Analysis Overview
SHA256
2e0cbf4f1d9cb97c620adc42521a0a10df04103d394f661e6255d3d20ee2715f
Threat Level: Known bad
The file Purchase_Order.pdf.js was found to be: Known bad.
Malicious Activity Summary
AgentTesla
WSHRAT payload
WSHRAT
Blocklisted process makes network request
Drops startup file
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Adds Run key to start application
Enumerates physical storage devices
outlook_win_path
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-16 07:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-16 07:47
Reported
2023-07-16 07:49
Platform
win7-20230712-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Purchase_Order.pdf.js
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | grapemundo.com | udp |
| IN | 103.50.163.157:443 | grapemundo.com | tcp |
| IN | 103.50.163.157:443 | grapemundo.com | tcp |
| IN | 103.50.163.157:443 | grapemundo.com | tcp |
| IN | 103.50.163.157:443 | grapemundo.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-16 07:47
Reported
2023-07-16 07:49
Platform
win10v2004-20230703-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
AgentTesla
WSHRAT
WSHRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPESGK.vbs | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPESGK.vbs | C:\Windows\System32\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPESGK = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SPESGK.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Update\\Windows Update.exe" | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SPESGK = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SPESGK.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings | C:\Windows\System32\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4356 wrote to memory of 4000 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 4356 wrote to memory of 4000 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WScript.exe |
| PID 4000 wrote to memory of 2960 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WScript.exe |
| PID 4000 wrote to memory of 2960 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WScript.exe |
| PID 2960 wrote to memory of 2236 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Tempwinlogon.exe |
| PID 2960 wrote to memory of 2236 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Tempwinlogon.exe |
| PID 2960 wrote to memory of 2236 | N/A | C:\Windows\System32\WScript.exe | C:\Users\Admin\AppData\Local\Tempwinlogon.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Tempwinlogon.exe | N/A |
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Purchase_Order.pdf.js
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SPESGK.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\origin.vbs"
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
"C:\Users\Admin\AppData\Local\Tempwinlogon.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | grapemundo.com | udp |
| IN | 103.50.163.157:443 | grapemundo.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.163.50.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.33.222.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.101.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.245.36.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chongmei33.publicvm.com | udp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 35.144.47.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
| SG | 103.47.144.35:7045 | chongmei33.publicvm.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\SPESGK.vbs
| Hash | Value |
| --- | --- |
| MD5 | caec1686fe2f17ceb59db064b80a9b9c |
| SHA1 | de3fc1f6f4b94e327eb729a4290975e269f86fbe |
| SHA256 | 0f7d03b6fe00c7ca6bf1a2325e65db44bdfafcd43397fdc52db335204eb129ac |
| SHA512 | 375388568c6de97930605573528e3b064353a98eea3d73bf0fed72639dd248232c509d759b5cd0d6926ded263ca40e332d416364f72650bb8c873daa0d20d3b6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SPESGK.vbs
| Hash | Value |
| --- | --- |
| MD5 | caec1686fe2f17ceb59db064b80a9b9c |
| SHA1 | de3fc1f6f4b94e327eb729a4290975e269f86fbe |
| SHA256 | 0f7d03b6fe00c7ca6bf1a2325e65db44bdfafcd43397fdc52db335204eb129ac |
| SHA512 | 375388568c6de97930605573528e3b064353a98eea3d73bf0fed72639dd248232c509d759b5cd0d6926ded263ca40e332d416364f72650bb8c873daa0d20d3b6 |
C:\Users\Admin\AppData\Local\Temp\origin.vbs
| Hash | Value |
| --- | --- |
| MD5 | d593230ad945cc8c2db3237ff31624d4 |
| SHA1 | a89e668a3026c2158b40489ddc8f211092472e1b |
| SHA256 | fbe3fe3d46d3037f1a770e778a69dac55db62929b9571746e19c63ea59b28d88 |
| SHA512 | 938e43724b56bd4a23a122b22b366bc0564f77a1ee1b8b3a576ab2e5c9f6877d36cdb68fcd9f762d617f94b8cf309ad378a2ab321eaf34e5542f5f0cd9ac3846 |
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
| Hash | Value |
| --- | --- |
| MD5 | d78e00882aa872bb8daaa715d7014413 |
| SHA1 | cb242a2e1d65263d733b45d0cda17ce50cb4e376 |
| SHA256 | 58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9 |
| SHA512 | 613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6 |
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
| Hash | Value |
| --- | --- |
| MD5 | d78e00882aa872bb8daaa715d7014413 |
| SHA1 | cb242a2e1d65263d733b45d0cda17ce50cb4e376 |
| SHA256 | 58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9 |
| SHA512 | 613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6 |
C:\Users\Admin\AppData\Local\Tempwinlogon.exe
| Hash | Value |
| --- | --- |
| MD5 | d78e00882aa872bb8daaa715d7014413 |
| SHA1 | cb242a2e1d65263d733b45d0cda17ce50cb4e376 |
| SHA256 | 58fe22735658313bf69b6e34aac69887063aa1d9618a1ae1e99822f47087dfe9 |
| SHA512 | 613fed6c36d26fa18544eae2316e6e6e43a6e67eeb31fd043bd2833ca6b5b88b9b1a16db43a592196c365bf1326eac3a4511171d896bfcdcf5454566327e1ac6 |
memory/2236-162-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/2236-163-0x0000000000ED0000-0x0000000000F00000-memory.dmp
memory/2236-164-0x0000000005F30000-0x00000000064D4000-memory.dmp
memory/2236-167-0x0000000005AB0000-0x0000000005AC0000-memory.dmp
memory/2236-168-0x00000000058C0000-0x0000000005926000-memory.dmp
memory/2236-172-0x0000000006930000-0x0000000006980000-memory.dmp
memory/2236-173-0x0000000006B50000-0x0000000006D12000-memory.dmp
memory/2236-175-0x0000000006A20000-0x0000000006AB2000-memory.dmp
memory/2236-176-0x0000000006AC0000-0x0000000006ACA000-memory.dmp
memory/2236-177-0x00000000748D0000-0x0000000075080000-memory.dmp
memory/2236-178-0x0000000005AB0000-0x0000000005AC0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6V1Y4KVO\json[1].json
| Hash | Value |
| --- | --- |
| MD5 | 0c17abb0ed055fecf0c48bb6e46eb4eb |
| SHA1 | a692730c8ec7353c31b94a888f359edb54aaa4c8 |
| SHA256 | f41e99f954e33e7b0e39930ec8620bf29801efc44275c1ee6b5cfa5e1be202c0 |
| SHA512 | 645a9f2f94461d8a187261b736949df398ece5cfbf1af8653d18d3487ec1269d9f565534c1e249c12f31b3b1a41a8512953b1e991b001fc1360059e3fd494ec3 |