Analysis
-
max time kernel
126s -
max time network
133s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
18-10-2021 21:16
Static task
static1
Behavioral task
behavioral1
Sample
Shipping Document PL&BL Draft.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
Shipping Document PL&BL Draft.exe
Resource
win10-en-20211014
General
-
Target
Shipping Document PL&BL Draft.exe
-
Size
277KB
-
MD5
9e944f39542cf55c8cd0513307c507e3
-
SHA1
5dc457b12d42e9a91ba4ef70bbbf35494399cef7
-
SHA256
4a5d34fcda47700161c2fbc4ee64713e81e563d04e319b7a48e52d778e70e4b7
-
SHA512
469a7478e8d0957ca8bceed0a0f8f6dc028c8ec78e87a9212288974cdf5f752845a6d547dd27649ae2d022226cd53b37d17e2e78c3847da2dc5c7a4c34ec95ef
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot1900836728:AAEDyoYbBJwtt1EA4hdgRlGTN1cq760KPNU/sendDocument
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/672-56-0x0000000000400000-0x000000000044B000-memory.dmp family_agenttesla behavioral1/memory/672-57-0x000000000040188B-mapping.dmp family_agenttesla behavioral1/memory/672-59-0x0000000000400000-0x000000000044B000-memory.dmp family_agenttesla behavioral1/memory/672-60-0x0000000004480000-0x00000000044B6000-memory.dmp family_agenttesla -
Loads dropped DLL 1 IoCs
Processes:
Shipping Document PL&BL Draft.exepid process 1324 Shipping Document PL&BL Draft.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Shipping Document PL&BL Draft.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Shipping Document PL&BL Draft.exe Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Shipping Document PL&BL Draft.exe Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Shipping Document PL&BL Draft.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Shipping Document PL&BL Draft.exedescription pid process target process PID 1324 set thread context of 672 1324 Shipping Document PL&BL Draft.exe Shipping Document PL&BL Draft.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Shipping Document PL&BL Draft.exepid process 672 Shipping Document PL&BL Draft.exe 672 Shipping Document PL&BL Draft.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Shipping Document PL&BL Draft.exedescription pid process Token: SeDebugPrivilege 672 Shipping Document PL&BL Draft.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Shipping Document PL&BL Draft.exedescription pid process target process PID 1324 wrote to memory of 672 1324 Shipping Document PL&BL Draft.exe Shipping Document PL&BL Draft.exe PID 1324 wrote to memory of 672 1324 Shipping Document PL&BL Draft.exe Shipping Document PL&BL Draft.exe PID 1324 wrote to memory of 672 1324 Shipping Document PL&BL Draft.exe Shipping Document PL&BL Draft.exe PID 1324 wrote to memory of 672 1324 Shipping Document PL&BL Draft.exe Shipping Document PL&BL Draft.exe PID 1324 wrote to memory of 672 1324 Shipping Document PL&BL Draft.exe Shipping Document PL&BL Draft.exe PID 1324 wrote to memory of 672 1324 Shipping Document PL&BL Draft.exe Shipping Document PL&BL Draft.exe PID 1324 wrote to memory of 672 1324 Shipping Document PL&BL Draft.exe Shipping Document PL&BL Draft.exe PID 1324 wrote to memory of 672 1324 Shipping Document PL&BL Draft.exe Shipping Document PL&BL Draft.exe PID 1324 wrote to memory of 672 1324 Shipping Document PL&BL Draft.exe Shipping Document PL&BL Draft.exe PID 1324 wrote to memory of 672 1324 Shipping Document PL&BL Draft.exe Shipping Document PL&BL Draft.exe PID 1324 wrote to memory of 672 1324 Shipping Document PL&BL Draft.exe Shipping Document PL&BL Draft.exe -
outlook_office_path 1 IoCs
Processes:
Shipping Document PL&BL Draft.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Shipping Document PL&BL Draft.exe -
outlook_win_path 1 IoCs
Processes:
Shipping Document PL&BL Draft.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Shipping Document PL&BL Draft.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Document PL&BL Draft.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:672
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
4e4a9b4272db28101d5e6cf7e7368602
SHA1ddc50b6b2faf4ee923c097be2758f327b501792f
SHA2564b3dd1a214d3b1cf8fa9b9cdcffa76fb1823411db3e0bffc6c5a0ac356466530
SHA512120b86016789f37833e397155930c700e7fd3531d58a8e557691360bb2a1600fa5279099b1ce073a57139ffe157d9dc1d2037a5051eb38d5a0cab26ad5b88924