Analysis
-
max time kernel
60s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
29-11-2022 18:59
Static task
static1
Behavioral task
behavioral1
Sample
BL-SHIPPING DOCUMENTS.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
BL-SHIPPING DOCUMENTS.exe
Resource
win10v2004-20220901-en
General
-
Target
BL-SHIPPING DOCUMENTS.exe
-
Size
478KB
-
MD5
69fe54a9cafee09f25e0d3f7a51488c7
-
SHA1
747373a2640c7fca04258681c7ec313be3b0db24
-
SHA256
dc72c7525da8aa1afaadaf707499054dd9be20d0c78318d2f63af1fa37d58546
-
SHA512
4230111e1b90da8e5d628bcfd16f9381cb24e9c0e31d3772798ea5bf78c711bc2634bf0343f323d094f23f587b6be5fd41f7828323d09f8a3ce0506c65a50706
-
SSDEEP
12288:0ZYJmqS//u3ML7l++F7oNt6YkIwaD2YSHTK:0Sg43ML7cEs8VaYTK
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
BL-SHIPPING DOCUMENTS.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" BL-SHIPPING DOCUMENTS.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
CasPol.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
BL-SHIPPING DOCUMENTS.exedescription pid process target process PID 1928 set thread context of 1316 1928 BL-SHIPPING DOCUMENTS.exe CasPol.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
CasPol.exepid process 1316 CasPol.exe 1316 CasPol.exe 1316 CasPol.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
BL-SHIPPING DOCUMENTS.exepid process 1928 BL-SHIPPING DOCUMENTS.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
BL-SHIPPING DOCUMENTS.exeCasPol.exedescription pid process Token: SeDebugPrivilege 1928 BL-SHIPPING DOCUMENTS.exe Token: SeLoadDriverPrivilege 1928 BL-SHIPPING DOCUMENTS.exe Token: SeDebugPrivilege 1316 CasPol.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
BL-SHIPPING DOCUMENTS.exedescription pid process target process PID 1928 wrote to memory of 1316 1928 BL-SHIPPING DOCUMENTS.exe CasPol.exe PID 1928 wrote to memory of 1316 1928 BL-SHIPPING DOCUMENTS.exe CasPol.exe PID 1928 wrote to memory of 1316 1928 BL-SHIPPING DOCUMENTS.exe CasPol.exe PID 1928 wrote to memory of 1316 1928 BL-SHIPPING DOCUMENTS.exe CasPol.exe PID 1928 wrote to memory of 1316 1928 BL-SHIPPING DOCUMENTS.exe CasPol.exe PID 1928 wrote to memory of 1316 1928 BL-SHIPPING DOCUMENTS.exe CasPol.exe PID 1928 wrote to memory of 1316 1928 BL-SHIPPING DOCUMENTS.exe CasPol.exe PID 1928 wrote to memory of 1316 1928 BL-SHIPPING DOCUMENTS.exe CasPol.exe PID 1928 wrote to memory of 1316 1928 BL-SHIPPING DOCUMENTS.exe CasPol.exe -
outlook_office_path 1 IoCs
Processes:
CasPol.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe -
outlook_win_path 1 IoCs
Processes:
CasPol.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 CasPol.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe"C:\Users\Admin\AppData\Local\Temp\BL-SHIPPING DOCUMENTS.exe"1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1316-56-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1316-57-0x0000000000437AAE-mapping.dmp
-
memory/1316-59-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1316-61-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1316-62-0x00000000762B1000-0x00000000762B3000-memory.dmpFilesize
8KB
-
memory/1928-54-0x0000000000A50000-0x0000000000ACC000-memory.dmpFilesize
496KB
-
memory/1928-55-0x0000000000960000-0x00000000009DA000-memory.dmpFilesize
488KB