Analysis
- max time kernel: 28s
- max time network: 30s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 28-03-2023 17:45
Static task: static1
Behavioral task: behavioral1
- Sample: AWB DHL 7214306201 Shipment_pdf.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: AWB DHL 7214306201 Shipment_pdf.exe
- Resource: win10v2004-20230220-en
General
- Target: AWB DHL 7214306201 Shipment_pdf.exe
- Size: 485KB
- MD5: aecb508586356ab8ea6bf6ce6cc964f4
- SHA1: a9b192e515b1b4d396d8c6cb00565dd71af3ed4a
- SHA256: 145ac60ec975bb0a649e3b056fba500a2877dad80ee5453c947413c7d5218caa
- SHA512: 6513d11154d048eacca468ace53e6eca9a01a84116ff56f1d3b44cfc0644ac48f17e36c8a4c8baa8eb2a7d2c353fb6acb05c969c1d69598ef566090a38f8640a
- SSDEEP: 12288:sK3FTyoJ43erqBTIDkh0eTR46bTXEYCkjX2w4vU1upOQAW:UsaBBTRh04RJELkjXAcAs/W
Malware Config
Extracted
- Family: agenttesla
- URL: https://api.telegram.org/bot5409839916:AAEYUYZy0IhJQAm4VXi620si4okGW8FDL2w/
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
Processes: AWB DHL 7214306201 Shipment_pdf.exe, svchost.exe
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (AWB DHL 7214306201 Shipment_pdf.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (svchost.exe)

Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
Processes: svchost.exe, AWB DHL 7214306201 Shipment_pdf.exe
- Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools (svchost.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools (AWB DHL 7214306201 Shipment_pdf.exe)

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: AWB DHL 7214306201 Shipment_pdf.exe, svchost.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (AWB DHL 7214306201 Shipment_pdf.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (AWB DHL 7214306201 Shipment_pdf.exe)

Executes dropped EXE (1 IoCs)
Processes: svchost.exe
- PID 608: svchost.exe

Loads dropped DLL (2 IoCs)
Processes: cmd.exe
- PID 564: cmd.exe
- PID 564: cmd.exe

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: jsc.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (jsc.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (jsc.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (jsc.exe)

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: AWB DHL 7214306201 Shipment_pdf.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" (AWB DHL 7214306201 Shipment_pdf.exe)

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: AWB DHL 7214306201 Shipment_pdf.exe, svchost.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (AWB DHL 7214306201 Shipment_pdf.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (AWB DHL 7214306201 Shipment_pdf.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (svchost.exe)

Suspicious use of SetThreadContext (1 IoCs)
Processes: svchost.exe
- PID 608 (svchost.exe) set thread context of PID 1628 (jsc.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
Processes: timeout.exe
- PID 1544: timeout.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes: AWB DHL 7214306201 Shipment_pdf.exe, svchost.exe, jsc.exe
- PID 288: AWB DHL 7214306201 Shipment_pdf.exe (1 IoC)
- PID 608: svchost.exe (12 IoCs)
- PID 1628: jsc.exe (2 IoCs)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: AWB DHL 7214306201 Shipment_pdf.exe, svchost.exe, jsc.exe
- Token: SeDebugPrivilege, PID 288 (AWB DHL 7214306201 Shipment_pdf.exe)
- Token: SeDebugPrivilege, PID 608 (svchost.exe)
- Token: SeDebugPrivilege, PID 1628 (jsc.exe)

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: jsc.exe
- PID 1628: jsc.exe

