Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/08/2022, 06:30

General

  • Target

    Orders New.js

  • Size

    429KB

  • MD5

    405f578aca6ff3de5e4f82fc01bd041c

  • SHA1

    50daff5a26144959f7baa8b7edd7c22cc7010609

  • SHA256

    f4eb514871e587813c80882100952d05a17ea61bbb6a83ee197262e2ebd4e203

  • SHA512

    fb9c4e66fe9c301ca152989cde21f0e2aa53554bbe5e93ff8a57e38958865595811af58e506e43b8dd4a1a8a9bec052ea82a4d4de68b3f588a4e4a93777e5747

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    mail.losbrothersconstruction.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    508135Pry

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 28 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Orders New.js"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4140
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TtouVgELLW.js"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:3876
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        PID:4380
    • C:\Users\Admin\AppData\Local\Temp\G&M.exe
      "C:\Users\Admin\AppData\Local\Temp\G&M.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:1672

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\G&M.exe

          Filesize

          210KB

          MD5

          6c208094e087f84ad4c1790292260317

          SHA1

          786c84e457c75151d7fd53ea7ca654af0d879495

          SHA256

          8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9

          SHA512

          d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4

        • C:\Users\Admin\AppData\Local\Temp\G&M.exe

          Filesize

          210KB

          MD5

          6c208094e087f84ad4c1790292260317

          SHA1

          786c84e457c75151d7fd53ea7ca654af0d879495

          SHA256

          8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9

          SHA512

          d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4

        • C:\Users\Admin\AppData\Roaming\TtouVgELLW.js

          Filesize

          26KB

          MD5

          fb29f8fba2be3cb1d69f788a7c77905c

          SHA1

          39028f5bff879e08f049bb352016a935bcd73c6d

          SHA256

          5345841b45e28bdbcfcdf0382d414f6c3c58900aad828390b950e6eea3df1ffb

          SHA512

          214187dd8d8e08a70933a390b52d988e523582838aa9343bce8d6c5c295258ccca601a8bc29e52889d343ab1eb62aa8ae7fc7caee190070e02990beb00ea7be9

        • C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js

          Filesize

          6KB

          MD5

          a542a21ecaba36f6ba8c6457b8ab67f9

          SHA1

          3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c

          SHA256

          bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b

          SHA512

          78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a

        • memory/1672-139-0x0000000000360000-0x000000000039A000-memory.dmp

          Filesize

          232KB

        • memory/1672-140-0x0000000005260000-0x0000000005804000-memory.dmp

          Filesize

          5.6MB

        • memory/1672-141-0x0000000004D60000-0x0000000004DFC000-memory.dmp

          Filesize

          624KB

        • memory/1672-142-0x0000000005A50000-0x0000000005AB6000-memory.dmp

          Filesize

          408KB

        • memory/1672-143-0x0000000006190000-0x00000000061E0000-memory.dmp

          Filesize

          320KB

        • memory/1672-144-0x0000000006570000-0x0000000006602000-memory.dmp

          Filesize

          584KB

        • memory/1672-145-0x0000000006530000-0x000000000653A000-memory.dmp

          Filesize

          40KB