Analysis
- max time kernel: 139s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 02:29
Static task: static1
Behavioral task: behavioral1
- Sample: Shipping Documents.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Shipping Documents.exe
- Resource: win10v2004-20220414-en
General
- Target: Shipping Documents.exe
- Size: 840KB
- MD5: 44960ebf188e49667e50b9c91d74f36b
- SHA1: cc1a0a24d5ea507bb499631ecda54556b896b332
- SHA256: eed899d24d21a18eedea77f8f2860b70aa843e3f3757e8c53105f6eadd655d41
- SHA512: c84933a16df55262ad959fa0c1ce65c2fb670e9522cbc158fcfc714dccbb18dcbc85879913081159dad356f2ecceed88c25bee3191e78d51e8b06910e9ab8667
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.rezuit.pro
- Port: 587
- Username: [email protected]
- Password: chukwuma22
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 1 IoCs
Processes:
- resource: behavioral2/memory/1512-134-0x0000000000400000-0x000000000044C000-memory.dmp
  yara_rule: family_agenttesla
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation
  process: Shipping Documents.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
- description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: Shipping Documents.exe
- description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: Shipping Documents.exe
- description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: Shipping Documents.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
- description: PID 4192 set thread context of 1512
  pid: 4192
  process: Shipping Documents.exe
  target process: Shipping Documents.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- pid: 1512, process: Shipping Documents.exe
- pid: 1512, process: Shipping Documents.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- description: Token: SeDebugPrivilege
  pid: 1512
  process: Shipping Documents.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
- PID 4192 wrote to memory of 4376 (pid: 4192, process: Shipping Documents.exe, target process: schtasks.exe)
- PID 4192 wrote to memory of 4376 (pid: 4192, process: Shipping Documents.exe, target process: schtasks.exe)
- PID 4192 wrote to memory of 4376 (pid: 4192, process: Shipping Documents.exe, target process: schtasks.exe)
- PID 4192 wrote to memory of 1512 (pid: 4192, process: Shipping Documents.exe, target process: Shipping Documents.exe)
- PID 4192 wrote to memory of 1512 (pid: 4192, process: Shipping Documents.exe, target process: Shipping Documents.exe)
- PID 4192 wrote to memory of 1512 (pid: 4192, process: Shipping Documents.exe, target process: Shipping Documents.exe)
- PID 4192 wrote to memory of 1512 (pid: 4192, process: Shipping Documents.exe, target process: Shipping Documents.exe)
- PID 4192 wrote to memory of 1512 (pid: 4192, process: Shipping Documents.exe, target process: Shipping Documents.exe)
- PID 4192 wrote to memory of 1512 (pid: 4192, process: Shipping Documents.exe, target process: Shipping Documents.exe)
- PID 4192 wrote to memory of 1512 (pid: 4192, process: Shipping Documents.exe, target process: Shipping Documents.exe)
- PID 4192 wrote to memory of 1512 (pid: 4192, process: Shipping Documents.exe, target process: Shipping Documents.exe)
outlook_office_path 1 IoCs
Processes:
- description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: Shipping Documents.exe
outlook_win_path 1 IoCs
Processes:
- description: Key opened
  ioc: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  process: Shipping Documents.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RARBGRpBsDG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDDCD.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe (level 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Shipping Documents.exe.log
  Filesize: 766B
  MD5: ed51a6403a5e7b1e7cc258b0c1c379bf
  SHA1: b9ddd29ceaa5027f8d2639d72b11bf9d5ded13d2
  SHA256: a999a4e4356c889cfa31973b7d89c25bc947f4e1017afd33edb8dedfb79e18c0
  SHA512: 4f4539ddf7df72eb7ca0636a08bb1eeb6559097fa14c5fdc77f529231699a39bdd55e0260f3dacd35932e3788f55b8fd887b0b71d41b09e582ce34e880515b13
- C:\Users\Admin\AppData\Local\Temp\tmpDDCD.tmp
  Filesize: 1KB
  MD5: 3073afcb86bb2020982db940662ef1c6
  SHA1: 9de71f472c609af4633977b741459641c62bf035
  SHA256: ca18872cf7b782287d043ad4418f51df618e0233b0f2133791a1498a65557f37
  SHA512: 123da0029abbca5bb04efd67ed43e03e148a2f19ba0f17de3440c65aa7eb14d2135877f8a28ad02c1e0d7272d221e240162c10a01b06755d4a435d13e5feeb24
- memory/1512-133-0x0000000000000000-mapping.dmp
- memory/1512-134-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1512-136-0x00000000752C0000-0x0000000075871000-memory.dmp
  Filesize: 5.7MB
- memory/4192-130-0x00000000752C0000-0x0000000075871000-memory.dmp
  Filesize: 5.7MB
- memory/4376-131-0x0000000000000000-mapping.dmp