Analysis
max time kernel: 293s
max time network: 298s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 16/08/2022, 14:16
Static task: static1
Behavioral task: behavioral1
  Sample: new orders.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: new orders.js
  Resource: win10v2004-20220812-en
General
Target: new orders.js
Size: 388KB
MD5: fbbfbf5e808c73443ce1045c58993b58
SHA1: 32493b8d3858783d5098db1040f49d796e6475f0
SHA256: 41a2892987c1d6a2d2815fe7a06897b873003d65e32ead538e5de8b2b09a904a
SHA512: 30851c706dc2b5be2466085d4cef6994a4faaf1fa677d1012c727af6730cec88409131340d8c6fee93fd67fac004c565e51793dad451107ce4dfec3ba22b2c25
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.losbrothersconstruction.com
Port: 587
Username: [email protected]
Password: 508135Pry
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Blocklisted process makes network request (32 IoCs)
flow | pid | Process
4 | 1888 | wscript.exe
7 | 1888 | wscript.exe
8 | 1888 | wscript.exe
10 | 1888 | wscript.exe
11 | 1888 | wscript.exe
13 | 1888 | wscript.exe
15 | 1888 | wscript.exe
16 | 1888 | wscript.exe
17 | 1888 | wscript.exe
19 | 1888 | wscript.exe
20 | 1888 | wscript.exe
21 | 1888 | wscript.exe
23 | 1888 | wscript.exe
24 | 1888 | wscript.exe
25 | 1888 | wscript.exe
27 | 1888 | wscript.exe
28 | 1888 | wscript.exe
29 | 1888 | wscript.exe
31 | 1888 | wscript.exe
32 | 1888 | wscript.exe
33 | 1888 | wscript.exe
35 | 1888 | wscript.exe
36 | 1888 | wscript.exe
37 | 1888 | wscript.exe
39 | 1888 | wscript.exe
40 | 1888 | wscript.exe
41 | 1888 | wscript.exe
43 | 1888 | wscript.exe
44 | 1888 | wscript.exe
45 | 1888 | wscript.exe
47 | 1888 | wscript.exe
48 | 1888 | wscript.exe

Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | G&M.exe

Executes dropped EXE (1 IoCs)
pid | Process
1620 | G&M.exe

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SiytxiPIfa.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SiytxiPIfa.js | wscript.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | G&M.exe
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | G&M.exe
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | G&M.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\DnDcR = "C:\\Users\\Admin\\AppData\\Roaming\\DnDcR\\DnDcR.exe" | G&M.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1620 | G&M.exe
1620 | G&M.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1620 | G&M.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1620 | G&M.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 760 wrote to memory of 1888 | 760 | wscript.exe | 27
PID 760 wrote to memory of 1888 | 760 | wscript.exe | 27
PID 760 wrote to memory of 1888 | 760 | wscript.exe | 27
PID 760 wrote to memory of 1620 | 760 | wscript.exe | 28
PID 760 wrote to memory of 1620 | 760 | wscript.exe | 28
PID 760 wrote to memory of 1620 | 760 | wscript.exe | 28
PID 760 wrote to memory of 1620 | 760 | wscript.exe | 28

outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | G&M.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | G&M.exe
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\new orders.js"
  PID: 760
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SiytxiPIfa.js"
      PID: 1888
      - Blocklisted process makes network request
      - Drops startup file

    C:\Users\Admin\AppData\Local\Temp\G&M.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\G&M.exe"
      PID: 1620
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 210KB
MD5: 6c208094e087f84ad4c1790292260317
SHA1: 786c84e457c75151d7fd53ea7ca654af0d879495
SHA256: 8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9
SHA512: d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4

Filesize: 210KB
MD5: 6c208094e087f84ad4c1790292260317
SHA1: 786c84e457c75151d7fd53ea7ca654af0d879495
SHA256: 8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9
SHA512: d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4

Filesize: 6KB
MD5: a2079e0212dfd821a8ee552397bff943
SHA1: 3464c8d0d2cfff3275714c0f9f506c81e53c27f2
SHA256: cacdff6af2acf1838783fb80822df7a13ef9a4b0865ec067dbca6d7557498d0e
SHA512: df99ec27d74cfd7cd513a6960b531bfe0bdb8151e5890bb1b35ce8d815c9560646bbc0efaa8f4f27e531ba932b08fc83d4bdaafcda04ff376e6f5aef9adaf845