Analysis
max time kernel: 127s
max time network: 47s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 00:21
Static task: static1
Behavioral task: behavioral1
  Sample: Fedex_Commercial Invoice.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Fedex_Commercial Invoice.exe
  Resource: win10v2004-20220414-en
General
Target: Fedex_Commercial Invoice.exe
Size: 791KB
MD5: eb399d8e95e6b5d8b47eb7861d4a8631
SHA1: 5a737e28680097c70b94e63b40766d60776d6023
SHA256: 8e7934b4a6e7e21ef57fbc897a2f03cf5d487840b4434544919e40c7ba9c3021
SHA512: 8e93d2c755aa5b1e980082334143ab4e16eb66ddabe5c3ecb6a43a356b350c52f9ac51ae708f6bbe7987d2f09cf995f6d59cdbfbf7514e42145df29ade2d069d
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: [email protected]
Password: Remember@123#
Signatures
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT). The SMTP credentials extracted above are its exfiltration channel: stolen data is sent through the attacker-controlled mailbox, so the account is an attacker asset, not a victim's.
AgentTesla Payload (6 IoCs)
resource | yara_rule
behavioral1/memory/1760-64-0x0000000000400000-0x0000000000458000-memory.dmp | family_agenttesla
behavioral1/memory/1760-65-0x0000000000400000-0x0000000000458000-memory.dmp | family_agenttesla
behavioral1/memory/1760-67-0x0000000000453DAE-mapping.dmp | family_agenttesla
behavioral1/memory/1760-66-0x0000000000400000-0x0000000000458000-memory.dmp | family_agenttesla
behavioral1/memory/1760-69-0x0000000000400000-0x0000000000458000-memory.dmp | family_agenttesla
behavioral1/memory/1760-71-0x0000000000400000-0x0000000000458000-memory.dmp | family_agenttesla
All six hits are in pid 1760 (RegSvcs.exe), the hollowed host, and all name the same 0x400000-0x458000 region; none are in the dropper's own image, so the AgentTesla payload is only exposed once unpacked in memory.
Suspicious use of SetThreadContext (1 IoC)
description: PID 1524 set thread context of 1760
pid 1524 (Fedex_Commercial Invoice.exe) -> target process 1760 (RegSvcs.exe)
Setting the thread context of a freshly created child after writing into its memory is the process-hollowing sequence: the dropper replaces the host's image with the payload and points the suspended main thread at the payload's entry point.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this as likely ransomware behaviour; in an AgentTesla sample it is better read as host fingerprinting, since no encryption activity is reported here.
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task definition is supplied from an XML file written to %TEMP% (tmpB9FD.tmp, listed under Downloads), so the task's action and triggers are not visible on the command line and must be recovered from the dropped file.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | process
1524 | Fedex_Commercial Invoice.exe (3 events)
1760 | RegSvcs.exe (2 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege | pid 1524 | Fedex_Commercial Invoice.exe
Token: SeDebugPrivilege | pid 1760 | RegSvcs.exe
Suspicious use of WriteProcessMemory (16 IoCs)
PID 1524 (Fedex_Commercial Invoice.exe) wrote to memory of 2032 (schtasks.exe): 4 events
PID 1524 (Fedex_Commercial Invoice.exe) wrote to memory of 1760 (RegSvcs.exe): 12 events
A few writes into a freshly created child are produced by CreateProcess itself (it writes the process parameters into the new process), so the schtasks.exe entries are not suspicious on their own; the twelve writes into RegSvcs.exe, followed by SetThreadContext, are the payload being placed into the hollowed host.
Processes
1. C:\Users\Admin\AppData\Local\Temp\Fedex_Commercial Invoice.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Fedex_Commercial Invoice.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\shOrItAQhQkbkF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB9FD.tmp"
      (System32 on the command line resolves to SysWOW64 because the 32-bit dropper is subject to WoW64 file-system redirection)
      - Creates scheduled task(s)
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "{path}" (the literal placeholder as captured, not a substituted path)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
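The two behaviours in this process tree (a task registered from an XML file in %TEMP%, and a .NET Framework utility launched by a dropper in a user-writable directory with only the "{path}" placeholder) translate directly into process-creation detection logic. The following is an added example, not part of the sandbox report: it runs two rules over constructed events shaped like Sysmon Event ID 1 records (the field names, the parent of pid 1524, and the benign control record are assumptions; the three malicious records are built from the tree above). The list of .NET host binaries generalises beyond the RegSvcs.exe the report shows.

```python
"""Added example (not from the sandbox report): detection logic for the two
behaviours in the process tree, run over constructed process-creation events
shaped like Sysmon Event ID 1 records (field names are assumptions)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str        # command line as captured
    parent_pid: int
    parent_image: str   # full path of the creating process


# Constructed from the report's process tree; the explorer.exe parent of pid 1524
# and the last (benign control) record are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(1524, r"C:\Users\Admin\AppData\Local\Temp\Fedex_Commercial Invoice.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Fedex_Commercial Invoice.exe"',
              1000, r"C:\Windows\explorer.exe"),
    ProcEvent(2032, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\shOrItAQhQkbkF" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpB9FD.tmp"',
              1524, r"C:\Users\Admin\AppData\Local\Temp\Fedex_Commercial Invoice.exe"),
    ProcEvent(1760, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              "{path}",
              1524, r"C:\Users\Admin\AppData\Local\Temp\Fedex_Commercial Invoice.exe"),
    ProcEvent(3100, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\backup\nightly.xml"',
              3000, r"C:\Windows\System32\cmd.exe"),
]

# .NET Framework utilities commonly used as hollowing hosts. The report shows
# RegSvcs.exe; the other names generalise the rule and are not from the page.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|Downloads)\\", re.I)
XML_ARG = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_schtasks_xml_from_temp(ev: ProcEvent) -> bool:
    """schtasks /Create ... /XML <file> with the task definition read from a .tmp
    file in a Temp directory: the task body is hidden from command-line logging."""
    if _basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return False
    m = XML_ARG.search(ev.cmdline)
    if not m:
        return False
    xml_path = m.group(1) or m.group(2)
    return bool(re.search(r"\\Temp\\", xml_path, re.I)) and xml_path.lower().endswith(".tmp")


def is_hollowing_host_candidate(ev: ProcEvent) -> bool:
    """A .NET Framework utility spawned by a parent in a user-writable directory
    and carrying only the loader's "{path}" placeholder instead of an assembly
    to act on, as RegSvcs.exe "{path}" under pid 1524 in the report."""
    if _basename(ev.image) not in DOTNET_HOSTS:
        return False
    if not USER_WRITABLE.search(ev.parent_image):
        return False
    return ev.cmdline.strip().strip('"') == "{path}"


RULES = {
    "schtasks_xml_from_temp": is_schtasks_xml_from_temp,
    "dotnet_hollowing_host_candidate": is_hollowing_host_candidate,
}


def detect(events):
    """Return (pid, rule_name) for every event matching a rule, in input order."""
    return [(ev.pid, name) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Both rules key on the parent/child relationship and the argument shape rather than on the task name or the tmp file name, which the loader randomises per run; the hollowing rule deliberately ignores the image path, since RegSvcs.exe is the legitimate signed binary and only its parent and arguments are anomalous.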
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpB9FD.tmp
  Filesize: 1KB
  MD5: a9eef0bfe20c593edeab13c8661162a2
  SHA1: aad4644929d6a3922ab5ea9073ed213dcddf4521
  SHA256: b82cec0610f813b1779f63c8043eb5251adfc1d42cebd6cf5efd7aa2c4d8cd2c
  SHA512: 7078f0c6e08b294ca8f806f01024746acd538b7a2d857d81b171dd924d1c3a5f7fabdb54a6906b59c912bee890bf540f9f9c25cea7e34b7bb396cff84ca2dfc1
Memory dumps (name: Filesize)
memory/1524-54-0x0000000000EE0000-0x0000000000FAA000-memory.dmp: 808KB
memory/1524-55-0x0000000076851000-0x0000000076853000-memory.dmp: 8KB
memory/1524-56-0x0000000000310000-0x0000000000320000-memory.dmp: 64KB
memory/1524-57-0x0000000000AA0000-0x0000000000B0E000-memory.dmp: 440KB
memory/1524-58-0x0000000000BF0000-0x0000000000C48000-memory.dmp: 352KB
memory/1760-61-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
memory/1760-62-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
memory/1760-64-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
memory/1760-65-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
memory/1760-66-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
memory/1760-67-0x0000000000453DAE-mapping.dmp
memory/1760-69-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
memory/1760-71-0x0000000000400000-0x0000000000458000-memory.dmp: 352KB
memory/2032-59-0x0000000000000000-mapping.dmp
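The dump names above encode pid, sequence number and address range, and together with the YARA hits they describe the hollowing geometry: every family_agenttesla hit is in one 0x400000-0x458000 region of RegSvcs.exe (pid 1760), the mapping dump's address 0x453DAE lies inside that region, and the dropper (pid 1524) holds a region of exactly the same 352KB size at 0xBF0000. The following is an added example, not part of the report: it parses those names, recomputes the sizes the report prints, and checks the three relationships. Dump names are copied from this page; reading the mapping address as the injected image's entry point set by SetThreadContext is an assumption.

```python
"""Added example (not from the sandbox report): parse the memory-dump names the
report lists, recompute the sizes it shows, and check the hollowing geometry
they imply. Dump names are copied from the report; the interpretation of the
'-mapping.dmp' address as the injected entry point is an assumption."""
import re

DUMP_RE = re.compile(
    r"^(?:[A-Za-z0-9_]+/)?memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)"
    r"(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp$"
)

# Copied from the report's Downloads section (memory dumps only).
DUMPS = [
    "memory/1524-57-0x0000000000AA0000-0x0000000000B0E000-memory.dmp",
    "memory/1524-55-0x0000000076851000-0x0000000076853000-memory.dmp",
    "memory/1524-54-0x0000000000EE0000-0x0000000000FAA000-memory.dmp",
    "memory/1524-58-0x0000000000BF0000-0x0000000000C48000-memory.dmp",
    "memory/1524-56-0x0000000000310000-0x0000000000320000-memory.dmp",
    "memory/1760-67-0x0000000000453DAE-mapping.dmp",
    "memory/1760-61-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/1760-62-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/1760-64-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/1760-65-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/1760-66-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/1760-69-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/1760-71-0x0000000000400000-0x0000000000458000-memory.dmp",
    "memory/2032-59-0x0000000000000000-mapping.dmp",
]

# Copied from the report's 'AgentTesla Payload' YARA hits.
YARA_HITS = [
    "behavioral1/memory/1760-64-0x0000000000400000-0x0000000000458000-memory.dmp",
    "behavioral1/memory/1760-65-0x0000000000400000-0x0000000000458000-memory.dmp",
    "behavioral1/memory/1760-67-0x0000000000453DAE-mapping.dmp",
    "behavioral1/memory/1760-66-0x0000000000400000-0x0000000000458000-memory.dmp",
    "behavioral1/memory/1760-69-0x0000000000400000-0x0000000000458000-memory.dmp",
    "behavioral1/memory/1760-71-0x0000000000400000-0x0000000000458000-memory.dmp",
]


def parse_dump(name):
    """'<pid>-<seq>-0x<start>[-0x<end>]-memory|mapping.dmp' -> dict.
    A mapping dump carries a single address, so 'end' is None for it."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end, kind = m.groups()
    return {
        "name": name, "pid": int(pid), "seq": int(seq), "kind": kind,
        "start": int(start, 16), "end": int(end, 16) if end else None,
    }


def size_kb(d):
    """Region size in KiB, as the report prints it; None for mapping dumps."""
    return None if d["end"] is None else (d["end"] - d["start"]) // 1024


def report_sizes(names=DUMPS):
    """Map each memory dump name to its size in KiB (mapping dumps omitted)."""
    return {n: size_kb(d) for n in names for d in [parse_dump(n)] if d["kind"] == "memory"}


def payload_region(yara_hits=YARA_HITS):
    """The single (pid, start, end) region that all memory-dump YARA hits name;
    raise if the hits disagree (which would mean more than one injected image)."""
    regions = {(d["pid"], d["start"], d["end"])
               for d in map(parse_dump, yara_hits) if d["kind"] == "memory"}
    if len(regions) != 1:
        raise ValueError(f"YARA hits span {len(regions)} regions: {sorted(regions)}")
    return regions.pop()


def mapping_inside(region, yara_hits=YARA_HITS):
    """True if every mapping-dump hit's address lies inside `region`: the entry
    point handed to SetThreadContext must be inside the injected image."""
    pid, start, end = region
    maps = [d for d in map(parse_dump, yara_hits) if d["kind"] == "mapping"]
    return bool(maps) and all(d["pid"] == pid and start <= d["start"] < end for d in maps)


def staging_regions(region, parent_pid, names=DUMPS):
    """Regions in the parent with exactly the payload's size: where the dropper
    held the unpacked image before writing it into the hollowed host."""
    _, start, end = region
    return sorted((d["start"], d["end"]) for d in map(parse_dump, names)
                  if d["pid"] == parent_pid and d["kind"] == "memory"
                  and d["end"] - d["start"] == end - start)


if __name__ == "__main__":
    region = payload_region()
    print("payload region:", [hex(x) for x in region[1:]], "in pid", region[0])
    print("entry point inside payload:", mapping_inside(region))
    print("same-size regions in dropper:", [(hex(a), hex(b)) for a, b in staging_regions(region, 1524)])
```

The 0x400000 base is the default image base of a 32-bit PE, consistent with a whole image having been mapped over the host rather than a shellcode stub injected into it; the matching 352KB region at 0xBF0000 in pid 1524 is the natural place to carve the unpacked payload from if the RegSvcs.exe dumps are unavailable.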