Analysis
- max time kernel: 4294198s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 16-03-2022 11:30
Static task: static1
Behavioral task: behavioral1
- Sample: Shipment Docs.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: Shipment Docs.exe
- Resource: win10v2004-en-20220113
General
- Target: Shipment Docs.exe
- Size: 513KB
- MD5: 73e5451011ebf24c6ff6b945adf6f443
- SHA1: 33cd90107c301a1dc51b13142160dda8dc525483
- SHA256: 5057d8b5104c79609ea7234da4d51f6883622ee5e3e1b660489d247b920f6d90
- SHA512: d7d405511c78565ff71887a93d5f7da6df4b3314249b2f5457678c28f1d5748558eca57d5ee1daaee45f49a9aab6506150781a5304ac5abffd679ed2bc70d463
Malware Config
Extracted
- Protocol: smtp
- Host: mail.indiacarpet.in
- Port: 587
- Username: [email protected]
- Password: india@12345
Signatures
-
suricata: ET MALWARE AgentTesla Exfil Via SMTP
-
Drops file in Drivers directory (1 IoCs)
  description: File opened for modification | ioc: C:\Windows\system32\drivers\etc\hosts | Process: Shipment Docs.exe
-
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Process: Shipment Docs.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Process: Shipment Docs.exe
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Process: Shipment Docs.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\kECjS = "C:\\Users\\Admin\\AppData\\Roaming\\kECjS\\kECjS.exe" | Process: Shipment Docs.exe
-
Suspicious use of SetThreadContext (1 IoCs)
  description: PID 812 set thread context of 1700 | pid: 812 | Process: Shipment Docs.exe | procid_target: 29
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 812 | Process: Shipment Docs.exe
  pid: 1700 | Process: Shipment Docs.exe
  pid: 1700 | Process: Shipment Docs.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege | pid: 812 | Process: Shipment Docs.exe
  description: Token: SeDebugPrivilege | pid: 1700 | Process: Shipment Docs.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
  description: PID 812 wrote to memory of 1700 | pid: 812 | Process: Shipment Docs.exe | procid_target: 29 (this identical event is recorded 9 times)
-
outlook_office_path (1 IoCs)
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Process: Shipment Docs.exe
-
outlook_win_path (1 IoCs)
  description: Key opened | ioc: \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Process: Shipment Docs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Shipment Docs.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipment Docs.exe"
  PID: 812
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Shipment Docs.exe (depth 2, child of PID 812)
    Command line: "{path}"
    PID: 1700
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path