Analysis
- max time kernel: 149s
- max time network: 6s
- platform: windows7_x64
- resource: win7
- submitted: 24-06-2020 15:08
Static task: static1
Behavioral task: behavioral1
- Sample: SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
- Resource: win10v200430
General
- Target: SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
- Size: 1.4MB
- MD5: 4c44f7cd52dd7f496a3becf1c1de3dca
- SHA1: dacdf39c0c61a74b8f30d406ab8d7e2575244e19
- SHA256: 301e1fa5855704be7f2c773cb7393098c89fe31b40dc6237420835d1c53a6a64
- SHA512: 33393a0187ae4005f3f4e569dda510b9d6abb89fbfb6da0038a13457fed9e5ef972f6919d15aa765c9ceec583bc9639359dbfc793f5a9c1aa3d7f3e43d518dce
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.rajalakshmi.co.in
- Port: 587
- Username: projects@rajalakshmi.co.in
- Password: 016_PROjects*
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1488-0-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1488-1-0x000000000044D3AE-mapping.dmp | family_agenttesla
  behavioral1/memory/1488-2-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- Drops file in Drivers directory (1 IoC)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | MSBuild.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe" | MSBuild.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1424 set thread context of 1488 | 1424 | SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe | MSBuild.exe
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
  pid | process
  1488 | MSBuild.exe (2 entries)
  1424 | SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe (14 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1488 | MSBuild.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  pid | process
  1424 | SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe (3 entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
  pid | process
  1424 | SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe (3 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  1488 | MSBuild.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description | pid | process | target process
  PID 1424 wrote to memory of 1488 | 1424 | SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe | MSBuild.exe (6 entries)
  PID 1488 wrote to memory of 1500 | 1488 | MSBuild.exe | REG.exe (4 entries)
  PID 1488 wrote to memory of 1800 | 1488 | MSBuild.exe | netsh.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    Command line: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      - Modifies registry key
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1488-0-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize 328KB)
- memory/1488-1-0x000000000044D3AE-mapping.dmp
- memory/1488-2-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize 328KB)
- memory/1500-3-0x0000000000000000-mapping.dmp
- memory/1800-4-0x0000000000000000-mapping.dmp