Analysis

  • max time kernel
    118s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    15/05/2024, 10:52

General

  • Target

    Shipping Advice.exe

  • Size

    712KB

  • MD5

    07f168687fe94b5cd767dcb6e8c87bdc

  • SHA1

    0e3e8648f2e5b113c613cfe61350588979c57fc3

  • SHA256

    1f6c12dfc035979c1c7513a0b40437ec9a646f6bad5e668b3b23ea96e62a4d6b

  • SHA512

    c05548ec634ed6180281d6fba9ca6c62fd6e0d46d521b5fa76ad6e84592ca6c95bd4d423a54355d8b03a278d0507038c9d294e90fbf4a9fe1b6b5ebe6dd6ef85

  • SSDEEP

    12288:aXReLAfP7wDnN7J4LnLrijVUCEIMt9/7c3SXsohBIzq61CdoT4VGRe:C537wDBJ8LUGIEB7ISXsD0ncR

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shipping Advice.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipping Advice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pNrqVsGQvNZVP.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3028
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNrqVsGQvNZVP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4386.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2168
    • C:\Users\Admin\AppData\Local\Temp\Shipping Advice.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipping Advice.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2628

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp4386.tmp

          Filesize

          1KB

          MD5

          c833745016019d8d70e4ea6255af8261

          SHA1

          8d6465141f7231024d01321ccd2bdcb0b8220ffd

          SHA256

          54f8e6fdd68643e7f0a9feabf3cb6c94871334764a6ede1ad03149a0566cc236

          SHA512

          e8d850c0a1dbad9c334b990b299fa87f09c84d54882086cef34b5af582284e762e3e7d3328d0c23bd16f46d9a4cb7bcf92886f4be3a4f1cb965f87c8c8f81a5d

        • memory/1712-27-0x0000000074980000-0x000000007506E000-memory.dmp

          Filesize

          6.9MB

        • memory/1712-1-0x00000000013A0000-0x0000000001458000-memory.dmp

          Filesize

          736KB

        • memory/1712-2-0x0000000074980000-0x000000007506E000-memory.dmp

          Filesize

          6.9MB

        • memory/1712-3-0x0000000000500000-0x000000000051E000-memory.dmp

          Filesize

          120KB

        • memory/1712-4-0x0000000000580000-0x0000000000590000-memory.dmp

          Filesize

          64KB

        • memory/1712-5-0x0000000000640000-0x0000000000656000-memory.dmp

          Filesize

          88KB

        • memory/1712-6-0x00000000053A0000-0x0000000005424000-memory.dmp

          Filesize

          528KB

        • memory/1712-0-0x000000007498E000-0x000000007498F000-memory.dmp

          Filesize

          4KB

        • memory/2628-24-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2628-23-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2628-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

        • memory/2628-20-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2628-18-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2628-14-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2628-16-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

        • memory/2628-26-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB