Analysis
max time kernel: 120s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2023 17:45
Static task: static1
Behavioral task: behavioral1
  Sample: AWB DHL 7214306201 Shipment_pdf.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: AWB DHL 7214306201 Shipment_pdf.exe
  Resource: win10v2004-20230220-en
General
Target: AWB DHL 7214306201 Shipment_pdf.exe
Size: 485KB
MD5: aecb508586356ab8ea6bf6ce6cc964f4
SHA1: a9b192e515b1b4d396d8c6cb00565dd71af3ed4a
SHA256: 145ac60ec975bb0a649e3b056fba500a2877dad80ee5453c947413c7d5218caa
SHA512: 6513d11154d048eacca468ace53e6eca9a01a84116ff56f1d3b44cfc0644ac48f17e36c8a4c8baa8eb2a7d2c353fb6acb05c969c1d69598ef566090a38f8640a
SSDEEP: 12288:sK3FTyoJ43erqBTIDkh0eTR46bTXEYCkjX2w4vU1upOQAW:UsaBBTRh04RJELkjXAcAs/W
Malware Config
Extracted: agenttesla
  https://api.telegram.org/bot5409839916:AAEYUYZy0IhJQAm4VXi620si4okGW8FDL2w/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
  Processes: AWB DHL 7214306201 Shipment_pdf.exe, svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | AWB DHL 7214306201 Shipment_pdf.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | svchost.exe
- Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
  Processes: AWB DHL 7214306201 Shipment_pdf.exe, svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | AWB DHL 7214306201 Shipment_pdf.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | svchost.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: AWB DHL 7214306201 Shipment_pdf.exe, svchost.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | AWB DHL 7214306201 Shipment_pdf.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | AWB DHL 7214306201 Shipment_pdf.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: AWB DHL 7214306201 Shipment_pdf.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | AWB DHL 7214306201 Shipment_pdf.exe
- Executes dropped EXE (1 IoCs)
  Processes: svchost.exe
  pid | process
  4012 | svchost.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: jsc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: AWB DHL 7214306201 Shipment_pdf.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | AWB DHL 7214306201 Shipment_pdf.exe
- Maps connected drives based on registry (3 TTPs, 4 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: AWB DHL 7214306201 Shipment_pdf.exe, svchost.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | AWB DHL 7214306201 Shipment_pdf.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | AWB DHL 7214306201 Shipment_pdf.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: svchost.exe
  description | pid | process | target process
  PID 4012 set thread context of 1668 | 4012 | svchost.exe | jsc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe
  pid | process
  4608 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  Processes: AWB DHL 7214306201 Shipment_pdf.exe, svchost.exe, jsc.exe
  pid | process | entries
  1548 | AWB DHL 7214306201 Shipment_pdf.exe | 25
  4012 | svchost.exe | 2
  1668 | jsc.exe | 2
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: AWB DHL 7214306201 Shipment_pdf.exe, svchost.exe, jsc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1548 | AWB DHL 7214306201 Shipment_pdf.exe
  Token: SeDebugPrivilege | 4012 | svchost.exe
  Token: SeDebugPrivilege | 1668 | jsc.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: jsc.exe
  pid | process
  1668 | jsc.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: AWB DHL 7214306201 Shipment_pdf.exe, cmd.exe, cmd.exe, svchost.exe
  description | pid | process | target process | entries
  PID 1548 wrote to memory of 248 | 1548 | AWB DHL 7214306201 Shipment_pdf.exe | cmd.exe | 2
  PID 1548 wrote to memory of 4952 | 1548 | AWB DHL 7214306201 Shipment_pdf.exe | cmd.exe | 2
  PID 248 wrote to memory of 1964 | 248 | cmd.exe | schtasks.exe | 2
  PID 4952 wrote to memory of 4608 | 4952 | cmd.exe | timeout.exe | 2
  PID 4952 wrote to memory of 4012 | 4952 | cmd.exe | svchost.exe | 2
  PID 4012 wrote to memory of 1908 | 4012 | svchost.exe | EdmGen.exe | 2
  PID 4012 wrote to memory of 1668 | 4012 | svchost.exe | jsc.exe | 8
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- outlook_office_path (1 IoCs)
  Processes: jsc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
- outlook_win_path (1 IoCs)
  Processes: jsc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Processes (process tree; the number is the depth level)
[1] C:\Users\Admin\AppData\Local\Temp\AWB DHL 7214306201 Shipment_pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AWB DHL 7214306201 Shipment_pdf.exe"
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Checks computer location settings
    - Adds Run key to start application
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
            - Creates scheduled task(s)
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7AF1.tmp.bat""
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\timeout.exe
            Command line: timeout 3
            - Delays execution with timeout.exe
        [3] C:\Users\Admin\AppData\Roaming\svchost.exe
            Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
            - Looks for VirtualBox Guest Additions in registry
            - Looks for VMWare Tools registry key
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Maps connected drives based on registry
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
                Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
            [4] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                - Accesses Microsoft Outlook profiles
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - outlook_office_path
                - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7AF1.tmp.bat
  Filesize: 151B
  MD5: d02c4f01f0b75a16198ba8cde3417b15
  SHA1: 3f85139fc2f060eb45ecae30a68f1f4696deda33
  SHA256: 58cbea7e8da14f7322e7b74606fcb31cffb2b35bb49826d2f76d1b089fcc7cc7
  SHA512: e6066b1a860800c88abfc93d33785e774038a4e66218c342f54f422d6f4dcbc383796db3aadeac19775be850d599985f6c63e5273008a0bd4649dfecef968a7a
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 485KB
  MD5: aecb508586356ab8ea6bf6ce6cc964f4
  SHA1: a9b192e515b1b4d396d8c6cb00565dd71af3ed4a
  SHA256: 145ac60ec975bb0a649e3b056fba500a2877dad80ee5453c947413c7d5218caa
  SHA512: 6513d11154d048eacca468ace53e6eca9a01a84116ff56f1d3b44cfc0644ac48f17e36c8a4c8baa8eb2a7d2c353fb6acb05c969c1d69598ef566090a38f8640a
Memory dumps (file | Filesize):
- memory/1548-133-0x0000020A42300000-0x0000020A4237E000-memory.dmp | 504KB
- memory/1548-134-0x0000020A5C870000-0x0000020A5C880000-memory.dmp | 64KB
- memory/1668-145-0x0000000005C80000-0x0000000006224000-memory.dmp | 5.6MB
- memory/1668-143-0x0000000000400000-0x000000000043A000-memory.dmp | 232KB
- memory/1668-146-0x0000000005860000-0x00000000058FC000-memory.dmp | 624KB
- memory/1668-147-0x00000000057B0000-0x00000000057C0000-memory.dmp | 64KB
- memory/1668-148-0x00000000065E0000-0x0000000006646000-memory.dmp | 408KB
- memory/1668-149-0x0000000006BA0000-0x0000000006BF0000-memory.dmp | 320KB
- memory/1668-153-0x00000000073D0000-0x0000000007462000-memory.dmp | 584KB
- memory/1668-154-0x0000000007370000-0x000000000737A000-memory.dmp | 40KB
- memory/1668-155-0x00000000057B0000-0x00000000057C0000-memory.dmp | 64KB