Analysis
- max time kernel: 138s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/01/2024, 19:23
Static task: static1
Behavioral task: behavioral1
  Sample: 470009d741e322fe3c1325400818adb1.vbs
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 470009d741e322fe3c1325400818adb1.vbs
  Resource: win10v2004-20231215-en
General
- Target: 470009d741e322fe3c1325400818adb1.vbs
- Size: 2.1MB
- MD5: 470009d741e322fe3c1325400818adb1
- SHA1: b820684ec4f06ecd27ca84bfd5c36f83d14144fa
- SHA256: 3037bc78a5195bafc18d9b77704137680db76d2261895e96d876753bb2598b43
- SHA512: 7625698b872e20bc14bb9c60b97162be94ea1ccbca736f448a20dad420d7358518be49a5699af68d354997f420856720fe5fa48abc0b3197c3f8779a9b8787a0
- SSDEEP: 24576:OQOFZDEVQiHz09jcAVQYc7RtyXZxolR7UMx9ke7zxV1a3Xh6gvEycpryXxoOR7Un:u/g/BdRWol1nPkMgvMpgoOfuj
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: sys2021.linkpc.net:11940, 23.94.82.41:11940
- Mutex: de7e01ad-963b-4e14-81aa-08dfb351f0fe
- activate_away_mode: false
- backup_connection_host: 23.94.82.41
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2021-04-24T08:14:59.254967636Z
- bypass_user_account_control: true
- bypass_user_account_control_data: 
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 11940
- default_group: Do
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: de7e01ad-963b-4e14-81aa-08dfb351f0fe
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: sys2021.linkpc.net
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: mail.jetport-aero.com
- Port: 587
- Username: [email protected]
- Password: Niniola@456
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect ZGRat V1 (36 IoCs)
resource  yara_rule
behavioral2/memory/4152-34-0x0000000007670000-0x00000000076EC000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-35-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-37-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-42-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-41-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-45-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-50-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-49-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-53-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-57-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-58-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-62-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-66-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-65-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-70-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-69-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-74-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-73-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-78-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-82-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-86-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-85-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-91-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-96-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-100-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-99-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-95-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-90-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-81-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-77-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-61-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/4152-54-0x0000000007670000-0x00000000076E6000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-46-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-38-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-36-0x00000000082D0000-0x0000000008337000-memory.dmp  family_zgrat_v1
behavioral2/memory/384-33-0x00000000082D0000-0x000000000833C000-memory.dmp  family_zgrat_v1
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Chromes64\\Explorer64.exe\","  name.exe
AgentTesla payload (1 IoC)
resource  yara_rule
behavioral2/memory/2456-4261-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation  WScript.exe
Executes dropped EXE (3 IoCs)
pid  Process
4152  file.exe
384  name.exe
4476  name.exe
Suspicious use of SetThreadContext (1 IoC)
description  pid  Process  procid_target
PID 384 set thread context of 4476  384  name.exe  113
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  Process
384  name.exe
384  name.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  4152  file.exe
Token: SeDebugPrivilege  384  name.exe
Suspicious use of WriteProcessMemory (14 IoCs)
description  pid  Process  procid_target
PID 2808 wrote to memory of 4152  2808  WScript.exe  19
PID 2808 wrote to memory of 4152  2808  WScript.exe  19
PID 2808 wrote to memory of 4152  2808  WScript.exe  19
PID 2808 wrote to memory of 384  2808  WScript.exe  23
PID 2808 wrote to memory of 384  2808  WScript.exe  23
PID 2808 wrote to memory of 384  2808  WScript.exe  23
PID 384 wrote to memory of 4476  384  name.exe  113
PID 384 wrote to memory of 4476  384  name.exe  113
PID 384 wrote to memory of 4476  384  name.exe  113
PID 384 wrote to memory of 4476  384  name.exe  113
PID 384 wrote to memory of 4476  384  name.exe  113
PID 384 wrote to memory of 4476  384  name.exe  113
PID 384 wrote to memory of 4476  384  name.exe  113
PID 384 wrote to memory of 4476  384  name.exe  113
Processes
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\470009d741e322fe3c1325400818adb1.vbs"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2808
  C:\Users\Admin\AppData\Local\Temp\file.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 4152
    C:\Users\Admin\AppData\Local\Temp\file.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\file.exe
      PID: 2456
  C:\Users\Admin\AppData\Local\Temp\name.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\name.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 384
    C:\Users\Admin\AppData\Local\Temp\name.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\name.exe
      - Executes dropped EXE
      PID: 4476
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 7ebe314bf617dc3e48b995a6c352740c
  SHA1: 538f643b7b30f9231a3035c448607f767527a870
  SHA256: 48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8
  SHA512: 0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e
- Filesize: 773KB
  MD5: 843b05b31229171651f06a8e6c92a2de
  SHA1: 25ff3a13a7766197486cf50b9e659b73baa4fced
  SHA256: e5636d46ceb380625fb6b1a22cad3877efc8af5e030c48e31ea73a8942f44705
  SHA512: 740b50424e64a1c77f01b41f1a7686d674d9326b238fcf10cfb163f1b12854bf864d6ff96b07133699650129f47ef7ce74f41fb0f0a4f03c751d3c10dd29196c