Analysis

max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 15/05/2024, 10:51

Static task: static1

Behavioral task: behavioral1
Sample: SHIPPING DOCUMENTS.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: SHIPPING DOCUMENTS.exe
Resource: win10v2004-20240508-en
General

Target: SHIPPING DOCUMENTS.exe
Size: 673KB
MD5: 947f933a1a4ef419ed23aaf93c837668
SHA1: b9d752237aee95d3335a16522827b3d03921e8c9
SHA256: 21d546daca396508a4777d88c6b07a198fd84e0b368ffa19d2c7eaa961ec014d
SHA512: 66c0d58206ae3025f6bb0a943d1639e9623fecbffcbe21c95e1dd8eeeb0ec81f9efef2bbc0837ae798127fd75b91fcabe090f0fa84169fce7e6514b023d25fdf
SSDEEP: 12288:oaIfB/bX0GROFMrhVqK2BKrLc7Hz/dogK69ln45ydK3tBB:YJ/rpROFCvqhBKrLOTlsI2ydg
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.santexknit.com
Port: 587
Username: [email protected]
Password: 036971sklctg
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and infostealer written in Visual Basic.

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.
pid | Process
2512 | powershell.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\NcnBt = "C:\\Users\\Admin\\AppData\\Roaming\\NcnBt\\NcnBt.exe" | SHIPPING DOCUMENTS.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | api.ipify.org
5 | api.ipify.org
6 | ip-api.com

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2820 set thread context of 2444 | 2820 | SHIPPING DOCUMENTS.exe | 32
Taken together with the WriteProcessMemory entries below, this is the process-hollowing pattern: the first instance (PID 2820) launches a second copy of its own image (PID 2444), writes into it, then redirects its thread; the stealer logic runs in PID 2444.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2592 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2444 | SHIPPING DOCUMENTS.exe
2444 | SHIPPING DOCUMENTS.exe
2512 | powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2444 | SHIPPING DOCUMENTS.exe
Token: SeDebugPrivilege | 2512 | powershell.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target | count
PID 2820 wrote to memory of 2512 | 2820 | SHIPPING DOCUMENTS.exe | 28 | 4
PID 2820 wrote to memory of 2592 | 2820 | SHIPPING DOCUMENTS.exe | 30 | 4
PID 2820 wrote to memory of 2444 | 2820 | SHIPPING DOCUMENTS.exe | 32 | 9
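The "Creates scheduled task(s)" signature above corresponds to an `schtasks /Create ... /XML` import of a task definition written to a temp file; the report lists the schtasks process but not the XML it imported. The following is an added example, not part of the sandbox report, of parsing a Task Scheduler XML definition and listing the properties that make such a task worth a look (action under a user-writable path, logon/boot trigger, hidden flag, elevated run level, a generic "Updates" task folder). Both task definitions are constructed for the example; the XML namespace is the real Task Scheduler schema, but nothing here is the content of the report's tmp43A5.tmp.

```python
"""Parser and triage for Task Scheduler XML (added example; not the report's
tmp43A5.tmp, whose contents the report does not show). Sample definitions
are constructed; the namespace is the real Task Scheduler schema."""

import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Temp|Users\\Public)\\", re.IGNORECASE)

# Constructed: a loader-style task (logon trigger, hidden, action in %APPDATA%),
# shaped after the paths the report shows, not copied from the sample.
SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Roaming\kEDrUYYd.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed: an ordinary vendor updater task for the negative case.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""


def parse_task(xml_data):
    """Return the fields that matter for triage. Accepts str, or the UTF-16
    bytes that schtasks /Query /XML emits (ET decodes bytes from the BOM)."""
    root = ET.fromstring(xml_data)
    return {
        "actions": [(e.findtext("t:Command", "", NS), e.findtext("t:Arguments", "", NS))
                    for e in root.findall("./t:Actions/t:Exec", NS)],
        "triggers": [t.tag.split("}")[-1] for t in root.findall("./t:Triggers/*", NS)],
        "hidden": root.findtext("./t:Settings/t:Hidden", "false", NS).strip().lower() == "true",
        "run_level": root.findtext("./t:Principals/t:Principal/t:RunLevel", "", NS).strip(),
    }


def assess(xml_data, task_name=""):
    """List the reasons a task definition deserves a look; empty means clean."""
    info = parse_task(xml_data)
    reasons = []
    for cmd, args in info["actions"]:
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append(f"action runs from a user-writable path: {cmd} {args}".rstrip())
    autostart = {"LogonTrigger", "BootTrigger"} & set(info["triggers"])
    if autostart:
        reasons.append("autostart trigger: " + ", ".join(sorted(autostart)))
    if info["hidden"]:
        reasons.append("task is hidden from the Task Scheduler UI")
    if info["run_level"] == "HighestAvailable":
        reasons.append("task requests the HighestAvailable run level")
    if task_name.lower().startswith("updates\\"):
        reasons.append("registered under a generic \\Updates folder")
    return reasons


if __name__ == "__main__":
    for name, xml in (("Updates\\kEDrUYYd", SUSPECT_TASK_XML), ("Vendor\\Updater", BENIGN_TASK_XML)):
        print(name, assess(xml, task_name=name) or "clean")
```

On a live host the same XML is available for every registered task via `schtasks /Query /TN <name> /XML`, so the parser can be pointed at an export of all tasks rather than at a single file.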
Processes

C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2820

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kEDrUYYd.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2512

  C:\Windows\SysWOW64\schtasks.exe  (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kEDrUYYd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp"
    - Creates scheduled task(s)
    PID: 2592

  C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2444

Two details in the tree are worth noting. The children's command lines name System32 but the images resolved under SysWOW64, so the parent (PID 2820) is a 32-bit process and the WOW64 file-system redirector applied. The Defender exclusion and the scheduled task both reference kEDrUYYd.exe under %APPDATA%, while the Run key written by the second instance (PID 2444) points at %APPDATA%\NcnBt\NcnBt.exe; both paths are indicators to hunt for.
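The tree above is the whole infection chain in four process-creation events, which makes it a good target for a host-side rule. The following is an added example, not part of the sandbox report, that scores a parent process on three things the report shows its children doing: a PowerShell `Add-MpPreference -Exclusion*` call (high signal when the excluded path is inside a user profile), an `schtasks /Create ... /XML` import from a temp directory, and a child launched from the parent's own image (the hollowing candidate behind the WriteProcessMemory/SetThreadContext pair). The event records are constructed to mirror the report's PIDs and command lines; the PPID 1234, the benign admin event and the field names are assumptions, not a real EDR schema.

```python
"""Host-side detection of the execution chain in the report above (added
example; not part of the sandbox report or the sample). Events are constructed
to mirror the report's process tree; field names are assumed, not an EDR schema."""

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # on-disk image path (SysWOW64 for the 32-bit children)
    cmdline: str


# Constructed from the report's Processes section. PPID 1234 and the last
# (benign) event are assumptions that exercise the negative cases.
SAMPLE_EVENTS = [
    ProcEvent(2820, 1234, r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"'),
    ProcEvent(2512, 2820, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\kEDrUYYd.exe"'),
    ProcEvent(2592, 2820, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kEDrUYYd" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp"'),
    ProcEvent(2444, 2820, r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"'),
    # Benign noise: an admin excluding a build directory from an elevated console.
    ProcEvent(4000, 3900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe Add-MpPreference -ExclusionPath "C:\build"'),
]

MP_EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)
SCHTASKS_XML = re.compile(r'/Create\b.*?/XML\s+"?([^"\s]+)', re.IGNORECASE)
USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {parent_pid: [(child_pid, tag), ...]} for every parent with hits."""
    image_of = {e.pid: e.image.lower() for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    findings = {}
    for ppid, kids in children.items():
        hits = []
        for c in kids:
            name = image_name(c.image)
            if name == "powershell.exe" and MP_EXCLUSION.search(c.cmdline):
                # An exclusion carved out of a user profile path is the
                # high-signal case; admins excluding build dirs is common noise.
                tag = ("defender_exclusion_userprofile" if USER_PROFILE.search(c.cmdline)
                       else "defender_exclusion")
                hits.append((c.pid, tag))
            elif name == "schtasks.exe":
                m = SCHTASKS_XML.search(c.cmdline)
                if m and "\\temp\\" in m.group(1).lower():
                    hits.append((c.pid, "schtasks_xml_from_temp"))
            # Same image as the parent: the shape behind the report's
            # WriteProcessMemory + SetThreadContext pair (process hollowing).
            if ppid in image_of and c.image.lower() == image_of[ppid]:
                hits.append((c.pid, "self_spawn_hollowing_candidate"))
        if hits:
            findings[ppid] = hits
    return findings


def triage(events, threshold=2):
    """Collapse hits per parent; `threshold` or more distinct techniques under
    one parent is reported as critical, a lone exclusion only as info."""
    out = {}
    for ppid, hits in detect(events).items():
        tags = sorted({t for _, t in hits})
        out[ppid] = {"tags": tags, "critical": len(tags) >= threshold}
    return out


if __name__ == "__main__":
    for ppid, r in triage(SAMPLE_EVENTS).items():
        print(ppid, "CRITICAL" if r["critical"] else "info", r["tags"])
```

The scoring deliberately keys on the parent rather than on any single child: each child on its own (a Defender exclusion, a task import, a self-spawn) has benign explanations, but the report shows all three under one parent within a couple of minutes, and that combination is what separates it from administrative noise.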
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

Filesize: 1KB
MD5: cccf7b892faf1ac1ce91c9daeb238984
SHA1: 20dfc0bdb11263e8c5519e3e9aa1c6a5ae89786b
SHA256: 4c39cfd6d67b84420f1dc80d8ee7837a3ca5509c2daa2009a0a60f55cff02689
SHA512: b77de5b79fb9c9eaac28477aea9dcb21ac9844684cceef1bf2cb9a0330d4d83e0e1baba2984d7bb863b864049cfbe9b9d1050d1f893191e62049650d3e1cc8fb