Analysis
- max time kernel: 122s
- max time network: 198s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:36
Static task: static1
Behavioral task: behavioral1
  Sample: SHIPPING DOCS _234372.PDF.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: SHIPPING DOCS _234372.PDF.exe
  Resource: win10v2004-20220414-en
General
- Target: SHIPPING DOCS _234372.PDF.exe
- Size: 385KB
- MD5: a08a2bda9c51b2d5ca1e38435629cacc
- SHA1: 46107a6be4613e6c2d1f9e08af63de089417ea10
- SHA256: 6f4d9739f62d219787f6de178ab8f5fb29f317cac258c567d8d51cddea7aa4ac
- SHA512: d3be87d66877a4cf71f2edccd0863c180630b979214c40170fa5585a878f5ea32efa2c10fbd7f6129362b672230978af32f9618cd71a69be3f087f3b56aaf411
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.microtechlab.in
- Port: 587
- Username: reports@microtechlab.in
- Password: pune@123
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  resource: behavioral2/memory/5048-139-0x0000000000400000-0x0000000000452000-memory.dmp
  yara_rule: family_agenttesla
- Disables Task Manager via registry modification
- Drops file in Drivers directory (1 IoC)
  File opened for modification: C:\Windows\system32\drivers\etc\hosts (process: RegSvcs.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: SHIPPING DOCS _234372.PDF.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe" (process: RegSvcs.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2156 (SHIPPING DOCS _234372.PDF.exe) set thread context of PID 5048 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  PID 2504 (WerFault.exe), target PID 5048 (RegSvcs.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry key (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 2156 (SHIPPING DOCS _234372.PDF.exe), 3 occurrences
  PID 5048 (RegSvcs.exe), 2 occurrences
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2156 (SHIPPING DOCS _234372.PDF.exe)
  Token: SeDebugPrivilege, PID 5048 (RegSvcs.exe)
- Suspicious use of WriteProcessMemory (20 IoCs)
  PID 2156 (SHIPPING DOCS _234372.PDF.exe) wrote to memory of PID 4396 (schtasks.exe), 3 occurrences
  PID 2156 (SHIPPING DOCS _234372.PDF.exe) wrote to memory of PID 4512 (RegSvcs.exe), 3 occurrences
  PID 2156 (SHIPPING DOCS _234372.PDF.exe) wrote to memory of PID 5048 (RegSvcs.exe), 8 occurrences
  PID 5048 (RegSvcs.exe) wrote to memory of PID 3228 (REG.exe), 3 occurrences
  PID 5048 (RegSvcs.exe) wrote to memory of PID 3748 (netsh.exe), 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS _234372.PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCS _234372.PDF.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uWSnfNAErz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58BF.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    Signatures:
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\REG.exe
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      Signatures:
      - Modifies registry key
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1560
      Signatures:
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5048 -ip 5048
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp58BF.tmp
  Filesize: 1KB
  MD5: 0188d888ca9076f1c8d34192055e9c25
  SHA1: db40472c83a393f9a056820b2dcd48f517e7d463
  SHA256: 726ab7fc7597d83c8821ff8ddd5bec3ee90c18f42fe44a3d6256882a35774ab2
  SHA512: 8f66afa53d6e0221d51fa19951ff8fe1d4711ed3268bd8c00fed8d30a695684747baeb8479b36bff3e4d493809673a4198e4c7efe6c7c931926143a22409b5d8
- memory/2156-132-0x0000000005560000-0x00000000055FC000-memory.dmp
  Filesize: 624KB
- memory/2156-133-0x00000000056A0000-0x0000000005732000-memory.dmp
  Filesize: 584KB
- memory/2156-134-0x0000000006350000-0x00000000068F4000-memory.dmp
  Filesize: 5.6MB
- memory/2156-131-0x0000000000B70000-0x0000000000BD6000-memory.dmp
  Filesize: 408KB
- memory/3228-141-0x0000000000000000-mapping.dmp
- memory/3748-143-0x0000000000000000-mapping.dmp
- memory/4396-135-0x0000000000000000-mapping.dmp
- memory/4512-137-0x0000000000000000-mapping.dmp
- memory/5048-140-0x0000000005AA0000-0x0000000005B06000-memory.dmp
  Filesize: 408KB
- memory/5048-139-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/5048-142-0x0000000006640000-0x0000000006690000-memory.dmp
  Filesize: 320KB
- memory/5048-138-0x0000000000000000-mapping.dmp