Analysis
- max time kernel: 160s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:57
Static task: static1
Behavioral task: behavioral1
- Sample: shipping document.pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: shipping document.pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: shipping document.pdf.exe
- Size: 764KB
- MD5: 0889462bfd5453de7c9cc76349f4524b
- SHA1: 5b51a1f647c62b5aafed85cf13437e1695ab32d3
- SHA256: b4acc93842006e649216fa6e4f9686443174eed13b91dfe359cd3c44d61e0ffa
- SHA512: a741ab113c5a83b9d2f01b6e62b01dfe9a70281b49fac5df9263d29e0fd099eba52c7da3ee6de158bcbae24a14ae5118aa8ee8b7ccc503d7b009a24bdbc9d5ca
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: server03.imanila.ph
- Port: 587
- Username: [email protected]
- Password: sMh8K&LwfD2n
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  resource: behavioral2/memory/224-138-0x0000000000400000-0x000000000044C000-memory.dmp; yara_rule: family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation; process: shipping document.pdf.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 1312 set thread context of 224; pid: 1312; process: shipping document.pdf.exe; target process: shipping document.pdf.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid 1312, process shipping document.pdf.exe (7 entries)
  pid 224, process shipping document.pdf.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid: 1312; process: shipping document.pdf.exe
  description: Token: SeDebugPrivilege; pid: 224; process: shipping document.pdf.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description: PID 1312 wrote to memory of 2708; pid: 1312; process: shipping document.pdf.exe; target process: schtasks.exe (3 entries)
  description: PID 1312 wrote to memory of 224; pid: 1312; process: shipping document.pdf.exe; target process: shipping document.pdf.exe (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\shipping document.pdf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\shipping document.pdf.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NraBYkfQmJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB611.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\shipping document.pdf.exe (depth 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shipping document.pdf.exe.log
  Filesize: 1KB
  MD5: 400f1cc1a0a0ce1cdabda365ab3368ce
  SHA1: 1ecf683f14271d84f3b6063493dce00ff5f42075
  SHA256: c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
  SHA512: 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45
- C:\Users\Admin\AppData\Local\Temp\tmpB611.tmp
  Filesize: 1KB
  MD5: 43edb6cf23afe201e5eddc04d8427c71
  SHA1: 58404a1adb20b1a416166b850eb33c65c51a9ba4
  SHA256: f6c1626a54c0527d32fc72e9c43ca4daf7bac37b4f7ebf99adc11d643c367da7
  SHA512: d052b388257b21df63c2a00cd1625c42951265bcb237519595f76bcf0430742768112fccfbefb79e0510c6452af96c4223ff1ef60e48f98ab6a717f54691a58c
- memory/224-137-0x0000000000000000-mapping.dmp
- memory/224-138-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/224-140-0x00000000061B0000-0x0000000006216000-memory.dmp
  Filesize: 408KB
- memory/1312-130-0x00000000003B0000-0x0000000000476000-memory.dmp
  Filesize: 792KB
- memory/1312-131-0x0000000005540000-0x0000000005AE4000-memory.dmp
  Filesize: 5.6MB
- memory/1312-132-0x0000000005130000-0x00000000051C2000-memory.dmp
  Filesize: 584KB
- memory/1312-133-0x0000000004E60000-0x0000000004E6A000-memory.dmp
  Filesize: 40KB
- memory/1312-134-0x000000000D440000-0x000000000D4DC000-memory.dmp
  Filesize: 624KB
- memory/2708-135-0x0000000000000000-mapping.dmp