Analysis

- max time kernel: 119s
- max time network: 135s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-10-2021 09:20

Static task: static1

Behavioral task: behavioral1
- Sample: Documents Of Shipping.exe
- Resource: win7-en-20211014

Behavioral task: behavioral2
- Sample: Documents Of Shipping.exe
- Resource: win10-en-20210920
General

- Target: Documents Of Shipping.exe
- Size: 346KB
- MD5: 5fe507eb6a76faf15380d259508346f4
- SHA1: 0050d63477be4f3d5d807d1cea67a5bad03edb38
- SHA256: ec75c480db2874572e44afbf2bd961b1f744a45dc4eb1f2557c5d299093089b1
- SHA512: 9707c6ce53c9f5d345eb44da851ff3640f7341acf9752d5af8f89981e1bc15c93d5a2bd9e6a289d2f69dc7e4bfd0dbd3451e585b331dc0ccf9e83d568f966253
Malware Config

Extracted:
- agenttesla
- https://api.telegram.org/bot2021562129:AAG5jOD-8o1ZVDhFUnGUw6bzmNZXXfUtGN0/sendDocument
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla Payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3852-116-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral2/memory/3852-117-0x000000000040188B-mapping.dmp | family_agenttesla
  behavioral2/memory/3852-118-0x00000000047A0000-0x00000000047D7000-memory.dmp | family_agenttesla
  behavioral2/memory/3852-120-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla

- Loads dropped DLL (1 IoC)
  Processes:
  pid | process
  2784 | Documents Of Shipping.exe

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents Of Shipping.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents Of Shipping.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents Of Shipping.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2784 set thread context of 3852 | 2784 | Documents Of Shipping.exe | Documents Of Shipping.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  3852 | Documents Of Shipping.exe
  3852 | Documents Of Shipping.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3852 | Documents Of Shipping.exe

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description | pid | process | target process
  PID 2784 wrote to memory of 3852 | 2784 | Documents Of Shipping.exe | Documents Of Shipping.exe
  PID 2784 wrote to memory of 3852 | 2784 | Documents Of Shipping.exe | Documents Of Shipping.exe
  PID 2784 wrote to memory of 3852 | 2784 | Documents Of Shipping.exe | Documents Of Shipping.exe
  PID 2784 wrote to memory of 3852 | 2784 | Documents Of Shipping.exe | Documents Of Shipping.exe
  PID 2784 wrote to memory of 3852 | 2784 | Documents Of Shipping.exe | Documents Of Shipping.exe
  PID 2784 wrote to memory of 3852 | 2784 | Documents Of Shipping.exe | Documents Of Shipping.exe
  PID 2784 wrote to memory of 3852 | 2784 | Documents Of Shipping.exe | Documents Of Shipping.exe
  PID 2784 wrote to memory of 3852 | 2784 | Documents Of Shipping.exe | Documents Of Shipping.exe
  PID 2784 wrote to memory of 3852 | 2784 | Documents Of Shipping.exe | Documents Of Shipping.exe
  PID 2784 wrote to memory of 3852 | 2784 | Documents Of Shipping.exe | Documents Of Shipping.exe

- outlook_office_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents Of Shipping.exe

- outlook_win_path (1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Documents Of Shipping.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\Documents Of Shipping.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Documents Of Shipping.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\Documents Of Shipping.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Documents Of Shipping.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- \Users\Admin\AppData\Local\Temp\nsuDB8D.tmp\dkznkxdbox.dll
  MD5: 0b7ad8699439ce182b38af57ce27df00
  SHA1: be832ae4c9122e1daf351a6724cbefcd4e4ff710
  SHA256: 40e4279cf55da1330a38525edaacba9c3d7ad3b135f932475825da7eaad5c5b2
  SHA512: b8b1ddb60a38c0981ba97089a902dea44ffd32fd91c6a8d6a7412680cb7fa32d3a944e9c230ab40a0a0c9cbbf181cfab3a164e84f3007d4004f9e8b2930aa6a6

- memory/3852-116-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB

- memory/3852-117-0x000000000040188B-mapping.dmp

- memory/3852-118-0x00000000047A0000-0x00000000047D7000-memory.dmp
  Filesize: 220KB

- memory/3852-121-0x00000000048C0000-0x00000000048C1000-memory.dmp
  Filesize: 4KB

- memory/3852-120-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB

- memory/3852-122-0x00000000048C2000-0x00000000048C3000-memory.dmp
  Filesize: 4KB

- memory/3852-123-0x00000000048C3000-0x00000000048C4000-memory.dmp
  Filesize: 4KB

- memory/3852-124-0x00000000048D0000-0x00000000048D1000-memory.dmp
  Filesize: 4KB

- memory/3852-125-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
  Filesize: 4KB

- memory/3852-126-0x00000000048C4000-0x00000000048C5000-memory.dmp
  Filesize: 4KB

- memory/3852-127-0x00000000057B0000-0x00000000057B1000-memory.dmp
  Filesize: 4KB

- memory/3852-128-0x00000000057E0000-0x00000000057E1000-memory.dmp
  Filesize: 4KB

- memory/3852-129-0x0000000000730000-0x0000000000731000-memory.dmp
  Filesize: 4KB

- memory/3852-130-0x0000000000480000-0x0000000000481000-memory.dmp
  Filesize: 4KB