5057d8b5104c79609ea7234da4d51f6883622ee5e3e1b660489d247b920f6d90

General

Target

Shipment Docs.exe
Size

513KB
MD5

73e5451011ebf24c6ff6b945adf6f443
SHA1

33cd90107c301a1dc51b13142160dda8dc525483
SHA256

5057d8b5104c79609ea7234da4d51f6883622ee5e3e1b660489d247b920f6d90
SHA512

d7d405511c78565ff71887a93d5f7da6df4b3314249b2f5457678c28f1d5748558eca57d5ee1daaee45f49a9aab6506150781a5304ac5abffd679ed2bc70d463

Score

10^/10

collection persistence spyware stealer suricata

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.indiacarpet.in
Port:
587
Username:
[email protected]
Password:
india@12345

Signatures

suricata: ET MALWARE AgentTesla Exfil Via SMTP
suricata: ET MALWARE AgentTesla Exfil Via SMTP
suricata
Drops file in Drivers directory 1 IoCs

Processes:

Shipment Docs.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts Shipment Docs.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Shipment Docs.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Shipment Docs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipment Docs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipment Docs.exe
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipment Docs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Shipment Docs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kECjS = "C:\\Users\\Admin\\AppData\\Roaming\\kECjS\\kECjS.exe"	Shipment Docs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Shipment Docs.exe

description pid process target process

PID 1176 set thread context of 4856 1176 Shipment Docs.exe Shipment Docs.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Shipment Docs.exeShipment Docs.exe

pid process

1176 Shipment Docs.exe
4856 Shipment Docs.exe
4856 Shipment Docs.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Shipment Docs.exeShipment Docs.exe

description pid process

Token: SeDebugPrivilege 1176 Shipment Docs.exe
Token: SeDebugPrivilege 4856 Shipment Docs.exe

description	pid	process	target process
PID 1176 set thread context of 4856	1176	Shipment Docs.exe	Shipment Docs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

pid	process
1176	Shipment Docs.exe
4856	Shipment Docs.exe
4856	Shipment Docs.exe

description	pid	process
Token: SeDebugPrivilege	1176	Shipment Docs.exe
Token: SeDebugPrivilege	4856	Shipment Docs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Shipment Docs.exe

description	pid	process	target process
PID 1176 wrote to memory of 4856	1176	Shipment Docs.exe	Shipment Docs.exe
PID 1176 wrote to memory of 4856	1176	Shipment Docs.exe	Shipment Docs.exe
PID 1176 wrote to memory of 4856	1176	Shipment Docs.exe	Shipment Docs.exe
PID 1176 wrote to memory of 4856	1176	Shipment Docs.exe	Shipment Docs.exe
PID 1176 wrote to memory of 4856	1176	Shipment Docs.exe	Shipment Docs.exe
PID 1176 wrote to memory of 4856	1176	Shipment Docs.exe	Shipment Docs.exe
PID 1176 wrote to memory of 4856	1176	Shipment Docs.exe	Shipment Docs.exe
PID 1176 wrote to memory of 4856	1176	Shipment Docs.exe	Shipment Docs.exe

outlook_office_path 1 IoCs

Processes:

Shipment Docs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipment Docs.exe

outlook_win_path 1 IoCs

Processes:

Shipment Docs.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Shipment Docs.exe

C:\Users\Admin\AppData\Local\Temp\Shipment Docs.exe
"C:\Users\Admin\AppData\Local\Temp\Shipment Docs.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\Shipment Docs.exe
  "{path}"
  2⤵
  - Drops file in Drivers directory
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipment Docs.exe.log

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
memory/1176-130-0x0000000000180000-0x0000000000206000-memory.dmp

Filesize
536KB

Download
memory/1176-131-0x00000000050D0000-0x0000000005674000-memory.dmp

Filesize
5.6MB

Download
memory/1176-132-0x0000000004BC0000-0x0000000004C52000-memory.dmp

Filesize
584KB

Download
memory/1176-133-0x0000000004C60000-0x0000000004CFC000-memory.dmp

Filesize
624KB

Download
memory/1176-134-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/1176-135-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/1176-136-0x0000000004BA0000-0x0000000004BAA000-memory.dmp

Filesize
40KB

Download
memory/4736-138-0x0000024EB13C0000-0x0000024EB13D0000-memory.dmp

Filesize
64KB

Download
memory/4736-139-0x0000024EB3940000-0x0000024EB3944000-memory.dmp

Filesize
16KB

Download
memory/4736-137-0x0000024EB1360000-0x0000024EB1370000-memory.dmp

Filesize
64KB

Download
memory/4856-140-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4856-142-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/4856-143-0x00000000057B0000-0x0000000005D54000-memory.dmp

Filesize
5.6MB

Download
memory/4856-144-0x0000000006550000-0x00000000065B6000-memory.dmp

Filesize
408KB

Download
memory/4856-145-0x0000000006BF0000-0x0000000006C40000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads