Analysis
- max time kernel: 57s
- max time network: 68s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 08:59
- Static task: static1
- Behavioral task: behavioral1 (Sample: Shipping Docments.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: Shipping Docments.exe, Resource: win10v200430)
General
- Target: Shipping Docments.exe
- Size: 479KB
- MD5: 4d2bc1656cfe1547a4ab4f0433dea8be
- SHA1: 4f6bae02ef8c5da844da756ddb457b79e640d069
- SHA256: bbbd6d62c9a751f4ce43c884d0c91f5a40bc78e381d56a5e10a99d278154dd80
- SHA512: d55a487122d069606bbd5cf32a17202a856e75a12941e648144eddab3a26c8aefefaf1197d1684109fb4ed272cfb80ec847c2db2dc07994a295ad781c3725c2b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.saharanepal.coop.np
- Port: 587
- Username: sijuwa@saharanepal.coop.np
- Password: sijuwa@sahara
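The extracted configuration is the sample's exfiltration channel: Agent Tesla logs in to the listed mailbox over SMTP submission (port 587) and mails stolen data to it, so these values are hunting indicators rather than victim credentials. The following is an added example, not part of the sandbox report, showing how to turn the config into a tiered match against mail-submission logs. CONFIG holds the values the report extracted; SAMPLE_LOG is constructed, and its tab-separated column set (client, server, port, auth_user, mailfrom) is an assumption about whatever export your mail gateway or network monitor produces.

```python
"""Match the extracted Agent Tesla SMTP config against mail-submission logs.

Added example, not part of the sandbox report. CONFIG holds the values the
report extracted; SAMPLE_LOG is constructed, and its tab-separated column set
(client, server, port, auth_user, mailfrom) is an assumption about whatever
export your mail gateway or network monitor produces.
"""
import csv
import io

# Values from the report's "Malware Config" section
CONFIG = {
    "protocol": "smtp",
    "host": "mail.saharanepal.coop.np",
    "port": 587,
    "username": "sijuwa@saharanepal.coop.np",
}

# Constructed log: one SMTP session per line (column layout is an assumption)
SAMPLE_LOG = """\
ts\tclient\tserver\tport\tauth_user\tmailfrom
1593507600.1\t10.0.0.23\tmail.saharanepal.coop.np\t587\tsijuwa@saharanepal.coop.np\tsijuwa@saharanepal.coop.np
1593507605.3\t10.0.0.41\tsmtp.example.net\t587\talice@example.com\talice@example.com
1593507610.9\t10.0.0.57\tmail.saharanepal.coop.np\t587\t-\tbob@example.com
1593507612.0\t10.0.0.41\tmail.saharanepal.coop.np\t25\t-\tcarol@example.com
"""


def match_config(config, log_text):
    """Return one hit per matching log record, ranked by confidence.

    The username is the strong indicator: it is the mailbox the sample
    authenticates to. A host:port match alone is weaker, because the same
    mail server can carry unrelated legitimate traffic (the mailbox may sit
    on a third party's server), so those hits are marked medium for analyst
    review rather than for automatic blocking of the domain.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        reasons = []
        if (row["server"].lower() == config["host"]
                and int(row["port"]) == config["port"]):
            reasons.append("host:port")
        if config["username"] in (row["auth_user"].lower(), row["mailfrom"].lower()):
            reasons.append("username")
        if reasons:
            hits.append({
                "ts": row["ts"],
                "client": row["client"],
                "reasons": reasons,
                "confidence": "high" if "username" in reasons else "medium",
            })
    return hits


if __name__ == "__main__":
    for hit in match_config(CONFIG, SAMPLE_LOG):
        print(hit)
```

On the constructed log the first session (authenticated as the configured username) is a high-confidence hit, the third (same host and port, different sender) is medium, and the port-25 session is not matched because the config names the submission port.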
Signatures
- AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer.
- AgentTesla Payload 4 IoCs
YARA rule family_agenttesla matched in these memory dumps of PID 1604 (the hollowed second copy of the sample):
  - behavioral1/memory/1604-2-0x0000000000400000-0x0000000000450000-memory.dmp
  - behavioral1/memory/1604-3-0x000000000044A6BE-mapping.dmp
  - behavioral1/memory/1604-4-0x0000000000400000-0x0000000000450000-memory.dmp
  - behavioral1/memory/1604-5-0x0000000000400000-0x0000000000450000-memory.dmp
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
  - PID 1124 (Shipping Docments.exe) set thread context of PID 1604 (Shipping Docments.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text calls this likely ransomware behaviour, but drive enumeration on its own is not evidence of ransomware; this sample is classified as the Agent Tesla infostealer.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
  - PID 1604 Shipping Docments.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
  - Token: SeDebugPrivilege, PID 1604 Shipping Docments.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
  - PID 1124 (Shipping Docments.exe) wrote to memory of PID 1308 (schtasks.exe): 4 events
  - PID 1124 (Shipping Docments.exe) wrote to memory of PID 1604 (Shipping Docments.exe): 9 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe (PID 1124)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1308, child of 1124)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\abCQyorJbUCtI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9CBB.tmp"
    (The 32-bit sample invoked System32\schtasks.exe; WoW64 file system redirection resolved it to SysWOW64. The task definition comes from the dropped tmp9CBB.tmp listed under Downloads.)
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe (PID 1604, child of 1124)
    Command line: "{path}" (recorded literally; the child is a second copy of the sample that the parent wrote into and redirected with SetThreadContext)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
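The pairing of WriteProcessMemory with SetThreadContext from PID 1124 into a suspended second copy of its own image (PID 1604) is the classic process-hollowing pattern, and it is the hollowed child, not the parent, that then carries the Agent Tesla payload and the SeDebugPrivilege request. The following is an added example, not part of the sandbox report, that applies that check to sandbox-style API events. The PIDs and image paths are the ones the report lists; the event tuples are constructed to mirror the report's 13 WriteProcessMemory and 1 SetThreadContext signatures, and their layout (api, source pid, target pid) is an assumption about your event source.

```python
"""Process-hollowing check over sandbox-style API events.

Added example, not part of the sandbox report. PROCESSES and the event
counts come from the report; the (api, source pid, target pid) tuple layout
of EVENTS is an assumption about the event source.
"""
from collections import defaultdict

# pid -> image path, taken from the report's process tree
PROCESSES = {
    1124: r"C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe",
    1308: r"C:\Windows\SysWOW64\schtasks.exe",
    1604: r"C:\Users\Admin\AppData\Local\Temp\Shipping Docments.exe",
}

# Constructed event stream mirroring the report's signature counts
EVENTS = (
    [("WriteProcessMemory", 1124, 1308)] * 4
    + [("WriteProcessMemory", 1124, 1604)] * 9
    + [("SetThreadContext", 1124, 1604)]
)


def find_hollowing(processes, events):
    """Return a verdict for every target pid that some other process wrote to.

    Hollowing needs two things from the same source process: writes into the
    target and a SetThreadContext call that points the target's main thread
    at the written payload. Writes alone are not enough: a parent also writes
    into every child it creates (process parameters, environment block), which
    is consistent with the four writes into schtasks.exe here, so those are
    reported but not flagged.
    """
    writes = defaultdict(int)
    ctx = set()
    for api, src, dst in events:
        if src == dst:
            continue  # a process writing to itself is not injection
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx.add((src, dst))

    verdicts = {}
    for (src, dst), count in writes.items():
        redirected = (src, dst) in ctx
        verdicts[dst] = {
            "source": src,
            "writes": count,
            "set_thread_context": redirected,
            # same image on both sides: the parent hollowed a copy of itself
            "same_image": processes.get(src) == processes.get(dst),
            "hollowing": redirected,
        }
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(find_hollowing(PROCESSES, EVENTS).items()):
        print(pid, PROCESSES[pid].rsplit("\\", 1)[-1], verdict)
```

Run against the constructed events, PID 1604 is flagged (9 writes plus SetThreadContext, same image as the parent) while PID 1308 is not (4 writes, no thread redirection). In a real pipeline the same rule applies to Sysmon or EDR telemetry once the source and target pids and the API name are mapped onto the tuple layout.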
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9CBB.tmp (the task definition XML passed to schtasks.exe /XML)
  - MD5: 86cbb98e0f4dde5bc40eac41d381f66b
  - SHA1: 3c526875655f1ad705ef445b4d2846f8b82d709d
  - SHA256: 7bc9aec00dedf001beaf2ee2e20c5abe61b423b16142b0cec246913b46768eeb
  - SHA512: debbe090c75f33e221ba5b30bd27cbd4117b5e0adea28188908f8157dbfa2e30c907283156fbf228afe0a307c2faac6e71f66e5335d27ac77f41b6172b2aa04f
- memory/1308-0-0x0000000000000000-mapping.dmp
- memory/1604-2-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1604-3-0x000000000044A6BE-mapping.dmp
- memory/1604-4-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1604-5-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)