Analysis
- max time kernel: 118s
- max time network: 135s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-10-2021 08:12
Static task: static1
Behavioral task: behavioral1
  Sample: Dhl Parcel.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: Dhl Parcel.exe
  Resource: win10-en-20210920
General
- Target: Dhl Parcel.exe
- Size: 338KB
- MD5: 9a9edea8487b3aa7f0b92b131a2f100b
- SHA1: 48e21000745dc66d5614b3a9f246e4fea1d1c8c6
- SHA256: ad47dd267e28398f802bab88cf1a9c75e9906e2c51eae57d0dcabad47540e700
- SHA512: 69d3f7b4a196f2c8f9374e9a868766071ff91021429afba600728d5fc340e25c62d15bce3fab2c3d4953bdde95e4f77c89bb1513945e38b679d948f7db54d2b6
Malware Config (extracted)
- Family: agenttesla
- URL: https://api.telegram.org/bot1803146213:AAHYyCRx7FggQ9LfPbrIs79ZUWCEc9wNnDo/sendDocument
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/3520-116-0x0000000000400000-0x000000000044C000-memory.dmp    family_agenttesla
  behavioral2/memory/3520-117-0x000000000040188B-mapping.dmp                      family_agenttesla
  behavioral2/memory/3520-118-0x0000000004770000-0x00000000047A7000-memory.dmp    family_agenttesla
  behavioral2/memory/3520-122-0x0000000000400000-0x000000000044C000-memory.dmp    family_agenttesla
- Loads dropped DLL (1 IoC)
  pid   process
  2852  Dhl Parcel.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Keys opened by Dhl Parcel.exe:
    \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Suspicious use of SetThreadContext (1 IoC)
  PID 2852 (Dhl Parcel.exe) set thread context of PID 3520 (Dhl Parcel.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  3520  Dhl Parcel.exe
  3520  Dhl Parcel.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 3520 (Dhl Parcel.exe)
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2852 (Dhl Parcel.exe) wrote to memory of PID 3520 (Dhl Parcel.exe), 10 identical events
- outlook_office_path (1 IoC)
  Key opened by Dhl Parcel.exe:
    \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Key opened by Dhl Parcel.exe:
    \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\Dhl Parcel.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Dhl Parcel.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Dhl Parcel.exe (tree depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Dhl Parcel.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- \Users\Admin\AppData\Local\Temp\nsuDC77.tmp\zwxoobcdhjo.dll
  MD5:    35fcf029de669fe8d13f87d2622e4fcb
  SHA1:   c691acb70efe7d3e34ca90dd4b94ff9b298dddf0
  SHA256: c2b18bc2d235c0c178f225678abb67ef702e23663da9a45c82732b5e90d98a9e
  SHA512: e8679833f30ce4c1c59afa13f6cae93b8ccf8d2ab954d5de4d3fd54119c90ad52e57f4ed2d944ae9a26062a91cd8aa39a20725e6a3b02b49119c05f6ef4c1cb4
- memory/3520-116-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/3520-117-0x000000000040188B-mapping.dmp
- memory/3520-118-0x0000000004770000-0x00000000047A7000-memory.dmp (Filesize 220KB)
- memory/3520-120-0x0000000004900000-0x0000000004901000-memory.dmp (Filesize 4KB)
- memory/3520-121-0x0000000004EC0000-0x0000000004EC1000-memory.dmp (Filesize 4KB)
- memory/3520-123-0x00000000048F0000-0x00000000048F1000-memory.dmp (Filesize 4KB)
- memory/3520-122-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/3520-124-0x00000000048F2000-0x00000000048F3000-memory.dmp (Filesize 4KB)
- memory/3520-125-0x00000000048F3000-0x00000000048F4000-memory.dmp (Filesize 4KB)
- memory/3520-126-0x00000000048F4000-0x00000000048F5000-memory.dmp (Filesize 4KB)
- memory/3520-127-0x0000000004FB0000-0x0000000004FB1000-memory.dmp (Filesize 4KB)
- memory/3520-128-0x00000000057E0000-0x00000000057E1000-memory.dmp (Filesize 4KB)
- memory/3520-129-0x0000000000790000-0x0000000000791000-memory.dmp (Filesize 4KB)
- memory/3520-130-0x0000000000550000-0x0000000000551000-memory.dmp (Filesize 4KB)