Analysis Overview
SHA256
6297ad7d2e748eb48b9572a3702188eeb569aad21afc52e0aa813df2294683cb
Threat Level: Known bad
The file Purchase Order No.002548.pdf.js was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Vjw0rm
Drops file in Drivers directory
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Accesses Microsoft Outlook profiles
Program crash
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
outlook_win_path
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-11 08:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-11 08:47
Reported
2022-10-11 08:50
Platform
win7-20220812-en
Max time kernel
162s
Max time network
173s
Command Line
Signatures
AgentTesla
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HnfkCWUlzy.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HnfkCWUlzy.js | C:\Windows\System32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\DeGrace.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order No.002548.pdf.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HnfkCWUlzy.js"
C:\Users\Admin\AppData\Roaming\DeGrace.exe
"C:\Users\Admin\AppData\Roaming\DeGrace.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1312
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | mail.walkerdaly.co.za | udp |
| ZA | 197.81.132.213:587 | mail.walkerdaly.co.za | tcp |
| NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp |
Files
memory/864-54-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp
memory/624-55-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\HnfkCWUlzy.js
| MD5 | c380d34c94785eed466d83b8945f61b5 |
| SHA1 | 82ddafdfa6559334bb734fdc38de4b09b3a1d7e0 |
| SHA256 | 9b7dbb2f7e53e0b6b6b0a439162aee7683acd0e3cade06e1050762c319b02474 |
| SHA512 | 955d6fd6f747c6af8b0b3638e73dac65ce5676e66daf1c8c572530ba8a52dcd11d176454c8c5293b06a8d102db93250a764a24034bcc44c0ca50bf3e054b8379 |
C:\Users\Admin\AppData\Roaming\DeGrace.exe
| MD5 | a7b2ef440655ae44c0647416f94b0cf5 |
| SHA1 | d2965894cc58ae8ef26360c08c99dcf08b161af1 |
| SHA256 | 51d922caf11a1956e6b46e55649826692b5226412d643c386dacdbcdc89bd34a |
| SHA512 | be962aa707f7597014c762ee822b97162e92ed664bcf2e56d266f501b1f1f077a2f9e9bdf8361cf8df8ceb2d53224fc96c5557af258020da863f725f9ebf34f0 |
memory/1544-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\DeGrace.exe
| MD5 | a7b2ef440655ae44c0647416f94b0cf5 |
| SHA1 | d2965894cc58ae8ef26360c08c99dcf08b161af1 |
| SHA256 | 51d922caf11a1956e6b46e55649826692b5226412d643c386dacdbcdc89bd34a |
| SHA512 | be962aa707f7597014c762ee822b97162e92ed664bcf2e56d266f501b1f1f077a2f9e9bdf8361cf8df8ceb2d53224fc96c5557af258020da863f725f9ebf34f0 |
memory/1544-61-0x00000000003A0000-0x00000000003DA000-memory.dmp
memory/1544-62-0x0000000076261000-0x0000000076263000-memory.dmp
memory/1260-63-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\DeGrace.exe
| MD5 | a7b2ef440655ae44c0647416f94b0cf5 |
| SHA1 | d2965894cc58ae8ef26360c08c99dcf08b161af1 |
| SHA256 | 51d922caf11a1956e6b46e55649826692b5226412d643c386dacdbcdc89bd34a |
| SHA512 | be962aa707f7597014c762ee822b97162e92ed664bcf2e56d266f501b1f1f077a2f9e9bdf8361cf8df8ceb2d53224fc96c5557af258020da863f725f9ebf34f0 |
\Users\Admin\AppData\Roaming\DeGrace.exe
| MD5 | a7b2ef440655ae44c0647416f94b0cf5 |
| SHA1 | d2965894cc58ae8ef26360c08c99dcf08b161af1 |
| SHA256 | 51d922caf11a1956e6b46e55649826692b5226412d643c386dacdbcdc89bd34a |
| SHA512 | be962aa707f7597014c762ee822b97162e92ed664bcf2e56d266f501b1f1f077a2f9e9bdf8361cf8df8ceb2d53224fc96c5557af258020da863f725f9ebf34f0 |
\Users\Admin\AppData\Roaming\DeGrace.exe
| MD5 | a7b2ef440655ae44c0647416f94b0cf5 |
| SHA1 | d2965894cc58ae8ef26360c08c99dcf08b161af1 |
| SHA256 | 51d922caf11a1956e6b46e55649826692b5226412d643c386dacdbcdc89bd34a |
| SHA512 | be962aa707f7597014c762ee822b97162e92ed664bcf2e56d266f501b1f1f077a2f9e9bdf8361cf8df8ceb2d53224fc96c5557af258020da863f725f9ebf34f0 |
\Users\Admin\AppData\Roaming\DeGrace.exe
| MD5 | a7b2ef440655ae44c0647416f94b0cf5 |
| SHA1 | d2965894cc58ae8ef26360c08c99dcf08b161af1 |
| SHA256 | 51d922caf11a1956e6b46e55649826692b5226412d643c386dacdbcdc89bd34a |
