Overview

overview

10

Static

static

SHIPPING D...DF.exe

windows7_x64

10

SHIPPING D...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    171s
  • max time network
    295s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    27-09-2021 18:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SHIPPING DOCUMENTS_PDF.exe

  • Size

    850KB

  • MD5

    ff8964351ff2ef7ae003d14cd494efb3

  • SHA1

    cff664fffb5c470d4d2ff5dbbdc198276cc77634

  • SHA256

    95e22edcb0a13b44fe04a41017a585c67faf91b47177887b40b1b6190599b4ae

  • SHA512

    2455338bd54e74bdcbcd781158f3888988a77040cf768e4295e25c56800411a76fda65fbf074d8d2edba4cea3e80b9942dee54e9634b98e9d13dad8d26287226

Score
10/10
agentteslamicrosoftevasionkeyloggerphishingspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.it-tel.eu
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    OZuw)N$0

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Detected potential entity reuse from brand microsoft.
    phishingmicrosoft
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS_PDF.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS_PDF.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4948
    • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS_PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS_PDF.exe"
      2⤵
      • Drops file in Drivers directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3812
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:592
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:1676
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1348
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2088
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:364
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4512
  • C:\Windows\System32\iexpress.exe
    "C:\Windows\System32\iexpress.exe"
    1⤵
      PID:4592

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    3
    T1081

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SHIPPING DOCUMENTS_PDF.exe.log
      MD5

      702accedbb5f4330e71e04b0adcebcab

      SHA1

      8758b0e8bb8fb8036fd30134015c4eb3f6113b5b

      SHA256

      eac8901972a0bc1e30fe8451564817c5ea116870f8483c128650a0783e48c57f

      SHA512

      19d4fcd7a58b65282638a7bb633fbcbe4ddb24edba81d43d333fcbbbb38b114ce64bf7a5d45516249ceca343a2d854aa3e531af2960d03d468f6264e00a34f45

      Download Submit
    • memory/2156-126-0x00000000086E0000-0x0000000008748000-memory.dmp
      Filesize

      416KB

      Download
    • memory/2156-125-0x0000000008990000-0x0000000008991000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2156-119-0x0000000005010000-0x0000000005011000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2156-120-0x0000000008510000-0x0000000008511000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2156-127-0x0000000008750000-0x000000000878C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2156-122-0x00000000051A0000-0x000000000569E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/2156-118-0x0000000005060000-0x0000000005061000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2156-115-0x00000000006F0000-0x00000000006F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2156-121-0x0000000005350000-0x0000000005357000-memory.dmp
      Filesize

      28KB

      Download
    • memory/2156-117-0x00000000056A0000-0x00000000056A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2156-129-0x00000000088A0000-0x00000000088A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3812-382-0x0000000005620000-0x0000000005621000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3812-145-0x00000000051C0000-0x00000000056BE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3812-134-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3812-135-0x00000000004375EE-mapping.dmp
      Download
    • memory/3812-391-0x00000000051C0000-0x00000000056BE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4948-141-0x00000000071C0000-0x00000000071C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-158-0x0000000009460000-0x0000000009493000-memory.dmp
      Filesize

      204KB

      Download
    • memory/4948-143-0x00000000076B0000-0x00000000076B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-142-0x00000000071C2000-0x00000000071C3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-133-0x0000000007800000-0x0000000007801000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-147-0x0000000008040000-0x0000000008041000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-148-0x0000000007E50000-0x0000000007E51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-149-0x00000000087F0000-0x00000000087F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-150-0x00000000086A0000-0x00000000086A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-139-0x0000000007610000-0x0000000007611000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-165-0x0000000009440000-0x0000000009441000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-170-0x00000000097F0000-0x00000000097F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-171-0x0000000009990000-0x0000000009991000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-240-0x000000007E130000-0x000000007E131000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-241-0x00000000071C3000-0x00000000071C4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-366-0x0000000009920000-0x0000000009921000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-372-0x0000000009910000-0x0000000009911000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-132-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4948-128-0x0000000000000000-mapping.dmp
      Download