Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-06-2022 14:56
Static task
static1
Behavioral task
behavioral1
Sample
Product Pics.js
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Product Pics.js
Resource
win10v2004-20220414-en
General
-
Target
Product Pics.js
-
Size
691KB
-
MD5
4e242d24414292cd483040d98077d9c0
-
SHA1
eb905837358a70d81ef596465fad195c4057a015
-
SHA256
2cbdc90aff35e74892a04e4ce75834f0c419996330f15692575c1862781e63b6
-
SHA512
4578ba5e7139da61a38907a8908374ce49668d8199b756e694db300e20459084a60adee335bc30ac15a0f4b1038e01ccc49e83991a593eb564fc8d541aba8826
Malware Config
Extracted
Protocol: smtp- Host:
mail.leaf.arvixe.com - Port:
587 - Username:
[email protected] - Password:
000000
Extracted
agenttesla
Protocol: smtp- Host:
mail.leaf.arvixe.com - Port:
587 - Username:
[email protected] - Password:
000000
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
suricata: ET MALWARE AgentTesla Exfil Via SMTP
suricata: ET MALWARE AgentTesla Exfil Via SMTP
-
Blocklisted process makes network request 31 IoCs
Processes:
wscript.exewscript.exewscript.exeflow pid process 6 1236 wscript.exe 9 1728 wscript.exe 11 1336 wscript.exe 15 1236 wscript.exe 16 1336 wscript.exe 18 1236 wscript.exe 20 1336 wscript.exe 25 1236 wscript.exe 26 1336 wscript.exe 29 1236 wscript.exe 30 1336 wscript.exe 32 1236 wscript.exe 34 1336 wscript.exe 39 1236 wscript.exe 40 1336 wscript.exe 42 1236 wscript.exe 44 1336 wscript.exe 47 1236 wscript.exe 50 1336 wscript.exe 52 1236 wscript.exe 53 1336 wscript.exe 55 1236 wscript.exe 57 1336 wscript.exe 60 1236 wscript.exe 61 1336 wscript.exe 65 1236 wscript.exe 66 1336 wscript.exe 70 1236 wscript.exe 72 1336 wscript.exe 73 1236 wscript.exe 75 1336 wscript.exe -
Executes dropped EXE 1 IoCs
Processes:
ORIPAYLOADER.exepid process 1760 ORIPAYLOADER.exe -
Drops startup file 5 IoCs
Processes:
wscript.exewscript.exewscript.exewscript.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Product Pics.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Product Pics.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CWVAxIEiro.js wscript.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CWVAxIEiro.js wscript.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CWVAxIEiro.js wscript.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
ORIPAYLOADER.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ORIPAYLOADER.exe Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ORIPAYLOADER.exe Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ORIPAYLOADER.exe -
Adds Run key to start application 2 TTPs 12 IoCs
Processes:
wscript.exewscript.exewscript.exewscript.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run wscript.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\CWVAxIEiro.js\"" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Product Pics = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Product Pics.js\"" wscript.exe Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Product Pics = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Product Pics.js\"" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\YVBPFHTJIQ = "\"C:\\Users\\Admin\\AppData\\Roaming\\CWVAxIEiro.js\"" wscript.exe Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run wscript.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Product Pics = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Product Pics.js\"" wscript.exe Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Product Pics = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\Product Pics.js\"" wscript.exe Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run wscript.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 8 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ORIPAYLOADER.exepid process 1760 ORIPAYLOADER.exe 1760 ORIPAYLOADER.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ORIPAYLOADER.exedescription pid process Token: SeDebugPrivilege 1760 ORIPAYLOADER.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
ORIPAYLOADER.exepid process 1760 ORIPAYLOADER.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
