Malware Analysis Report

2025-05-05 21:52

Sample ID 221011-kpv6eaehel
Target Purchase Order No.002548.pdf.js
SHA256 6297ad7d2e748eb48b9572a3702188eeb569aad21afc52e0aa813df2294683cb
Tags: agenttesla vjw0rm collection keylogger spyware stealer trojan worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 6297ad7d2e748eb48b9572a3702188eeb569aad21afc52e0aa813df2294683cb

Threat Level: Known bad

The file Purchase Order No.002548.pdf.js was found to be: Known bad.

Malicious Activity Summary

agenttesla vjw0rm collection keylogger spyware stealer trojan worm

AgentTesla

Vjw0rm

Drops file in Drivers directory

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Accesses Microsoft Outlook profiles

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

outlook_win_path

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-10-11 08:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-10-11 08:47
Reported: 2022-10-11 08:50
Platform: win7-20220812-en
Max time kernel: 162s
Max time network: 173s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order No.002548.pdf.js"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HnfkCWUlzy.js | C:\Windows\System32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HnfkCWUlzy.js | C:\Windows\System32\wscript.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\DeGrace.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order No.002548.pdf.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HnfkCWUlzy.js"

C:\Users\Admin\AppData\Roaming\DeGrace.exe

"C:\Users\Admin\AppData\Roaming\DeGrace.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 1312

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
US | 8.8.8.8:53 | mail.walkerdaly.co.za | udp
ZA | 197.81.132.213:587 | mail.walkerdaly.co.za | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp

Files

memory/864-54-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp

memory/624-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\HnfkCWUlzy.js

MD5 c380d34c94785eed466d83b8945f61b5
SHA1 82ddafdfa6559334bb734fdc38de4b09b3a1d7e0
SHA256 9b7dbb2f7e53e0b6b6b0a439162aee7683acd0e3cade06e1050762c319b02474
SHA512 955d6fd6f747c6af8b0b3638e73dac65ce5676e66daf1c8c572530ba8a52dcd11d176454c8c5293b06a8d102db93250a764a24034bcc44c0ca50bf3e054b8379

C:\Users\Admin\AppData\Roaming\DeGrace.exe

MD5 a7b2ef440655ae44c0647416f94b0cf5
SHA1 d2965894cc58ae8ef26360c08c99dcf08b161af1
SHA256 51d922caf11a1956e6b46e55649826692b5226412d643c386dacdbcdc89bd34a
SHA512 be962aa707f7597014c762ee822b97162e92ed664bcf2e56d266f501b1f1f077a2f9e9bdf8361cf8df8ceb2d53224fc96c5557af258020da863f725f9ebf34f0

memory/1544-57-0x0000000000000000-mapping.dmp

memory/1544-61-0x00000000003A0000-0x00000000003DA000-memory.dmp

memory/1544-62-0x0000000076261000-0x0000000076263000-memory.dmp

memory/1260-63-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\DeGrace.exe

MD5 a7b2ef440655ae44c0647416f94b0cf5
SHA1 d2965894cc58ae8ef26360c08c99dcf08b161af1
SHA256 51d922caf11a1956e6b46e55649826692b5226412d643c386dacdbcdc89bd34a
SHA512 be962aa707f7597014c762ee822b97162e92ed664bcf2e56d266f501b1f1f077a2f9e9bdf8361cf8df8ceb2d53224fc96c5557af258020da863f725f9ebf34f0

Analysis: behavioral2

Detonation Overview

Submitted: 2022-10-11 08:47
Reported: 2022-10-11 08:50
Platform: win10v2004-20220812-en
Max time kernel: 152s
Max time network: 177s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order No.002548.pdf.js"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Vjw0rm

trojan worm vjw0rm

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\wscript.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HnfkCWUlzy.js | C:\Windows\System32\wscript.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HnfkCWUlzy.js | C:\Windows\System32\wscript.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Roaming\DeGrace.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Purchase Order No.002548.pdf.js"

C:\Windows\System32\wscript.exe

"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\HnfkCWUlzy.js"

C:\Users\Admin\AppData\Roaming\DeGrace.exe

"C:\Users\Admin\AppData\Roaming\DeGrace.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4560 -ip 4560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 1920

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | javaautorun.duia.ro | udp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
US | 20.189.173.14:443 | | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
US | 8.8.8.8:53 | mail.walkerdaly.co.za | udp
ZA | 197.81.132.213:587 | mail.walkerdaly.co.za | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp
NG | 41.217.5.36:5465 | javaautorun.duia.ro | tcp

Files

memory/256-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\HnfkCWUlzy.js

MD5 c380d34c94785eed466d83b8945f61b5
SHA1 82ddafdfa6559334bb734fdc38de4b09b3a1d7e0
SHA256 9b7dbb2f7e53e0b6b6b0a439162aee7683acd0e3cade06e1050762c319b02474
SHA512 955d6fd6f747c6af8b0b3638e73dac65ce5676e66daf1c8c572530ba8a52dcd11d176454c8c5293b06a8d102db93250a764a24034bcc44c0ca50bf3e054b8379

memory/4560-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\DeGrace.exe

MD5 a7b2ef440655ae44c0647416f94b0cf5
SHA1 d2965894cc58ae8ef26360c08c99dcf08b161af1
SHA256 51d922caf11a1956e6b46e55649826692b5226412d643c386dacdbcdc89bd34a
SHA512 be962aa707f7597014c762ee822b97162e92ed664bcf2e56d266f501b1f1f077a2f9e9bdf8361cf8df8ceb2d53224fc96c5557af258020da863f725f9ebf34f0

memory/4560-137-0x0000000000260000-0x000000000029A000-memory.dmp

memory/4560-138-0x0000000005290000-0x0000000005834000-memory.dmp

memory/4560-139-0x0000000004CE0000-0x0000000004D7C000-memory.dmp

memory/4560-140-0x0000000005220000-0x0000000005286000-memory.dmp

memory/4560-141-0x0000000006130000-0x0000000006180000-memory.dmp

memory/5012-142-0x0000000000000000-mapping.dmp