Analysis
max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-04-2024 08:39
Static task: static1
Behavioral task: behavioral1 (Sample: DHL EXPRESS.exe, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: DHL EXPRESS.exe, Resource: win10v2004-20240412-en)
General
Target: DHL EXPRESS.exe
Size: 1.1MB
MD5: 7bc30d8e9682aa4832cc11276c802d43
SHA1: 344101f20049c6c9ebc082a8db3d398006a1a8bb
SHA256: 0f646539e424b78145f10890170c52f952ef950c3530b3b36979ea805d1c3b22
SHA512: 0d3afa12c8050ed2da39d34b549ff4cfd4a750e638796bedafd0c824c53f7b33e4faa97c3f053a0e1de9670edf2a2aa61106e2e55244f133421f51bae9b166a7
SSDEEP: 24576:Q0QxU0g8+jwId+JTqovW4Ts3vCNaLe3gRuzh:Qg8GL4TRvW+0a8L4g0zh
Malware Config
Extracted
Family: agenttesla
C2: https://api.telegram.org/bot6701733689:AAGMmNWA2G1J2dS7tNzTXuPC1zohWE8wZcU/
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
UAC bypass
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | DHL EXPRESS.exe
Windows security bypass
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | DHL EXPRESS.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\DHL EXPRESS.exe = "0" | DHL EXPRESS.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | DHL EXPRESS.exe
Windows security modification
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | DHL EXPRESS.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | DHL EXPRESS.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\DHL EXPRESS.exe = "0" | DHL EXPRESS.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eVnxs = "C:\\Users\\Admin\\AppData\\Roaming\\eVnxs\\eVnxs.exe" | AddInProcess32.exe
Checks whether UAC is enabled
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DHL EXPRESS.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | DHL EXPRESS.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
30 | api.ipify.org
31 | api.ipify.org
38 | ip-api.com
Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 2288 set thread context of 2044 | 2288 | DHL EXPRESS.exe | AddInProcess32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
pid | pid_target | process | target process
3548 | 2044 | WerFault.exe | AddInProcess32.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | process
4860 | powershell.exe
4860 | powershell.exe
2044 | AddInProcess32.exe
2044 | AddInProcess32.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2288 | DHL EXPRESS.exe
Token: SeDebugPrivilege | 4860 | powershell.exe
Token: SeDebugPrivilege | 2044 | AddInProcess32.exe
Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | process | target process
PID 2288 wrote to memory of 4860 | 2288 | DHL EXPRESS.exe | powershell.exe
PID 2288 wrote to memory of 4860 | 2288 | DHL EXPRESS.exe | powershell.exe
PID 2288 wrote to memory of 2044 | 2288 | DHL EXPRESS.exe | AddInProcess32.exe
PID 2288 wrote to memory of 2044 | 2288 | DHL EXPRESS.exe | AddInProcess32.exe
PID 2288 wrote to memory of 2044 | 2288 | DHL EXPRESS.exe | AddInProcess32.exe
PID 2288 wrote to memory of 2044 | 2288 | DHL EXPRESS.exe | AddInProcess32.exe
PID 2288 wrote to memory of 2044 | 2288 | DHL EXPRESS.exe | AddInProcess32.exe
PID 2288 wrote to memory of 2044 | 2288 | DHL EXPRESS.exe | AddInProcess32.exe
PID 2288 wrote to memory of 2044 | 2288 | DHL EXPRESS.exe | AddInProcess32.exe
PID 2288 wrote to memory of 2044 | 2288 | DHL EXPRESS.exe | AddInProcess32.exe
System policy modification (1 TTP, 1 IoC)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | DHL EXPRESS.exe
Processes
C:\Users\Admin\AppData\Local\Temp\DHL EXPRESS.exe (PID 2288)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL EXPRESS.exe"
  - UAC bypass
  - Windows security bypass
  - Checks computer location settings
  - Windows security modification
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4860)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL EXPRESS.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID 2044)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe (PID 3548)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 2208
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 3952)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2044 -ip 2044
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yvnvg4wg.ux3.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
Memory dumps (file | Filesize):
memory/2044-20-0x0000000005500000-0x0000000005566000-memory.dmp | 408KB
memory/2044-30-0x0000000074A10000-0x00000000751C0000-memory.dmp | 7.7MB
memory/2044-18-0x0000000005940000-0x0000000005EE4000-memory.dmp | 5.6MB
memory/2044-19-0x0000000074A10000-0x00000000751C0000-memory.dmp | 7.7MB
memory/2044-29-0x00000000069B0000-0x0000000006A42000-memory.dmp | 584KB
memory/2044-28-0x0000000006910000-0x00000000069AC000-memory.dmp | 624KB
memory/2044-27-0x0000000006820000-0x0000000006870000-memory.dmp | 320KB
memory/2044-4-0x0000000000400000-0x0000000000444000-memory.dmp | 272KB
memory/2288-24-0x00007FF8CB8B0000-0x00007FF8CC371000-memory.dmp | 10.8MB
memory/2288-3-0x000002AE5DBD0000-0x000002AE5DC6A000-memory.dmp | 616KB
memory/2288-0-0x000002AE43750000-0x000002AE437D8000-memory.dmp | 544KB
memory/2288-2-0x000002AE43BC0000-0x000002AE43BD0000-memory.dmp | 64KB
memory/2288-1-0x00007FF8CB8B0000-0x00007FF8CC371000-memory.dmp | 10.8MB
memory/4860-7-0x0000019855BA0000-0x0000019855BB0000-memory.dmp | 64KB
memory/4860-23-0x00007FF8CB8B0000-0x00007FF8CC371000-memory.dmp | 10.8MB
memory/4860-6-0x00007FF8CB8B0000-0x00007FF8CC371000-memory.dmp | 10.8MB
memory/4860-5-0x0000019855E20000-0x0000019855E42000-memory.dmp | 136KB
memory/4860-13-0x0000019855BA0000-0x0000019855BB0000-memory.dmp | 64KB