Analysis
max time kernel: 144s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-09-2024 01:45

Static task: static1

Behavioral task: behavioral1
Sample: ca4d0af48b50bd06f172eee41fb979e2d73defb5c51fd358bc6b36de4cab7369.vbe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ca4d0af48b50bd06f172eee41fb979e2d73defb5c51fd358bc6b36de4cab7369.vbe
Resource: win10v2004-20240802-en
General
Target: ca4d0af48b50bd06f172eee41fb979e2d73defb5c51fd358bc6b36de4cab7369.vbe
Size: 10KB
MD5: 90d3ad68895627841ba7ac18079fc0b1
SHA1: a00920b635b500f67983ab4bed25a38df9bd5549
SHA256: ca4d0af48b50bd06f172eee41fb979e2d73defb5c51fd358bc6b36de4cab7369
SHA512: 8e3d459a1d11cadfc336c364918c97ecf0004418afb890bd3b36e9139d30bfe956266f2e87e29e2e5df46b01e94c1bc64b9964b3a556ad64f6a5b2a8afb493b6
SSDEEP: 192:xXNM3lLrcABBqcDsPdSuXZlzrZ7gmUWoZl5FYleLMl/1uw5YOAxJhHFK:xNElLAAKjBLf1UWobElwMl/mHHs
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: 162.254.34.31
Port: 587
Username: [email protected]
Password: M992uew1mw6Z
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to or copy of a web browser credential store.

Blocklisted process makes network request (1 IoCs)
flow | pid | Process
3 | 3516 | WScript.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | WScript.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
85 | api.ipify.org
86 | api.ipify.org

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 3500 set thread context of 3140 | 3500 | powershell.exe | 100

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Checks processor information in registry (2 TTPs, 9 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE

Enumerates system info in registry (2 TTPs, 7 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | wermgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | wermgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE

Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 3 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
4672 | WINWORD.EXE
4672 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
3500 | powershell.exe
3500 | powershell.exe
4872 | powershell.exe
4872 | powershell.exe
4872 | powershell.exe
3500 | powershell.exe
3500 | powershell.exe
3140 | MSBuild.exe
3140 | MSBuild.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3500 | powershell.exe
Token: SeDebugPrivilege | 4872 | powershell.exe
Token: SeDebugPrivilege | 3140 | MSBuild.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
4672 | WINWORD.EXE
4672 | WINWORD.EXE
4672 | WINWORD.EXE
4672 | WINWORD.EXE
4672 | WINWORD.EXE
4672 | WINWORD.EXE
4672 | WINWORD.EXE
4672 | WINWORD.EXE

Suspicious use of WriteProcessMemory (16 IoCs)
description | pid | Process | procid_target
PID 4968 wrote to memory of 3500 | 4968 | WScript.exe | 90
PID 4968 wrote to memory of 3500 | 4968 | WScript.exe | 90
PID 4968 wrote to memory of 4872 | 4968 | WScript.exe | 97
PID 4968 wrote to memory of 4872 | 4968 | WScript.exe | 97
PID 3500 wrote to memory of 3140 | 3500 | powershell.exe | 100
PID 3500 wrote to memory of 3140 | 3500 | powershell.exe | 100
PID 3500 wrote to memory of 3140 | 3500 | powershell.exe | 100
PID 3500 wrote to memory of 3140 | 3500 | powershell.exe | 100
PID 3500 wrote to memory of 3140 | 3500 | powershell.exe | 100
PID 3500 wrote to memory of 3140 | 3500 | powershell.exe | 100
PID 3500 wrote to memory of 3140 | 3500 | powershell.exe | 100
PID 3500 wrote to memory of 3140 | 3500 | powershell.exe | 100
PID 3500 wrote to memory of 4572 | 3500 | powershell.exe | 102
PID 3500 wrote to memory of 4572 | 3500 | powershell.exe | 102
PID 4872 wrote to memory of 1436 | 4872 | powershell.exe | 101
PID 4872 wrote to memory of 1436 | 4872 | powershell.exe | 101

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows process tree depth; the original report marks depth 1, 2, 3)

C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca4d0af48b50bd06f172eee41fb979e2d73defb5c51fd358bc6b36de4cab7369.vbe"
    - Blocklisted process makes network request
    PID: 3516

C:\Windows\System32\WScript.exe
    C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\FRMEMFMdrhTBazq.vbs"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 4968

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3500

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3140

        C:\Windows\system32\wermgr.exe
            "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3500" "2752" "2696" "2756" "0" "0" "2760" "0" "0" "0" "0" "0"
            - Checks processor information in registry
            - Enumerates system info in registry
            PID: 4572

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4872

        C:\Windows\system32\wermgr.exe
            "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4872" "2760" "2684" "2764" "0" "0" "2768" "0" "0" "0" "0" "0"
            - Checks processor information in registry
            - Enumerates system info in registry
            PID: 1436

