Analysis
-
max time kernel: 113s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-09-2024 22:55
General
-
Target: Script-WareV2.zip
Size: 19.9MB
MD5: df33376b6ec3248b62dd96d57f2afc9f
SHA1: f39cdee7d9e7a9b70f21261cacd566d161484a3e
SHA256: c4812e37aaf60bb0c03ba37a5de10cdf37171202c1fd1396e692916377556447
SHA512: c53bdb4a19cc430e8f6b0b437f7f05fc6b3732ab97ad1d7b5fb806a532f98509d0d37e20a3cffefc3fc5675c827cd3ab59430bedcfbd8fe8aa8b9e77d39d7009
SSDEEP: 393216:4d/QGhhDiUBhJu9ssqrwW1t3fHe8apZclR8fAEpjI8r59VwBdRWlU/q7mkDcwEt7:k/ZhDJBhJFsqkqfXEGdX1r9pdH
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla payload 1 IoCs
resource: behavioral1/memory/1592-6-0x0000000006DB0000-0x0000000006FA6000-memory.dmp
yara_rule: family_agenttesla
-
Program crash 2 IoCs
pid    pid_target    Process         procid_target
3928   1592          WerFault.exe    95
756    592           WerFault.exe    106
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description    ioc                                                              Process
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    ScriptWare.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    ScriptWare.exe
Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Installer.exe
-
Enumerates system info in registry 2 TTPs 6 IoCs
description          ioc                                                                        Process
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion          ScriptWare.exe
Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                        ScriptWare.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer     ScriptWare.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion          ScriptWare.exe
Key opened           \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                        ScriptWare.exe
Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer     ScriptWare.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description                 pid     Process
Token: SeDebugPrivilege     1592    ScriptWare.exe
Token: SeDebugPrivilege     592     ScriptWare.exe
Token: SeDebugPrivilege     4348    Installer.exe
Processes
-
C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Script-WareV2.zip
  PID: 2940
-
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2732
-
C:\Users\Admin\Downloads\Script-ware\ScriptWare.exe
  Command line: "C:\Users\Admin\Downloads\Script-ware\ScriptWare.exe"
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 1592
  Child process:
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 3216
      - Program crash
      PID: 3928
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1592 -ip 1592
  PID: 4316
-
C:\Windows\system32\notepad.exe
  Command line: "C:\Windows\system32\notepad.exe"
  PID: 1868
-
C:\Users\Admin\Downloads\Script-ware\ScriptWare.exe
  Command line: "C:\Users\Admin\Downloads\Script-ware\ScriptWare.exe"
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 592
  Child process:
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 2972
      - Program crash
      PID: 756
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 592 -ip 592
  PID: 4940
-
C:\Users\Admin\Downloads\Script-ware\Installer.exe
  Command line: "C:\Users\Admin\Downloads\Script-ware\Installer.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 4348
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54C62B182F5BF07FA8427C07B0A3AAF8_4DBBCB40FA282C06F1543D887F4F4DCC
  Filesize: 719B
  MD5: 19e7db931c42d8315a1d7363160322bf
  SHA1: 79e7a35dd2bc189349e0c4028d138bddac108881
  SHA256: 46694f9846a2d504ab57bb7d560dff95fd092934466373d2841747eb1816ada6
  SHA512: 9da2aab19cb97ab1fef493dfdd7fa6e9e21a333f74c952acf6513d5a550fba484e92335307c8735e30983958189a082a33236bb67a4b246423201dead4f10434
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D451DDCFFF94F1A6B8406468FA3558_E4A7C6A10F816F002B00DE3B58B7E44E
  Filesize: 1KB
  MD5: 9a1b3383b704352709d360126598b2e9
  SHA1: 011c13c488bcfda0863d0ce8d67814bfab5701d5
  SHA256: 0899abaa18ffa0394c013fe020c240e846a3e7e74b0aeab9eae3a2f6fdf98a03
  SHA512: e34374b807683c7a927db835ab02cbc643f3f25595cc4de2338c6cdb2cea2b660e885cad0854771f3508e5103dff99542fdbe6b01d9fd5fbebde1a6273acb087
-
  Filesize: 1KB
  MD5: 5f80d85f629ffacea6fe251c92e1e6f1
  SHA1: a4030b5006bb6321a66efb1778aa6af5666b3fa8
  SHA256: dd8324ca16920e89c90c133897f859748e8479ba3a0c37e218e3e70d52155724
  SHA512: 4514f6a033e686cd317b045be8e9e5f2ccd0ad6c3cfbb588335451adf3817b8f66f7bb9e87ef82568fb633e6f22a7b1145917cc2db4e6d77373b0c6f3ddfb0ed
-
  Filesize: 76KB
  MD5: 0db329ee5c9fa9a2f3745f6e1c3b134c
  SHA1: 9375ca1252c9e65f3e9ad4cf72e5c2964202516b
  SHA256: c5e1dc2b31efa76aa2e1b6ffe3ca88bee7f46b623d2499b523d2490675d94b3c
  SHA512: 135fbeb84b3260f06268c443423823e31f5957d486c18672ad4aef91254db06b148cf8d2c28df332c2ca4f7a2124ab1e4af5b9598713a4ea6c9b99556a2093ef
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54C62B182F5BF07FA8427C07B0A3AAF8_4DBBCB40FA282C06F1543D887F4F4DCC
  Filesize: 446B
  MD5: c346d0cfa30b9a9d3b9542755e87e9b9
  SHA1: 9ae12ec38dc4c57204ddeb29deb5fea5cd2bd6ab
  SHA256: 864235c802c4f390c9c7e49621eebfe3cbc1465293c22a4ecc86de674c4092c5
  SHA512: 026813219638d0ddfe4618fa4ef74c4a717e72d19aff904c8f2733a07cc51c8d504cbdfa267a24b28180fca6c40538f226e5b1bbeeff9892dc74ccd0cdaccee7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94D451DDCFFF94F1A6B8406468FA3558_E4A7C6A10F816F002B00DE3B58B7E44E
  Filesize: 406B
  MD5: 45b421870798036917cbcb7de2e8ea71
  SHA1: c206d998d1899fa2c4559fc872e0064d2081076d
  SHA256: a68f815811e61037d3d5e23405d494a40c022238cee788f3ed01f66aff16a21b
  SHA512: b704abebede6d72ca708503a191a0e019c962fd941626d5e3093a3f88cad704ee6c7d9efbcdbd10df44bdcb8842760e424673a47f661b84b0d286236c3074c65
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\971E98FB192CF25D1FBA2923458B97CB
  Filesize: 272B
  MD5: 7720a145ba6274e430ed79df6c677e82
  SHA1: 43e8ad8a98da495decc03278b4c20c9dac3dab12
  SHA256: 9af359157947a06a2c1620e3e476a221bd79cc734424ba0f1e8244b03cb10086
  SHA512: 07233cb04de71581b2b6f6778efa6987abd317f35df483cb4bcd6b1d6e95f6f10670b0e32477997dc8934a5f8bbdca25a8a59ec95bc1df7de982317d910be01f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D682FDDA10064185EC8111DC39DBA8EC
  Filesize: 308B
  MD5: 71edfe2e1ad45541c98bec44e82ec80d
  SHA1: e5e34e15231628de30244482e668a6ce044588d6
  SHA256: 7106ff8434e5c1d023c67ba414abad482cfe3aa1800b9df1917e1e48eab20f0c
  SHA512: 78a670bd68c07e2d2bc96a363ef175247785db58eecdd264dbfd16f1ed51c0b346878f678b48c9a9afcc2381ce9a808761290cb2714b2c6256a285a1e7860d31