Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 17/08/2022, 06:30
Static task: static1
Behavioral task: behavioral1
  Sample: Orders New.js
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Orders New.js
  Resource: win10v2004-20220812-en
General
Target: Orders New.js
Size: 429KB
MD5: 405f578aca6ff3de5e4f82fc01bd041c
SHA1: 50daff5a26144959f7baa8b7edd7c22cc7010609
SHA256: f4eb514871e587813c80882100952d05a17ea61bbb6a83ee197262e2ebd4e203
SHA512: fb9c4e66fe9c301ca152989cde21f0e2aa53554bbe5e93ff8a57e38958865595811af58e506e43b8dd4a1a8a9bec052ea82a4d4de68b3f588a4e4a93777e5747
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.losbrothersconstruction.com
Port: 587
Username: [email protected]
Password: 508135Pry
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Blocklisted process makes network request (30 IoCs)
flow | pid  | Process
7    | 1328 | wscript.exe
8    | 1684 | wscript.exe
12   | 1684 | wscript.exe
13   | 1328 | wscript.exe
15   | 1684 | wscript.exe
16   | 1328 | wscript.exe
20   | 1684 | wscript.exe
21   | 1328 | wscript.exe
24   | 1684 | wscript.exe
25   | 1328 | wscript.exe
26   | 1328 | wscript.exe
28   | 1684 | wscript.exe
32   | 1684 | wscript.exe
33   | 1328 | wscript.exe
35   | 1684 | wscript.exe
36   | 1328 | wscript.exe
38   | 1684 | wscript.exe
39   | 1328 | wscript.exe
43   | 1684 | wscript.exe
44   | 1328 | wscript.exe
45   | 1328 | wscript.exe
47   | 1684 | wscript.exe
48   | 1328 | wscript.exe
50   | 1684 | wscript.exe
53   | 1328 | wscript.exe
55   | 1684 | wscript.exe
57   | 1684 | wscript.exe
58   | 1328 | wscript.exe
60   | 1684 | wscript.exe
61   | 1328 | wscript.exe
Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | G&M.exe

Executes dropped EXE (1 IoCs)
pid  | Process
1288 | G&M.exe

Drops startup file (4 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TtouVgELLW.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TtouVgELLW.js | wscript.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js | wscript.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | G&M.exe
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | G&M.exe
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | G&M.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows\CurrentVersion\Run\DnDcR = "C:\\Users\\Admin\\AppData\\Roaming\\DnDcR\\DnDcR.exe" | G&M.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid  | Process
1288 | G&M.exe
1288 | G&M.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1288 | G&M.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid  | Process
1288 | G&M.exe

Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | Process | procid_target
PID 1708 wrote to memory of 1684 | 1708 | wscript.exe | 27
PID 1708 wrote to memory of 1684 | 1708 | wscript.exe | 27
PID 1708 wrote to memory of 1684 | 1708 | wscript.exe | 27
PID 1708 wrote to memory of 1288 | 1708 | wscript.exe | 28
PID 1708 wrote to memory of 1288 | 1708 | wscript.exe | 28
PID 1708 wrote to memory of 1288 | 1708 | wscript.exe | 28
PID 1708 wrote to memory of 1288 | 1708 | wscript.exe | 28
PID 1684 wrote to memory of 1328 | 1684 | wscript.exe | 29
PID 1684 wrote to memory of 1328 | 1684 | wscript.exe | 29
PID 1684 wrote to memory of 1328 | 1684 | wscript.exe | 29

outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | G&M.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2591564548-2301609547-1748242483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | G&M.exe
Processes
C:\Windows\system32\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Orders New.js"
  PID: 1708
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TtouVgELLW.js"
    PID: 1684
    - Blocklisted process makes network request
    - Drops startup file
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
      PID: 1328
      - Blocklisted process makes network request
      - Drops startup file

  C:\Users\Admin\AppData\Local\Temp\G&M.exe
    "C:\Users\Admin\AppData\Local\Temp\G&M.exe"
    PID: 1288
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 210KB
MD5: 6c208094e087f84ad4c1790292260317
SHA1: 786c84e457c75151d7fd53ea7ca654af0d879495
SHA256: 8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9
SHA512: d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4

Filesize: 210KB
MD5: 6c208094e087f84ad4c1790292260317
SHA1: 786c84e457c75151d7fd53ea7ca654af0d879495
SHA256: 8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9
SHA512: d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4

Filesize: 26KB
MD5: fb29f8fba2be3cb1d69f788a7c77905c
SHA1: 39028f5bff879e08f049bb352016a935bcd73c6d
SHA256: 5345841b45e28bdbcfcdf0382d414f6c3c58900aad828390b950e6eea3df1ffb
SHA512: 214187dd8d8e08a70933a390b52d988e523582838aa9343bce8d6c5c295258ccca601a8bc29e52889d343ab1eb62aa8ae7fc7caee190070e02990beb00ea7be9

Filesize: 6KB
MD5: a542a21ecaba36f6ba8c6457b8ab67f9
SHA1: 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
SHA256: bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
SHA512: 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a