Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 05:36
Static task: static1
Behavioral task: behavioral1
  Sample: 7c5e8174cdba01f663d435d1ea9d3c41.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 7c5e8174cdba01f663d435d1ea9d3c41.js
  Resource: win10v2004-20220812-en
General
Target: 7c5e8174cdba01f663d435d1ea9d3c41.js
Size: 374KB
MD5: 2c18b9d4a4e1519c66e969e5296eb46d
SHA1: b2852a309cab8cf2315f1b9898c4209d63c617e7
SHA256: 2d96512f33cd8445144d7e54a10372aee634560021661e5988ff503bbff094fd
SHA512: d2369695292d171792e4aa21a3ecaa60ad8068bca86aa9e275a387f14703ec1502be74e9169a94b1fb5a55a0c2f305dae59803b27d21ac734180be301e4a3942
SSDEEP: 6144:Nw/VyURyDDckawASdoFoYbwXiC4gJMYSDnc3erU5B7LGfMzD:iy4xA4gJNSvgmfM/
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5752794370:AAGHbBIUSUvwQW5dpdi3bNZyPbHwpEPD5r0/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Blocklisted process makes network request 6 IoCs
Processes: wscript.exe
flow 5, pid 5004, wscript.exe
flow 16, pid 5004, wscript.exe
flow 33, pid 5004, wscript.exe
flow 47, pid 5004, wscript.exe
flow 51, pid 5004, wscript.exe
flow 65, pid 5004, wscript.exe
-
Executes dropped EXE 1 IoCs
Processes: RRRTTT.exe
pid 4968, RRRTTT.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (wscript.exe)
-
Drops startup file 2 IoCs
Processes: wscript.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lGAgOfKqAd.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lGAgOfKqAd.js (wscript.exe)
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: RRRTTT.exe
Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RRRTTT.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RRRTTT.exe)
Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RRRTTT.exe)
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 8, ioc api.ipify.org
flow 9, ioc api.ipify.org
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: RRRTTT.exe
pid 4968, RRRTTT.exe
pid 4968, RRRTTT.exe
pid 4968, RRRTTT.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: RRRTTT.exe
Token: SeDebugPrivilege, pid 4968, RRRTTT.exe
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes: wscript.exe
PID 4528 wrote to memory of 5004 (wscript.exe -> wscript.exe)
PID 4528 wrote to memory of 5004 (wscript.exe -> wscript.exe)
PID 4528 wrote to memory of 4968 (wscript.exe -> RRRTTT.exe)
PID 4528 wrote to memory of 4968 (wscript.exe -> RRRTTT.exe)
PID 4528 wrote to memory of 4968 (wscript.exe -> RRRTTT.exe)
-
outlook_office_path 1 IoCs
Processes: RRRTTT.exe
Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RRRTTT.exe)
-
outlook_win_path 1 IoCs
Processes: RRRTTT.exe
Key opened: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RRRTTT.exe)
Processes
-
C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\7c5e8174cdba01f663d435d1ea9d3c41.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 4528
  -
  C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lGAgOfKqAd.js"
    - Blocklisted process makes network request
    - Drops startup file
    PID: 5004
  -
  C:\Users\Admin\AppData\Roaming\RRRTTT.exe
    "C:\Users\Admin\AppData\Roaming\RRRTTT.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID: 4968
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\RRRTTT.exe
Filesize: 196KB
MD5: cef584fa8a5b62e4ecb231b3a4ae17f6
SHA1: b913140c163cf97c6d50746ec6eef293bb4a2044
SHA256: c3062dae9f9438eef148f1e7518b7f10d7bbe294d6d60dd0c3c16058c8be5d41
SHA512: 7d6f09d9bcf8abd1567a2477366226a888aaef6ce46df3a44761236c748a5960491f167f8f7c1d2f9feb8143956e9ca134d603431adcd80ea26811404deb6fc5
-
C:\Users\Admin\AppData\Roaming\lGAgOfKqAd.js
Filesize: 10KB
MD5: fa9d0f9f212317c220572faa7712088a
SHA1: d9e7d578de835f00ecf97b08b35f4f658cfa6438
SHA256: c42b2f4dbe43245dc08093394ff74dfb85ae95e2165f8cac39af88ae08eabfea
SHA512: 8c133db7ef32a34ed2a0716022fdbdba4e334113d75376b851b908b3bc99dda8aced16533c79451ae5edfe964295a3ad03c853490de1af31a1968b04deaed7b8
-
memory/4968-134-0x0000000000000000-mapping.dmp
-
memory/4968-137-0x0000000000940000-0x0000000000978000-memory.dmp
Filesize: 224KB
-
memory/4968-138-0x00000000058A0000-0x0000000005E44000-memory.dmp
Filesize: 5.6MB
-
memory/4968-139-0x0000000005390000-0x000000000542C000-memory.dmp
Filesize: 624KB
-
memory/4968-140-0x0000000005830000-0x0000000005896000-memory.dmp
Filesize: 408KB
-
memory/4968-141-0x0000000006AE0000-0x0000000006B30000-memory.dmp
Filesize: 320KB
-
memory/4968-142-0x0000000006C80000-0x0000000006D12000-memory.dmp
Filesize: 584KB
-
memory/4968-143-0x0000000006FB0000-0x0000000006FBA000-memory.dmp
Filesize: 40KB
-
memory/5004-132-0x0000000000000000-mapping.dmp