wscript.exewscript.exedescription pid process target process PID 1564 wrote to memory of 1236 1564 wscript.exe wscript.exe PID 1564 wrote to memory of 1236 1564 wscript.exe wscript.exe PID 1564 wrote to memory of 1236 1564 wscript.exe wscript.exe PID 1564 wrote to memory of 1728 1564 wscript.exe wscript.exe PID 1564 wrote to memory of 1728 1564 wscript.exe wscript.exe PID 1564 wrote to memory of 1728 1564 wscript.exe wscript.exe PID 1728 wrote to memory of 1336 1728 wscript.exe wscript.exe PID 1728 wrote to memory of 1336 1728 wscript.exe wscript.exe PID 1728 wrote to memory of 1336 1728 wscript.exe wscript.exe PID 1728 wrote to memory of 1760 1728 wscript.exe ORIPAYLOADER.exe PID 1728 wrote to memory of 1760 1728 wscript.exe ORIPAYLOADER.exe PID 1728 wrote to memory of 1760 1728 wscript.exe ORIPAYLOADER.exe PID 1728 wrote to memory of 1760 1728 wscript.exe ORIPAYLOADER.exe -
outlook_office_path 1 IoCs
Processes:
ORIPAYLOADER.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ORIPAYLOADER.exe -
outlook_win_path 1 IoCs
Processes:
ORIPAYLOADER.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 ORIPAYLOADER.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\Product Pics.js"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\CWVAxIEiro.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1236 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\Product Pics.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\CWVAxIEiro.js"3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1336 -
C:\Users\Admin\AppData\Roaming\ORIPAYLOADER.exe"C:\Users\Admin\AppData\Roaming\ORIPAYLOADER.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1760
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\CWVAxIEiro.jsFilesize
29KB
MD59e4865661dfeef56b34e67927e101678
SHA11df4763cc100f665394d12c8a6a3884ed2b8f20c
SHA256205a826a0a736729d14fac1d6d4c388eeb5a62192bbfb01e84cb9ad91f180881
SHA512bad583bd2d67bb7e93115fde98a20a3607d25e93019aae7564210e1d05c18ce68f0b66543eda184a5d7166a9d22af860aff71629ef5dccab9986ccbc17abb879
-
C:\Users\Admin\AppData\Roaming\CWVAxIEiro.jsFilesize
29KB
MD59e4865661dfeef56b34e67927e101678
SHA11df4763cc100f665394d12c8a6a3884ed2b8f20c
SHA256205a826a0a736729d14fac1d6d4c388eeb5a62192bbfb01e84cb9ad91f180881
SHA512bad583bd2d67bb7e93115fde98a20a3607d25e93019aae7564210e1d05c18ce68f0b66543eda184a5d7166a9d22af860aff71629ef5dccab9986ccbc17abb879
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CWVAxIEiro.jsFilesize
29KB
MD59e4865661dfeef56b34e67927e101678
SHA11df4763cc100f665394d12c8a6a3884ed2b8f20c
SHA256205a826a0a736729d14fac1d6d4c388eeb5a62192bbfb01e84cb9ad91f180881
SHA512bad583bd2d67bb7e93115fde98a20a3607d25e93019aae7564210e1d05c18ce68f0b66543eda184a5d7166a9d22af860aff71629ef5dccab9986ccbc17abb879
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Product Pics.jsFilesize
691KB
MD54e242d24414292cd483040d98077d9c0
SHA1eb905837358a70d81ef596465fad195c4057a015
SHA2562cbdc90aff35e74892a04e4ce75834f0c419996330f15692575c1862781e63b6
SHA5124578ba5e7139da61a38907a8908374ce49668d8199b756e694db300e20459084a60adee335bc30ac15a0f4b1038e01ccc49e83991a593eb564fc8d541aba8826
-
C:\Users\Admin\AppData\Roaming\ORIPAYLOADER.exeFilesize
209KB
MD5c6d715ba404ae78085eb7caba3ad8118
SHA1720e3ef336871278f87f6eb596147edc4f1e3c4b
SHA2560f33ab5276f7ea785bb119795431a7be45e2ada3428ea1718d799cb654c2bdb2
SHA51261612720aa252713ecdc86e665eaee223f747e602626bf140dceb34ae7e7c18d75cf123de881b36b56c190014513a40375bc8e5267d1c120cc6e8eb8039364e7
-
C:\Users\Admin\AppData\Roaming\ORIPAYLOADER.exeFilesize
209KB
MD5c6d715ba404ae78085eb7caba3ad8118
SHA1720e3ef336871278f87f6eb596147edc4f1e3c4b
SHA2560f33ab5276f7ea785bb119795431a7be45e2ada3428ea1718d799cb654c2bdb2
SHA51261612720aa252713ecdc86e665eaee223f747e602626bf140dceb34ae7e7c18d75cf123de881b36b56c190014513a40375bc8e5267d1c120cc6e8eb8039364e7
-
C:\Users\Admin\AppData\Roaming\Product Pics.jsFilesize
691KB
MD54e242d24414292cd483040d98077d9c0
SHA1eb905837358a70d81ef596465fad195c4057a015
SHA2562cbdc90aff35e74892a04e4ce75834f0c419996330f15692575c1862781e63b6
SHA5124578ba5e7139da61a38907a8908374ce49668d8199b756e694db300e20459084a60adee335bc30ac15a0f4b1038e01ccc49e83991a593eb564fc8d541aba8826
-
memory/1236-55-0x0000000000000000-mapping.dmp
-
memory/1336-61-0x0000000000000000-mapping.dmp
-
memory/1564-54-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmpFilesize
8KB
-
memory/1728-58-0x0000000000000000-mapping.dmp
-
memory/1760-64-0x0000000000000000-mapping.dmp
-
memory/1760-69-0x0000000000CE0000-0x0000000000D1A000-memory.dmpFilesize
232KB
-
memory/1760-70-0x0000000075CD1000-0x0000000075CD3000-memory.dmpFilesize
8KB