Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-07-2023 07:47
Static task: static1
Behavioral task: behavioral1 (Sample: Purchase_Order.pdf.js; Resource: win7-20230712-en)
Behavioral task: behavioral2 (Sample: Purchase_Order.pdf.js; Resource: win10v2004-20230703-en)
General
- Target: Purchase_Order.pdf.js
- Size: 6KB
- MD5: 22ef674791168c60e62f62f00be76cbc
- SHA1: edad10bc2c6491883a7a21ca36350e234d1a7f0e
- SHA256: 2e0cbf4f1d9cb97c620adc42521a0a10df04103d394f661e6255d3d20ee2715f
- SHA512: 446e14b693b05555310e4a63f7f5d7d30247fdd08c7a5e9872193cc56f2683d2961aef2c73782e16581d309eabf671181f604bddfac9aca782f786d393a5553b
- SSDEEP: 96:3mqLtJxkhmLILevLqyL8g4cLZL7SPLx7LELIL3LWLOVL+++d:3meJtUezR8g4gN7STxXIU7iOh+++d
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: pifgweijlylkellk
- Email To: [email protected]
Extracted: wshrat
- C2: http://chongmei33.publicvm.com:7045
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
WSHRAT payload 2 IoCs
Processes: (resource, yara_rule)
- C:\Users\Admin\AppData\Local\Temp\SPESGK.vbs: family_wshrat
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPESGK.vbs: family_wshrat
-
Blocklisted process makes network request 30 IoCs
Processes: wscript.exe, WScript.exe (flow, pid, process)
- wscript.exe (PID 4356): flows 8, 16, 18
- WScript.exe (PID 4000): flows 40, 43, 49, 50, 57, 67, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 94, 96, 97
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe, wscript.exe, WScript.exe (description, ioc, process)
- Key value queried: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation (wscript.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation (WScript.exe)
-
Drops startup file 2 IoCs
Processes: WScript.exe (description, ioc, process)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPESGK.vbs (WScript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPESGK.vbs (WScript.exe)
-
Executes dropped EXE 1 IoCs
Processes: Tempwinlogon.exe (pid, process)
- 2236: Tempwinlogon.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: Tempwinlogon.exe (description, ioc, process)
- Key opened: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Tempwinlogon.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Tempwinlogon.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Tempwinlogon.exe)
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes: WScript.exe, Tempwinlogon.exe (description, ioc, process)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPESGK = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SPESGK.vbs\"" (WScript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe" (Tempwinlogon.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\software\microsoft\windows\currentversion\run (WScript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPESGK = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SPESGK.vbs\"" (WScript.exe)
- Key created: \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run (WScript.exe)
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes: (flow, ioc)
- flow 39: ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes: wscript.exe, WScript.exe (description, ioc, process)
- Key created: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings (wscript.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings (WScript.exe)
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: Tempwinlogon.exe (pid, process)
- 2236: Tempwinlogon.exe
- 2236: Tempwinlogon.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: Tempwinlogon.exe (description, pid, process)
- Token: SeDebugPrivilege, 2236 (Tempwinlogon.exe)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Tempwinlogon.exe (pid, process)
- 2236: Tempwinlogon.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes: wscript.exe, WScript.exe, WScript.exe (description, pid, process, target process)
- PID 4356 wrote to memory of 4000: wscript.exe -> WScript.exe
- PID 4356 wrote to memory of 4000: wscript.exe -> WScript.exe
- PID 4000 wrote to memory of 2960: WScript.exe -> WScript.exe
- PID 4000 wrote to memory of 2960: WScript.exe -> WScript.exe
- PID 2960 wrote to memory of 2236: WScript.exe -> Tempwinlogon.exe
- PID 2960 wrote to memory of 2236: WScript.exe -> Tempwinlogon.exe
- PID 2960 wrote to memory of 2236: WScript.exe -> Tempwinlogon.exe
-
outlook_office_path 1 IoCs
Processes: Tempwinlogon.exe (description, ioc, process)
- Key opened: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Tempwinlogon.exe)
-
outlook_win_path 1 IoCs
Processes: Tempwinlogon.exe (description, ioc, process)
- Key opened: \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Tempwinlogon.exe)
Processes
1. C:\Windows\system32\wscript.exe (PID 4356)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\Purchase_Order.pdf.js
   - Blocklisted process makes network request
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WScript.exe (PID 4000, child of 1)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SPESGK.vbs"
      - Blocklisted process makes network request
      - Checks computer location settings
      - Drops startup file
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\WScript.exe (PID 2960, child of 2)
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Tempwinlogon.exe (PID 2236, child of 3)
            Command line: "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
            - Executes dropped EXE
            - Accesses Microsoft Outlook profiles
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - outlook_office_path
            - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 323B
MD5: 0c17abb0ed055fecf0c48bb6e46eb4eb
SHA1: a692730c8ec7353c31b94a888f359edb54aaa4c8
SHA256: f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
SHA512: 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3
-
Filesize: 558KB
MD5: caec1686fe2f17ceb59db064b80a9b9c
SHA1: de3fc1f6f4b94e327eb729a4290975e269f86fbe
SHA256: 0f7d03b6fe00c7ca6bf1a2325e65db44bdfafcd43397fdc52db335204eb129ac
SHA512: 375388568c6de97930605573528e3b064353a98eea3d73bf0fed72639dd248232c509d759b5cd0d6926ded263ca40e332d416364f72650bb8c873daa0d20d3b6
-
Filesize: 331KB
MD5: d593230ad945cc8c2db3237ff31624d4
SHA1: a89e668a3026c2158b40489ddc8f211092472e1b
SHA256: fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88
SHA512: 938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846
-
Filesize: 165KB
MD5: d78e00882aa872bb8daaa715d7014413
SHA1: cb242a2e1d65263d733b45d0cda17ce50cb4e376
SHA256: 58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
SHA512: 613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6