Overview

overview

10

Static

static

shipping d...df.exe

windows7_x64

10

shipping d...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    160s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 23:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shipping document.pdf.exe

  • Size

    764KB

  • MD5

    0889462bfd5453de7c9cc76349f4524b

  • SHA1

    5b51a1f647c62b5aafed85cf13437e1695ab32d3

  • SHA256

    b4acc93842006e649216fa6e4f9686443174eed13b91dfe359cd3c44d61e0ffa

  • SHA512

    a741ab113c5a83b9d2f01b6e62b01dfe9a70281b49fac5df9263d29e0fd099eba52c7da3ee6de158bcbae24a14ae5118aa8ee8b7ccc503d7b009a24bdbc9d5ca

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    server03.imanila.ph
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    sMh8K&LwfD2n

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\shipping document.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\shipping document.pdf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NraBYkfQmJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB611.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2708
    • C:\Users\Admin\AppData\Local\Temp\shipping document.pdf.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shipping document.pdf.exe.log
    Filesize

    1KB

    MD5

    400f1cc1a0a0ce1cdabda365ab3368ce

    SHA1

    1ecf683f14271d84f3b6063493dce00ff5f42075

    SHA256

    c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765

    SHA512

    14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpB611.tmp
    Filesize

    1KB

    MD5

    43edb6cf23afe201e5eddc04d8427c71

    SHA1

    58404a1adb20b1a416166b850eb33c65c51a9ba4

    SHA256

    f6c1626a54c0527d32fc72e9c43ca4daf7bac37b4f7ebf99adc11d643c367da7

    SHA512

    d052b388257b21df63c2a00cd1625c42951265bcb237519595f76bcf0430742768112fccfbefb79e0510c6452af96c4223ff1ef60e48f98ab6a717f54691a58c

    Download Submit
  • memory/224-137-0x0000000000000000-mapping.dmp
    Download
  • memory/224-138-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/224-140-0x00000000061B0000-0x0000000006216000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1312-130-0x00000000003B0000-0x0000000000476000-memory.dmp
    Filesize

    792KB

    Download
  • memory/1312-131-0x0000000005540000-0x0000000005AE4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1312-132-0x0000000005130000-0x00000000051C2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1312-133-0x0000000004E60000-0x0000000004E6A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1312-134-0x000000000D440000-0x000000000D4DC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2708-135-0x0000000000000000-mapping.dmp
    Download