Suspicious use of WriteProcessMemory (42 IoCs)
Processes: AWB DHL 7214306201 Shipment_pdf.exe, cmd.exe, cmd.exe, svchost.exe
- PID 288 (AWB DHL 7214306201 Shipment_pdf.exe) wrote to memory of PID 1756 (cmd.exe): 3 IoCs
- PID 288 (AWB DHL 7214306201 Shipment_pdf.exe) wrote to memory of PID 564 (cmd.exe): 3 IoCs
- PID 1756 (cmd.exe) wrote to memory of PID 1332 (schtasks.exe): 3 IoCs
- PID 564 (cmd.exe) wrote to memory of PID 1544 (timeout.exe): 3 IoCs
- PID 564 (cmd.exe) wrote to memory of PID 608 (svchost.exe): 3 IoCs
- PID 608 (svchost.exe) wrote to memory of PID 1940 (aspnet_regsql.exe): 3 IoCs
- PID 608 (svchost.exe) wrote to memory of PID 1096 (ilasm.exe): 3 IoCs
- PID 608 (svchost.exe) wrote to memory of PID 1532 (aspnet_compiler.exe): 3 IoCs
- PID 608 (svchost.exe) wrote to memory of PID 964 (regtlibv12.exe): 3 IoCs
- PID 608 (svchost.exe) wrote to memory of PID 1388 (ServiceModelReg.exe): 3 IoCs
- PID 608 (svchost.exe) wrote to memory of PID 1884 (csc.exe): 3 IoCs
- PID 608 (svchost.exe) wrote to memory of PID 1628 (jsc.exe): 9 IoCs

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

outlook_office_path (1 IoCs)
Processes: jsc.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (jsc.exe)

outlook_win_path (1 IoCs)
Processes: jsc.exe
- Key opened: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (jsc.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\AWB DHL 7214306201 Shipment_pdf.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\AWB DHL 7214306201 Shipment_pdf.exe"
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (depth 2)
  Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe (depth 3)
    Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    - Creates scheduled task(s)
  C:\Windows\system32\cmd.exe (depth 2)
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1E6A.tmp.bat""
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe (depth 3)
    Command line: timeout 3
    - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Roaming\svchost.exe (depth 3)
    Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe (depth 4)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe (depth 4)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe (depth 4)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe (depth 4)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe (depth 4)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 4)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe (depth 4)
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1E6A.tmp.bat
  Filesize: 151B
  MD5: 1349103288dbea706998c54854f8812b
  SHA1: d1a7443940dd1a1dfedb30fa8f63630db54338db
  SHA256: 2c0b03237e540a05ddc713c40c15c4605bc84ac38e55cc0f9c4733140d54084b
  SHA512: 0417289a37c598f122d74440269f2d78f567134d93f217136e68be91eda46aef99d93871492650ce682ba6ccf84702e1e65a52831708729d2cd650fc866d4f18
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 485KB
  MD5: aecb508586356ab8ea6bf6ce6cc964f4
  SHA1: a9b192e515b1b4d396d8c6cb00565dd71af3ed4a
  SHA256: 145ac60ec975bb0a649e3b056fba500a2877dad80ee5453c947413c7d5218caa
  SHA512: 6513d11154d048eacca468ace53e6eca9a01a84116ff56f1d3b44cfc0644ac48f17e36c8a4c8baa8eb2a7d2c353fb6acb05c969c1d69598ef566090a38f8640a
- \Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 485KB
  MD5: aecb508586356ab8ea6bf6ce6cc964f4
  SHA1: a9b192e515b1b4d396d8c6cb00565dd71af3ed4a
  SHA256: 145ac60ec975bb0a649e3b056fba500a2877dad80ee5453c947413c7d5218caa
  SHA512: 6513d11154d048eacca468ace53e6eca9a01a84116ff56f1d3b44cfc0644ac48f17e36c8a4c8baa8eb2a7d2c353fb6acb05c969c1d69598ef566090a38f8640a
- memory/288-56-0x000000001A880000-0x000000001A8FA000-memory.dmp (Filesize: 488KB)
- memory/288-55-0x0000000001000000-0x0000000001080000-memory.dmp (Filesize: 512KB)
- memory/288-54-0x0000000001080000-0x00000000010FE000-memory.dmp (Filesize: 504KB)
- memory/608-70-0x0000000000070000-0x00000000000EE000-memory.dmp (Filesize: 504KB)
- memory/608-71-0x00000000006B0000-0x0000000000730000-memory.dmp (Filesize: 512KB)
- memory/1628-72-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1628-74-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1628-76-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/1628-77-0x00000000021C0000-0x0000000002200000-memory.dmp (Filesize: 256KB)
- memory/1628-81-0x00000000021C0000-0x0000000002200000-memory.dmp (Filesize: 256KB)