Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-06-2024 01:00

General

  • Target

    010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs

  • Size

    3.2MB

  • MD5

    3a3f7a4a8b7ea91bd05523cb83456441

  • SHA1

    20bbbe54a25cced1f74f34521918effd6aa5877d

  • SHA256

    010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1

  • SHA512

    c86b406a756a9f5ad7f1368e741687af94e12ee258fc42c99c9f14d6118ded6976a09e7d7fa1840d17c72d827a900760bf69dceb774798db1a3e86fa293ba0ed

  • SSDEEP

    6144:0BRlhwEEM38fLACxm31KtNnzZnZjIylZLImb:0zYuIN/flHb

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 8 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\icon-smile-kl.js"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Users\Admin\AppData\Local\Temp\Gcp.exe
        "C:\Users\Admin\AppData\Local\Temp\Gcp.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3424
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4172,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4152 /prefetch:8
    1⤵
      PID:5008

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Gcp.exe

      Filesize

      243KB

      MD5

      d868c9dfdd377a1128f484a33c9d427d

      SHA1

      3cd816d84a5a06a669eb5cde82aa3eca272a6f13

      SHA256

      1f19267129cbabe2e50837f88eb2854c64521bd964f43a58f37365e60d5da5bd

      SHA512

      2702e2df330931d9fd2ed15e54aec37dbd68737cf3db642a8842cab813b9e3be67b7a5356d426772690b0b9e5c384931640d891f51662f870a9d3022eabce52b

    • C:\Users\Admin\AppData\Local\Temp\icon-smile-kl.js

      Filesize

      345KB

      MD5

      5ffa2f9b4305ee8ab9676456a5c41ae7

      SHA1

      9e517938920844699eddd8043df45e075682eef7

      SHA256

      0a75da170bd6e1cd271f48974d98345fb60b00ac3327b5e9d8fa8394c83800db

      SHA512

      06ed498e22a982b135c4c380cd01d296d2f05b106b5c75be4cccdaf41575750622eb7c8d5448dc935ebc6b5d525e803b9f4a3b132d503b6eccf4c28e42cad28d

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1.vbs

      Filesize

      3.2MB

      MD5

      3a3f7a4a8b7ea91bd05523cb83456441

      SHA1

      20bbbe54a25cced1f74f34521918effd6aa5877d

      SHA256

      010729194c08b557dc260c821d07d35b2c8fdfbaa18ff27c7f1f2fe233850fd1

      SHA512

      c86b406a756a9f5ad7f1368e741687af94e12ee258fc42c99c9f14d6118ded6976a09e7d7fa1840d17c72d827a900760bf69dceb774798db1a3e86fa293ba0ed

    • memory/3424-17-0x00000000743CE000-0x00000000743CF000-memory.dmp

      Filesize

      4KB

    • memory/3424-18-0x0000000000290000-0x00000000002D4000-memory.dmp

      Filesize

      272KB

    • memory/3424-19-0x0000000005370000-0x0000000005914000-memory.dmp

      Filesize

      5.6MB

    • memory/3424-20-0x0000000004CA0000-0x0000000004D06000-memory.dmp

      Filesize

      408KB

    • memory/3424-21-0x0000000005BD0000-0x0000000005C20000-memory.dmp

      Filesize

      320KB

    • memory/3424-22-0x0000000005CC0000-0x0000000005D5C000-memory.dmp

      Filesize

      624KB

    • memory/3424-23-0x00000000743CE000-0x00000000743CF000-memory.dmp

      Filesize

      4KB