Analysis
max time kernel: 94s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-09-2024 07:24
Static task: static1
Behavioral task: behavioral1
  Sample: HG987654567000.vbs
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: HG987654567000.vbs
  Resource: win10v2004-20240802-en
General
Target: HG987654567000.vbs
Size: 33KB
MD5: 59a24e918603e8e13baece1f49ccb169
SHA1: 84e045dcf3e4c49445abe4e61af4795e8091d5de
SHA256: c83fa0fe8fcce8c22dc31440b883ee13badb2438f6a35ddd56a7b8c7e03c335c
SHA512: 85561f9127d28e46ccb0a7329892cece142e817f77dbe77e1d2583ba4b29bf234c8334fe5596e30fe08d3edb1d615cbc9c8da8790f037c065664f0c29dd68c86
SSDEEP: 384:ljD6h5upiUy+I4B8Gyh6r4x8yGNy0wVS2fwspQsFXkInOEZfDBEwA0QmKCp:45uhyt4Xyh6r4x8ygGnusS3EZrp4ep
Malware Config
Extracted family: agenttesla
Protocol: ftp
Host: ftp://ftp.antoniomayol.com:21
Port: 21
Username: [email protected]
Password: cMhKDQUk1{;%
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET; this sample is configured to exfiltrate over FTP (see Malware Config).

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copy of, a web browser credential store.

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (process: WScript.exe)

Executes dropped EXE (1 IoC)
  PID 1036: x.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 16: ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  PID 1036 (x.exe) set thread context of 3512 (procid_target: 86)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aspnet_compiler.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3512: aspnet_compiler.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1036 (x.exe)
  Token: SeDebugPrivilege, PID 3512 (aspnet_compiler.exe)

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 4396 (WScript.exe) wrote to memory of 1036 (procid_target: 83), 2 events
  PID 1036 (x.exe) wrote to memory of 3512 (procid_target: 86), 8 events
Processes

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HG987654567000.vbs"
  PID: 4396
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\x.exe
    "C:\Users\Admin\AppData\Local\Temp\x.exe"
    PID: 1036
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      PID: 3512
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
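The process tree above is the classic hollowing chain: a script host runs the .vbs, a dropped x.exe in %TEMP% spawns a signed Microsoft .NET utility (aspnet_compiler.exe) with an empty command line, writes into it and resets its thread context, and the hollowed process then does the external-IP lookup and the FTP connection. The script below, added for this page and not part of the sandbox's own detection logic, turns those signals into a detector over endpoint telemetry. The event records are constructed to mirror the report (PIDs, image paths and hosts are taken from it); the simplified Sysmon-like field names (type, pid, ppid, image, cmdline, target_pid, query, dst, dport) and the list of commonly hollowed .NET utilities are this script's own assumptions.

```python
"""Score a WriteProcessMemory + SetThreadContext pair by the context signals
that separate process hollowing from a debugger or installer doing the same
two calls, then correlate the hollowed process's IP lookup and FTP beacon.
Illustrative code for this page; field names are assumptions, not a standard.
"""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Signed Microsoft .NET utilities that loaders commonly hollow (assumed list):
# benign on disk, rarely run by users, and happy to start with no arguments.
DOTNET_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
                "msbuild.exe", "installutil.exe", "applaunch.exe"}
IP_LOOKUP_SERVICES = {"ip-api.com", "api.ipify.org", "checkip.dyndns.org",
                      "icanhazip.com"}

# Constructed events mirroring the report: WScript.exe (4396) runs the .vbs,
# x.exe (1036) runs from %TEMP% and hollows aspnet_compiler.exe (3512), which
# then resolves ip-api.com and connects to the FTP C2 from the config.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4396, "ppid": 1000,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HG987654567000.vbs"'},
    {"type": "process_create", "pid": 1036, "ppid": 4396,
     "image": r"C:\Users\Admin\AppData\Local\Temp\x.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\x.exe"'},
    {"type": "process_create", "pid": 3512, "ppid": 1036,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"'},
    {"type": "write_process_memory", "pid": 1036, "target_pid": 3512},
    {"type": "set_thread_context", "pid": 1036, "target_pid": 3512},
    {"type": "dns", "pid": 3512, "query": "ip-api.com"},
    {"type": "connect", "pid": 3512, "dst": "ftp.antoniomayol.com", "dport": 21},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def launched_without_args(proc):
    """True when the command line is nothing but the (optionally quoted) image path."""
    return proc["cmdline"].strip().strip('"').lower() == proc["image"].lower()


def find_hollowing(events, min_signals=3):
    """Return injector/target pairs where one process both wrote the other's
    memory and set its thread context, keeping only pairs with enough context
    signals (.NET host, parent/child, empty command line, %TEMP%, script host)."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    wrote, set_ctx = defaultdict(set), defaultdict(set)
    for e in events:
        if e["type"] == "write_process_memory":
            wrote[e["pid"]].add(e["target_pid"])
        elif e["type"] == "set_thread_context":
            set_ctx[e["pid"]].add(e["target_pid"])

    hits = []
    for injector_pid, targets in set_ctx.items():
        for target_pid in targets & wrote.get(injector_pid, set()):
            inj, tgt = procs.get(injector_pid), procs.get(target_pid)
            if inj is None or tgt is None:
                continue
            parent = procs.get(inj["ppid"])
            signals = []
            if basename(tgt["image"]) in DOTNET_HOSTS:
                signals.append("target is a signed .NET utility")
            if tgt["ppid"] == injector_pid:
                signals.append("injector is the target's parent")
            if launched_without_args(tgt):
                signals.append("target started with an empty command line")
            if "\\appdata\\local\\temp\\" in inj["image"].lower():
                signals.append("injector runs from %TEMP%")
            if parent is not None and basename(parent["image"]) in SCRIPT_HOSTS:
                signals.append("injector spawned by " + basename(parent["image"]))
            if len(signals) >= min_signals:
                hits.append({"injector": injector_pid, "target": target_pid,
                             "signals": signals})
    return hits


def find_exfil(events, suspect_pids):
    """For hollowed processes, flag an external-IP lookup followed by an FTP
    control connection (the order the report shows for PID 3512).
    Events are assumed to be in chronological order."""
    looked_up, findings = set(), []
    for e in events:
        if e["pid"] not in suspect_pids:
            continue
        if e["type"] == "dns" and e["query"].lower() in IP_LOOKUP_SERVICES:
            looked_up.add(e["pid"])
        elif e["type"] == "connect" and e["dport"] == 21 and e["pid"] in looked_up:
            findings.append({"pid": e["pid"], "dst": e["dst"]})
    return findings


def triage(events):
    hollowing = find_hollowing(events)
    exfil = find_exfil(events, {h["target"] for h in hollowing})
    return {"hollowing": hollowing, "exfil": exfil}


if __name__ == "__main__":
    for key, rows in triage(SAMPLE_EVENTS).items():
        for row in rows:
            print(key, row)
```

The threshold of three signals is deliberate: a debugger attaching to its own child also produces the WriteProcessMemory/SetThreadContext pair and the parent/child relation, but not the empty command line on a .NET utility, the %TEMP% injector or the script-host parent, so it stays below the bar. On real telemetry, feed the hollowed PIDs from find_hollowing into the network correlation rather than alerting on the IP-lookup domain alone, which many legitimate tools query.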
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 16KB
MD5: 0895a48b8b3050333df73cab2c249efb
SHA1: 97701a825d6c4462774ac1a7f98984c9a6a94c86
SHA256: c8abfe8f42fa396f48b01eb6612c5620ae198a13ac8e2aa1f47a1e277d704c48
SHA512: 5bd55439b142d5f3145b7a952d1f964e963d89e47930c7616e7eaea244e3fd8e792b056d62c48bdcf9f5ba188949e0a81058bfcd355d89b87c7b8973b2e13ddc