript.exe
-
Executes dropped EXE (1 IoCs)
pid | Process
3084 | anew4FUDcrypt.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | wscript.exe
-
Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WfPDtvsdEF.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WfPDtvsdEF.js | wscript.exe
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | anew4FUDcrypt.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | anew4FUDcrypt.exe
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | anew4FUDcrypt.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audio_dg = "C:\\Users\\Admin\\AppData\\Roaming\\audio_dg\\audio_dg.exe" | anew4FUDcrypt.exe
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
12 | api.ipify.org
13 | api.ipify.org
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
3084 | anew4FUDcrypt.exe
3084 | anew4FUDcrypt.exe
3084 | anew4FUDcrypt.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3084 | anew4FUDcrypt.exe
-
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3084 | anew4FUDcrypt.exe
-
Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | Process | procid_target
PID 4880 wrote to memory of 3140 | 4880 | wscript.exe | 82
PID 4880 wrote to memory of 3140 | 4880 | wscript.exe | 82
PID 4880 wrote to memory of 3084 | 4880 | wscript.exe | 83
PID 4880 wrote to memory of 3084 | 4880 | wscript.exe | 83
PID 4880 wrote to memory of 3084 | 4880 | wscript.exe | 83
-
outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | anew4FUDcrypt.exe
-
outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | anew4FUDcrypt.exe
Processes
-
C:\Windows\system32\wscript.exe (depth 1)
Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\COAVegum-pdf.js
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID: 4880
-
  C:\Windows\System32\wscript.exe (depth 2, child of PID 4880)
  Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\WfPDtvsdEF.js"
  - Blocklisted process makes network request
  - Drops startup file
  PID: 3140
-
  C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe (depth 2, child of PID 4880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\anew4FUDcrypt.exe"
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID: 3084
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 218KB
MD5: d38c08505b96562261c3920265bb4f97
SHA1: 7b7bb2838e3e04d412fdde726b351ac0a6eaba80
SHA256: 83a0e9ffbf7ec5895ec2062597c34e6e88cc48a608896e2722b78677e2e04ea9
SHA512: 9eac7bb3dac64db0aa5c90d6609545fb1b2c07b7721c01046db11742e4097e9c6b842dadd9e97627e6f9df73abe98494e2616467a339051fc9cf8fc00df0b4d8
-
Filesize: 7KB
MD5: e2f132785fa07b0d29a5e94676f06e0b
SHA1: 6e8cd782c173a0b145d68a16952e7aa3a5bc26a1
SHA256: 844966b61c3a7065a8b313ad25d65dd05ee4440c4b1f609fd0d175c926ce8d85
SHA512: 88ad1be03af8ecb549008e095c219848dec04398352fd1c8e7d6e706dbb9642f07fc87b326c56c288a93bc451512f60f8c8f6b250ea1609aa47e02831586dd57