Analysis
-
max time kernel
136s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
28-11-2022 08:42
General
-
Target
SHIPPING INVOICE-PACKING LIST DOCS.exe
-
Size
555KB
-
MD5
5b7d13236bd0e3f952b7c7b68b04e55d
-
SHA1
4d4f83b41622cdc8e418681c4c15b7ffc702b421
-
SHA256
65c9b0f0953bfb1534836f0077fc7b14edf3c2d06649931cf39c26c7ec9d8f19
-
SHA512
91eed2ee379165f4a316b8cabff80610f7815080650e2eb41db155aa3e7ba629a5739b5ab33fef6ea7dc7b899316bbde1d70243b709350739bc596a02de8d684
-
SSDEEP
12288:XaZbIZlxbK9ESCYX4XP4upRj19sCdyGIz46mol:XaKxu7R242On9M6mol
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE-PACKING LIST DOCS.exe"C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE-PACKING LIST DOCS.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dkixjr.exe"C:\Users\Admin\AppData\Local\Temp\dkixjr.exe" C:\Users\Admin\AppData\Local\Temp\hlhtoeysjn.mr2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dkixjr.exe"C:\Users\Admin\AppData\Local\Temp\dkixjr.exe" C:\Users\Admin\AppData\Local\Temp\hlhtoeysjn.mr3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
333KB
MD53530026ab3aa2fb86aa48d3e97ea4e92
SHA1d0b797210d85a28ee0b8344cc057c7cfad091a91
SHA256ce1161671512232159adcc0ae8d0d1b71aa87fecacbd916213e05ae8fec6c37b
SHA512f5c9ced6493a8703ed649eb015e1d544d45b33fe226185d44f2607fdad4256d17872b00c923870e19828a2f1073fc134183d9c43358da6e3d525f9cb439f74c8
-
Filesize
333KB
MD53530026ab3aa2fb86aa48d3e97ea4e92
SHA1d0b797210d85a28ee0b8344cc057c7cfad091a91
SHA256ce1161671512232159adcc0ae8d0d1b71aa87fecacbd916213e05ae8fec6c37b
SHA512f5c9ced6493a8703ed649eb015e1d544d45b33fe226185d44f2607fdad4256d17872b00c923870e19828a2f1073fc134183d9c43358da6e3d525f9cb439f74c8
-
Filesize
333KB
MD53530026ab3aa2fb86aa48d3e97ea4e92
SHA1d0b797210d85a28ee0b8344cc057c7cfad091a91
SHA256ce1161671512232159adcc0ae8d0d1b71aa87fecacbd916213e05ae8fec6c37b
SHA512f5c9ced6493a8703ed649eb015e1d544d45b33fe226185d44f2607fdad4256d17872b00c923870e19828a2f1073fc134183d9c43358da6e3d525f9cb439f74c8
-
Filesize
295KB
MD5cf366c6fa3c9ef7a9b1c15463392f530
SHA1765fb4bb4cc02d322c00f66ccdd812a437565275
SHA256650a32f883f5fbd02848ee065d89e56adee648786f0b0ffe81c78f8b1a6be45a
SHA5129a3f3d9fbed61935031c5927bb68ce6f84e8b1d06ef49d0d22b89ecdd55f4ab5921a27c9428bff4bfd3385a05397ccff38dc550a5f74ff1b2179fc69f92cea0f
-
Filesize
5KB
MD5f63eb37d3310026dbd77c9a413c4a0ad
SHA1a167b17dfc66e148217ec051c526d24d9cd94df0
SHA25613ef85bf9408f5338b453a5c52f872e66fec377db87c0675584d65649eca903a
SHA5127abd2250119e79eed2f97b5168a034ee5f1e5fac95ac49cb16481dc2a36c678ab6561abceba1a017dccba4175757c948cd125af4406d399482291024dc9a2b9b
-
-
Filesize
312KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
40KB
-