Analysis
- Max time kernel: 118s
- Max time network: 137s
- Platform: windows7_x64
- Resource: win7-20231129-en
- Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- Submitted: 15/05/2024, 10:52
Static task: static1
Behavioral task: behavioral1
- Sample: Shipping Advice.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: Shipping Advice.exe
- Resource: win10v2004-20240508-en
General
- Target: Shipping Advice.exe
- Size: 712KB
- MD5: 07f168687fe94b5cd767dcb6e8c87bdc
- SHA1: 0e3e8648f2e5b113c613cfe61350588979c57fc3
- SHA256: 1f6c12dfc035979c1c7513a0b40437ec9a646f6bad5e668b3b23ea96e62a4d6b
- SHA512: c05548ec634ed6180281d6fba9ca6c62fd6e0d46d521b5fa76ad6e84592ca6c95bd4d423a54355d8b03a278d0507038c9d294e90fbf4a9fe1b6b5ebe6dd6ef85
- SSDEEP: 12288:aXReLAfP7wDnN7J4LnLrijVUCEIMt9/7c3SXsohBIzq61CdoT4VGRe:C537wDBJ8LUGIEB7ISXsD0ncR
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.qvise.com
- Port: 587
- Username: [email protected]
- Password: Qvise@45450#
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid   Process
  3028  powershell.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\NcnBt = "C:\\Users\\Admin\\AppData\\Roaming\\NcnBt\\NcnBt.exe"
  Process: Shipping Advice.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  5     api.ipify.org
  13    ip-api.com
  4     api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process              procid_target
  PID 1712 set thread context of 2628  1712  Shipping Advice.exe  32
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2168  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2628  Shipping Advice.exe
  2628  Shipping Advice.exe
  3028  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2628  Shipping Advice.exe
  Token: SeDebugPrivilege  3028  powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description                       pid   Process              procid_target
  PID 1712 wrote to memory of 3028  1712  Shipping Advice.exe  28
  PID 1712 wrote to memory of 3028  1712  Shipping Advice.exe  28
  PID 1712 wrote to memory of 3028  1712  Shipping Advice.exe  28
  PID 1712 wrote to memory of 3028  1712  Shipping Advice.exe  28
  PID 1712 wrote to memory of 2168  1712  Shipping Advice.exe  30
  PID 1712 wrote to memory of 2168  1712  Shipping Advice.exe  30
  PID 1712 wrote to memory of 2168  1712  Shipping Advice.exe  30
  PID 1712 wrote to memory of 2168  1712  Shipping Advice.exe  30
  PID 1712 wrote to memory of 2628  1712  Shipping Advice.exe  32
  PID 1712 wrote to memory of 2628  1712  Shipping Advice.exe  32
  PID 1712 wrote to memory of 2628  1712  Shipping Advice.exe  32
  PID 1712 wrote to memory of 2628  1712  Shipping Advice.exe  32
  PID 1712 wrote to memory of 2628  1712  Shipping Advice.exe  32
  PID 1712 wrote to memory of 2628  1712  Shipping Advice.exe  32
  PID 1712 wrote to memory of 2628  1712  Shipping Advice.exe  32
  PID 1712 wrote to memory of 2628  1712  Shipping Advice.exe  32
  PID 1712 wrote to memory of 2628  1712  Shipping Advice.exe  32
Processes
- C:\Users\Admin\AppData\Local\Temp\Shipping Advice.exe (PID 1712)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping Advice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3028)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pNrqVsGQvNZVP.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2168)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNrqVsGQvNZVP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4386.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Shipping Advice.exe (PID 2628)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping Advice.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
Downloads
- Filesize: 1KB
  MD5: c833745016019d8d70e4ea6255af8261
  SHA1: 8d6465141f7231024d01321ccd2bdcb0b8220ffd
  SHA256: 54f8e6fdd68643e7f0a9feabf3cb6c94871334764a6ede1ad03149a0566cc236
  SHA512: e8d850c0a1dbad9c334b990b299fa87f09c84d54882086cef34b5af582284e762e3e7d3328d0c23bd16f46d9a4cb7bcf92886f4be3a4f1cb965f87c8c8f81a5d