Malware Analysis Report

2024-10-23 22:01

Sample ID  230716-jmhxmaeb3z
Target     Purchase_Order.pdf.js
SHA256     2e0cbf4f1d9cb97c620adc42521a0a10df04103d394f661e6255d3d20ee2715f
Tags       agenttesla wshrat collection keylogger persistence spyware stealer trojan
Score      10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score         10/10
SHA256        2e0cbf4f1d9cb97c620adc42521a0a10df04103d394f661e6255d3d20ee2715f
Threat Level  Known bad

The file Purchase_Order.pdf.js was found to be: Known bad.

Chain observed in the Windows 10 run (behavioral2): wscript.exe executes the double-extension script Purchase_Order.pdf.js, which writes SPESGK.vbs to %TEMP% and to the user's Startup folder, registers it under both the HKLM and HKCU Run keys as "wscript.exe //B ...SPESGK.vbs" (the WSHRAT detection), and also launches origin.vbs. A dropped executable, C:\Users\Admin\AppData\Local\Tempwinlogon.exe, then queries ip-api.com for the external IP address, opens the Outlook profile keys, reads browser, FTP and mail client data, installs a SetWindowsHookEx hook, enables SeDebugPrivilege, and writes a second HKCU Run value ("Windows Update") pointing at %TEMP%\Windows Update\Windows Update.exe; this behavior is consistent with the AgentTesla detection. Network traffic goes to grapemundo.com:443 (also the only contact made by wscript.exe in the Windows 7 run) and, repeatedly, to chongmei33.publicvm.com:7045. The Windows 7 run (behavioral1) reached grapemundo.com and dropped no files.

Points a responder should note:

  The dropped executable path has no separator between "Temp" and "winlogon.exe": the file is Tempwinlogon.exe directly under %LOCALAPPDATA%, not winlogon.exe under %TEMP%. Hunts for %TEMP%\winlogon.exe will miss it.
  "Windows Update.exe", referenced by the second Run value, does not appear among the files recorded in this detonation.
  The HKLM Run value was written successfully by WScript.exe, so the detonation ran with administrative rights; on a standard-user host only the HKCU value and the Startup folder copy would be expected to land.

Malicious Activity Summary

agenttesla wshrat collection keylogger persistence spyware stealer trojan

  AgentTesla
  WSHRAT payload
  WSHRAT
  Blocklisted process makes network request
  Drops startup file
  Reads user/profile data of web browsers
  Reads user/profile data of local email clients
  Reads data files stored by FTP clients
  Executes dropped EXE
  Checks computer location settings
  Looks up external IP address via web service
  Accesses Microsoft Outlook profiles
  Adds Run key to start application
  Enumerates physical storage devices
  outlook_win_path
  Suspicious use of SetWindowsHookEx
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  outlook_office_path
  Modifies registry class
  Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported   2023-07-16 07:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted         2023-07-16 07:47
Reported          2023-07-16 07:49
Platform          win7-20230712-en
Max time kernel   121s
Max time network  125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Purchase_Order.pdf.js

Signatures

Blocklisted process makes network request
  4 hits from C:\Windows\system32\wscript.exe; no indicator or target recorded.

Processes

C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\Purchase_Order.pdf.js

Network

Country | Destination        | Domain         | Proto | Count
US      | 8.8.8.8:53         | grapemundo.com | udp   | 1
IN      | 103.50.163.157:443 | grapemundo.com | tcp   | 4

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted         2023-07-16 07:47
Reported          2023-07-16 07:49
Platform          win10v2004-20230703-en
Max time kernel   150s
Max time network  154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Purchase_Order.pdf.js

Signatures

AgentTesla
  tags: keylogger trojan stealer spyware agenttesla

WSHRAT
  tags: trojan wshrat

WSHRAT payload
  2 hits; no indicator, process or target recorded.

Checks computer location settings
  Description | Indicator | Process | Target
  Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A
  Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A
  Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Drops startup file
  Description | Indicator | Process | Target
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPESGK.vbs | C:\Windows\System32\WScript.exe | N/A
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPESGK.vbs | C:\Windows\System32\WScript.exe | N/A

Executes dropped EXE
  Description | Indicator | Process | Target
  N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Reads data files stored by FTP clients
  tags: spyware stealer

Reads user/profile data of local email clients
  tags: spyware stealer

Reads user/profile data of web browsers
  tags: spyware stealer

Accesses Microsoft Outlook profiles
  tags: collection
  Description | Indicator | Process | Target
  Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A
  Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A
  Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Adds Run key to start application
  tags: persistence
  Description | Indicator | Process | Target
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPESGK = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SPESGK.vbs\"" | C:\Windows\System32\WScript.exe | N/A
  Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe" | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A
  Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A
  Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPESGK = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SPESGK.vbs\"" | C:\Windows\System32\WScript.exe | N/A
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A

Looks up external IP address via web service
  Description | Indicator | Process | Target
  N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Modifies registry class
  Description | Indicator | Process | Target
  Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A
  Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A

Suspicious behavior: EnumeratesProcesses
  2 hits from C:\Users\Admin\AppData\Local\Tempwinlogon.exe; no indicator or target recorded.

Suspicious use of AdjustPrivilegeToken
  Description | Indicator | Process | Target
  Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Suspicious use of SetWindowsHookEx
  Description | Indicator | Process | Target
  N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

outlook_office_path
  Description | Indicator | Process | Target
  Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

outlook_win_path
  Description | Indicator | Process | Target
  Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A

Processes

C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\Purchase_Order.pdf.js

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SPESGK.vbs"

C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"

C:\Users\Admin\AppData\Local\Tempwinlogon.exe
  "C:\Users\Admin\AppData\Local\Tempwinlogon.exe"

Network

Rows are aggregated in first-seen order; Count is the number of identical rows in the capture.

Country | Destination        | Domain                  | Proto | Count
US      | 8.8.8.8:53         | grapemundo.com          | udp   | 1
IN      | 103.50.163.157:443 | grapemundo.com          | tcp   | 1
US      | 8.8.8.8:53         | ip-api.com              | udp   | 1
US      | 208.95.112.1:80    | ip-api.com              | tcp   | 1
US      | 8.8.8.8:53         | chongmei33.publicvm.com | udp   | 1
SG      | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp   | 26

Reverse (PTR) lookups, all to 8.8.8.8:53 over udp, one query each (17 in total), in the order they were seen:
  68.159.190.20, 95.221.229.192, 157.163.50.103, 126.178.238.8, 241.154.82.20, 142.33.222.23, 9.101.122.92, 26.35.223.20, 2.136.104.51, 155.245.36.23, 1.112.95.208, 35.144.47.103, 146.78.124.51, 183.59.114.20, 171.39.242.20, 1.202.248.87, 123.10.44.20 (each suffixed .in-addr.arpa)

Three of these are the reverse lookups of the hosts contacted above (103.50.163.157, 208.95.112.1 and 103.47.144.35, octets reversed); the rest are not tied to any forward connection in this capture.
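When a report like this lands in a ticket, the first job is to turn the raw Network table into a short list of unique destinations, separating the sandbox's DNS traffic and PTR noise from the hosts actually contacted. The following is an added example, not code from the report or from the sandbox vendor; SAMPLE_ROWS is a constructed subset of the rows above (copied row for row), and the dynamic-DNS suffix list and the geoip-service set are assumptions chosen for illustration.

```python
"""Aggregate a sandbox report's Network table into unique destinations.

Added example; not part of the original report. SAMPLE_ROWS is a constructed
subset of the behavioral2 Network section, copied row for row.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed subset of the report's rows: Country Destination Domain Proto
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 grapemundo.com udp
IN 103.50.163.157:443 grapemundo.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SG 103.47.144.35:7045 chongmei33.publicvm.com tcp
US 8.8.8.8:53 35.144.47.103.in-addr.arpa udp
SG 103.47.144.35:7045 chongmei33.publicvm.com tcp
SG 103.47.144.35:7045 chongmei33.publicvm.com tcp
"""

# The sandbox's resolver: rows to it are lookups the sample (or the OS) made.
SANDBOX_RESOLVER = "8.8.8.8:53"
# Dynamic-DNS providers worth flagging (assumed short list for illustration).
DYNDNS_SUFFIXES = (".publicvm.com", ".ddns.net", ".duckdns.org", ".no-ip.org")
# Services that only return the victim's public IP: poor block candidates,
# but a useful "first beacon" indicator (assumed set).
GEOIP_SERVICES = {"ip-api.com"}


@dataclass(frozen=True)
class Endpoint:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue  # header, blank or malformed row
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append(Endpoint(country, ip, int(port), domain, proto.lower()))
    return rows


def is_lookup(ep):
    return f"{ep.ip}:{ep.port}" == SANDBOX_RESOLVER


def is_ptr(ep):
    return ep.domain.endswith(".in-addr.arpa")


def classify(ep):
    if ep.domain in GEOIP_SERVICES:
        return "geoip-lookup"
    if ep.domain.endswith(DYNDNS_SUFFIXES):
        return "dyndns-c2-candidate"
    return "other"


def summarize(text):
    """{Endpoint: (row count, label)} for traffic that is not DNS or PTR noise."""
    counts = Counter(ep for ep in parse_rows(text)
                     if not is_lookup(ep) and not is_ptr(ep))
    return {ep: (n, classify(ep)) for ep, n in counts.items()}


def resolved_names(text):
    """Unique forward names the sample resolved (reverse lookups dropped)."""
    return sorted({ep.domain for ep in parse_rows(text)
                   if is_lookup(ep) and not is_ptr(ep)})


if __name__ == "__main__":
    for ep, (n, label) in summarize(SAMPLE_ROWS).items():
        print(f"{ep.ip}:{ep.port}/{ep.proto} {ep.domain} ({ep.country}) x{n} [{label}]")
    print("resolved:", ", ".join(resolved_names(SAMPLE_ROWS)))
```

Run against the full table above this yields three real destinations; the 26 connections to 103.47.144.35:7045 collapse to one dynamic-DNS candidate with a count, which is what belongs in a block list, while ip-api.com is better kept as a detection signal than blocked outright.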

Files

C:\Users\Admin\AppData\Local\Temp\SPESGK.vbs
  MD5     caec1686fe2f17ceb59db064b80a9b9c
  SHA1    de3fc1f6f4b94e327eb729a4290975e269f86fbe
  SHA256  0f7d03b6fe00c7ca6bf1a2325e65db44bdfafcd43397fdc52db335204eb129ac
  SHA512  375388568c6de97930605573528e3b064353a98eea3d73bf0fed72639dd248232c509d759b5cd0d6926ded263ca40e332d416364f72650bb8c873daa0d20d3b6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPESGK.vbs (identical content to the %TEMP% copy)
  MD5     caec1686fe2f17ceb59db064b80a9b9c
  SHA1    de3fc1f6f4b94e327eb729a4290975e269f86fbe
  SHA256  0f7d03b6fe00c7ca6bf1a2325e65db44bdfafcd43397fdc52db335204eb129ac
  SHA512  375388568c6de97930605573528e3b064353a98eea3d73bf0fed72639dd248232c509d759b5cd0d6926ded263ca40e332d416364f72650bb8c873daa0d20d3b6

C:\Users\Admin\AppData\Local\Temp\origin.vbs
  MD5     d593230ad945cc8c2db3237ff31624d4
  SHA1    a89e668a3026c2158b40489ddc8f211092472e1b
  SHA256  fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88
  SHA512  938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846

C:\Users\Admin\AppData\Local\Tempwinlogon.exe
  MD5     d78e00882aa872bb8daaa715d7014413
  SHA1    cb242a2e1d65263d733b45d0cda17ce50cb4e376
  SHA256  58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9
  SHA512  613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6


Memory dumps (PID 2236)

  memory/2236-162-0x00000000748D0000-0x0000000075080000-memory.dmp
  memory/2236-163-0x0000000000ED0000-0x0000000000F00000-memory.dmp
  memory/2236-164-0x0000000005F30000-0x00000000064D4000-memory.dmp
  memory/2236-167-0x0000000005AB0000-0x0000000005AC0000-memory.dmp
  memory/2236-168-0x00000000058C0000-0x0000000005926000-memory.dmp
  memory/2236-172-0x0000000006930000-0x0000000006980000-memory.dmp
  memory/2236-173-0x0000000006B50000-0x0000000006D12000-memory.dmp
  memory/2236-175-0x0000000006A20000-0x0000000006AB2000-memory.dmp
  memory/2236-176-0x0000000006AC0000-0x0000000006ACA000-memory.dmp
  memory/2236-177-0x00000000748D0000-0x0000000075080000-memory.dmp
  memory/2236-178-0x0000000005AB0000-0x0000000005AC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6V1Y4KVO\json[1].json (IE cache entry; consistent with the HTTP request to ip-api.com in the Network table)
  MD5     0c17abb0ed055fecf0c48bb6e46eb4eb
  SHA1    a692730c8ec7353c31b94a888f359edb54aaa4c8
  SHA256  f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0
  SHA512  645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3
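The persistence, dropped-EXE, Outlook-profile and file entries recorded for behavioral2 translate directly into host detection logic. The following is an added example, not code from the report or from any detection product: it runs a handful of behavioral rules over constructed, Sysmon-like events modelled on the chain above (the event dict keys are an assumed schema, not Sysmon's real field names), plus a hash match against the SHA256 values in the Files section. The benign control at the end (Outlook reading its own profile) shows why the profile rule keys on the accessing process rather than the key path alone.

```python
"""Behavioral rules for the WSHRAT / AgentTesla chain in this report.

Added example; not part of the original report. SAMPLE_EVENTS is constructed
telemetry modelled on the behavioral2 run; field names are assumptions.
"""
import re

# Dropped-file hashes copied from the Files section of the report.
KNOWN_SHA256 = {
    "0f7d03b6fe00c7ca6bf1a2325e65db44bdfafcd43397fdc52db335204eb129ac": "SPESGK.vbs",
    "fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88": "origin.vbs",
    "58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9": "Tempwinlogon.exe",
}

USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.I)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
# //B suppresses script errors and prompts; the report's Run value uses it.
SILENT_WSH = re.compile(r"\b(wscript|cscript)(\.exe)?\s+//B\b", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png)\.(js|vbs|wsf|jse|vbe)\"?$", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|js|jse|vbe|wsf|bat|cmd|ps1)$", re.I)
OUTLOOK_PROFILE = re.compile(r"\\Outlook\\Profiles\\", re.I)


def rule_script_host(ev):
    """Process: wscript/cscript running a script with a lure double extension
    or out of a user-writable directory."""
    if ev["type"] != "process" or not SCRIPT_HOST.search(ev["image"]):
        return None
    if DOUBLE_EXT.search(ev["cmdline"]):
        return "wsh_double_extension_script"
    if USER_WRITABLE.search(ev["cmdline"]):
        return "wsh_script_in_appdata"
    return None


def rule_exe_in_appdata(ev):
    """Process: an executable launched from AppData (the dropped Tempwinlogon.exe)."""
    if ev["type"] == "process" and ev["image"].lower().endswith(".exe") \
            and USER_WRITABLE.search(ev["image"]) and not SCRIPT_HOST.search(ev["image"]):
        return "exe_in_appdata"
    return None


def rule_run_key(ev):
    """Registry: Run value that launches WSH silently or an AppData executable."""
    if ev["type"] != "registry_set" or not RUN_KEY.search(ev["key"]):
        return None
    if SILENT_WSH.search(ev["data"]):
        return "runkey_wscript_silent"
    if USER_WRITABLE.search(ev["data"]):
        return "runkey_appdata_exe"
    return None


def rule_startup_script(ev):
    """File: script written into the user's Startup folder."""
    if ev["type"] == "file_create" and STARTUP_DIR.search(ev["path"]) \
            and SCRIPT_EXT.search(ev["path"]):
        return "startup_folder_script"
    return None


def rule_known_hash(ev):
    if ev["type"] == "file_create" and ev.get("sha256") in KNOWN_SHA256:
        return "known_hash:" + KNOWN_SHA256[ev["sha256"]]
    return None


def rule_outlook_profile(ev):
    """Registry: a process other than Outlook opening Outlook profile keys."""
    if ev["type"] == "registry_open" and OUTLOOK_PROFILE.search(ev["key"]) \
            and not ev["image"].lower().endswith("\\outlook.exe"):
        return "outlook_profile_access_by_non_outlook"
    return None


RULES = [rule_script_host, rule_exe_in_appdata, rule_run_key,
         rule_startup_script, rule_known_hash, rule_outlook_profile]


def evaluate(events):
    """Return (event index, rule hit) pairs in event order."""
    return [(i, hit) for i, ev in enumerate(events)
            for hit in (r(ev) for r in RULES) if hit]


# Constructed events modelled on the behavioral2 run (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\Admin\AppData\Local\Temp\Purchase_Order.pdf.js"},
    {"type": "file_create", "image": r"C:\Windows\System32\WScript.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPESGK.vbs",
     "sha256": "0f7d03b6fe00c7ca6bf1a2325e65db44bdfafcd43397fdc52db335204eb129ac"},
    {"type": "registry_set", "image": r"C:\Windows\System32\WScript.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPESGK",
     "data": r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\SPESGK.vbs"'},
    {"type": "process", "image": r"C:\Users\Admin\AppData\Local\Tempwinlogon.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"'},
    {"type": "registry_open", "image": r"C:\Users\Admin\AppData\Local\Tempwinlogon.exe",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    # Benign control: Outlook reading its own profile must not fire.
    {"type": "registry_open", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
]

if __name__ == "__main__":
    for idx, hit in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

Note that rule_exe_in_appdata matches on the image path as written, so it catches C:\Users\Admin\AppData\Local\Tempwinlogon.exe without assuming a Temp subdirectory; a rule written as "%TEMP%\winlogon.exe" would miss this sample.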