Overview

overview

10

Static

static

DHL Shipme...df.exe

windows7_x64

3

DHL Shipme...df.exe

windows10_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    03-12-2021 15:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Shipment Notification 1953341372.pdf.exe

  • Size

    468KB

  • MD5

    621452b83a5cdf0a1e03ea6d3c56c595

  • SHA1

    0710b1580784a673daeaef5aeb259f05df5aee1e

  • SHA256

    8bd946b1e3dc26464602dfc0f7de0b2bb90637f4774213c7dcbea93dcc0e02fd

  • SHA512

    ce9960e5b0c534186a547341130422e2f6c76983f5d03a0acb88447997c412aa3927c5b2b8725036ad10e393fe1895f2ac0972f35b8b712479d73f2e9f9830ab

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    negozio@depadova.cf
  • Password:
    graceofgod@amen

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification 1953341372.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Shipment Notification 1953341372.pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wKLJLmiJQVwUSn.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4060
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wKLJLmiJQVwUSn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA871.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1552
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:2548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpA871.tmp
    MD5

    32c569842563bd09753357f992020abe

    SHA1

    aa6d5cb079e602387fc1a6a0990b2aea4f1487ad

    SHA256

    6778ba584f03c4edf3b949300d02420c20868d6b442dda5017eb111105d45f3d

    SHA512

    1f91f8437595936bc98d2805d4f8fc7bad5a4c252e609fa9e8883025d0a4eb495106fddb290180af701499a322b487f11114afc44bad89db6b19ebf148f21c57

    Download Submit
  • memory/1272-125-0x00000000055B0000-0x00000000055B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1272-127-0x0000000005FD0000-0x0000000006039000-memory.dmp
    Filesize

    420KB

    Download
  • memory/1272-122-0x0000000005180000-0x0000000005181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1272-123-0x0000000005100000-0x00000000055FE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1272-124-0x00000000054D0000-0x00000000054D8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1272-120-0x0000000005600000-0x0000000005601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1272-126-0x0000000005F30000-0x0000000005F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1272-121-0x00000000051A0000-0x00000000051A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1272-118-0x00000000008A0000-0x00000000008A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1552-129-0x0000000000000000-mapping.dmp
    Download
  • memory/2548-147-0x0000000005570000-0x0000000005A6E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2548-391-0x0000000005570000-0x0000000005A6E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/2548-135-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2548-136-0x000000000043760E-mapping.dmp
    Download
  • memory/4060-140-0x00000000074F0000-0x00000000074F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-149-0x00000000085F0000-0x00000000085F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-133-0x0000000004A70000-0x0000000004A71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-131-0x0000000003100000-0x0000000003101000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-141-0x0000000007E00000-0x0000000007E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-143-0x0000000007BE0000-0x0000000007BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-144-0x0000000007E70000-0x0000000007E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-145-0x0000000006F00000-0x0000000006F01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-146-0x0000000006F02000-0x0000000006F03000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-130-0x0000000003100000-0x0000000003101000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-148-0x0000000007D90000-0x0000000007D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-134-0x0000000007540000-0x0000000007541000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-150-0x0000000008550000-0x0000000008551000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-151-0x0000000003100000-0x0000000003101000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-158-0x0000000009310000-0x0000000009343000-memory.dmp
    Filesize

    204KB

    Download
  • memory/4060-159-0x000000007E700000-0x000000007E701000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-166-0x00000000092F0000-0x00000000092F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-171-0x00000000096B0000-0x00000000096B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-172-0x0000000009840000-0x0000000009841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-241-0x0000000006F03000-0x0000000006F04000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4060-128-0x0000000000000000-mapping.dmp
    Download