Analysis
- max time kernel: 147s
- max time network: 13s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 11-05-2021 12:25
Static task: static1
Behavioral task: behavioral1
  Sample: CARGO DECUMENT.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: CARGO DECUMENT.exe
  Resource: win10v20210410
General
- Target: CARGO DECUMENT.exe
- Size: 929KB
- MD5: 43ecd98b39cc9ebfc3f85d0c69449373
- SHA1: 419842c79a2c0a3ecc1e0137235d77a9b585949e
- SHA256: db59b7cbcd7ffd902553d10a3aceab64f2020a04f169e167e25d01a14125f5c5
- SHA512: 35acec2737051bc816e894ca128cdf57b1a7272d19396b425923b61ce89792cf0d03ee0f565132a61c1936d5ac78c814fbebecf69a41ef34a8ba903da85375af
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.cometshippings.com
- Port: 587
- Username: z@cometshippings.com
- Password: FNoY9fig8&Cyw];Fpk
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/108-68-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
    behavioral1/memory/108-69-0x000000000043692E-mapping.dmp                    family_agenttesla
    behavioral1/memory/108-70-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                         pid  process             target process
    PID 308 set thread context of 108   308  CARGO DECUMENT.exe  CARGO DECUMENT.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid  process
    308  CARGO DECUMENT.exe
    108  CARGO DECUMENT.exe
    108  CARGO DECUMENT.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid  process
    Token: SeDebugPrivilege  308  CARGO DECUMENT.exe
    Token: SeDebugPrivilege  108  CARGO DECUMENT.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid  process
    108  CARGO DECUMENT.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description                       pid  process             target process
    PID 308 wrote to memory of 1596   308  CARGO DECUMENT.exe  schtasks.exe
    PID 308 wrote to memory of 1596   308  CARGO DECUMENT.exe  schtasks.exe
    PID 308 wrote to memory of 1596   308  CARGO DECUMENT.exe  schtasks.exe
    PID 308 wrote to memory of 1596   308  CARGO DECUMENT.exe  schtasks.exe
    PID 308 wrote to memory of 108    308  CARGO DECUMENT.exe  CARGO DECUMENT.exe
    PID 308 wrote to memory of 108    308  CARGO DECUMENT.exe  CARGO DECUMENT.exe
    PID 308 wrote to memory of 108    308  CARGO DECUMENT.exe  CARGO DECUMENT.exe
    PID 308 wrote to memory of 108    308  CARGO DECUMENT.exe  CARGO DECUMENT.exe
    PID 308 wrote to memory of 108    308  CARGO DECUMENT.exe  CARGO DECUMENT.exe
    PID 308 wrote to memory of 108    308  CARGO DECUMENT.exe  CARGO DECUMENT.exe
    PID 308 wrote to memory of 108    308  CARGO DECUMENT.exe  CARGO DECUMENT.exe
    PID 308 wrote to memory of 108    308  CARGO DECUMENT.exe  CARGO DECUMENT.exe
    PID 308 wrote to memory of 108    308  CARGO DECUMENT.exe  CARGO DECUMENT.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\CARGO DECUMENT.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CARGO DECUMENT.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mJBlfbIi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF0B5.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\CARGO DECUMENT.exe (level 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF0B5.tmp
  MD5: 05fbc220d7ae3012e3c19aac1935680d
  SHA1: 98aaf7f7ec43746d14563560905b28af3b48660b
  SHA256: cca530a80e0246c792048a43f09909d663cffeca3bb95602db9c4453a53bfed6
  SHA512: 6201621d46adc47968bc5dac2195dcbfd9781f4990c38bd776b5a5f615fc049d719866a8d18a81ca85baf321fcc85e4a9f073a35744ee53c3aca4e4b7b36803e
- memory/108-68-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/108-69-0x000000000043692E-mapping.dmp
- memory/108-70-0x0000000000400000-0x000000000043C000-memory.dmp
  Filesize: 240KB
- memory/108-72-0x0000000000E30000-0x0000000000E31000-memory.dmp
  Filesize: 4KB
- memory/308-60-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
  Filesize: 4KB
- memory/308-62-0x00000000007E0000-0x00000000007E1000-memory.dmp
  Filesize: 4KB
- memory/308-63-0x00000000004E0000-0x00000000004EE000-memory.dmp
  Filesize: 56KB
- memory/308-64-0x0000000005150000-0x00000000051EB000-memory.dmp
  Filesize: 620KB
- memory/308-65-0x0000000000B50000-0x0000000000BAA000-memory.dmp
  Filesize: 360KB
- memory/1596-66-0x0000000000000000-mapping.dmp