Analysis
max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2023 11:23
Static task
static1
Behavioral task
behavioral1
Sample
SHIPPING.EXE.exe
Resource
win7-20231023-en
General
Target: SHIPPING.EXE.exe
Size: 629KB
MD5: 3de3b2aec3580c30d26038ae32e441d2
SHA1: dfc2501866a225f36d61fe0fcbce7ed288a442cb
SHA256: b4603870f2a94658bd915f7255062c0629fd8b756e96ad465871f9173a7a0379
SHA512: 56840bab4753d3c1ed380ee1092b3211fb2aeb723b964dbe2b046cd32b539a3d25b8becf39a117583d62415d6d57f55295a7f74d525aee0f553f535338ae22e1
SSDEEP: 12288:w3IU8S6eUdUO2sMCqXHwJORW4iWEgH8CRRjZQ1TGvqbbZuGMkRiPPVFeh:OItSAdUOwMOk/WvjZQ1tZuGMEiPPVF
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: smtp.mailo.com
Port: 587
Username: [email protected]
Password: Bignosa1995
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Detect ZGRat V1 1 IoCs
Processes:
resource: behavioral1/memory/2248-3-0x0000000000460000-0x0000000000478000-memory.dmp
yara_rule: family_zgrat_v1
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
4     api.ipify.org
5     api.ipify.org
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process           target process
PID 2248 set thread context of 2456  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid   process
2248  SHIPPING.EXE.exe
2248  SHIPPING.EXE.exe
2248  SHIPPING.EXE.exe
2248  SHIPPING.EXE.exe
2248  SHIPPING.EXE.exe
2248  SHIPPING.EXE.exe
2456  SHIPPING.EXE.exe
2456  SHIPPING.EXE.exe
2668  powershell.exe
2700  powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2248  SHIPPING.EXE.exe
Token: SeDebugPrivilege  2456  SHIPPING.EXE.exe
Token: SeDebugPrivilege  2668  powershell.exe
Token: SeDebugPrivilege  2700  powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   process
2456  SHIPPING.EXE.exe
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
description                      pid   process           target process
PID 2248 wrote to memory of 2668  2248  SHIPPING.EXE.exe  powershell.exe
PID 2248 wrote to memory of 2668  2248  SHIPPING.EXE.exe  powershell.exe
PID 2248 wrote to memory of 2668  2248  SHIPPING.EXE.exe  powershell.exe
PID 2248 wrote to memory of 2668  2248  SHIPPING.EXE.exe  powershell.exe
PID 2248 wrote to memory of 2700  2248  SHIPPING.EXE.exe  powershell.exe
PID 2248 wrote to memory of 2700  2248  SHIPPING.EXE.exe  powershell.exe
PID 2248 wrote to memory of 2700  2248  SHIPPING.EXE.exe  powershell.exe
PID 2248 wrote to memory of 2700  2248  SHIPPING.EXE.exe  powershell.exe
PID 2248 wrote to memory of 2572  2248  SHIPPING.EXE.exe  schtasks.exe
PID 2248 wrote to memory of 2572  2248  SHIPPING.EXE.exe  schtasks.exe
PID 2248 wrote to memory of 2572  2248  SHIPPING.EXE.exe  schtasks.exe
PID 2248 wrote to memory of 2572  2248  SHIPPING.EXE.exe  schtasks.exe
PID 2248 wrote to memory of 2440  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2440  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2440  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2440  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2448  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2448  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2448  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2448  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
PID 2248 wrote to memory of 2456  2248  SHIPPING.EXE.exe  SHIPPING.EXE.exe
Processes
C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
  PID: 2248
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
    PID: 2668
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DYFnSoq.exe"
    PID: 2700
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DYFnSoq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD643.tmp"
    PID: 2572
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
    PID: 2440

  C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
    PID: 2448

  C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
    PID: 2456
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: e76492ad9372ff77abca565604535c47
SHA1: 4ca0adfefca098b05fb240a90f57d955f2f4533b
SHA256: b173db1dc1ccacb62b81d3e1742f187c361380a5e9dcfcb8aeaba147dd234bc2
SHA512: e5e6cd6bc8c7e675eadca734aceddd8a99dc999e9d73a2956d74b9287e82f031473a4214a3eea3dac60bef5ed9270257286ffc0e2e562bd57524cd3b41f1aeb3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 1f9e1276776ced3585c72376e84e3611
SHA1: 3dc3c525765dc4bc432bf532470e582908858141
SHA256: 413fea8e83acfbc23c2c81d1f4eb65e79092994519feb8bec72b2424d64c53b0
SHA512: 209f93291cb7b70e50039343b01077c88de5762ffc69b5f101e6f662bcc50b44c05bb1fb3051d152e5f70e2c47eb6f53177e87d27c3edcd35e42c4a632d483be