Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    15/05/2024, 10:51

General

  • Target

    SHIPPING DOCUMENTS.exe

  • Size

    673KB

  • MD5

    947f933a1a4ef419ed23aaf93c837668

  • SHA1

    b9d752237aee95d3335a16522827b3d03921e8c9

  • SHA256

    21d546daca396508a4777d88c6b07a198fd84e0b368ffa19d2c7eaa961ec014d

  • SHA512

    66c0d58206ae3025f6bb0a943d1639e9623fecbffcbe21c95e1dd8eeeb0ec81f9efef2bbc0837ae798127fd75b91fcabe090f0fa84169fce7e6514b023d25fdf

  • SSDEEP

    12288:oaIfB/bX0GROFMrhVqK2BKrLc7Hz/dogK69ln45ydK3tBB:YJ/rpROFCvqhBKrLOTlsI2ydg

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe
    "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kEDrUYYd.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2512
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kEDrUYYd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2592
    • C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe
      "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2444

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp43A5.tmp

          Filesize

          1KB

          MD5

          cccf7b892faf1ac1ce91c9daeb238984

          SHA1

          20dfc0bdb11263e8c5519e3e9aa1c6a5ae89786b

          SHA256

          4c39cfd6d67b84420f1dc80d8ee7837a3ca5509c2daa2009a0a60f55cff02689

          SHA512

          b77de5b79fb9c9eaac28477aea9dcb21ac9844684cceef1bf2cb9a0330d4d83e0e1baba2984d7bb863b864049cfbe9b9d1050d1f893191e62049650d3e1cc8fb

        • memory/2444-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2444-24-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2444-16-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2444-18-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2444-20-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2444-14-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2444-23-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2444-26-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2820-2-0x0000000074B00000-0x00000000751EE000-memory.dmp

          Filesize

          6.9MB

        • memory/2820-6-0x0000000005010000-0x0000000005094000-memory.dmp

          Filesize

          528KB

        • memory/2820-1-0x0000000000E90000-0x0000000000F3E000-memory.dmp

          Filesize

          696KB

        • memory/2820-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

          Filesize

          4KB

        • memory/2820-5-0x0000000000620000-0x0000000000636000-memory.dmp

          Filesize

          88KB

        • memory/2820-4-0x00000000005D0000-0x00000000005E0000-memory.dmp

          Filesize

          64KB

        • memory/2820-3-0x00000000004D0000-0x00000000004EE000-memory.dmp

          Filesize

          120KB

        • memory/2820-27-0x0000000074B00000-0x00000000751EE000-memory.dmp

          Filesize

          6.9MB