Analysis
- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/08/2022, 06:30
Static task: static1

Behavioral task: behavioral1
- Sample: Orders New.js
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: Orders New.js
- Resource: win10v2004-20220812-en
General
- Target: Orders New.js
- Size: 429KB
- MD5: 405f578aca6ff3de5e4f82fc01bd041c
- SHA1: 50daff5a26144959f7baa8b7edd7c22cc7010609
- SHA256: f4eb514871e587813c80882100952d05a17ea61bbb6a83ee197262e2ebd4e203
- SHA512: fb9c4e66fe9c301ca152989cde21f0e2aa53554bbe5e93ff8a57e38958865595811af58e506e43b8dd4a1a8a9bec052ea82a4d4de68b3f588a4e4a93777e5747
Malware Config

Extracted
- Protocol: smtp
- Host: mail.losbrothersconstruction.com
- Port: 587
- Username: [email protected]
- Password: 508135Pry

Extracted (agenttesla)
- Protocol: smtp
- Host: mail.losbrothersconstruction.com
- Port: 587
- Username: [email protected]
- Password: 508135Pry
- Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Blocklisted process makes network request (28 IoCs)
flow  pid   Process
13    4380  wscript.exe
14    3876  wscript.exe
16    3876  wscript.exe
17    4380  wscript.exe
19    3876  wscript.exe
20    4380  wscript.exe
32    3876  wscript.exe
33    4380  wscript.exe
36    3876  wscript.exe
37    4380  wscript.exe
42    3876  wscript.exe
44    4380  wscript.exe
45    3876  wscript.exe
46    4380  wscript.exe
47    3876  wscript.exe
48    4380  wscript.exe
50    3876  wscript.exe
51    4380  wscript.exe
52    3876  wscript.exe
53    4380  wscript.exe
55    3876  wscript.exe
56    4380  wscript.exe
57    3876  wscript.exe
58    4380  wscript.exe
59    3876  wscript.exe
60    4380  wscript.exe
61    3876  wscript.exe
62    4380  wscript.exe
Drops file in Drivers directory (1 IoCs)
description                   ioc                                     Process
File opened for modification  C:\Windows\system32\drivers\etc\hosts  G&M.exe

Executes dropped EXE (1 IoCs)
pid   Process
1672  G&M.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  wscript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  wscript.exe

Drops startup file (4 IoCs)
description                   ioc                                                                                   Process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bZQEUbJxNj.js  wscript.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TtouVgELLW.js  wscript.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TtouVgELLW.js  wscript.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  G&M.exe
Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  G&M.exe
Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  G&M.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description      ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DnDcR = "C:\\Users\\Admin\\AppData\\Roaming\\DnDcR\\DnDcR.exe"  G&M.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
1672  G&M.exe
1672  G&M.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  1672  G&M.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
1672  G&M.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description                       pid   Process      procid_target
PID 4140 wrote to memory of 3876  4140  wscript.exe  82
PID 4140 wrote to memory of 3876  4140  wscript.exe  82
PID 3876 wrote to memory of 4380  3876  wscript.exe  84
PID 3876 wrote to memory of 4380  3876  wscript.exe  84
PID 4140 wrote to memory of 1672  4140  wscript.exe  83
PID 4140 wrote to memory of 1672  4140  wscript.exe  83
PID 4140 wrote to memory of 1672  4140  wscript.exe  83

outlook_office_path (1 IoCs)
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  G&M.exe

outlook_win_path (1 IoCs)
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  G&M.exe
Processes (tree; indentation shows parent/child)

C:\Windows\system32\wscript.exe (PID 4140)
Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Orders New.js"
- Checks computer location settings
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\wscript.exe (PID 3876)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TtouVgELLW.js"
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory

        C:\Windows\System32\wscript.exe (PID 4380)
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bZQEUbJxNj.js"
        - Blocklisted process makes network request
        - Drops startup file

    C:\Users\Admin\AppData\Local\Temp\G&M.exe (PID 1672)
    Command line: "C:\Users\Admin\AppData\Local\Temp\G&M.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 210KB
  MD5: 6c208094e087f84ad4c1790292260317
  SHA1: 786c84e457c75151d7fd53ea7ca654af0d879495
  SHA256: 8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9
  SHA512: d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4

- Filesize: 210KB
  MD5: 6c208094e087f84ad4c1790292260317
  SHA1: 786c84e457c75151d7fd53ea7ca654af0d879495
  SHA256: 8c5d8dfc636d3a5461186f7ce756881fe78cb82c305fce1d81b470474e7802f9
  SHA512: d31bfda484a83aa1a25ce5f86058227af34f6e8ecb84c7092331c560908971c551cff11801439df7a4df133b86fcf402f6aa692ed3cb21e58eba122614635fb4

- Filesize: 26KB
  MD5: fb29f8fba2be3cb1d69f788a7c77905c
  SHA1: 39028f5bff879e08f049bb352016a935bcd73c6d
  SHA256: 5345841b45e28bdbcfcdf0382d414f6c3c58900aad828390b950e6eea3df1ffb
  SHA512: 214187dd8d8e08a70933a390b52d988e523582838aa9343bce8d6c5c295258ccca601a8bc29e52889d343ab1eb62aa8ae7fc7caee190070e02990beb00ea7be9

- Filesize: 6KB
  MD5: a542a21ecaba36f6ba8c6457b8ab67f9
  SHA1: 3f05ddc6d6e59554cd9870b9e4b17919b81eaa6c
  SHA256: bc831f27e6da7b5e82be628a1564c8b6aee02ec9290c5d21f99733dd2d1db47b
  SHA512: 78ca13a83bbd029470978b1e465ee6b0c2a9345a1fe8ee3e86d9f1d48bd52b7927a16e607f71084a91706213d8ddc0293ed06a1927e478b9bbc21ab0b47b9a2a