Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
22-05-2023 08:50
Static task
static1
Behavioral task
behavioral1
Sample
Order-POF561.js
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Order-POF561.js
Resource
win10v2004-20230220-en
General
-
Target
Order-POF561.js
-
Size
4.4MB
-
MD5
600ff23c99cac605541142deb6d59d08
-
SHA1
609b030ed3ab2d856533efb140505ef77ab45e27
-
SHA256
b7c5d83bcb09217db3593681c1aab762b936b6bdcdef4c89b155ed5456d2224f
-
SHA512
f5143ca822ee39815cd7fd4e940451e3cf7a19ab6afc8052a2ce8b66525074c50033ae244de9950c4b30162d524972037ff0ea5f941663b8ab4377d73a6fd286
-
SSDEEP
24576:SnSV1KQRkYy4g47ycfEVP75BupG6wcBRpY3xxc9pURy26cJ39ftFvxwv9NeiObv4:GC
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: smtp.rzr0ngtai.com
Port: 587
Username: ofm@rzr0ngtai.com
Password: TRhkGVZ4
Email To: ofm@rzr0ngtai.com
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT); the config extracted above shows this sample exfiltrating over SMTP with hard-coded mailbox credentials.
-
Blocklisted process makes network request 16 IoCs
Processes:
flow   pid    process
4      2016   wscript.exe
5      2016   wscript.exe
7      2016   wscript.exe
9      2016   wscript.exe
10     2016   wscript.exe
11     2016   wscript.exe
13     2016   wscript.exe
14     2016   wscript.exe
15     2016   wscript.exe
17     2016   wscript.exe
18     2016   wscript.exe
19     2016   wscript.exe
21     2016   wscript.exe
22     2016   wscript.exe
23     2016   wscript.exe
25     2016   wscript.exe
-
Drops startup file 2 IoCs
Processes:
description                    ioc                                                                                         process
File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NaWPCMeUbz.js  wscript.exe
File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NaWPCMeUbz.js  wscript.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid    process
652    bbnn.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description   ioc                                                                                                                                                                   process
Key opened    \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                  bbnn.exe
Key opened    \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                  bbnn.exe
Key opened    \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   bbnn.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                 pid    process
Token: SeDebugPrivilege     652    bbnn.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
description                          source process   target process
PID 1712 wrote to memory of 2016     wscript.exe      wscript.exe
PID 1712 wrote to memory of 2016     wscript.exe      wscript.exe
PID 1712 wrote to memory of 2016     wscript.exe      wscript.exe
PID 1712 wrote to memory of 652      wscript.exe      bbnn.exe
PID 1712 wrote to memory of 652      wscript.exe      bbnn.exe
PID 1712 wrote to memory of 652      wscript.exe      bbnn.exe
PID 1712 wrote to memory of 652      wscript.exe      bbnn.exe
-
outlook_office_path 1 IoCs
Processes:
description   ioc                                                                                                                                     process
Key opened    \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676    bbnn.exe
-
outlook_win_path 1 IoCs
Processes:
description   ioc                                                                                                                                                                   process
Key opened    \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   bbnn.exe
Processes
-
[depth 1] C:\Windows\system32\wscript.exe
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Order-POF561.js
    - Suspicious use of WriteProcessMemory
    -
    [depth 2] C:\Windows\System32\wscript.exe
        command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NaWPCMeUbz.js"
        - Blocklisted process makes network request
        - Drops startup file
    -
    [depth 2] C:\Users\Admin\AppData\Roaming\bbnn.exe
        command line: "C:\Users\Admin\AppData\Roaming\bbnn.exe"
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
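The process tree and signatures above describe a three-stage chain: the user-launched lure script, a second wscript.exe running the dropped copy in batch mode (//B) and writing it to the Startup folder for persistence, then the Agent Tesla payload reading Outlook profile keys. The following is an added example (not part of this report or any vendor tooling) that turns those observations into host-side detection rules and runs them over a constructed set of Sysmon-like events mirroring the report. Field names on the Event class are assumed; the parent of the first wscript.exe and the SMTP connection are constructed from the process tree and the extracted config rather than taken from an observed event. Note that the first stage trips no rule on its own: it is the batch-mode relaunch from AppData\Roaming, the Startup-folder drop and the spawned executable that distinguish the chain from a user double-clicking a script.

```python
"""Host-side triage for the Order-POF561.js -> NaWPCMeUbz.js -> bbnn.exe chain.

Added example; the events below are constructed to mirror the report and use
assumed Sysmon-like field names.
"""
import re
from dataclasses import dataclass

# Indicators taken directly from the report.
KNOWN_MD5 = {
    "600ff23c99cac605541142deb6d59d08": "Order-POF561.js",
    "893fc35e6777d07700009659b4df14ea": "NaWPCMeUbz.js",
    "c326600507ad2a761a7cff547b3a2272": "bbnn.exe",
}
EXFIL_SMTP = ("smtp.rzr0ngtai.com", 587)

# Behavioural patterns derived from the Signatures section.
WSCRIPT = re.compile(r"\\wscript\.exe$", re.I)
OUTLOOK_EXE = re.compile(r"\\outlook\.exe$", re.I)
ROAMING_SCRIPT = re.compile(r'AppData\\Roaming\\[^\\"]+\.(?:js|jse|vbs|vbe|wsf)\b', re.I)
ROAMING_EXE = re.compile(r"AppData\\Roaming\\[^\\]+\.exe$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:js|jse|vbs|vbe|wsf)$", re.I)
OUTLOOK_PROFILE = re.compile(
    r"\\(?:Office\\1[56]\.0\\Outlook\\Profiles|Windows Messaging Subsystem\\Profiles)\\", re.I)


@dataclass
class Event:
    kind: str            # "process", "file", "registry" or "network"
    pid: int
    image: str           # full path of the acting process
    cmdline: str = ""    # process events only
    parent_image: str = ""
    target: str = ""     # file path, registry key or destination host
    port: int = 0        # network events only
    md5: str = ""        # image hash, process events only


def match(e: Event) -> list[str]:
    """Return the name of every rule the event trips (empty list if clean)."""
    hits = []
    if e.kind == "process":
        if e.md5.lower() in KNOWN_MD5:
            hits.append(f"known-bad image hash ({KNOWN_MD5[e.md5.lower()]})")
        if WSCRIPT.search(e.image) and "//b" in e.cmdline.lower() and ROAMING_SCRIPT.search(e.cmdline):
            hits.append("wscript //B running a script from AppData\\Roaming")
        if WSCRIPT.search(e.parent_image) and ROAMING_EXE.search(e.image):
            hits.append("wscript.exe spawned an exe from AppData\\Roaming")
    elif e.kind == "file":
        if WSCRIPT.search(e.image) and STARTUP_DIR.search(e.target):
            hits.append("script host wrote a script into the Startup folder")
    elif e.kind == "registry":
        # Outlook reading its own profile store is normal; anything else is not.
        if OUTLOOK_PROFILE.search(e.target) and not OUTLOOK_EXE.search(e.image):
            hits.append("non-Outlook process opened an Outlook profile key")
    elif e.kind == "network":
        if (e.target.lower(), e.port) == EXFIL_SMTP:
            hits.append("connection to the extracted exfiltration SMTP host")
    return hits


def triage(events) -> dict[int, list[str]]:
    """Group rule hits by pid so the analyst sees one entry per suspicious process."""
    findings: dict[int, list[str]] = {}
    for e in events:
        for h in match(e):
            findings.setdefault(e.pid, []).append(h)
    return findings


# Constructed events mirroring the report's process tree.
WS = r"C:\Windows\System32\wscript.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\bbnn.exe"
SID = r"\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000"
PROFILE_KEY = SID + r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"
SAMPLE_EVENTS = [
    # Stage 1: the lure is launched (parent assumed to be explorer.exe).
    Event("process", 1712, WS, cmdline=r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Order-POF561.js",
          parent_image=r"C:\Windows\explorer.exe"),
    # Stage 2: batch-mode relaunch of the dropped copy, then persistence via the Startup folder.
    Event("process", 2016, WS, parent_image=WS,
          cmdline=r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NaWPCMeUbz.js"'),
    Event("file", 2016, WS,
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NaWPCMeUbz.js"),
    # Stage 3: the Agent Tesla payload (SMTP event constructed from the extracted config).
    Event("process", 652, PAYLOAD, cmdline=f'"{PAYLOAD}"', parent_image=WS,
          md5="c326600507ad2a761a7cff547b3a2272"),
    Event("registry", 652, PAYLOAD, target=PROFILE_KEY),
    Event("network", 652, PAYLOAD, target="smtp.rzr0ngtai.com", port=587),
    # Benign control: Outlook reading its own profile must not fire.
    Event("registry", 4100, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", target=PROFILE_KEY),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

The hash rule is the weakest of the set: Sysmon hashes the image, so it catches bbnn.exe but not the two scripts, and a recompiled payload defeats it. The behavioural rules (batch-mode script host from AppData\Roaming, script dropped into Startup, script host spawning an executable from AppData\Roaming, a non-Outlook process touching the Outlook profile store) survive a rebuild of the sample.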
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Roaming\NaWPCMeUbz.js
Filesize
346KB
MD5
893fc35e6777d07700009659b4df14ea
SHA1
f06f4cb7e5e00e9513049e9491794cf7708d4660
SHA256
62a741f015d45db0e868d0a0aaf58d5d2ed016dd29815baafd2978fc91b2355d
SHA512
749394e8730850c7773950cb12183a72ffe825803be321849024e4b47879a4e619516889742f78d186fef3e5252a1cc648183525a0039826de29884268104eb2
-
C:\Users\Admin\AppData\Roaming\bbnn.exe
Filesize
164KB
MD5
c326600507ad2a761a7cff547b3a2272
SHA1
fb4fe27a790f1961cbcdbeb7d527df3f5168177a
SHA256
9e4d3b33ad0dc8b9d9cda29828a0ab0ce24800a4c3d932b0338bf35467c7d39f
SHA512
89ed36699dff964d0d71938a7b744eb1ca6f9a63c94381c109c6a68891f4c8c7a3452a2dba75504d678154fdb88b79740cf409510571b47ed6a666521b3d9a8e
-
memory/652-63-0x00000000001F0000-0x0000000000220000-memory.dmp
Filesize
192KB
-
memory/652-64-0x0000000004D10000-0x0000000004D50000-memory.dmp
Filesize
256KB
-
memory/652-65-0x0000000004D10000-0x0000000004D50000-memory.dmp
Filesize
256KB