Analysis
- max time kernel: 105s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 15:40
Static task: static1
Behavioral task: behavioral1
  Sample: BL-SHIPPING DOCUMENTS.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: BL-SHIPPING DOCUMENTS.exe
  Resource: win10v2004-20220901-en
General
- Target: BL-SHIPPING DOCUMENTS.exe
- Size: 928KB
- MD5: 45c41df318e24e20adb94219d4906ff4
- SHA1: e771d4f59b1d95c5602d1e40f2da9e62c053b1ab
- SHA256: 2f3c179b97541b711d8926cf95673e1bcdbd2ce6ed22980abf88ba689ab2f21d
- SHA512: cdb4c45a14fba31d6e002c8ef8a59412974d03d0671edbcc0e715089b38623a1817579c800bb6b3bd36ec423f58ce42a5ce40cbd8aa24a1f9d6e49bde527ebf1
- SSDEEP: 24576:Ha8XJqYPStVPYmOlLltOOr3C1zC+GGOG4emawVl9R9:HF1PSkl73H+GS4XawVrT
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  2496  bbograbg.exe
  3028  bbograbg.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bbograbg.exe
  Key opened  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bbograbg.exe
  Key opened  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bbograbg.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cyevnqfjnjk = "C:\\Users\\Admin\\AppData\\Roaming\\oupuvxsdmyjjrq\\gjjolahdhcewpl.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\bbograbg.exe\" \"C:\\Users\\Admin\\"  bbograbg.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                          pid   process       target process
  PID 2496 set thread context of 3028  2496  bbograbg.exe  bbograbg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  pid   process
  3028  bbograbg.exe
  3028  bbograbg.exe
  3028  bbograbg.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid   process
  2496  bbograbg.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3028  bbograbg.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid   process
  2496  bbograbg.exe
  2496  bbograbg.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
  pid   process
  2496  bbograbg.exe
  2496  bbograbg.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
  description                       pid   process                    target process
  PID 2224 wrote to memory of 2496  2224  BL-SHIPPING DOCUMENTS.exe  bbograbg.exe
  PID 2224 wrote to memory of 2496  2224  BL-SHIPPING DOCUMENTS.exe  bbograbg.exe
  PID 2224 wrote to memory of 2496  2224  BL-SHIPPING DOCUMENTS.exe  bbograbg.exe
  PID 2496 wrote to memory of 3028  2496  bbograbg.exe               bbograbg.exe
  PID 2496 wrote to memory of 3028  2496  bbograbg.exe               bbograbg.exe
  PID 2496 wrote to memory of 3028  2496  bbograbg.exe               bbograbg.exe
  PID 2496 wrote to memory of 3028  2496  bbograbg.exe               bbograbg.exe
-
outlook_office_path 1 IoCs
Processes:
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bbograbg.exe
-
outlook_win_path 1 IoCs
Processes:
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  bbograbg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe"
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\bbograbg.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bbograbg.exe" "C:\Users\Admin\AppData\Local\Temp\pnfxc.au3"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\bbograbg.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\bbograbg.exe" "C:\Users\Admin\AppData\Local\Temp\pnfxc.au3"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bbograbg.exe
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\epivs.kd
  Filesize: 295KB
  MD5: 38a2786b590080213f63dcc3967127f5
  SHA1: b5b87e66ad7778044a00b6e5232cb833f0ccbf3d
  SHA256: de49ac9c35e73ae7410b46f2d0ac0eadb38a0f088e28ea90fdaf5793f017f1f2
  SHA512: cfca9e7da8f37e636db6cb2b161027a81f76eb1ea28e3736589215f0a942310e7bca2b01936c8ca719c547e8617c6e32021eaee055bd0ef1ce9d8e87855f1150
-
C:\Users\Admin\AppData\Local\Temp\flnfhvzb.mfb
  Filesize: 57KB
  MD5: 9639f517d0a70b3591e6ae53fd4fbad9
  SHA1: 4ad59a6d5f8f37d11b42a1ecc5bf16fe2f83079f
  SHA256: d904bde2c2e74f218f795c24df824fe42ca01824cd74ad7e069aef4f814a899e
  SHA512: 525bc0af6edea3912b7e61add88474b01cff6fa295dc33aefc7c0976e8ca2b4613d90f073bbff9f387798368f53016884e2789d66d6cad0be4d4b6fd5c6a3265
-
C:\Users\Admin\AppData\Local\Temp\pnfxc.au3
  Filesize: 5KB
  MD5: 9b259373b2886de89bbf942070eb210e
  SHA1: b83f27fe56cdc82e891432bd436189da5e689948
  SHA256: b40e90cf1e999b3ed7cbd50281f9a3bee1a7dffa3896dbdb90bcce097cad577b
  SHA512: be271f9fa5b7bdc356f1d16517ebd0111327b2271f15c143d44697b7b0838d29252e66c031136570f9560ef0682f9501911ed3659df78f1ff15976534c60506a
-
memory/2496-136-0x0000000001BE0000-0x0000000001DF0000-memory.dmp
  Filesize: 2.1MB
-
memory/2496-132-0x0000000000000000-mapping.dmp
-
memory/3028-139-0x0000000000000000-mapping.dmp
-
memory/3028-141-0x0000000005ED0000-0x0000000006474000-memory.dmp
  Filesize: 5.6MB
-
memory/3028-142-0x0000000000400000-0x000000000044E000-memory.dmp
  Filesize: 312KB
-
memory/3028-143-0x00000000059C0000-0x0000000005A5C000-memory.dmp
  Filesize: 624KB
-
memory/3028-144-0x00000000071C0000-0x0000000007226000-memory.dmp
  Filesize: 408KB
-
memory/3028-145-0x00000000073F0000-0x0000000007440000-memory.dmp
  Filesize: 320KB
-
memory/3028-146-0x0000000007520000-0x00000000075B2000-memory.dmp
  Filesize: 584KB
-
memory/3028-147-0x0000000007A10000-0x0000000007A1A000-memory.dmp
  Filesize: 40KB