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\StepMerge.docx" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 4672
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3KB
MD5: 3f01549ee3e4c18244797530b588dad9
SHA1: 3e87863fc06995fe4b741357c68931221d6cc0b9
SHA256: 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a
SHA512: 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Filesize: 53KB
MD5: a26df49623eff12a70a93f649776dab7
SHA1: efb53bd0df3ac34bd119adf8788127ad57e53803
SHA256: 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512: e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Filesize: 3KB
MD5: 6e809f4c18466a0a63db912fb7a2441c
SHA1: d88653e1426406c3175c3fee38d55cd94a1ec5b1
SHA256: 2a684a0f36716559ec3fef1d5cdcd0fa7d48cd59e40457b7adc4d7b1f9a0c9fa
SHA512: b47bb55f42d8930277dcab4d3850aba5b1f40b794f07cf1a0858b7280dc8bab243f445c50d2a45fa183c8f664c4864f476d4565c85380fc10cf45fe53d16100c

Filesize: 262KB
MD5: 51d32ee5bc7ab811041f799652d26e04
SHA1: 412193006aa3ef19e0a57e16acf86b830993024a
SHA256: 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512: 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 2KB
MD5: e26532ee5fd577e459897da6e2d1fd35
SHA1: fd22513992dd197796bdd70a15d0e91fedcc230c
SHA256: e5441fd6bf5a366d4144553a3caf44ed09d6fb7cb085de728579c556def1e329
SHA512: c44fe8cd1c9d0f3727d15a08cb288fec1593deecc2bee5bde9a00c7f8d241f014c0a539ae6c1c0c05e2243d81046855f62a19633f6b17d238303e475271055b4

Filesize: 198B
MD5: 70a649184a93877f49fab9d9f66a1c08
SHA1: 44d7f83bcc03be91f24e9917035488a8e2dbc5c1
SHA256: 836b60bb0414105b0b8ea960003fa11a091230bdbf8b8b8671513cc9d2d7fc39
SHA512: 8145a9201aa2516f2b31c57c7ba82d59c8683c7705b18745b21c26d3c440ef22699dcffe208679f95104401e470d25969ca1be04bc102ebd1fa9838d3a581ac3

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Filesize: 217B
MD5: b7308fd36d821e4b12939ba167a10b1b
SHA1: dedde2894b1737c12a39a326e66bbec9eff19f47
SHA256: 261f85cc5e607129d6fa7189a37ef2ce83ee877e48126571df26bf79ae5bf6da
SHA512: c47106b2321be79f923f3d1a4c383246aac3482be60bad997160a9d0205631705280a62248b28192dc091d496af0975b0d6d7d87d34b897d28f8c877ceb123b6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: 1c44b4bc24070011cc493ddd6bc41364
SHA1: 6babf10af7a25dbc5b32cd042647b45c53af1fa8
SHA256: a9f8c312b0d7b56195d6547e3c11b75b436f189cfab2fe793d622e4245710c65
SHA512: 45b777c2dbd152612624961777249f82c2b1bac714cc9bd9d430bc150efd5f9d882ff055fb3d841688ada2895553ef64d0d531052fc8b9971f0b1b153c7472ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 6KB
MD5: 11f7c2eb870993496486f81d11fa8c76
SHA1: 5606c534ce746514619d8c8cf337a4962bfefa67
SHA256: 796da785585012f74c41705fc11ad75268f772390f9a5649eeb91dce978ef849
SHA512: 822a400d8edac31cd7590662f480fb7c33e9d053edf0fe16e7088452862287a7cab3083d560bf8b9c1ddab8b186696319e1238c90ad1fff098553cea856e5245

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6KYOP34QPCL12ESBR5PV.temp
Filesize: 1KB
MD5: 52b921fc88e34bbe11e07d99f9889de2
SHA1: 4a03e353f9116b4ace07f194e01b88501ab3f10a
SHA256: 80e1d1764ca7104982e35a3e72fd1bb8875734f9c36a0115730d1e2ca2cf52f5
SHA512: 9b533341003c8f2f8e0e87f851693b311de10eaf2ef31edd092b5afd6d0380b64e0d5af005e36ba813ec3e837c73f10966b60c5563d109ec7fe66bac7a036432

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize: 1KB
MD5: bc036bf5ee6ec4a26351eab577f7fa1e
SHA1: 85ab91f3125e3b5e1a78f5664e3e3598ec7b2bdd
SHA256: 3261da0f849e82b38e72e8d6e1e6c2c8c9f5b72b0a919ee0a162502990c853a2
SHA512: 4d59af7d60f11f13b335428b4d60679776fe3774e03709a4e7ca9dda8c1a5c8886a9673ab9d4a37e63c42c1e381d39e201868baaccc6422bb9c58e6d67328955