Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231025-en
- resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2023 16:18
Static task
- static1

Behavioral task
- behavioral1
  - Sample: Shipping commercial invoice #2303005328.pdf.exe
  - Resource: win7-20231025-en

Behavioral task
- behavioral2
  - Sample: Shipping commercial invoice #2303005328.pdf.exe
  - Resource: win10v2004-20231127-en
General
- Target: Shipping commercial invoice #2303005328.pdf.exe
- Size: 690KB
- MD5: e14c400a70aec81294d34f30eb122d1a
- SHA1: 943c1c2c4cc4226b35f9cf42c242db6d31692ec2
- SHA256: 4f893beea3529fc97caa4ead82e921233ba8f4c17f4f00767f667f51949f94a5
- SHA512: e4bef66cebdbcb8ecc1411a6f9bd462b9a785ede24bb6d28287f8434c25711001615c54b67c18e2a6669c01663159141fa87d753be0edab056e200dd53856acf
- SSDEEP: 12288:f2iNtISmEjirr4ZOT1snVSUgOULOz/lI3pazh9oNFhrjDG+s8Ey5:f1jiraOT1MVfgLm/lI3pakNrjx
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: Lover boy @123
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          | pid  | process                                         | target process
  PID 1892 set thread context of 2748  | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid  | process
  1892 | Shipping commercial invoice #2303005328.pdf.exe
  1892 | Shipping commercial invoice #2303005328.pdf.exe
  2748 | Shipping commercial invoice #2303005328.pdf.exe
  2748 | Shipping commercial invoice #2303005328.pdf.exe
  1196 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 1892 | Shipping commercial invoice #2303005328.pdf.exe
  Token: SeDebugPrivilege  | 2748 | Shipping commercial invoice #2303005328.pdf.exe
  Token: SeDebugPrivilege  | 1196 | powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
  description                        | pid  | process                                         | target process
  PID 1892 wrote to memory of 1196   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | powershell.exe
  PID 1892 wrote to memory of 1196   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | powershell.exe
  PID 1892 wrote to memory of 1196   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | powershell.exe
  PID 1892 wrote to memory of 1196   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | powershell.exe
  PID 1892 wrote to memory of 2716   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | schtasks.exe
  PID 1892 wrote to memory of 2716   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | schtasks.exe
  PID 1892 wrote to memory of 2716   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | schtasks.exe
  PID 1892 wrote to memory of 2716   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | schtasks.exe
  PID 1892 wrote to memory of 2744   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
  PID 1892 wrote to memory of 2744   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
  PID 1892 wrote to memory of 2744   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
  PID 1892 wrote to memory of 2744   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
  PID 1892 wrote to memory of 2748   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
  PID 1892 wrote to memory of 2748   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
  PID 1892 wrote to memory of 2748   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
  PID 1892 wrote to memory of 2748   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
  PID 1892 wrote to memory of 2748   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
  PID 1892 wrote to memory of 2748   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
  PID 1892 wrote to memory of 2748   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
  PID 1892 wrote to memory of 2748   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
  PID 1892 wrote to memory of 2748   | 1892 | Shipping commercial invoice #2303005328.pdf.exe | Shipping commercial invoice #2303005328.pdf.exe
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\Shipping commercial invoice #2303005328.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping commercial invoice #2303005328.pdf.exe"
  PID: 1892
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CZhhhh.exe"
    PID: 1196
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - Image: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CZhhhh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7407.tmp"
    PID: 2716
    - Creates scheduled task(s)
  - Image: C:\Users\Admin\AppData\Local\Temp\Shipping commercial invoice #2303005328.pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping commercial invoice #2303005328.pdf.exe"
    PID: 2744
  - Image: C:\Users\Admin\AppData\Local\Temp\Shipping commercial invoice #2303005328.pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping commercial invoice #2303005328.pdf.exe"
    PID: 2748
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 065e7854c7450d876f6dd70c14a87de9
  SHA1: 095c7dcf51252dec188d513af933a4cc6cb1a5c0
  SHA256: 1625a1c27a799a1d87fb2180219073b0b6142c1c2ef160dfc3d9a9a87673894f
  SHA512: 1084eca0e23c9cb1fbd707a0ef5acf1a8f19ab9d36e3db07e4991e435c90f4b89c6f1be4dd909b00e86498f363f46235785426cc94794d3f3a0550550f2b95b8