Analysis
- max time kernel: 127s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:24
Static task: static1
Behavioral task: behavioral1
  Sample: shipping documents.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: shipping documents.exe
  Resource: win10v2004-20220414-en
General
- Target: shipping documents.exe
- Size: 470KB
- MD5: 90fe75b49befcd3051bf0722a1dbf0b8
- SHA1: 3b40d36a7996beca071c28dc03b9e733b1f4bb08
- SHA256: 3c3790756d45d5d2b17d41fcde5441129464268dd6f9c0b6c0af689487a35137
- SHA512: a314167a8f6b0bf2cca638ffb82a5b64f62ebb65e424551bbef6a061d0ee9dd613e57359ce22b30c34576f934182a250547f3eb8210c99f9c90906d148f8608d
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.tiig-eg.com
- Port: 587
- Username: [email protected] (mailbox name not preserved in this copy of the report)
- Password: servicelorch
Exfiltration is over SMTP submission (port 587) using the mailbox credentials embedded in the sample, so mail.tiig-eg.com:587 is a usable network indicator even without the full username.
Signatures
-
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) written in Visual Basic; its stealer payload exfiltrates over SMTP with the credentials in the config above.
-
AgentTesla Payload 1 IoCs
Processes:
  resource: behavioral2/memory/2200-138-0x0000000000400000-0x000000000045A000-memory.dmp
  yara_rule: family_agenttesla
The YARA hit is on the 0x00400000-0x0045A000 region of PID 2200 (RegSvcs.exe), i.e. the payload image mapped into the hollowed host rather than a file on disk; the 360KB dump of that region is listed under Downloads.
-
Drops file in Drivers directory 1 IoCs
Processes:
  description: File opened for modification
  ioc: C:\Windows\system32\drivers\etc\hosts
  process: RegSvcs.exe
The report records only that the hosts file was opened for modification, not what was written; on an infected host check the file for added entries.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence check. It is performed by the loader (PID 2272), not by the injected payload.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
  process: shipping documents.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: RegSvcs.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: RegSvcs.exe
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: RegSvcs.exe
These are the Office 2013 (15.0) and Office 2016+ (16.0) profile stores plus the legacy Windows Messaging Subsystem profile, where Outlook keeps account settings and saved credentials; reading them from the injected RegSvcs.exe is the stealer harvesting mail credentials.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sRfDVrD = "C:\\Users\\Admin\\AppData\\Roaming\\sRfDVrD\\sRfDVrD.exe"
  process: RegSvcs.exe
The Run value points at a copy under %APPDATA%\sRfDVrD\, written by the injected payload; both the value name and the directory are the persistence indicators.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: set thread context
  pid: 2272 (shipping documents.exe)
  target: 2200 (RegSvcs.exe)
Together with the WriteProcessMemory calls from 2272 into 2200 and RegSvcs.exe being started with the literal "{path}" placeholder as its only argument, this is process hollowing: the loader starts the .NET utility, writes the Agent Tesla image over it and points the main thread at the new entry point.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour; for an Agent Tesla sample it is consistent with drive enumeration during host profiling, and no encryption activity is recorded in this run.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the loader creates the task "Updates\RfRrpPOAcJ" from the XML definition C:\Users\Admin\AppData\Local\Temp\tmpA299.tmp (1KB, hashes under Downloads); the task name and the XML path are the indicators to search for.
-
Modifies registry key 1 TTPs 1 IoCs
The IoC is the REG.exe child of RegSvcs.exe (PID 4808) setting DisableTaskMgr to 1 under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, which hides the running payload from Task Manager for the current user (see Processes).
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  pid 2272 shipping documents.exe (4 events)
  pid 2200 RegSvcs.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description: Token: SeDebugPrivilege, pid 2272, shipping documents.exe
  description: Token: SeDebugPrivilege, pid 2200, RegSvcs.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
  PID 2272 (shipping documents.exe) wrote to memory of 4016 (schtasks.exe): 3 events
  PID 2272 (shipping documents.exe) wrote to memory of 2200 (RegSvcs.exe): 8 events
  PID 2200 (RegSvcs.exe) wrote to memory of 4808 (REG.exe): 3 events
Compare the three writes into schtasks.exe and REG.exe, both plain child processes, with the eight writes into RegSvcs.exe, the hollowed host that receives the payload.
-
outlook_office_path 1 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: RegSvcs.exe
-
outlook_win_path 1 IoCs
Processes:
  description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\shipping documents.exe (level 1, PID 2272)
  Command line: "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (level 2, PID 4016)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RfRrpPOAcJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA299.tmp"
    (the 32-bit loader's System32 path is redirected to SysWOW64 by WoW64)
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2, PID 2200)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    C:\Windows\SysWOW64\REG.exe (level 3, PID 4808)
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System / v DisableTaskMgr / t REG_DWORD / d 1 / f
      - Modifies registry key
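The signatures and the process tree above describe one chain: the loader queries the geofence key, spawns schtasks.exe with an XML from Temp, hollows RegSvcs.exe (WriteProcessMemory followed by SetThreadContext), and the injected payload opens the hosts file, reads the Outlook profile keys, sets a Run key and launches REG.exe to disable Task Manager. The Python below is an added example, not part of the sandbox report or of the Agent Tesla sample: it encodes those behaviours as triage rules and runs them over constructed Sysmon-style events that mirror the report's PIDs, images, keys and paths. The event schema, the root process's ppid of 1 and the hollowing-host names other than RegSvcs.exe are assumptions.

```python
# Added example (not part of the sandbox report): triage rules for the behaviours above,
# run over constructed Sysmon-style events. The event schema and the root's ppid are assumed.
import ntpath
import re
from collections import defaultdict

# .NET utilities commonly hollowed; the report shows only RegSvcs.exe, the rest are an assumption.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}

def ev(kind, pid, **fields):
    return {"type": kind, "pid": pid, **fields}

# Constructed events modelled on the report's process tree and IoCs.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [
    ev("process_create", 2272, ppid=1, image=TEMP + r"\shipping documents.exe", cmdline=""),
    ev("registry_query", 2272, key=r"HKCU\Control Panel\International\Geo\Nation"),
    ev("process_create", 4016, ppid=2272, image=r"C:\Windows\SysWOW64\schtasks.exe",
       cmdline=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RfRrpPOAcJ" /XML "' + TEMP + r'\tmpA299.tmp"'),
    ev("process_create", 2200, ppid=2272, cmdline='"{path}"',
       image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    ev("write_process_memory", 2272, target_pid=2200),
    ev("set_thread_context", 2272, target_pid=2200),
    ev("file_write", 2200, path=r"C:\Windows\system32\drivers\etc\hosts"),
    ev("registry_open", 2200, key=r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    ev("registry_set", 2200, key=r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sRfDVrD",
       value=r"C:\Users\Admin\AppData\Roaming\sRfDVrD\sRfDVrD.exe"),
    ev("process_create", 4808, ppid=2200, image=r"C:\Windows\SysWOW64\REG.exe",
       cmdline=r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
]

def _base(path):
    return ntpath.basename(path).lower()

def build_tree(events):
    # pid -> process_create record, and ppid -> [child pids]
    procs, children = {}, defaultdict(list)
    for e in events:
        if e["type"] == "process_create":
            procs[e["pid"]] = e
            children[e["ppid"]].append(e["pid"])
    return procs, children

def detect_hollowing(events):
    """SetThreadContext into a .NET host the caller spawned and already wrote to (2272 -> 2200)."""
    procs, _ = build_tree(events)
    wrote = {(e["pid"], e["target_pid"]) for e in events if e["type"] == "write_process_memory"}
    hits = []
    for e in events:
        if e["type"] != "set_thread_context" or e["pid"] == e["target_pid"]:
            continue
        tgt = procs.get(e["target_pid"])
        if tgt and tgt["ppid"] == e["pid"] and (e["pid"], e["target_pid"]) in wrote \
                and _base(tgt["image"]) in HOLLOW_HOSTS:
            hits.append((e["pid"], e["target_pid"], _base(tgt["image"])))
    return hits

def detect_persistence(events):
    """Run key pointing into a user profile dir, or schtasks /Create fed an XML from Temp."""
    hits = []
    for e in events:
        if e["type"] == "registry_set" and "\\currentversion\\run\\" in e["key"].lower() \
                and "\\appdata\\" in e["value"].lower():
            hits.append(("run_key", e["pid"], e["value"]))
        elif e["type"] == "process_create" and _base(e["image"]) == "schtasks.exe":
            m = re.search(r'/create\b.*/xml\s+"?([^"]*\\temp\\[^"]+)', e["cmdline"], re.I)
            if m:
                hits.append(("schtasks_xml", e["pid"], m.group(1)))
    return hits

def detect_defense_evasion(events):
    """hosts file opened for writing, or REG.exe setting DisableTaskMgr under Policies\\System."""
    hits = []
    for e in events:
        if e["type"] == "file_write" and e["path"].lower().endswith(r"\drivers\etc\hosts"):
            hits.append(("hosts_file", e["pid"]))
        elif e["type"] == "process_create" and _base(e["image"]) == "reg.exe" \
                and re.search(r"policies\\system.*disabletaskmgr", e["cmdline"], re.I):
            hits.append(("disable_taskmgr", e["pid"]))
    return hits

def detect_credential_access(events):
    """Reads of Outlook profile keys (Office 15.0/16.0 or Windows Messaging Subsystem)."""
    return [("outlook_profile", e["pid"]) for e in events
            if e["type"] == "registry_open" and "\\outlook\\profiles\\" in e["key"].lower()]

def detect_geofence(events):
    return [e["pid"] for e in events if e["type"] == "registry_query"
            and e["key"].lower().endswith(r"\international\geo\nation")]

def descendants(events, pid):
    # every pid spawned below `pid`, following through the hollowed host (2272 -> 2200 -> 4808)
    _, children = build_tree(events)
    out, stack = [], [pid]
    while stack:
        for c in sorted(children.get(stack.pop(), [])):
            out.append(c)
            stack.append(c)
    return out

def triage(events):
    return {"geofence": detect_geofence(events), "hollowing": detect_hollowing(events),
            "persistence": detect_persistence(events), "defense_evasion": detect_defense_evasion(events),
            "credential_access": detect_credential_access(events)}
```

triage(EVENTS) returns one finding list per category. The hollowing rule deliberately requires all three conditions (the target is a child of the injector, it was written to, and it is a known .NET host) so that the routine parent-to-child writes around schtasks.exe and REG.exe do not fire it; descendants(EVENTS, 2272) follows the tree through the hollowed host, which is how the REG.exe tampering at PID 4808 is attributed back to the original sample.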
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpA299.tmp
  Filesize: 1KB
  MD5: 8c92820389d4cadd8b9bd1e500ae15aa
  SHA1: bc0e126288bee7739c8f23f64c8de041251782c3
  SHA256: a58d49eaf0adbe5bb42a8ea63535324fd0d582def2db7ce7cb03c37866724650
  SHA512: a5189e4490fe3784b8550b9e329e47d7996080f4c81e694f527b281b829b9ef3c4b2b08ae307b8efe7c70e797b3c52bc5b02ebd9e8db08d1f7773c6172a2eeb1
-
memory/2200-137-0x0000000000000000-mapping.dmp
-
memory/2200-138-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)
-
memory/2200-139-0x0000000005810000-0x0000000005876000-memory.dmp (Filesize: 408KB)
-
memory/2200-140-0x00000000064F0000-0x0000000006540000-memory.dmp (Filesize: 320KB)
-
memory/2272-130-0x0000000000EA0000-0x0000000000F1C000-memory.dmp (Filesize: 496KB)
-
memory/2272-131-0x0000000005EB0000-0x0000000006454000-memory.dmp (Filesize: 5.6MB)
-
memory/2272-132-0x0000000005900000-0x0000000005992000-memory.dmp (Filesize: 584KB)
-
memory/2272-133-0x00000000058C0000-0x00000000058CA000-memory.dmp (Filesize: 40KB)
-
memory/2272-134-0x0000000007DD0000-0x0000000007E6C000-memory.dmp (Filesize: 624KB)
-
memory/4016-135-0x0000000000000000-mapping.dmp
-
memory/4808-141-0x0000000000000000-mapping.dmp