Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2023 08:50
Static task: static1
Behavioral task: behavioral1
- Sample: Order-POF561.js
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Order-POF561.js
- Resource: win10v2004-20230220-en
General
- Target: Order-POF561.js
- Size: 4.4MB
- MD5: 600ff23c99cac605541142deb6d59d08
- SHA1: 609b030ed3ab2d856533efb140505ef77ab45e27
- SHA256: b7c5d83bcb09217db3593681c1aab762b936b6bdcdef4c89b155ed5456d2224f
- SHA512: f5143ca822ee39815cd7fd4e940451e3cf7a19ab6afc8052a2ce8b66525074c50033ae244de9950c4b30162d524972037ff0ea5f941663b8ab4377d73a6fd286
- SSDEEP: 24576:SnSV1KQRkYy4g47ycfEVP75BupG6wcBRpY3xxc9pURy26cJ39ftFvxwv9NeiObv4:GC
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.rzr0ngtai.com
- Port: 587
- Username: ofm@rzr0ngtai.com
- Password: TRhkGVZ4
- Email To: ofm@rzr0ngtai.com
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request (16 IoCs)
  Processes: wscript.exe (PID 4772) made network requests in flows 10, 11, 22, 31, 33, 37, 42, 43, 45, 46, 48, 49, 51, 52, 54 and 55.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: wscript.exe queried the key value \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation.
- Drops startup file (2 IoCs)
  Processes: wscript.exe created, and then opened for modification, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NaWPCMeUbz.js.
- Executes dropped EXE (1 IoC)
  Processes: bbnn.exe (PID 4324).
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: bbnn.exe opened the keys
  \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: bbnn.exe (PID 4324), Token: SeDebugPrivilege.
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: wscript.exe (PID 540) wrote to the memory of PID 4772 (wscript.exe) twice and of PID 4324 (bbnn.exe) three times.
- outlook_office_path (1 IoC)
  Processes: bbnn.exe opened the key \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676.
- outlook_win_path (1 IoC)
  Processes: bbnn.exe opened the key \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676.
Processes
- C:\Windows\system32\wscript.exe
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Order-POF561.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\System32\wscript.exe
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\NaWPCMeUbz.js"
    - Blocklisted process makes network request
    - Drops startup file
  - C:\Users\Admin\AppData\Roaming\bbnn.exe
    Command line: "C:\Users\Admin\AppData\Roaming\bbnn.exe"
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Roaming\NaWPCMeUbz.js
  Filesize: 346KB
  MD5: 893fc35e6777d07700009659b4df14ea
  SHA1: f06f4cb7e5e00e9513049e9491794cf7708d4660
  SHA256: 62a741f015d45db0e868d0a0aaf58d5d2ed016dd29815baafd2978fc91b2355d
  SHA512: 749394e8730850c7773950cb12183a72ffe825803be321849024e4b47879a4e619516889742f78d186fef3e5252a1cc648183525a0039826de29884268104eb2
- C:\Users\Admin\AppData\Roaming\bbnn.exe
  Filesize: 164KB
  MD5: c326600507ad2a761a7cff547b3a2272
  SHA1: fb4fe27a790f1961cbcdbeb7d527df3f5168177a
  SHA256: 9e4d3b33ad0dc8b9d9cda29828a0ab0ce24800a4c3d932b0338bf35467c7d39f
  SHA512: 89ed36699dff964d0d71938a7b744eb1ca6f9a63c94381c109c6a68891f4c8c7a3452a2dba75504d678154fdb88b79740cf409510571b47ed6a666521b3d9a8e
- Memory dumps of PID 4324 (bbnn.exe):
  memory/4324-147-0x0000000000AD0000-0x0000000000B00000-memory.dmp (192KB)
  memory/4324-148-0x0000000005A10000-0x0000000005FB4000-memory.dmp (5.6MB)
  memory/4324-149-0x0000000005540000-0x00000000055A6000-memory.dmp (408KB)
  memory/4324-150-0x00000000054C0000-0x00000000054D0000-memory.dmp (64KB)
  memory/4324-151-0x0000000006620000-0x00000000066B2000-memory.dmp (584KB)
  memory/4324-152-0x00000000067B0000-0x00000000067BA000-memory.dmp (40KB)
  memory/4324-153-0x0000000006820000-0x0000000006870000-memory.dmp (320KB)
  memory/4324-154-0x0000000006A40000-0x0000000006C02000-memory.dmp (1.8MB)
  memory/4324-155-0x00000000054C0000-0x00000000054D0000-memory.dmp (64KB)