Analysis
- max time kernel: 120s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 01-12-2023 19:29
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: Shipping Documents.exe
  Resource: win7-20231020-en
- Behavioral task: behavioral2
  Sample: Shipping Documents.exe
  Resource: win10v2004-20231127-en
General
- Target: Shipping Documents.exe
- Size: 647KB
- MD5: c4a1c630b0f8185f81caeee3fb378744
- SHA1: c57c38a18d2a349d621ab059c28f04ce68302d8c
- SHA256: 0b445847b8750637180e5c10be73bbb758082939394c3fd1ee2a2ea08d61e83d
- SHA512: 5470a96ebbb28efcb1959c0ff9a4a30f95f4e825de1fbe63797219465801eff6a2227baf476371c27ad8a52151cbf0060fc943a47626221959e26f01e870c34b
- SSDEEP: 12288:pHoZzsJ5QWsnm8O1OkfZFZllfvih/IpZAEbRCk9TN0IetKjWo7lb2SGopox:KJsdsPC9ZHfvihA//bRp9xFeAjWrXe
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.iaa-airferight.com
- Port: 587
- Username: [email protected]
- Password: 29ftOO+6H-ivsG5A
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 2348 set thread context of 2128 | 2348 | Shipping Documents.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid | process):
  2348 | Shipping Documents.exe (4 rows)
  2128 | RegSvcs.exe (2 rows)
  2096 | powershell.exe
  2484 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2348 | Shipping Documents.exe
  Token: SeDebugPrivilege | 2128 | RegSvcs.exe
  Token: SeDebugPrivilege | 2096 | powershell.exe
  Token: SeDebugPrivilege | 2484 | powershell.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description | pid | process | target process):
  PID 2348 wrote to memory of 2484 | 2348 | Shipping Documents.exe | powershell.exe (4 rows)
  PID 2348 wrote to memory of 2096 | 2348 | Shipping Documents.exe | powershell.exe (4 rows)
  PID 2348 wrote to memory of 2124 | 2348 | Shipping Documents.exe | schtasks.exe (4 rows)
  PID 2348 wrote to memory of 2128 | 2348 | Shipping Documents.exe | RegSvcs.exe (12 rows)
Processes
- C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe (PID 2348, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2484)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2096)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EvmuRutsny.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2124)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EvmuRutsny" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFCF.tmp"
    Signatures: Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2128)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- (file path not recorded)
  Filesize: 1KB
  MD5: d53d188c0104b029bae3bf14c17469bc
  SHA1: c0695e1b5644cc5291da3d304aa4cfeacdc1f154
  SHA256: b88f6d22c40be47aabdd4e19ea4dbfee57285d3b88d4e5a86bb8134eac01729e
  SHA512: adf8080e77a1f7032bda6854d84faa986d2a15855caf353ccd3ae6983ece24f9f9438106113edd9df727fa4c5519ff1a27f80780e6fb620b8044e631eff7c760
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XAGTP6AYDMG7Y6TMZC3M.temp
  Filesize: 7KB
  MD5: f15f54d8d247c9bcbe97b3a3a9878d4c
  SHA1: ed51987e3027e00eda353deba8a971a5a33be8a3
  SHA256: 1db47aba4e7cdf5dda8d1b5a71ed66bde010e40fb5fc09bb33b9c29c73c3a96c
  SHA512: 432a69c9d5b2ecfca3b243cedf6e0a7020c2c51399a217e7f8773ffcc859ec5b319dd96e2fd805e9638c341b8a8950a74d113fc8d9156506b0b68bd1b68c9cdf
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: f15f54d8d247c9bcbe97b3a3a9878d4c
  SHA1: ed51987e3027e00eda353deba8a971a5a33be8a3
  SHA256: 1db47aba4e7cdf5dda8d1b5a71ed66bde010e40fb5fc09bb33b9c29c73c3a96c
  SHA512: 432a69c9d5b2ecfca3b243cedf6e0a7020c2c51399a217e7f8773ffcc859ec5b319dd96e2fd805e9638c341b8a8950a74d113fc8d9156506b0b68bd1b68c9cdf