Analysis
- max time kernel: 117s
- max time network: 137s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 17:40

Static task: static1
Behavioral task: behavioral1
- Sample: Shipping Docments.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: Shipping Docments.exe
- Resource: win10v200430
General
- Target: Shipping Docments.exe
- Size: 415KB
- MD5: 264251a5c111ba36e7ae5b75033e064a
- SHA1: 0b2125badde35f7d6355832dfd87ef74de583293
- SHA256: cf83e8ceb458dc6b06d83463d76155d9cfbab7a7cc7432e14892470a3e0a2590
- SHA512: bffe527f86b169a3c80ee545e299689da8318b78513a53f99646eadd63f62d34e7f5bfe0616e9c9cac1fd05c3641f48347ca00788d023903963758ae347cb9d0
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: mail.saharanepal.coop.np
- Port: 587
- Username: sijuwa@saharanepal.coop.np
- Password: sijuwa@sahara

These are the credentials hard-coded in the sample for sending stolen data over SMTP submission (port 587). Treat the mailbox as attacker-usable regardless of who owns the domain, and use the host:port pair as the network indicator to hunt for.
Signatures
- AgentTesla
  Agent Tesla is a .NET-based information stealer and remote access tool (RAT). The CLR_v2.0_32 usage log listed under Downloads shows this sample running under the 32-bit .NET 2.0-era runtime.
- AgentTesla Payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/3960-2-0x0000000000400000-0x0000000000450000-memory.dmp   family_agenttesla
  behavioral2/memory/3960-3-0x000000000044A6BE-mapping.dmp                     family_agenttesla
  Both hits are in the memory of PID 3960, the second copy of the sample, not in the original process 1820: the unpacked payload is only present in the injected child.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1820 (Shipping Docments.exe) set the thread context of PID 3960 (Shipping Docments.exe).
  The parent sets the thread context of a freshly spawned copy of its own image; together with the WriteProcessMemory events into the same PID below, this is the process-hollowing (RunPE) pattern, and the YARA hits above land in that child.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for a sample classified as AgentTesla it is a low-fidelity indicator and should not on its own change the verdict.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    process
  3960   Shipping Docments.exe
  3960   Shipping Docments.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid    process
  Token: SeDebugPrivilege   3960   Shipping Docments.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description        pid    process                 target pid   target process          count
  wrote to memory    1820   Shipping Docments.exe   2520         schtasks.exe            3
  wrote to memory    1820   Shipping Docments.exe   3960         Shipping Docments.exe   8
  The three writes into schtasks.exe are consistent with ordinary process creation (the sandbox logs the parameter block the parent writes into any new child); the eight writes into the child copy of the sample, combined with SetThreadContext, are the injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe (PID 1820)
  command line: "C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2520)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KxrgVNXkAkSND" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9FFF.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe (PID 3960)
    command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Two details of the tree matter for detection. The command line asks for System32\schtasks.exe but the image that ran is the SysWOW64 copy: WOW64 file-system redirection shows the parent is a 32-bit process, so match on the image path rather than the command line. The child copy of the sample was started with the literal command line "{path}", an unsubstituted template token rather than a real path; it is a cheap, high-signal string to alert on.
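Detection logic for the chain above, as an added example that is not part of the sandbox report: three rules over process-creation records shaped like Sysmon Event ID 1, run over records constructed from this page's process tree plus one benign control. The field names (pid, ppid, image, cmdline, parent_image), the explorer.exe parent of PID 1820 and its PPID are assumptions for the example, not values from the report. The schtasks rule matches on the image path, not the command line, for the redirection reason noted above.

```python
"""Flag the AgentTesla-style chain seen in this report in process-creation
telemetry. Added example, not part of the sandbox report; record field
names are assumed, not a real Sysmon schema."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


# Constructed from the report's process tree (PIDs, paths and command lines
# as listed there). The explorer.exe parent and PPID 1000 are assumed.
EVENTS = [
    ProcEvent(1820, 1000,
              r"C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(2520, 1820,
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KxrgVNXkAkSND" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp9FFF.tmp"',
              r"C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe"),
    ProcEvent(3960, 1820,
              r"C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe",
              r'"{path}"',
              r"C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe"),
    # Constructed benign control: an admin importing a task XML from ProgramData.
    ProcEvent(4100, 4000,
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
              r"C:\Windows\System32\cmd.exe"),
]

# A per-user Temp directory, the location the dropper and task XML live in here.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
XML_ARG = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)


def rule_schtasks_xml_from_temp(ev):
    """schtasks /Create importing a task XML from a user Temp folder, spawned
    by a binary that itself lives in Temp. Matches the image path (SysWOW64 or
    System32), never the command line's claimed path."""
    if not ev.image.lower().endswith(r"\schtasks.exe"):
        return None
    if "/create" not in ev.cmdline.lower():
        return None
    m = XML_ARG.search(ev.cmdline)
    xml_path = (m.group(1) or m.group(2)) if m else ""
    if USER_TEMP.search(xml_path) and USER_TEMP.search(ev.parent_image):
        return f"schtasks persistence from Temp: {xml_path}"
    return None


def rule_placeholder_cmdline(ev):
    """Command line is the literal template token '{path}': the loader spawned
    its child without substituting the real path."""
    if ev.cmdline.strip().strip('"') == "{path}":
        return "unsubstituted {path} command line"
    return None


def rule_self_spawn_from_temp(ev):
    """A Temp-resident binary launching a second copy of its own image: the
    shape of the SetThreadContext/WriteProcessMemory hollowing in the report."""
    if ev.image.lower() == ev.parent_image.lower() and USER_TEMP.search(ev.image):
        return "self-spawn of Temp-resident image (hollowing candidate)"
    return None


RULES = (rule_schtasks_xml_from_temp, rule_placeholder_cmdline, rule_self_spawn_from_temp)


def triage(events):
    """Return {pid: [finding, ...]} for every event matching at least one rule."""
    findings = {}
    for ev in events:
        hits = [hit for hit in (rule(ev) for rule in RULES) if hit]
        if hits:
            findings[ev.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, hits)
```

Run against the constructed records, PID 2520 trips the schtasks rule, PID 3960 trips both the placeholder and self-spawn rules, and neither the original dropper (its parent is not itself) nor the benign ProgramData task import is flagged. The self-spawn rule is the noisiest of the three in a real fleet (updaters and installers re-launch themselves), which is why it is scoped to user-writable Temp and why the report's SetThreadContext event is the confirming signal.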
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Shipping Docments.exe.log
  MD5: 3753b01eddc20f64178eaf3d55b5c146
  SHA1: ca50665940eb8519e1df0c1f185fb72a271c2a66
  SHA256: 99096651b1d9b4a7562f56c8e42c06d1166f7f22a93816e2862317ada8154b37
  SHA512: 566366e651e94fab25454fb0199508cd62a64723137b32fbd5bee531110403d9194b9a4fc053740c571a69e820c1c72e48d65fc3a5410a22b6ae9d2e55508bf3
  (usage log written by the 32-bit .NET 2.0-era CLR; its presence confirms the sample is a managed executable)
- C:\Users\Admin\AppData\Local\Temp\tmp9FFF.tmp
  MD5: a1cf2fbccfcd71286bddb8c829d6cc23
  SHA1: 53497d54f362676236e905e529258f917632a293
  SHA256: a25914b6c8c0f9e5a45ced45db58afe0e36c67a116fc6d507df983667338ca85
  SHA512: 32a20c3ca67c33470c211560507ad78b1e6cbbac43ba7d0f8f296f1a5754605a6a2141c579d583917f653dc7a99e241749f9d3224eaccd6a04dd846dab10c47f
  (the scheduled-task XML passed to schtasks.exe /XML in the process tree)
- memory/2520-0-0x0000000000000000-mapping.dmp
- memory/3960-2-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/3960-3-0x000000000044A6BE-mapping.dmp
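The memory artifact names encode pid, index, address range and dump kind, which lets the report be cross-checked against itself. The helper below is an added example, not part of the report; the convention memory/<pid>-<index>-0x<start>[-0x<end>]-<memory|mapping>.dmp is inferred from the three names above and assumed to hold for other reports. It confirms that 0x400000-0x450000 spans exactly 0x50000 = 327680 bytes, the 320 KB listed, and that the mapping address 0x44A6BE for PID 3960 lies inside that region, while the mapping logged for PID 2520 at address 0 has no dumped region behind it.

```python
"""Parse and cross-check sandbox memory-dump artifact names.

Added example, not part of the report. The naming convention is inferred
from the three artifacts listed above and assumed to generalise."""
import re
from collections import defaultdict

# Copied from the report's Downloads section; the second element is the
# listed Filesize in bytes, or None where the report lists none.
ARTIFACTS = [
    ("memory/2520-0-0x0000000000000000-mapping.dmp", None),
    ("memory/3960-2-0x0000000000400000-0x0000000000450000-memory.dmp", 320 * 1024),
    ("memory/3960-3-0x000000000044A6BE-mapping.dmp", None),
]

NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp"
)


def parse(name):
    """Split one artifact name into fields. 'size' is end - start for a
    region dump and None for a mapping dump, which carries a single address."""
    m = NAME.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised artifact name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]),
        "index": int(m["idx"]),
        "kind": m["kind"],
        "start": start,
        "end": end,
        "size": end - start if end is not None else None,
    }


def check(artifacts):
    """Return one (pid, kind, start, end, ok) tuple per artifact.

    For a region dump, ok means the span equals the listed filesize (or no
    size was listed). For a mapping dump, ok means the address falls inside a
    region dumped from the same PID, i.e. the sandbox captured the memory the
    mapping points at; an uncovered mapping is reported, not skipped."""
    parsed = [(parse(name), listed) for name, listed in artifacts]
    regions = defaultdict(list)
    for p, _ in parsed:
        if p["kind"] == "memory":
            regions[p["pid"]].append((p["start"], p["end"]))

    results = []
    for p, listed in parsed:
        if p["kind"] == "memory":
            ok = listed is None or listed == p["size"]
        else:
            ok = any(lo <= p["start"] < hi for lo, hi in regions[p["pid"]])
        results.append((p["pid"], p["kind"], p["start"], p["end"], ok))
    return results


if __name__ == "__main__":
    for pid, kind, start, end, ok in check(ARTIFACTS):
        span = f"0x{start:X}" + (f"-0x{end:X}" if end is not None else "")
        print(f"pid {pid} {kind:8}{span:22}{'ok' if ok else 'UNCOVERED/MISMATCH'}")
```

0x400000 is the default image base of a 32-bit PE, so the 320 KB region is the payload image mapped into the hollowed child, and it is smaller than the 415 KB dropper on disk, which is consistent with an unpacked inner payload rather than a second copy of the whole file. The address-0 mapping for PID 2520 (schtasks.exe) is logged with no dumped region, so the check reports it as uncovered instead of passing silently.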