Analysis
  max time kernel: 129s
  max time network: 134s
  platform: windows10_x64
  resource: win10v200430
  submitted: 24-06-2020 15:08
Static task: static1
Behavioral task: behavioral1
  Sample: SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  Resource: win10v200430
General
  Target: SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  Size: 1.4MB
  MD5: 4c44f7cd52dd7f496a3becf1c1de3dca
  SHA1: dacdf39c0c61a74b8f30d406ab8d7e2575244e19
  SHA256: 301e1fa5855704be7f2c773cb7393098c89fe31b40dc6237420835d1c53a6a64
  SHA512: 33393a0187ae4005f3f4e569dda510b9d6abb89fbfb6da0038a13457fed9e5ef972f6919d15aa765c9ceec583bc9639359dbfc793f5a9c1aa3d7f3e43d518dce
Malware Config
  Extracted family: agenttesla
  Protocol: smtp
  Host: mail.rajalakshmi.co.in
  Port: 587
  Username: projects@rajalakshmi.co.in
  Password: 016_PROjects*
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (14 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/420-0-0x0000000000150000-0x00000000001A2000-memory.dmp   family_agenttesla
  behavioral2/memory/420-1-0x000000000019D3AE-mapping.dmp                     family_agenttesla
  behavioral2/memory/420-9-0x000000000019D3AE-mapping.dmp                     family_agenttesla
  behavioral2/memory/420-10-0x000000000019D3AE-mapping.dmp                    family_agenttesla
  behavioral2/memory/420-11-0x000000000019D3AE-mapping.dmp                    family_agenttesla
  behavioral2/memory/420-12-0x000000000019D3AE-mapping.dmp                    family_agenttesla
  behavioral2/memory/420-13-0x000000000019D3AE-mapping.dmp                    family_agenttesla
  behavioral2/memory/420-14-0x000000000019D3AE-mapping.dmp                    family_agenttesla
  behavioral2/memory/420-15-0x000000000019D3AE-mapping.dmp                    family_agenttesla
  behavioral2/memory/420-16-0x000000000019D3AE-mapping.dmp                    family_agenttesla
  behavioral2/memory/420-17-0x000000000019D3AE-mapping.dmp                    family_agenttesla
  behavioral2/memory/420-18-0x000000000019D3AE-mapping.dmp                    family_agenttesla
  behavioral2/memory/420-19-0x000000000019D3AE-mapping.dmp                    family_agenttesla
  behavioral2/memory/420-20-0x000000000019D3AE-mapping.dmp                    family_agenttesla
Drops file in Drivers directory (1 IoC)
  Processes: MSBuild.exe
  description                    ioc                                      process
  File opened for modification   C:\Windows\system32\drivers\etc\hosts    MSBuild.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: MSBuild.exe
  description       ioc                                                                                                                                                                       process
  Set value (str)   \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe"   MSBuild.exe
Suspicious use of SetThreadContext (1 IoC)
  Processes: SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  description                          pid    process                                       target process
  PID 3656 set thread context of 420   3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe    MSBuild.exe
Program crash (1 IoC)
  Processes: WerFault.exe
  pid    pid_target   process        target process
  3432   420          WerFault.exe   MSBuild.exe
Modifies registry key (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (36 IoCs)
  Processes: MSBuild.exe, SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe, WerFault.exe
  pid    process
  420    MSBuild.exe
  420    MSBuild.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3432   WerFault.exe
  3432   WerFault.exe
  3432   WerFault.exe
  3432   WerFault.exe
  3432   WerFault.exe
  3432   WerFault.exe
  3432   WerFault.exe
  3432   WerFault.exe
  3432   WerFault.exe
  3432   WerFault.exe
  3432   WerFault.exe
  3432   WerFault.exe
  3432   WerFault.exe
  3432   WerFault.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: MSBuild.exe, WerFault.exe
  description                 pid    process
  Token: SeDebugPrivilege     420    MSBuild.exe
  Token: SeRestorePrivilege   3432   WerFault.exe
  Token: SeBackupPrivilege    3432   WerFault.exe
  Token: SeDebugPrivilege     3432   WerFault.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  pid    process
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  pid    process
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
  3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe, MSBuild.exe
  description                         pid    process                                       target process
  PID 3656 wrote to memory of 420     3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe    MSBuild.exe
  PID 3656 wrote to memory of 420     3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe    MSBuild.exe
  PID 3656 wrote to memory of 420     3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe    MSBuild.exe
  PID 3656 wrote to memory of 420     3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe    MSBuild.exe
  PID 3656 wrote to memory of 420     3656   SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe    MSBuild.exe
  PID 420 wrote to memory of 2576     420    MSBuild.exe                                   REG.exe
  PID 420 wrote to memory of 2576     420    MSBuild.exe                                   REG.exe
  PID 420 wrote to memory of 2576     420    MSBuild.exe                                   REG.exe
Processes (tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS AND EXIT ENTRY NOTE.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      command line: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      - Drops file in Drivers directory
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\REG.exe
         command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
         - Modifies registry key

      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 1528
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Downloads
  memory/420-13-0x000000000019D3AE-mapping.dmp
  memory/420-9-0x000000000019D3AE-mapping.dmp
  memory/420-0-0x0000000000150000-0x00000000001A2000-memory.dmp   (filesize 328KB)
  memory/420-20-0x000000000019D3AE-mapping.dmp
  memory/420-14-0x000000000019D3AE-mapping.dmp
  memory/420-10-0x000000000019D3AE-mapping.dmp
  memory/420-11-0x000000000019D3AE-mapping.dmp
  memory/420-15-0x000000000019D3AE-mapping.dmp
  memory/420-19-0x000000000019D3AE-mapping.dmp
  memory/420-1-0x000000000019D3AE-mapping.dmp
  memory/420-12-0x000000000019D3AE-mapping.dmp
  memory/420-16-0x000000000019D3AE-mapping.dmp
  memory/420-17-0x000000000019D3AE-mapping.dmp
  memory/420-18-0x000000000019D3AE-mapping.dmp
  memory/2576-3-0x0000000000000000-mapping.dmp
  memory/3432-7-0x0000000004250000-0x0000000004251000-memory.dmp   (filesize 4KB)
  memory/3432-21-0x0000000004A80000-0x0000000004A81000-memory.dmp  (filesize 4KB)