Analysis

  • max time kernel
    113s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-09-2024 22:55

General

  • Target

    Script-WareV2.zip

  • Size

    19.9MB

  • MD5

    df33376b6ec3248b62dd96d57f2afc9f

  • SHA1

    f39cdee7d9e7a9b70f21261cacd566d161484a3e

  • SHA256

    c4812e37aaf60bb0c03ba37a5de10cdf37171202c1fd1396e692916377556447

  • SHA512

    c53bdb4a19cc430e8f6b0b437f7f05fc6b3732ab97ad1d7b5fb806a532f98509d0d37e20a3cffefc3fc5675c827cd3ab59430bedcfbd8fe8aa8b9e77d39d7009

  • SSDEEP

    393216:4d/QGhhDiUBhJu9ssqrwW1t3fHe8apZclR8fAEpjI8r59VwBdRWlU/q7mkDcwEt7:k/ZhDJBhJFsqkqfXEGdX1r9pdH

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla payload 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Script-WareV2.zip
    1⤵
      PID:2940
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2732
      • C:\Users\Admin\Downloads\Script-ware\ScriptWare.exe
        "C:\Users\Admin\Downloads\Script-ware\ScriptWare.exe"
        1⤵
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1592
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 3216
          2⤵
          • Program crash
          PID:3928
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1592 -ip 1592
        1⤵
          PID:4316
        • C:\Windows\system32\notepad.exe
          "C:\Windows\system32\notepad.exe"
          1⤵
            PID:1868
          • C:\Users\Admin\Downloads\Script-ware\ScriptWare.exe
            "C:\Users\Admin\Downloads\Script-ware\ScriptWare.exe"
            1⤵
            • System Location Discovery: System Language Discovery
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:592
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 2972
              2⤵
              • Program crash
              PID:756
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 592 -ip 592
            1⤵
              PID:4940
            • C:\Users\Admin\Downloads\Script-ware\Installer.exe
              "C:\Users\Admin\Downloads\Script-ware\Installer.exe"
              1⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:4348

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • memory/1592-3-0x0000000006140000-0x00000000061D2000-memory.dmp

              Filesize

              584KB

            • memory/1592-5-0x0000000006600000-0x000000000660A000-memory.dmp

              Filesize

              40KB

            • memory/1592-24-0x0000000074470000-0x0000000074C20000-memory.dmp

              Filesize

              7.7MB

            • memory/1592-21-0x0000000074470000-0x0000000074C20000-memory.dmp

              Filesize

              7.7MB

            • memory/1592-22-0x0000000007EF0000-0x0000000007FA2000-memory.dmp

              Filesize

              712KB

            • memory/1592-6-0x0000000006DB0000-0x0000000006FA6000-memory.dmp

              Filesize

              2.0MB

            • memory/1592-23-0x000000007447E000-0x000000007447F000-memory.dmp

              Filesize

              4KB

            • memory/1592-4-0x0000000074470000-0x0000000074C20000-memory.dmp

              Filesize

              7.7MB

            • memory/1592-0-0x000000007447E000-0x000000007447F000-memory.dmp

              Filesize

              4KB

            • memory/1592-2-0x0000000006650000-0x0000000006BF4000-memory.dmp

              Filesize

              5.6MB

            • memory/1592-1-0x0000000000880000-0x00000000016A0000-memory.dmp

              Filesize

              14.1MB

            • memory/4348-33-0x0000000000060000-0x00000000001BC000-memory.dmp

              Filesize

              1.4MB

            • memory/4348-34-0x0000000004C60000-0x0000000004C70000-memory.dmp

              Filesize

              64KB

            • memory/4348-35-0x0000000008FC0000-0x0000000008FC8000-memory.dmp

              Filesize

              32KB

            • memory/4348-36-0x0000000009390000-0x00000000093C8000-memory.dmp

              Filesize

              224KB

            • memory/4348-37-0x0000000008FD0000-0x0000000008FDE000-memory.dmp

              Filesize

              56KB