Analysis
- max time kernel: 145s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-09-2022 06:54
Static task: static1
Behavioral task: behavioral1
- Sample: DHL AWB SHIPMENT DOCS.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: DHL AWB SHIPMENT DOCS.exe
- Resource: win10v2004-20220812-en
General
- Target: DHL AWB SHIPMENT DOCS.exe
- Size: 1.0MB
- MD5: ae68aad90d2c563d7224615d4f8e6532
- SHA1: 3bafaff78a3654ec5fb1eb6e7c73a167ec619ba1
- SHA256: ba4a2766012fbcfc2ed208ae30f8deaa5710aee9c72db381ed9047faeb052782
- SHA512: 3a3851e938b6d2ac8bfb291fcd9c9e28f0514c088400e6b8cf1d78021c0d64933bfb7a45b9771ba7d51e69d39d60f7b795ab072a3dceb56d4058bed741251210
- SSDEEP: 24576:NO4Kkygdqb66CvqcAPKOWOUcSsunDyK0:NO4Kky5u1NOxJSsuDyK
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.udupis.com
- Port: 587
- Username: sales@udupis.com
- Password: skills150
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (1 IoCs)
Processes:
  resource: behavioral2/memory/1716-139-0x0000000000400000-0x000000000043C000-memory.dmp | yara_rule: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: DHL AWB SHIPMENT DOCS.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL AWB SHIPMENT DOCS.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL AWB SHIPMENT DOCS.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL AWB SHIPMENT DOCS.exe
- Drops file in System32 directory (2 IoCs)
Processes: svchost.exe
  description | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{D1051BF8-7D1F-4BFA-A639-6FA4CCED4A25}.catalogItem | svchost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{10D23D55-25A1-42A5-AEDB-5D4696D02DDD}.catalogItem | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
Processes: DHL AWB SHIPMENT DOCS.exe
  description | pid | process | target process
  PID 2228 set thread context of 1716 | 2228 | DHL AWB SHIPMENT DOCS.exe | DHL AWB SHIPMENT DOCS.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes: svchost.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: DHL AWB SHIPMENT DOCS.exe
  pid | process
  1716 | DHL AWB SHIPMENT DOCS.exe
  1716 | DHL AWB SHIPMENT DOCS.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: DHL AWB SHIPMENT DOCS.exe
  description | pid | process
  Token: SeDebugPrivilege | 1716 | DHL AWB SHIPMENT DOCS.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
Processes: DHL AWB SHIPMENT DOCS.exe
  description | pid | process | target process
  PID 2228 wrote to memory of 1716 | 2228 | DHL AWB SHIPMENT DOCS.exe | DHL AWB SHIPMENT DOCS.exe
  (the same entry is recorded 8 times)
- outlook_office_path (1 IoCs)
Processes: DHL AWB SHIPMENT DOCS.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL AWB SHIPMENT DOCS.exe
- outlook_win_path (1 IoCs)
Processes: DHL AWB SHIPMENT DOCS.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | DHL AWB SHIPMENT DOCS.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DHL AWB SHIPMENT DOCS.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL AWB SHIPMENT DOCS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DHL AWB SHIPMENT DOCS.exe (depth 2, nested under the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL AWB SHIPMENT DOCS.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
- C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1716-138-0x0000000000000000-mapping.dmp
- memory/1716-139-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1716-140-0x00000000069D0000-0x0000000006A20000-memory.dmp (Filesize: 320KB)
- memory/2228-132-0x00000000009B0000-0x0000000000AC0000-memory.dmp (Filesize: 1.1MB)
- memory/2228-133-0x0000000005B50000-0x00000000060F4000-memory.dmp (Filesize: 5.6MB)
- memory/2228-134-0x00000000054B0000-0x0000000005542000-memory.dmp (Filesize: 584KB)
- memory/2228-135-0x0000000005450000-0x000000000545A000-memory.dmp (Filesize: 40KB)
- memory/2228-136-0x0000000007C90000-0x0000000007D2C000-memory.dmp (Filesize: 624KB)
- memory/2228-137-0x0000000007DA0000-0x0000000007E06000-memory.dmp (Filesize: 408KB)