Analysis
- max time kernel: 185s
- max time network: 190s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 00:08
Static task: static1
Behavioral task: behavioral1
  Sample: DHL Shipping Receipts.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: DHL Shipping Receipts.exe
  Resource: win10v2004-20220414-en
General
- Target: DHL Shipping Receipts.exe
- Size: 448KB
- MD5: 69d9ceed5576ad950bcec177e86b0033
- SHA1: c975b18994917b1dd93ee2e10ce2e15b586c02ba
- SHA256: ad526f12fe479654bd0e631a03dffceea2f9c0e0f01cb16e03caa4a6b4ed209c
- SHA512: 82fe28daf753888704000f41c3202977110751bf4a08060f9bf4d8e85987cc8556d08cdae65a0292fdfc4abb351df0aeed9e7aa8a7e7b288b5d892f8cd84509b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.cosur.pe
- Port: 587
- Username: [email protected]
- Password: C0m3rc14l%
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/1992-138-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: DHL Shipping Receipts.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DHL Shipping Receipts.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DHL Shipping Receipts.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: DHL Shipping Receipts.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | DHL Shipping Receipts.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: DHL Shipping Receipts.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL Shipping Receipts.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL Shipping Receipts.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL Shipping Receipts.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: DHL Shipping Receipts.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | DHL Shipping Receipts.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | DHL Shipping Receipts.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: DHL Shipping Receipts.exe
    description | pid | process | target process
    PID 3476 set thread context of 1992 | 3476 | DHL Shipping Receipts.exe | DHL Shipping Receipts.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: DHL Shipping Receipts.exe, DHL Shipping Receipts.exe
    pid | process
    3476 | DHL Shipping Receipts.exe (8 entries)
    1992 | DHL Shipping Receipts.exe (2 entries)
- Suspicious behavior: RenamesItself (1 IoCs)
  Processes: DHL Shipping Receipts.exe
    pid | process
    1992 | DHL Shipping Receipts.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: DHL Shipping Receipts.exe, DHL Shipping Receipts.exe
    description | pid | process
    Token: SeDebugPrivilege | 3476 | DHL Shipping Receipts.exe
    Token: SeDebugPrivilege | 1992 | DHL Shipping Receipts.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: DHL Shipping Receipts.exe
    description | pid | process | target process
    PID 3476 wrote to memory of 1344 | 3476 | DHL Shipping Receipts.exe | schtasks.exe (3 entries)
    PID 3476 wrote to memory of 2216 | 3476 | DHL Shipping Receipts.exe | DHL Shipping Receipts.exe (3 entries)
    PID 3476 wrote to memory of 1992 | 3476 | DHL Shipping Receipts.exe | DHL Shipping Receipts.exe (8 entries)
- outlook_office_path (1 IoCs)
  Processes: DHL Shipping Receipts.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL Shipping Receipts.exe
- outlook_win_path (1 IoCs)
  Processes: DHL Shipping Receipts.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL Shipping Receipts.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL Shipping Receipts.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping Receipts.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ekunPf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC515.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\DHL Shipping Receipts.exe
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\DHL Shipping Receipts.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Shipping Receipts.exe.log
  Filesize: 504B
  MD5: 7307db2ff60eeb1e5b8240651dda7149
  SHA1: f33508fd9d0482c988eb1a78e413859ff6ea7793
  SHA256: 1c29ea2ae4eef73cc1058bdb694449c5674dd259e3eb0a388a50f586c77cb2af
  SHA512: c9cdc6526f8ae3ca942e5552f35cf6c6abc10714556570643a27db02bf32185fb3918fde75919f4db06bc89bcba8b7b79ae7c57bde359a5b59129d0acb65abac
- C:\Users\Admin\AppData\Local\Temp\tmpC515.tmp
  Filesize: 1KB
  MD5: 878c11955d4377d6969b7ba69f757fe4
  SHA1: 306b8caa09e803ec5a5af460bb1205b2dfb73ad1
  SHA256: e22c96e088658dff99c13a44242d554d70095554cfb95dea56dadab06f01b1c2
  SHA512: ecb93eb231b4bc14f283150d6240c0835da2bfdebf4404d10044ca13844eca00ff7004e7ee10aac3392e891b68d1d747744733c858d114c1d8cdb7ce05eefb1d
- memory/1344-134-0x0000000000000000-mapping.dmp
- memory/1992-138-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1992-142-0x00000000064F0000-0x00000000064FA000-memory.dmp
  Filesize: 40KB
- memory/1992-141-0x0000000006530000-0x0000000006580000-memory.dmp
  Filesize: 320KB
- memory/1992-140-0x0000000005550000-0x0000000005AF4000-memory.dmp
  Filesize: 5.6MB
- memory/1992-137-0x0000000000000000-mapping.dmp
- memory/2216-136-0x0000000000000000-mapping.dmp
- memory/3476-130-0x0000000000850000-0x00000000008C6000-memory.dmp
  Filesize: 472KB
- memory/3476-133-0x000000000BB80000-0x000000000BBE6000-memory.dmp
  Filesize: 408KB
- memory/3476-132-0x00000000056F0000-0x0000000005782000-memory.dmp
  Filesize: 584KB
- memory/3476-131-0x00000000055B0000-0x000000000564C000-memory.dmp
  Filesize: 624KB