Analysis

Max time kernel: 150s
Max time network: 92s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 27-07-2021 15:25

Static task: static1
Behavioral task: behavioral1
  Sample: DHL-AW1258901FE2021_pdf.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: DHL-AW1258901FE2021_pdf.exe
  Resource: win10v20210408
General

Target: DHL-AW1258901FE2021_pdf.exe
Size: 741KB
MD5: dbf6a8d2aee3ee5ba2cd2f88e567ebcd
SHA1: 9be4bb39f0c58b83a4f5571c1fb08cd6e2445a4c
SHA256: 5b8456fbfb62922ce7383ffb8e070c0524768a40bda22da415640128baef40b0
SHA512: 901c0da35636ae8a4dc9b71232de31c76565837c33b384461990f6f77fef82fb4f9b51c8023d44ebcda2ff5d928e0da01253f6d606162e2c16c8bb851d409657
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: smtpout.secureserver.net
Port: 587
Username: sales1@ashtavinayaka.com
Password: 123456789

These are the credentials the stealer uses to send collected data out over SMTP submission (port 587); the mailbox belongs to the operator (often a compromised legitimate account), not to the victim, so the host, port and username are the network indicators to hunt for.
Signatures

AgentTesla
Agent Tesla is an information stealer and remote access tool (RAT) written in .NET (originally VB.NET).

AgentTesla Payload (2 IoCs)
  resource: behavioral1/memory/1516-66-0x00000000004374EE-mapping.dmp
    yara_rule: family_agenttesla
  resource: behavioral1/memory/1516-65-0x0000000000400000-0x000000000043C000-memory.dmp
    yara_rule: family_agenttesla

Suspicious use of SetThreadContext (1 IoC)
  PID 1268 (DHL-AW1258901FE2021_pdf.exe) set thread context of PID 1516 (DHL-AW1258901FE2021_pdf.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour", but drive enumeration is also routine host profiling for a stealer; on its own it is a weak signal and should be read alongside the AgentTesla payload match above.

Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 1268 DHL-AW1258901FE2021_pdf.exe
  PID 1516 DHL-AW1258901FE2021_pdf.exe
  PID 1516 DHL-AW1258901FE2021_pdf.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1268 DHL-AW1258901FE2021_pdf.exe
  Token: SeDebugPrivilege, PID 1516 DHL-AW1258901FE2021_pdf.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1268 (DHL-AW1258901FE2021_pdf.exe) wrote to memory of PID 396 (schtasks.exe): 4 events
  PID 1268 (DHL-AW1258901FE2021_pdf.exe) wrote to memory of PID 1516 (DHL-AW1258901FE2021_pdf.exe): 9 events
  PID 1516 (DHL-AW1258901FE2021_pdf.exe) wrote to memory of PID 936 (dw20.exe): 4 events
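The SetThreadContext and WriteProcessMemory rows above, taken together, are the sequence an analyst pairs to call process hollowing: the parent spawns a second copy of its own image, writes into it repeatedly, then resets the child's thread context. The script below is an added example (not the sandbox's export or the malware's code) that encodes those rows as constructed data, flags the hollowing pair, and pulls the task name and XML path out of the schtasks command line shown in the process tree. Event tuples and command lines are transcribed from this report; the pairing heuristic and field names are the example's own.

```python
"""Triage of sandbox API events: pair SetThreadContext with WriteProcessMemory
to flag a process-hollowing candidate, and parse schtasks /Create command lines
for persistence. Data below is constructed from the report's own rows."""
import re
from collections import Counter

# Constructed from the Signatures rows: (pid, image, target pid, target image).
SET_THREAD_CONTEXT = [
    (1268, "DHL-AW1258901FE2021_pdf.exe", 1516, "DHL-AW1258901FE2021_pdf.exe"),
]
WRITE_PROCESS_MEMORY = (
    [(1268, "DHL-AW1258901FE2021_pdf.exe", 396, "schtasks.exe")] * 4
    + [(1268, "DHL-AW1258901FE2021_pdf.exe", 1516, "DHL-AW1258901FE2021_pdf.exe")] * 9
    + [(1516, "DHL-AW1258901FE2021_pdf.exe", 936, "dw20.exe")] * 4
)
# Constructed from the process tree: pid -> command line.
COMMAND_LINES = {
    1268: r'"C:\Users\Admin\AppData\Local\Temp\DHL-AW1258901FE2021_pdf.exe"',
    396: r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwamjWzmFC" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpBC0F.tmp"',
    1516: r'"C:\Users\Admin\AppData\Local\Temp\DHL-AW1258901FE2021_pdf.exe"',
    936: r"dw20.exe -x -s 520",
}


def find_hollowing(stc_events, wpm_events):
    """One finding per (parent, child) pair that received both a
    SetThreadContext and at least one WriteProcessMemory. same_image marks the
    self-injection variant where the child is a fresh copy of the parent."""
    writes = Counter((src, dst) for src, _, dst, _ in wpm_events)
    findings = []
    for src, src_img, dst, dst_img in stc_events:
        n = writes[(src, dst)]
        if n == 0:
            continue  # context change without a prior write: not hollowing
        findings.append({
            "parent": src, "child": dst, "writes": n,
            "same_image": src_img.lower() == dst_img.lower(),
        })
    return findings


def win_argv(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes
    (sufficient for schtasks; not a full CommandLineToArgvW)."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def find_schtasks_persistence(cmdlines):
    """Flag schtasks /Create invocations and record the task name plus, when
    the body is imported with /XML, whether that file sits under a Temp folder."""
    findings = []
    for pid, cmdline in cmdlines.items():
        argv = win_argv(cmdline)
        if not argv or not argv[0].lower().endswith("schtasks.exe"):
            continue
        # Map each /switch to the token that follows it (None if it is last).
        opts = {a.lower(): (argv[i + 1] if i + 1 < len(argv) else None)
                for i, a in enumerate(argv) if a.startswith("/")}
        if "/create" not in opts:
            continue
        xml = opts.get("/xml")
        findings.append({
            "pid": pid,
            "task": opts.get("/tn"),
            "xml": xml,
            "xml_from_temp": bool(xml) and "\\temp\\" in xml.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY):
        print("hollowing candidate:", f)
    for f in find_schtasks_persistence(COMMAND_LINES):
        print("scheduled-task persistence:", f)
```

The writes into schtasks.exe and dw20.exe are not paired with a SetThreadContext, so they are not reported as hollowing; the dw20.exe rows are the .NET runtime's crash reporter being handed the faulting process handle, which the heuristic deliberately ignores.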
Processes

C:\Users\Admin\AppData\Local\Temp\DHL-AW1258901FE2021_pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL-AW1258901FE2021_pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IwamjWzmFC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC0F.tmp"
    (The System32 path in the command line resolves to SysWOW64 because the 32-bit parent is subject to WoW64 file system redirection.)
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\DHL-AW1258901FE2021_pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL-AW1258901FE2021_pdf.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 520
      (dw20.exe is the .NET Framework 2.0 Watson error-reporting helper, launched by the runtime when a managed process hits an unhandled exception.)
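The persistence step in the tree imports a task definition from a .tmp file in the user's Temp folder. The report records only that file's hashes, not its contents, so the XML below is a constructed sample in the Task Scheduler schema, and the executable path, author and trigger in it are assumptions. This is an added example (not the sandbox's or the malware's code) of how an analyst summarises such a file once it has been pulled from the sandbox and applies the usual checks: hidden flag, logon/boot trigger, and a command living in a user-writable directory.

```python
"""Summarise a Windows Task Scheduler XML definition (the kind of file passed
to schtasks /Create /XML) and apply analyst heuristics to it."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample task (assumed contents; the report gives only the hashes
# of tmpBC0F.tmp): logon trigger, hidden, runs a binary from %APPDATA%.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Admin</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>Admin</UserId></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Roaming\IwamjWzmFC.exe</Command>
      <Arguments></Arguments>
    </Exec>
  </Actions>
</Task>"""


def summarize_task(xml_text):
    """Return who registered the task, which trigger types fire it, what it
    executes, and whether it is hidden from the Task Scheduler UI."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    triggers_el = root.find("t:Triggers", NS)
    # Strip the namespace: "{...}LogonTrigger" -> "LogonTrigger".
    triggers = ([] if triggers_el is None
                else [t.tag.split("}")[-1] for t in triggers_el])
    actions = [
        {"command": (e.findtext("t:Command", default="", namespaces=NS) or "").strip(),
         "arguments": (e.findtext("t:Arguments", default="", namespaces=NS) or "").strip()}
        for e in root.findall("t:Actions/t:Exec", NS)
    ]
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "triggers": triggers,
        "actions": actions,
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
    }


def suspicious_indicators(summary):
    """Heuristics an analyst applies to an imported task definition."""
    hits = []
    if summary["hidden"]:
        hits.append("hidden task")
    if any(t in ("LogonTrigger", "BootTrigger") for t in summary["triggers"]):
        hits.append("runs at logon/boot")
    for action in summary["actions"]:
        cmd = action["command"].lower()
        if any(p in cmd for p in USER_WRITABLE):
            hits.append("command in user-writable path: " + action["command"])
    return hits


if __name__ == "__main__":
    summary = summarize_task(SAMPLE_TASK_XML)
    print(summary)
    for hit in suspicious_indicators(summary):
        print("-", hit)
```

Task files exported by Windows are usually UTF-16 with a BOM; when reading a real .tmp from disk, open it in binary mode and pass the bytes to ET.fromstring so the declared encoding is honoured.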
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBC0F.tmp
  MD5: 1d31a28dad67dec153b6a0afed41e998
  SHA1: 80250ef030a36a163443a1727c024da8721ae2c0
  SHA256: 3d65d2d18b7cb13bd5a5d5b92fcbeb47b0e32b341c81b92c2ae32700ec09f349
  SHA512: 840f2e95debff41bb5ed7d02f120b1639975d1e66396cf5782913860f95bce584cad35df5df26fe365ae66a37c02a40d9ec4a3c8ff77b80b8274136414a707b2

memory/396-63-0x0000000000000000-mapping.dmp
memory/936-69-0x0000000000000000-mapping.dmp
memory/936-71-0x00000000003B0000-0x00000000003B1000-memory.dmp (Filesize: 4KB)
memory/1268-60-0x0000000075591000-0x0000000075593000-memory.dmp (Filesize: 8KB)
memory/1268-61-0x00000000002F0000-0x00000000002F1000-memory.dmp (Filesize: 4KB)
memory/1268-62-0x00000000002F1000-0x00000000002F2000-memory.dmp (Filesize: 4KB)
memory/1516-66-0x00000000004374EE-mapping.dmp
memory/1516-65-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
memory/1516-68-0x0000000000B70000-0x0000000000B71000-memory.dmp (Filesize: 4KB)