Analysis
- max time kernel: 149s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/03/2024, 12:31
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: Shipment Receipt.exe
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: Shipment Receipt.exe
  Resource: win10v2004-20240226-en
- Behavioral task: behavioral3
  Sample: Regretable/Prferencetolden/Alluder152/Brinie29.ps1
  Resource: win7-20240221-en
- Behavioral task: behavioral4
  Sample: Regretable/Prferencetolden/Alluder152/Brinie29.ps1
  Resource: win10v2004-20240226-en
General
- Target: Shipment Receipt.exe
- Size: 526KB
- MD5: 63431a90363414f88d575f70f27762ce
- SHA1: fd0268e6b54a60f2c04a577b1f0001a4176138c8
- SHA256: 865306d0b13516f7f33fbd707d0d92c8706e4bfb1a99153c1361559f710bd45e
- SHA512: b51c3f6041c40a3a662d98cc2dc925629a86f927d08a71e76309c10694d45cec0ba498f4bb34fb6f48759618ec6edd9c365dcc2b091e15729d75f5b051667901
- SSDEEP: 12288:oS2dnErpbwb05qldvfvcf7Ac4kj3WdmrJheUuuUjvQ9B:L2dE1b405qldncMc4kjWSJUuUjvy
Malware Config
- Extracted family: agenttesla
- Extracted URL: https://api.telegram.org/bot6387496510:AAGzkvOV3EOvSZjPNfclsVSKq_tcdKpU-7o/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- GuLoader, CloudEye
  A shellcode-based downloader first seen in 2020.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 71: api.ipify.org
  flow 72: api.ipify.org
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\chaptaliseringer\habsburgernes.rei (process: Shipment Receipt.exe)
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  PID 2200 wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 3560 powershell.exe
  PID 2200 wab.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 3560 (powershell.exe) set thread context of PID 2200; procid_target 104
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  PID 3560 powershell.exe (9 events)
  PID 2200 wab.exe (2 events)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 3560 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege; PID 3560 powershell.exe
  Token: SeDebugPrivilege; PID 2200 wab.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2200 wab.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2384 (Shipment Receipt.exe) wrote to memory of PID 3560; procid_target 90 (3 events)
  PID 3560 (powershell.exe) wrote to memory of PID 1984; procid_target 93 (3 events)
  PID 3560 (powershell.exe) wrote to memory of PID 2200; procid_target 104 (5 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe"
  PID: 2384
  Signatures:
    Drops file in System32 directory
    Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "powershell" -windowstyle hidden "$Amningsmrkerne=Get-Content 'C:\Users\Admin\AppData\Local\mafficks\Regretable\Prferencetolden\Alluder152\Brinie29.Ban';$Hieromachy=$Amningsmrkerne.SubString(58610,3);.$Hieromachy($Amningsmrkerne)"
    PID: 3560
    Signatures:
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      PID: 1984
    - C:\Program Files (x86)\windows mail\wab.exe (depth 3)
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      PID: 2200
      Signatures:
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
Downloads