Analysis
- Max time kernel: 123s
- Max time network: 122s
- Platform: windows7_x64
- Resource: win7-en-20211014
- Submitted: 21-10-2021 11:38
- Static task: static1
- Behavioral task: behavioral1
  - Sample: printing labels and items shipping marks for order 200018808.exe
  - Resource: win7-en-20211014
- Behavioral task: behavioral2
  - Sample: printing labels and items shipping marks for order 200018808.exe
  - Resource: win10-en-20211014
General
- Target: printing labels and items shipping marks for order 200018808.exe
- Size: 653KB
- MD5: d66d39a631410003673f85a5c8293e85
- SHA1: a9d4a8f39d2a58e6134faabc937ca8cce58dae93
- SHA256: 5e02cafcb735f048e38347099086988b2ee9d5c09956f95257602d3a45fd6716
- SHA512: 8cb1f697e0a7725913971d7bcaf5cf8614247f45dff0e443f96d9e79e775cebcf7ca80977fca7ba9c6ace74ae99d477ef61ea8c084b2e1a18b3632d2f0a41a42
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.electronmash.com
- Port: 587
- Username: office@electronmash.com
- Password: Zanzibar2018
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes (resource: YARA rule):
  - behavioral1/memory/1000-62-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1000-63-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1000-64-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1000-65-0x00000000004374FE-mapping.dmp: family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; PID; process; target process):
  - PID 1236 set thread context of 1000; 1236; printing labels and items shipping marks for order 200018808.exe; printing labels and items shipping marks for order 200018808.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (PID; process):
  - 1236; printing labels and items shipping marks for order 200018808.exe
  - 1000; printing labels and items shipping marks for order 200018808.exe
  - 1000; printing labels and items shipping marks for order 200018808.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description; PID; process):
  - Token: SeDebugPrivilege; 1236; printing labels and items shipping marks for order 200018808.exe
  - Token: SeDebugPrivilege; 1000; printing labels and items shipping marks for order 200018808.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description; PID; process; target process), identical rows collapsed with their count:
  - PID 1236 wrote to memory of 1472; 1236; printing labels and items shipping marks for order 200018808.exe; schtasks.exe (4 entries)
  - PID 1236 wrote to memory of 1000; 1236; printing labels and items shipping marks for order 200018808.exe; printing labels and items shipping marks for order 200018808.exe (9 entries)
  - PID 1000 wrote to memory of 1564; 1000; printing labels and items shipping marks for order 200018808.exe; dw20.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\printing labels and items shipping marks for order 200018808.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\printing labels and items shipping marks for order 200018808.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GtFqyleloVs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp61EE.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\printing labels and items shipping marks for order 200018808.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 516
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp61EE.tmp
  - MD5: a7bcd828e930c80a47f3f8754dc13b53
  - SHA1: 363192d986610bd3d3edefdd3ea36b7ae2838065
  - SHA256: 28c81bea071f4c535b0a5f5434e0e60c48037cf87021d5088441f2ae32a030de
  - SHA512: 19999b8dfa3a5cf00a708b445cfaa4dbdb322a826a5c625f99a12833bdc9476444d6073d12320a1885ee3d11f2ca725553a0f73cb08b49a9777aa7caad886f86
- memory/1000-64-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1000-60-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1000-61-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1000-62-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1000-63-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1000-65-0x00000000004374FE-mapping.dmp
- memory/1000-67-0x0000000000E40000-0x0000000000E41000-memory.dmp (Filesize: 4KB)
- memory/1236-57-0x0000000000BE1000-0x0000000000BE2000-memory.dmp (Filesize: 4KB)
- memory/1236-56-0x0000000000BE0000-0x0000000000BE1000-memory.dmp (Filesize: 4KB)
- memory/1236-55-0x0000000075191000-0x0000000075193000-memory.dmp (Filesize: 8KB)
- memory/1472-58-0x0000000000000000-mapping.dmp
- memory/1564-68-0x0000000000000000-mapping.dmp
- memory/1564-70-0x0000000001C90000-0x0000000001C91000-memory.dmp (Filesize: 4KB)