Analysis
- Max time kernel: 132s
- Max time network: 39s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 15-09-2021 07:31
- Static task: static1
- Behavioral task: behavioral1
- Sample: SHIPPING ADV#202109.exe
- Resource: win7v20210408
General
- Target: SHIPPING ADV#202109.exe
- Size: 831KB
- MD5: db00ed0da0d3e5a11fd18a042c5c0c76
- SHA1: 6de345db616385f220843d3c566710aa11a64681
- SHA256: 6674e9af3a42239eaa8455873f2ee7deb83add5bb32b3f40619d9efee701527b
- SHA512: 920aaf4919aeda252d7516e6c6e5c18af984aa3560fe62d34bb3bf84770b97f4ddfc17ea9829410d6e7faa91d8097408840fa33add292143dda734b9343f36ae
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.bsia.co.in
- Port: 587
- Username: yogesh@bsia.co.in
- Password: 21mbsia@)@!Y
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1008-68-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1008-69-0x00000000004374CE-mapping.dmp: family_agenttesla
  - behavioral1/memory/1008-70-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (SHIPPING ADV#202109.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (SHIPPING ADV#202109.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (SHIPPING ADV#202109.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (SHIPPING ADV#202109.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  - PID 368 set thread context of 1008: 368 SHIPPING ADV#202109.exe -> SHIPPING ADV#202109.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 1008 SHIPPING ADV#202109.exe
  - 1008 SHIPPING ADV#202109.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege: 1008 SHIPPING ADV#202109.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description / pid / process / target process):
  - PID 368 wrote to memory of 1748: 368 SHIPPING ADV#202109.exe -> schtasks.exe
  - PID 368 wrote to memory of 1748: 368 SHIPPING ADV#202109.exe -> schtasks.exe
  - PID 368 wrote to memory of 1748: 368 SHIPPING ADV#202109.exe -> schtasks.exe
  - PID 368 wrote to memory of 1748: 368 SHIPPING ADV#202109.exe -> schtasks.exe
  - PID 368 wrote to memory of 1008: 368 SHIPPING ADV#202109.exe -> SHIPPING ADV#202109.exe
  - PID 368 wrote to memory of 1008: 368 SHIPPING ADV#202109.exe -> SHIPPING ADV#202109.exe
  - PID 368 wrote to memory of 1008: 368 SHIPPING ADV#202109.exe -> SHIPPING ADV#202109.exe
  - PID 368 wrote to memory of 1008: 368 SHIPPING ADV#202109.exe -> SHIPPING ADV#202109.exe
  - PID 368 wrote to memory of 1008: 368 SHIPPING ADV#202109.exe -> SHIPPING ADV#202109.exe
  - PID 368 wrote to memory of 1008: 368 SHIPPING ADV#202109.exe -> SHIPPING ADV#202109.exe
  - PID 368 wrote to memory of 1008: 368 SHIPPING ADV#202109.exe -> SHIPPING ADV#202109.exe
  - PID 368 wrote to memory of 1008: 368 SHIPPING ADV#202109.exe -> SHIPPING ADV#202109.exe
  - PID 368 wrote to memory of 1008: 368 SHIPPING ADV#202109.exe -> SHIPPING ADV#202109.exe
Processes (process tree)
- C:\Users\Admin\AppData\Local\Temp\SHIPPING ADV#202109.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING ADV#202109.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2, child of the above)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lipZGzghwiAyb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEB39.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SHIPPING ADV#202109.exe (level 2, child of the above)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpEB39.tmp
  MD5: e29e2bdb8be649976209d2aec55f5c50
  SHA1: 1c13c67f8171aae00ffa908c376999f6322cdc38
  SHA256: 7580623611764679bfd9236ccc0b478a4eb21c9c25efeee8829ac0c823167ebf
  SHA512: 4c670f4c4de25d159c4d6582678f6ed53aa7754644567d151a03346a7fdf8540423541eb64e8ae99367f3c0bf20285bf992dd40e02ad02b9c9a8cd41a924d915
- memory/368-60-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)
- memory/368-62-0x0000000004E50000-0x0000000004E51000-memory.dmp (Filesize: 4KB)
- memory/368-63-0x00000000004B0000-0x00000000004BE000-memory.dmp (Filesize: 56KB)
- memory/368-64-0x00000000050C0000-0x000000000513E000-memory.dmp (Filesize: 504KB)
- memory/368-65-0x0000000000AA0000-0x0000000000ADA000-memory.dmp (Filesize: 232KB)
- memory/1008-68-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1008-69-0x00000000004374CE-mapping.dmp
- memory/1008-70-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1008-72-0x0000000002230000-0x0000000002231000-memory.dmp (Filesize: 4KB)
- memory/1008-73-0x0000000002231000-0x0000000002232000-memory.dmp (Filesize: 4KB)
- memory/1748-66-0x0000000000000000-mapping.dmp