Analysis
- max time kernel: 147s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 01:00
Static task: static1
Behavioral task: behavioral1
- Sample: 010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs
- Resource: win10v2004-20240508-en
General
- Target: 010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs
- Size: 3.2MB
- MD5: 3a3f7a4a8b7ea91bd05523cb83456441
- SHA1: 20bbbe54a25cced1f74f34521918effd6aa5877d
- SHA256: 010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1
- SHA512: c86b406a756a9f5ad7f1368e741687af94e12ee258fc42c99c9f14d6118ded6976a09e7d7fa1840d17c72d827a900760bf69dceb774798db1a3e86fa293ba0ed
- SSDEEP: 6144:0BRlhwEEM38fLACxm31KtNnzZnZjIylZLImb:0zYuIN/flHb
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: bizr usjt guapiims
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs
  resource | yara_rule
  behavioral2/files/0x0002000000022a48-10.dat | INDICATOR_EXE_Packed_GEN01
  behavioral2/memory/3424-18-0x0000000000290000-0x00000000002D4000-memory.dmp | INDICATOR_EXE_Packed_GEN01
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  resource | yara_rule
  behavioral2/files/0x0002000000022a48-10.dat | INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral2/memory/3424-18-0x0000000000290000-0x00000000002D4000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
- Detects executables referencing Windows vault credential objects. Observed in infostealers. 2 IoCs
  resource | yara_rule
  behavioral2/files/0x0002000000022a48-10.dat | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral2/memory/3424-18-0x0000000000290000-0x00000000002D4000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. 2 IoCs
  resource | yara_rule
  behavioral2/files/0x0002000000022a48-10.dat | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral2/memory/3424-18-0x0000000000290000-0x00000000002D4000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
- Detects executables referencing many email and collaboration clients. Observed in information stealers. 2 IoCs
  resource | yara_rule
  behavioral2/files/0x0002000000022a48-10.dat | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral2/memory/3424-18-0x0000000000290000-0x00000000002D4000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
- Detects executables referencing many file transfer clients. Observed in information stealers. 2 IoCs
  resource | yara_rule
  behavioral2/files/0x0002000000022a48-10.dat | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral2/memory/3424-18-0x0000000000290000-0x00000000002D4000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
- Checks computer location settings 2 TTPs 2 IoCs
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | WScript.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | WScript.exe
- Drops startup file 2 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs | WScript.exe
- Executes dropped EXE 1 IoCs
  pid | Process
  3424 | Gcp.exe
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 2 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs\"" | WScript.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1 = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs\"" | WScript.exe
- Looks up external IP address via web service 8 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  17 | ip-api.com
  19 | ip-api.com
  21 | ip-api.com
  23 | ip-api.com
  26 | ip-api.com
  36 | ip-api.com
  3 | ip-api.com
  13 | ip-api.com
- Command and Scripting Interpreter: JavaScript 1 TTPs
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class 1 IoCs
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | WScript.exe
- Suspicious behavior: EnumeratesProcesses 3 IoCs
  pid | Process
  3424 | Gcp.exe
  3424 | Gcp.exe
  3424 | Gcp.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 3424 | Gcp.exe
- Suspicious use of WriteProcessMemory 5 IoCs
  description | pid | Process | procid_target
  PID 2652 wrote to memory of 3956 | 2652 | WScript.exe | 92
  PID 2652 wrote to memory of 3956 | 2652 | WScript.exe | 92
  PID 3956 wrote to memory of 3424 | 3956 | WScript.exe | 94
  PID 3956 wrote to memory of 3424 | 3956 | WScript.exe | 94
  PID 3956 wrote to memory of 3424 | 3956 | WScript.exe | 94
Processes (indentation shows the parent/child relationship)
- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs"
  PID: 2652
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\icon-smile-kl.js"
    PID: 3956
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Gcp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Gcp.exe"
      PID: 3424
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4172,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
  PID: 5008
Network
MITRE ATT&CK Enterprise v15
Downloads
- (unnamed download)
  Filesize: 243KB
  MD5: d868c9dfdd377a1128f484a33c9d427d
  SHA1: 3cd816d84a5a06a669eb5cde82aa3eca272a6f13
  SHA256: 1f19267129cbabe2e50837f88eb2854c64521bd964f43a58f37365e60d5da5bd
  SHA512: 2702e2df330931d9fd2ed15e54aec37dbd68737cf3db642a8842cab813b9e3be67b7a5356d426772690b0b9e5c384931640d891f51662f870a9d3022eabce52b
- (unnamed download)
  Filesize: 345KB
  MD5: 5ffa2f9b4305ee8ab9676456a5c41ae7
  SHA1: 9e517938920844699eddd8043df45e075682eef7
  SHA256: 0a75da170bd6e1cd271f48974d98345fb60b00ac3327b5e9d8fa8394c83800db
  SHA512: 06ed498e22a982b135c4c380cd01d296d2f05b106b5c75be4cccdaf41575750622eb7c8d5448dc935ebc6b5d525e803b9f4a3b132d503b6eccf4c28e42cad28d
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs
  Filesize: 3.2MB
  MD5: 3a3f7a4a8b7ea91bd05523cb83456441
  SHA1: 20bbbe54a25cced1f74f34521918effd6aa5877d
  SHA256: 010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1
  SHA512: c86b406a756a9f5ad7f1368e741687af94e12ee258fc42c99c9f14d6118ded6976a09e7d7fa1840d17c72d827a900760bf69dceb774798db1a3e86fa293ba0ed