| SHA512 | be962aa707f7597014c762ee822b97162e92ed664bcf2e56d266f501b1f1f077a2f9e9bdf8361cf8df8ceb2d53224fc96c5557af258020da863f725f9ebf34f0 |
\Users\Admin\AppData\Roaming\DeGrace.exe
| MD5 | a7b2ef440655ae44c0647416f94b0cf5 |
| SHA1 | d2965894cc58ae8ef26360c08c99dcf08b161af1 |
| SHA256 | 51d922caf11a1956e6b46e55649826692b5226412d643c386dacdbcdc89bd34a |
| SHA512 | be962aa707f7597014c762ee822b97162e92ed664bcf2e56d266f501b1f1f077a2f9e9bdf8361cf8df8ceb2d53224fc96c5557af258020da863f725f9ebf34f0 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-11 08:47
Reported
2022-10-11 08:50
Platform
win10v2004-20220812-en
Max time kernel
152s
Max time network
177s
Command Line
Signatures
AgentTesla
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HnfkCWUlzy.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HnfkCWUlzy.js | C:\Windows\System32\wscript.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\DeGrace.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\DeGrace.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1840 wrote to memory of 256 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1840 wrote to memory of 256 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\wscript.exe |
| PID 1840 wrote to memory of 4560 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Roaming\DeGrace.exe |
| PID 1840 wrote to memory of 4560 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Roaming\DeGrace.exe |
| PID 1840 wrote to memory of 4560 | N/A | C:\Windows\system32\wscript.exe | C:\Users\Admin\AppData\Roaming\DeGrace.exe |
| PID 4560 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 4560 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 4560 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | C:\Windows\SysWOW64\WerFault.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order No.002548.pdf.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HnfkCWUlzy.js"
C:\Users\Admin\AppData\Roaming\DeGrace.exe
"C:\Users\Admin\AppData\Roaming\DeGrace.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4560 -ip 4560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1920
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp |
| US | 20.189.173.14:443 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp |
| US | 8.8.8.8:53 | mail.walkerdaly.co.za | udp |
| ZA | 197.81.132.213:587 | mail.walkerdaly.co.za | tcp |
| NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp |
| NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp |
Files
memory/256-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\HnfkCWUlzy.js
| MD5 | c380d34c94785eed466d83b8945f61b5 |
| SHA1 | 82ddafdfa6559334bb734fdc38de4b09b3a1d7e0 |
| SHA256 | 9b7dbb2f7e53e0b6b6b0a439162aee7683acd0e3cade06e1050762c319b02474 |
| SHA512 | 955d6fd6f747c6af8b0b3638e73dac65ce5676e66daf1c8c572530ba8a52dcd11d176454c8c5293b06a8d102db93250a764a24034bcc44c0ca50bf3e054b8379 |
memory/4560-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\DeGrace.exe
| MD5 | a7b2ef440655ae44c0647416f94b0cf5 |
| SHA1 | d2965894cc58ae8ef26360c08c99dcf08b161af1 |
| SHA256 | 51d922caf11a1956e6b46e55649826692b5226412d643c386dacdbcdc89bd34a |
| SHA512 | be962aa707f7597014c762ee822b97162e92ed664bcf2e56d266f501b1f1f077a2f9e9bdf8361cf8df8ceb2d53224fc96c5557af258020da863f725f9ebf34f0 |
C:\Users\Admin\AppData\Roaming\DeGrace.exe
| MD5 | a7b2ef440655ae44c0647416f94b0cf5 |
| SHA1 | d2965894cc58ae8ef26360c08c99dcf08b161af1 |
| SHA256 | 51d922caf11a1956e6b46e55649826692b5226412d643c386dacdbcdc89bd34a |
| SHA512 | be962aa707f7597014c762ee822b97162e92ed664bcf2e56d266f501b1f1f077a2f9e9bdf8361cf8df8ceb2d53224fc96c5557af258020da863f725f9ebf34f0 |
memory/4560-137-0x0000000000260000-0x000000000029A000-memory.dmp
memory/4560-138-0x0000000005290000-0x0000000005834000-memory.dmp
memory/4560-139-0x0000000004CE0000-0x0000000004D7C000-memory.dmp
memory/4560-140-0x0000000005220000-0x0000000005286000-memory.dmp
memory/4560-141-0x0000000006130000-0x0000000006180000-memory.dmp
memory/5012-142-0x0000000000000000-mapping.dmp