Analysis
-
max time kernel
146s -
max time network
43s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 00:24
Static task
static1
Behavioral task
behavioral1
Sample
DHL_23072020_AWB_998227999_INV..exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
DHL_23072020_AWB_998227999_INV..exe
Resource
win10v2004-20220414-en
General
-
Target
DHL_23072020_AWB_998227999_INV..exe
-
Size
753KB
-
MD5
0e32ec9e0f671840b3d71e0044960d32
-
SHA1
0733f5c73342f380f6f5b3d1dcbebf0c1af00475
-
SHA256
2449c1f1a898c241fd99ef81dd67ea37db3944708a37a3229f19bf572d7136d8
-
SHA512
f16a828859633c5b40afa0de2087b88c91214c913c1ba7105e2a85fcb2cfebb5cd655b257332b899e028fd73ede35bea0c878caf39ad1b807d238e092c6632bd
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.wtgriderline.com - Port:
587 - Username:
[email protected] - Password:
T@sz^GL3
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 6 IoCs
Processes:
resource yara_rule behavioral1/memory/1352-62-0x0000000000400000-0x0000000000458000-memory.dmp family_agenttesla behavioral1/memory/1352-63-0x0000000000400000-0x0000000000458000-memory.dmp family_agenttesla behavioral1/memory/1352-64-0x0000000000400000-0x0000000000458000-memory.dmp family_agenttesla behavioral1/memory/1352-65-0x0000000000452DFE-mapping.dmp family_agenttesla behavioral1/memory/1352-67-0x0000000000400000-0x0000000000458000-memory.dmp family_agenttesla behavioral1/memory/1352-69-0x0000000000400000-0x0000000000458000-memory.dmp family_agenttesla -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
DHL_23072020_AWB_998227999_INV..exedescription pid process target process PID 376 set thread context of 1352 376 DHL_23072020_AWB_998227999_INV..exe MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
DHL_23072020_AWB_998227999_INV..exeMSBuild.exepid process 376 DHL_23072020_AWB_998227999_INV..exe 376 DHL_23072020_AWB_998227999_INV..exe 376 DHL_23072020_AWB_998227999_INV..exe 376 DHL_23072020_AWB_998227999_INV..exe 1352 MSBuild.exe 1352 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
DHL_23072020_AWB_998227999_INV..exeMSBuild.exedescription pid process Token: SeDebugPrivilege 376 DHL_23072020_AWB_998227999_INV..exe Token: SeDebugPrivilege 1352 MSBuild.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
DHL_23072020_AWB_998227999_INV..exedescription pid process target process PID 376 wrote to memory of 1352 376 DHL_23072020_AWB_998227999_INV..exe MSBuild.exe PID 376 wrote to memory of 1352 376 DHL_23072020_AWB_998227999_INV..exe MSBuild.exe PID 376 wrote to memory of 1352 376 DHL_23072020_AWB_998227999_INV..exe MSBuild.exe PID 376 wrote to memory of 1352 376 DHL_23072020_AWB_998227999_INV..exe MSBuild.exe PID 376 wrote to memory of 1352 376 DHL_23072020_AWB_998227999_INV..exe MSBuild.exe PID 376 wrote to memory of 1352 376 DHL_23072020_AWB_998227999_INV..exe MSBuild.exe PID 376 wrote to memory of 1352 376 DHL_23072020_AWB_998227999_INV..exe MSBuild.exe PID 376 wrote to memory of 1352 376 DHL_23072020_AWB_998227999_INV..exe MSBuild.exe PID 376 wrote to memory of 1352 376 DHL_23072020_AWB_998227999_INV..exe MSBuild.exe -
outlook_office_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
outlook_win_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL_23072020_AWB_998227999_INV..exe"C:\Users\Admin\AppData\Local\Temp\DHL_23072020_AWB_998227999_INV..exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/376-54-0x00000000012B0000-0x0000000001372000-memory.dmpFilesize
776KB
-
memory/376-55-0x00000000764C1000-0x00000000764C3000-memory.dmpFilesize
8KB
-
memory/376-56-0x0000000000230000-0x0000000000240000-memory.dmpFilesize
64KB
-
memory/376-57-0x0000000001070000-0x00000000010DE000-memory.dmpFilesize
440KB
-
memory/376-58-0x0000000000350000-0x00000000003A8000-memory.dmpFilesize
352KB
-
memory/1352-59-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1352-60-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1352-62-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1352-63-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1352-64-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1352-65-0x0000000000452DFE-mapping.dmp
-
memory/1352-67-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB
-
memory/1352-69-0x0000000000400000-0x0000000000458000-memory.dmpFilesize
352KB