Analysis
- max time kernel: 138s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-12-2023 11:23
Static task: static1
Behavioral task: behavioral1
- Sample: SHIPPING.EXE.exe
- Resource: win7-20231023-en
General
- Target: SHIPPING.EXE.exe
- Size: 629KB
- MD5: 3de3b2aec3580c30d26038ae32e441d2
- SHA1: dfc2501866a225f36d61fe0fcbce7ed288a442cb
- SHA256: b4603870f2a94658bd915f7255062c0629fd8b756e96ad465871f9173a7a0379
- SHA512: 56840bab4753d3c1ed380ee1092b3211fb2aeb723b964dbe2b046cd32b539a3d25b8becf39a117583d62415d6d57f55295a7f74d525aee0f553f535338ae22e1
- SSDEEP: 12288:w3IU8S6eUdUO2sMCqXHwJORW4iWEgH8CRRjZQ1TGvqbbZuGMkRiPPVFeh:OItSAdUOwMOk/WvjZQ1tZuGMEiPPVF
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.mailo.com
- Port: 587
- Username: [email protected]
- Password: Bignosa1995
Extracted (family: agenttesla)
- Protocol: smtp
- Host: smtp.mailo.com
- Port: 587
- Username: [email protected]
- Password: Bignosa1995
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET.
- Detect ZGRat V1 (1 IoC)
  resource | yara_rule
  behavioral2/memory/2012-6-0x0000000005A10000-0x0000000005A28000-memory.dmp | family_zgrat_v1
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation | SHIPPING.EXE.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  57 | api.ipify.org
  58 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2012 set thread context of 4556 | 2012 | SHIPPING.EXE.exe | SHIPPING.EXE.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid | process
  2012 | SHIPPING.EXE.exe
  2012 | SHIPPING.EXE.exe
  2012 | SHIPPING.EXE.exe
  1260 | powershell.exe
  1260 | powershell.exe
  548 | powershell.exe
  548 | powershell.exe
  2012 | SHIPPING.EXE.exe
  4556 | SHIPPING.EXE.exe
  4556 | SHIPPING.EXE.exe
  4556 | SHIPPING.EXE.exe
  548 | powershell.exe
  1260 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2012 | SHIPPING.EXE.exe
  Token: SeDebugPrivilege | 1260 | powershell.exe
  Token: SeDebugPrivilege | 548 | powershell.exe
  Token: SeDebugPrivilege | 4556 | SHIPPING.EXE.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  4556 | SHIPPING.EXE.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description | pid | process | target process | occurrences
  PID 2012 wrote to memory of 548 | 2012 | SHIPPING.EXE.exe | powershell.exe | 3
  PID 2012 wrote to memory of 1260 | 2012 | SHIPPING.EXE.exe | powershell.exe | 3
  PID 2012 wrote to memory of 3120 | 2012 | SHIPPING.EXE.exe | schtasks.exe | 3
  PID 2012 wrote to memory of 4556 | 2012 | SHIPPING.EXE.exe | SHIPPING.EXE.exe | 8
Processes
- C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe (depth 1, PID 2012)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 548)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 1260)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DYFnSoq.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 3120)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DYFnSoq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7AD8.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe (depth 2, PID 4556)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
The child image paths sit under SysWOW64 while their command lines name System32: the sample is 32-bit (resource tag arch:x86), so its CreateProcess calls go through WoW64 file-system redirection. The Defender exclusions cover both the dropper in Temp and the copy it stages in Roaming (DYFnSoq.exe), the scheduled task is imported from an XML file in Temp, and PID 4556 is a second instance of the sample's own image that PID 2012 writes to and whose thread context it replaces, the usual hollowing step before the stealer payload runs.
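The chain above (Defender exclusions via Add-MpPreference, a task definition imported from Temp with schtasks /XML, the sample re-launching its own image and then writing to and resetting the thread context of that child, and the Geo\Nation registry lookup) can be matched from endpoint telemetry. The Python below is an added example and is not code from the sandbox vendor or this report: it runs a few correlation rules over constructed events modelled on the process tree and signature rows above. The event field names are a hypothetical schema (not Sysmon's or the sandbox's), the parent PID 1200 and the PID 7000 benign control are invented, and the rule names are illustrative.

```python
"""Correlate the AgentTesla execution chain shown in this report.

Added example. The events are constructed from the report's process tree
and signature rows; the field names are a hypothetical schema, not Sysmon's
or the sandbox's, and the pid-7000 event is an invented benign control.
"""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SHIPPING.EXE.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '

EVENTS = [
    {"type": "process_create", "pid": 2012, "ppid": 1200, "image": SAMPLE,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": f'"{SAMPLE}"'},
    {"type": "reg_query", "pid": 2012,
     "key": r"\REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation"},
    {"type": "process_create", "pid": 548, "ppid": 2012, "image": PS, "parent_image": SAMPLE,
     "cmdline": PS_CMD + f'Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"type": "process_create", "pid": 1260, "ppid": 2012, "image": PS, "parent_image": SAMPLE,
     "cmdline": PS_CMD + r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DYFnSoq.exe"'},
    {"type": "process_create", "pid": 3120, "ppid": 2012,
     "image": r"C:\Windows\SysWOW64\schtasks.exe", "parent_image": SAMPLE,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DYFnSoq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7AD8.tmp"'},
    {"type": "process_create", "pid": 4556, "ppid": 2012, "image": SAMPLE,
     "parent_image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "write_process_memory", "pid": 2012, "target_pid": 4556},
    {"type": "set_thread_context", "pid": 2012, "target_pid": 4556},
    # Constructed benign control: interactive PowerShell that must not alert.
    {"type": "process_create", "pid": 7000, "ppid": 1200, "image": PS,
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": PS_CMD + "Get-MpPreference"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Paths a standard user can write to; a launch from here weighs more than one from Program Files.
USER_WRITABLE = re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|Users\\Public)\\", re.I)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\s.*-Exclusion(Path|Process|Extension)", re.I)
SCHTASKS_XML = re.compile(r'/Create\b.*/XML\s+"?([^"\s]+)', re.I)
GEO_KEY = r"\control panel\international\geo\nation"


def detect(events):
    """Return one Finding per matched rule; hollowing is correlated across events."""
    creates = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "process_create":
            image, cmd = e["image"].lower(), e["cmdline"]
            # Defence evasion: a Defender exclusion added from PowerShell.
            if image.endswith("powershell.exe") and DEFENDER_EXCLUSION.search(cmd):
                findings.append(Finding("defender_exclusion_added", e["pid"], cmd))
            # Persistence: task definition imported from a user-writable path.
            m = SCHTASKS_XML.search(cmd) if image.endswith("schtasks.exe") else None
            if m and USER_WRITABLE.search(m.group(1)):
                findings.append(Finding("schtasks_xml_from_temp", e["pid"], m.group(1)))
            # A user-writable binary launching a second copy of itself.
            if image == e["parent_image"].lower() and USER_WRITABLE.search(image):
                findings.append(Finding("self_spawn_from_temp", e["pid"], e["image"]))
        elif e["type"] == "reg_query" and e["key"].lower().endswith(GEO_KEY):
            # Geofence check, only interesting when the reader is itself suspicious.
            src = creates.get(e["pid"])
            if src and USER_WRITABLE.search(src["image"]):
                findings.append(Finding("geo_lookup_from_temp", e["pid"], e["key"]))
    # Hollowing: the same source both writes the child's memory and replaces its
    # thread context, and the child was started by that source from its own image.
    pairs = {}
    for e in events:
        if e["type"] in ("write_process_memory", "set_thread_context"):
            pairs.setdefault((e["pid"], e["target_pid"]), set()).add(e["type"])
    for (src, dst), kinds in pairs.items():
        parent, child = creates.get(src), creates.get(dst)
        if (len(kinds) == 2 and parent and child and child["ppid"] == src
                and child["image"].lower() == parent["image"].lower()):
            findings.append(Finding("process_hollowing_self_image", dst, f"{src} -> {dst}"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.detail}")
```

The per-event rules fire on single process-creation records, which is what most EDR query languages make cheap; the hollowing rule needs two memory-access records plus the creation record for the target, so it is written as a correlation over the whole event list rather than a per-row match. The PID 7000 control shows that plain PowerShell use of the Defender cmdlets (Get-MpPreference) does not trip the exclusion rule.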
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- Filesize: 18KB
  MD5: cc8a72984d56be5f3739eabe4021646d
  SHA1: a8f360327cd30bf7d7a01d66ff4bcd99b0e69138
  SHA256: 757b2fafb5eea723ad2d9d807f5c0d9995c067d9cc55d183aaa55fa0bc0d07af
  SHA512: 45e60a94353941c67c021f93b8639cd30e6e76eb9d33b5c912d5951244f4a935a739f10e87d6a44c5ef87d836e0e68d576b176e4ad6b5534779cac430aa9ab2b
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 1KB
  MD5: 244ae71c6375bd8b57ea7772a9884844
  SHA1: 7bce2a9d67694f5f38f61bf6a46f74d4d548736d
  SHA256: f67c7dd3f7906e7c7831a549e6c8289b9df20991067e4b12b9a72f00f774a6f7
  SHA512: d96abe38e6728465bf1a5f2714a92b16f89a586131d7a7e5e4d329f458bbe4d17bd235c9ab7a2c1c5bc08af735492ff13527c630522ba33531d3a115313d661f