Analysis
- Max time kernel: 299s
- Max time network: 304s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220812-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 16/08/2022, 14:16
Static task: static1

Behavioral task: behavioral1
- Sample: new orders.js
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: new orders.js
- Resource: win10v2004-20220812-en
General
- Target: new orders.js
- Size: 388KB
- MD5: fbbfbf5e808c73443ce1045c58993b58
- SHA1: 32493b8d3858783d5098db1040f49d796e6475f0
- SHA256: 41a2892987c1d6a2d2815fe7a06897b873003d65e32ead538e5de8b2b09a904a
- SHA512: 30851c706dc2b5be2466085d4cef6994a4faaf1fa677d1012c727af6730cec88409131340d8c6fee93fd67fac004c565e51793dad451107ce4dfec3ba22b2c25
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.losbrothersconstruction.com
- Port: 587
- Username: [email protected]
- Password: 508135Pry
- Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Blocklisted process makes network request (33 IoCs)
- flow / pid / Process: flows 2, 12, 15, 16, 26, 30, 33, 37, 39, 40, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 59, 60, 61, 62, 63, 64, 65, 66, all from pid 2736, wscript.exe

Drops file in Drivers directory (1 IoC)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (G&M.exe)

Executes dropped EXE (1 IoC)
- pid 3080: G&M.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation (wscript.exe)

Drops startup file (2 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SiytxiPIfa.js (wscript.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SiytxiPIfa.js (wscript.exe)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (G&M.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (G&M.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (G&M.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DnDcR = "C:\\Users\\Admin\\AppData\\Roaming\\DnDcR\\DnDcR.exe" (G&M.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 3080: G&M.exe
- pid 3080: G&M.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, pid 3080 (G&M.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
- pid 3080: G&M.exe

Suspicious use of WriteProcessMemory (5 IoCs)
- PID 4256 wrote to memory of 2736: pid 4256, wscript.exe, procid_target 81
- PID 4256 wrote to memory of 2736: pid 4256, wscript.exe, procid_target 81
- PID 4256 wrote to memory of 3080: pid 4256, wscript.exe, procid_target 82
- PID 4256 wrote to memory of 3080: pid 4256, wscript.exe, procid_target 82
- PID 4256 wrote to memory of 3080: pid 4256, wscript.exe, procid_target 82

outlook_office_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (G&M.exe)

outlook_win_path (1 IoC)
- Key opened: \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (G&M.exe)
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\new orders.js"
  PID: 4256
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\SiytxiPIfa.js"
    PID: 2736
    Signatures: Blocklisted process makes network request; Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\G&M.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\G&M.exe"
    PID: 3080
    Signatures: Drops file in Drivers directory; Executes dropped EXE; Accesses Microsoft Outlook profiles; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; outlook_office_path; outlook_win_path
Downloads
- Filesize: 210KB
  MD5: 6c208094e087f84ad4c1790292260317
  SHA1: 786c84e457c75151d7fd53ea7ca654af0d879495
  SHA256: 8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9
  SHA512: d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4
- Filesize: 210KB
  MD5: 6c208094e087f84ad4c1790292260317
  SHA1: 786c84e457c75151d7fd53ea7ca654af0d879495
  SHA256: 8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9
  SHA512: d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4
- Filesize: 6KB
  MD5: a2079e0212dfd821a8ee552397bff943
  SHA1: 3464c8d0d2cfff3275714c0f9f506c81e53c27f2
  SHA256: cacdff6af2acf1838783fb80822df7a13ef9a4b0865ec067dbca6d7557498d0e
  SHA512: df99ec27d74cfd7cd513a6960b531bfe0bdb8151e5890bb1b35ce8d815c9560646bbc0efaa8f4f27e531ba932b08fc83d4bdaafcda04ff376e6f5aef9adaf845