Analysis
- max time kernel: 130s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 02:29
Static task: static1
Behavioral task: behavioral1
- Sample: Shipping Documents.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Shipping Documents.exe
- Resource: win10v2004-20220414-en
General
- Target: Shipping Documents.exe
- Size: 840KB
- MD5: 44960ebf188e49667e50b9c91d74f36b
- SHA1: cc1a0a24d5ea507bb499631ecda54556b896b332
- SHA256: eed899d24d21a18eedea77f8f2860b70aa843e3f3757e8c53105f6eadd655d41
- SHA512: c84933a16df55262ad959fa0c1ce65c2fb670e9522cbc158fcfc714dccbb18dcbc85879913081159dad356f2ecceed88c25bee3191e78d51e8b06910e9ab8667
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.rezuit.pro
- Port: 587
- Username: [email protected]
- Password: chukwuma22
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload (6 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1524-61-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral1/memory/1524-62-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral1/memory/1524-63-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral1/memory/1524-64-0x0000000000446EBE-mapping.dmp | family_agenttesla
behavioral1/memory/1524-66-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral1/memory/1524-68-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: Shipping Documents.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Shipping Documents.exe
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Shipping Documents.exe
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Shipping Documents.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: Shipping Documents.exe
description | pid | process | target process
PID 2040 set thread context of 1524 | 2040 | Shipping Documents.exe | Shipping Documents.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: Shipping Documents.exe, Shipping Documents.exe
pid | process
2040 | Shipping Documents.exe
2040 | Shipping Documents.exe
1524 | Shipping Documents.exe
1524 | Shipping Documents.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: Shipping Documents.exe, Shipping Documents.exe
description | pid | process
Token: SeDebugPrivilege | 2040 | Shipping Documents.exe
Token: SeDebugPrivilege | 1524 | Shipping Documents.exe
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes: Shipping Documents.exe
description | pid | process | target process
PID 2040 wrote to memory of 1976 | 2040 | Shipping Documents.exe | schtasks.exe
PID 2040 wrote to memory of 1976 | 2040 | Shipping Documents.exe | schtasks.exe
PID 2040 wrote to memory of 1976 | 2040 | Shipping Documents.exe | schtasks.exe
PID 2040 wrote to memory of 1976 | 2040 | Shipping Documents.exe | schtasks.exe
PID 2040 wrote to memory of 1520 | 2040 | Shipping Documents.exe | Shipping Documents.exe
PID 2040 wrote to memory of 1520 | 2040 | Shipping Documents.exe | Shipping Documents.exe
PID 2040 wrote to memory of 1520 | 2040 | Shipping Documents.exe | Shipping Documents.exe
PID 2040 wrote to memory of 1520 | 2040 | Shipping Documents.exe | Shipping Documents.exe
PID 2040 wrote to memory of 1524 | 2040 | Shipping Documents.exe | Shipping Documents.exe
PID 2040 wrote to memory of 1524 | 2040 | Shipping Documents.exe | Shipping Documents.exe
PID 2040 wrote to memory of 1524 | 2040 | Shipping Documents.exe | Shipping Documents.exe
PID 2040 wrote to memory of 1524 | 2040 | Shipping Documents.exe | Shipping Documents.exe
PID 2040 wrote to memory of 1524 | 2040 | Shipping Documents.exe | Shipping Documents.exe
PID 2040 wrote to memory of 1524 | 2040 | Shipping Documents.exe | Shipping Documents.exe
PID 2040 wrote to memory of 1524 | 2040 | Shipping Documents.exe | Shipping Documents.exe
PID 2040 wrote to memory of 1524 | 2040 | Shipping Documents.exe | Shipping Documents.exe
PID 2040 wrote to memory of 1524 | 2040 | Shipping Documents.exe | Shipping Documents.exe
-
outlook_office_path (1 IoCs)
Processes: Shipping Documents.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Shipping Documents.exe
-
outlook_win_path (1 IoCs)
Processes: Shipping Documents.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Shipping Documents.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RARBGRpBsDG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2740.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp2740.tmp
  Filesize: 1KB
  MD5: 6082d0554f633919e5a67f8ef036afe0
  SHA1: faaf4786290134c1fd5fb09e6d1c58fc6e7f3260
  SHA256: 3f9b3ecf3daf558fc03453ef8419a51ecc507c6e86ca63fe9b4a6bce8f127581
  SHA512: 33769ebcc27ef6d416482bfab68692529d0ee163532e3982bb2b0b226fc6a075365da81cd5b477fec5bf45a99ec4a98076561f3ab3ed413af05425d83b586181
- memory/1524-61-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1524-58-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1524-59-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1524-62-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1524-63-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1524-64-0x0000000000446EBE-mapping.dmp
- memory/1524-66-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1524-68-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1524-70-0x0000000074C20000-0x00000000751CB000-memory.dmp
  Filesize: 5.7MB
- memory/1976-56-0x0000000000000000-mapping.dmp
- memory/2040-55-0x0000000074C20000-0x00000000751CB000-memory.dmp
  Filesize: 5.7MB
- memory/2040-54-0x0000000076261000-0x0000000076263000-memory.dmp
  Filesize: 8KB