Analysis
- max time kernel: 146s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 23:50
Static task: static1
Behavioral task: behavioral1
- Sample: Please Confirm Your Shipment Address.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Please Confirm Your Shipment Address.exe
- Resource: win10v2004-20220414-en
General
- Target: Please Confirm Your Shipment Address.exe
- Size: 4.6MB
- MD5: ffab58789a8d188f10ae6b7a9c73c36a
- SHA1: 48bf4df2095bf4bb8fa53ddd10fbb0fef80dc494
- SHA256: f93ca4cd3ed07276972b89aee75211d52551197a2d1c5c8c3f01ed85aa13a4ea
- SHA512: c13ff615c4ae03dd33a5c4766be184c029aef24560703b8f59cf9fa54755dd9d68589234919ac4d02c77a05480f4c3795c53a1283cda1583ced8ea93f7dd322c
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (1 IoC)
  Processes: PID 588 Mecury.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 1724 Please Confirm Your Shipment Address.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resource: behavioral1/memory/1724-56-0x00000000003C0000-0x00000000003D0000-memory.dmp (YARA rule: agile_net)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: reg.exe
  Key created: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Processs = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Local\\Mecury.exe" (reg.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: PID 1724 Please Confirm Your Shipment Address.exe (2 events), PID 588 Mecury.exe (1 event)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PID 1724 Please Confirm Your Shipment Address.exe, Token: SeDebugPrivilege; PID 588 Mecury.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  PID 1724 (Please Confirm Your Shipment Address.exe) wrote to memory of PID 1764 (cmd.exe), 4 events
  PID 1764 (cmd.exe) wrote to memory of PID 1956 (reg.exe), 4 events
  PID 1724 (Please Confirm Your Shipment Address.exe) wrote to memory of PID 588 (Mecury.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Please Confirm Your Shipment Address.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Please Confirm Your Shipment Address.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Processs /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\Mecury.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Processs /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Local\Mecury.exe"
      - Adds Run key to start application
  - C:\Users\Admin\AppData\Local\Mecury.exe
    Command line: "C:\Users\Admin\AppData\Local\Mecury.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Mecury.exe
  Filesize: 4.6MB
  MD5: ffab58789a8d188f10ae6b7a9c73c36a
  SHA1: 48bf4df2095bf4bb8fa53ddd10fbb0fef80dc494
  SHA256: f93ca4cd3ed07276972b89aee75211d52551197a2d1c5c8c3f01ed85aa13a4ea
  SHA512: c13ff615c4ae03dd33a5c4766be184c029aef24560703b8f59cf9fa54755dd9d68589234919ac4d02c77a05480f4c3795c53a1283cda1583ced8ea93f7dd322c
- \Users\Admin\AppData\Local\Mecury.exe
  Filesize: 4.6MB
  MD5: ffab58789a8d188f10ae6b7a9c73c36a
  SHA1: 48bf4df2095bf4bb8fa53ddd10fbb0fef80dc494
  SHA256: f93ca4cd3ed07276972b89aee75211d52551197a2d1c5c8c3f01ed85aa13a4ea
  SHA512: c13ff615c4ae03dd33a5c4766be184c029aef24560703b8f59cf9fa54755dd9d68589234919ac4d02c77a05480f4c3795c53a1283cda1583ced8ea93f7dd322c
- memory/588-60-0x0000000000000000-mapping.dmp
- memory/588-63-0x0000000000BA0000-0x0000000001046000-memory.dmp
  Filesize: 4.6MB
- memory/1724-54-0x0000000001040000-0x00000000014E6000-memory.dmp
  Filesize: 4.6MB
- memory/1724-55-0x0000000000390000-0x00000000003BA000-memory.dmp
  Filesize: 168KB
- memory/1724-56-0x00000000003C0000-0x00000000003D0000-memory.dmp
  Filesize: 64KB
- memory/1764-57-0x0000000000000000-mapping.dmp
- memory/1956-58-0x0000000000000000-mapping.dmp