Analysis
Max time kernel: 58s
Max time network: 154s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 30-03-2023 12:07
Static task: static1
Behavioral task: behavioral1
  Sample: shipment 04629673893.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: shipment 04629673893.exe
  Resource: win10v2004-20230220-en
General
Target: shipment 04629673893.exe
Size: 743KB
MD5: 4865f16a685bc3b34a91f595247f30e7
SHA1: c9e898e4c7c9026f0fded242d499ddb61b69a639
SHA256: 64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057
SHA512: db1f449a2983bcaee04aa66852d94190ad02482c9944b0d13134cdb82379d6a86721d5412903090450ce0b4ec8e5e9a629cad321b76a2a762d6bc7f548ebd864
SSDEEP: 12288:Qt1esNS+7GrRybegXjup/inqt0qKmwRZ5J+:ri7GrRyKTNh0awr5Y
Malware Config
Extracted family: agenttesla
Extracted URL: https://api.telegram.org/bot5970985875:AAGxcS7riy4ZlEmFj2Z031AsUoRvment2iI/
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    shipment 04629673893.exe: key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    shipment 04629673893.exe: key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    shipment 04629673893.exe: key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow 4: api.ipify.org
    flow 5: api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1720 (shipment 04629673893.exe) set thread context of PID 1100 (shipment 04629673893.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    PID 1720 shipment 04629673893.exe
    PID 1100 shipment 04629673893.exe (reported three times)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token SeDebugPrivilege: PID 1720 shipment 04629673893.exe
    Token SeDebugPrivilege: PID 1100 shipment 04629673893.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    PID 1100 shipment 04629673893.exe
Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    PID 1720 (shipment 04629673893.exe) wrote to memory of PID 1296 (shipment 04629673893.exe), reported 4 times
    PID 1720 (shipment 04629673893.exe) wrote to memory of PID 1100 (shipment 04629673893.exe), reported 9 times
outlook_office_path (1 IoC)
  Processes:
    shipment 04629673893.exe: key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
outlook_win_path (1 IoC)
  Processes:
    shipment 04629673893.exe: key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe"
  PID: 1720
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe (depth 2)
    Command line: "{path}"
    PID: 1296
  C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe (depth 2)
    Command line: "{path}"
    PID: 1100
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads (memory dumps)
File                                                               Filesize
memory/1100-61-0x0000000000400000-0x000000000043C000-memory.dmp    240KB
memory/1100-65-0x0000000000400000-0x000000000043C000-memory.dmp    240KB
memory/1100-91-0x0000000004E40000-0x0000000004E80000-memory.dmp    256KB
memory/1100-90-0x0000000004E40000-0x0000000004E80000-memory.dmp    256KB
memory/1100-89-0x0000000004E40000-0x0000000004E80000-memory.dmp    256KB
memory/1100-59-0x0000000000400000-0x000000000043C000-memory.dmp    240KB
memory/1100-68-0x0000000004E40000-0x0000000004E80000-memory.dmp    256KB
memory/1100-60-0x0000000000400000-0x000000000043C000-memory.dmp    240KB
memory/1100-58-0x0000000000400000-0x000000000043C000-memory.dmp    240KB
memory/1100-63-0x0000000000400000-0x000000000043C000-memory.dmp    240KB
memory/1100-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp    4KB
memory/1100-67-0x0000000000400000-0x000000000043C000-memory.dmp    240KB
memory/1720-55-0x0000000000280000-0x000000000028C000-memory.dmp    48KB
memory/1720-54-0x0000000000AC0000-0x0000000000B80000-memory.dmp    768KB
memory/1720-57-0x0000000000530000-0x000000000056C000-memory.dmp    240KB
memory/1720-56-0x0000000004D40000-0x0000000004DBA000-memory.dmp    488KB