Analysis
max time kernel: 118s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-06-2024 01:46
Static task: static1
Behavioral task: behavioral1
  Sample: shipping documents.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: shipping documents.exe
  Resource: win10v2004-20240426-en
General
Target: shipping documents.exe
Size: 721KB
MD5: 11bdbb99b474b15e0b04e488061e9256
SHA1: db8bcdd61414f1388f455e8b4ce6ae5554ca38f3
SHA256: 05b60524cb82eb522b46db014a5ec190e35d9fd433e7624232b53f142b3ed1a1
SHA512: 558f471c17b3b701e059514002155a4f4d71dbe9159ebc5326f158a7fda241ae6445139899af5db663bd0ee2fcd5c952f7b248a2486be354b32d155ca503ed5f
SSDEEP: 12288:zPO4mPK3Rx2Mewaliv+ilMkLbjfm2HV5gos04pG7PaD3H4lN3179DoDq74nXetkR:i4m02MewWivqkLbjfmQV4077yjH4f3Vu
Malware Config
Extracted
agenttesla
  Protocol: smtp
  Host: mail.springandsummer.lk
  Port: 587
  Username: [email protected]
  Password: anu##323
  Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2736-23-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_EXE_Packed_GEN01
  behavioral1/memory/2736-30-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_EXE_Packed_GEN01
  behavioral1/memory/2736-29-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_EXE_Packed_GEN01
  behavioral1/memory/2736-28-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_EXE_Packed_GEN01
  behavioral1/memory/2736-25-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_EXE_Packed_GEN01
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2736-23-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2736-30-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2736-29-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2736-28-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2736-25-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_Binary_References_Browsers
- Detects executables referencing Windows vault credential objects. Observed in infostealers. 5 IoCs
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2736-23-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral1/memory/2736-30-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral1/memory/2736-29-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral1/memory/2736-28-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral1/memory/2736-25-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. 5 IoCs
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2736-23-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral1/memory/2736-30-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral1/memory/2736-29-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral1/memory/2736-28-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral1/memory/2736-25-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
- Detects executables referencing many email and collaboration clients. Observed in information stealers. 5 IoCs
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2736-23-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2736-30-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2736-29-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2736-28-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2736-25-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
- Detects executables referencing many file transfer clients. Observed in information stealers. 5 IoCs
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2736-23-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral1/memory/2736-30-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral1/memory/2736-29-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral1/memory/2736-28-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral1/memory/2736-25-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
- Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes:
  pid   Process
  2460  powershell.exe
  2472  powershell.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes:
  description      ioc                                                                                                                                                       Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"  RegSvcs.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
  description                           pid   Process                 procid_target
  PID 1968 set thread context of 2736   1968  shipping documents.exe  36
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses 11 IoCs
  Processes:
  pid   Process
  1968  shipping documents.exe
  1968  shipping documents.exe
  1968  shipping documents.exe
  1968  shipping documents.exe
  1968  shipping documents.exe
  1968  shipping documents.exe
  1968  shipping documents.exe
  2736  RegSvcs.exe
  2736  RegSvcs.exe
  2460  powershell.exe
  2472  powershell.exe
- Suspicious use of AdjustPrivilegeToken 4 IoCs
  Processes:
  description              pid   Process
  Token: SeDebugPrivilege  1968  shipping documents.exe
  Token: SeDebugPrivilege  2736  RegSvcs.exe
  Token: SeDebugPrivilege  2460  powershell.exe
  Token: SeDebugPrivilege  2472  powershell.exe
- Suspicious use of WriteProcessMemory 24 IoCs
  Processes:
  description                         pid   Process                 procid_target
  PID 1968 wrote to memory of 2460    1968  shipping documents.exe  30
  PID 1968 wrote to memory of 2460    1968  shipping documents.exe  30
  PID 1968 wrote to memory of 2460    1968  shipping documents.exe  30
  PID 1968 wrote to memory of 2460    1968  shipping documents.exe  30
  PID 1968 wrote to memory of 2472    1968  shipping documents.exe  32
  PID 1968 wrote to memory of 2472    1968  shipping documents.exe  32
  PID 1968 wrote to memory of 2472    1968  shipping documents.exe  32
  PID 1968 wrote to memory of 2472    1968  shipping documents.exe  32
  PID 1968 wrote to memory of 2972    1968  shipping documents.exe  34
  PID 1968 wrote to memory of 2972    1968  shipping documents.exe  34
  PID 1968 wrote to memory of 2972    1968  shipping documents.exe  34
  PID 1968 wrote to memory of 2972    1968  shipping documents.exe  34
  PID 1968 wrote to memory of 2736    1968  shipping documents.exe  36
  PID 1968 wrote to memory of 2736    1968  shipping documents.exe  36
  PID 1968 wrote to memory of 2736    1968  shipping documents.exe  36
  PID 1968 wrote to memory of 2736    1968  shipping documents.exe  36
  PID 1968 wrote to memory of 2736    1968  shipping documents.exe  36
  PID 1968 wrote to memory of 2736    1968  shipping documents.exe  36
  PID 1968 wrote to memory of 2736    1968  shipping documents.exe  36
  PID 1968 wrote to memory of 2736    1968  shipping documents.exe  36
  PID 1968 wrote to memory of 2736    1968  shipping documents.exe  36
  PID 1968 wrote to memory of 2736    1968  shipping documents.exe  36
  PID 1968 wrote to memory of 2736    1968  shipping documents.exe  36
  PID 1968 wrote to memory of 2736    1968  shipping documents.exe  36
Processes
- C:\Users\Admin\AppData\Local\Temp\shipping documents.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1968
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2460
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mUsYIbZfsGwZQG.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2472
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mUsYIbZfsGwZQG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFF74.tmp"
    - Creates scheduled task(s)
    PID: 2972
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2736
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: a04a1fa40c56b9cf4205108d990ebb45
  SHA1: d0c63ad5f9d620b393110e0b304a6f6a9612b4ba
  SHA256: 6aeb74319492a7560fcf5266278591bad5d002ebb6fe0f7e4d2be410cc00d3d8
  SHA512: 73f33149732821d8df19a590866034ff053e370f07ac6d097ef169a50d16f7679af7363608dd3d8dc97adfe0814bae3966bd541f5406ac59b2495ce5be9a21db
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M9R7D1UZNZ63FLRDTW2W.temp
  Filesize: 7KB
  MD5: 856912ba94239cc4c6e98aefb768617e
  SHA1: 58f2398190468a0b3fe569cf559011d02f85fd38
  SHA256: 24e92e896b4c97822ab0c751747dffc6cbf21a293c93420097aa8a1f6d21bfc0
  SHA512: af8fc63d790d40411115ae90133c79dbcdd22af1d4cf365967fb55aefc67c33653aab36dc7669f4e1eea9b71de249ccf8e2988772b1140dd478cd4befc4e18e5