Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 10-06-2024 01:56
Static task: static1
Behavioral task: behavioral1
- Sample: Shipping documents.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: Shipping documents.exe
- Resource: win10v2004-20240508-en
General
- Target: Shipping documents.exe
- Size: 684KB
- MD5: 594c88f0815435836775f4af6fd465d4
- SHA1: 303d2f4a1b8ce101e9957c299ca57a4621d3a016
- SHA256: 8fbf89ff9f1c63329f5251feed90590b8f3bd725e469b5afd25be717f3cb2ca9
- SHA512: b93bb4606ed5dcc87eeb06df6bb9acc6dee994e6c6456e33ca0671cc25f6026e19cf72532294dbacd04ab063113125a8748cde94b46ec9cf66eeaf6d4657c7be
- SSDEEP: 12288:weATclGRjKCKooZVEhPkzIOiRv+NBTp/U2pQ3pRCXDuIJqyJMq40Bbf25kR:nackROioZCGsJOc2pYkX6OJP
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.springandsummer.lk
- Port: 587
- Username: [email protected]
- Password: anu##323
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detects packed .NET executables, mostly AgentTeslaV4 (5 IoCs)
  Matched resources (resource: yara_rule):
  - behavioral1/memory/2456-29-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_EXE_Packed_GEN01
  - behavioral1/memory/2456-31-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_EXE_Packed_GEN01
  - behavioral1/memory/2456-28-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_EXE_Packed_GEN01
  - behavioral1/memory/2456-25-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_EXE_Packed_GEN01
  - behavioral1/memory/2456-23-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_EXE_Packed_GEN01
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers (5 IoCs)
  Matched resources (resource: yara_rule):
  - behavioral1/memory/2456-29-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_Binary_References_Browsers
  - behavioral1/memory/2456-31-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_Binary_References_Browsers
  - behavioral1/memory/2456-28-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_Binary_References_Browsers
  - behavioral1/memory/2456-25-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_Binary_References_Browsers
  - behavioral1/memory/2456-23-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_Binary_References_Browsers
- Detects executables referencing Windows vault credential objects. Observed in information stealers (5 IoCs)
  Matched resources (resource: yara_rule):
  - behavioral1/memory/2456-29-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  - behavioral1/memory/2456-31-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  - behavioral1/memory/2456-28-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  - behavioral1/memory/2456-25-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  - behavioral1/memory/2456-23-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers (5 IoCs)
  Matched resources (resource: yara_rule):
  - behavioral1/memory/2456-29-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  - behavioral1/memory/2456-31-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  - behavioral1/memory/2456-28-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  - behavioral1/memory/2456-25-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  - behavioral1/memory/2456-23-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
- Detects executables referencing many email and collaboration clients. Observed in information stealers (5 IoCs)
  Matched resources (resource: yara_rule):
  - behavioral1/memory/2456-29-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  - behavioral1/memory/2456-31-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  - behavioral1/memory/2456-28-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  - behavioral1/memory/2456-25-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  - behavioral1/memory/2456-23-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
- Detects executables referencing many file transfer clients. Observed in information stealers (5 IoCs)
  Matched resources (resource: yara_rule; the rule name is spelled as in the ruleset):
  - behavioral1/memory/2456-29-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  - behavioral1/memory/2456-31-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  - behavioral1/memory/2456-28-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  - behavioral1/memory/2456-25-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  - behavioral1/memory/2456-23-0x0000000000400000-0x0000000000442000-memory.dmp: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes (pid: Process):
  - 2596: powershell.exe
  - 2676: powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, Process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" (RegSvcs.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, Process, procid_target):
  - PID 3000 set thread context of 2456 (Shipping documents.exe, procid_target 34)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes (pid: Process):
  - 3000: Shipping documents.exe (7 events)
  - 2456: RegSvcs.exe (2 events)
  - 2596: powershell.exe (1 event)
  - 2676: powershell.exe (1 event)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, Process):
  - Token: SeDebugPrivilege, 3000, Shipping documents.exe
  - Token: SeDebugPrivilege, 2456, RegSvcs.exe
  - Token: SeDebugPrivilege, 2596, powershell.exe
  - Token: SeDebugPrivilege, 2676, powershell.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, pid, Process, procid_target):
  - PID 3000 wrote to memory of 2676 (Shipping documents.exe, procid_target 28): 4 events
  - PID 3000 wrote to memory of 2596 (Shipping documents.exe, procid_target 30): 4 events
  - PID 3000 wrote to memory of 2756 (Shipping documents.exe, procid_target 32): 4 events
  - PID 3000 wrote to memory of 2456 (Shipping documents.exe, procid_target 34): 12 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe (PID: 3000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 2676)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Shipping documents.exe"
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 2596)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYctFdAIXtTSr.exe"
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID: 2756)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYctFdAIXtTSr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6690.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID: 2456)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Signatures:
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file (path not recorded in the report)
  Filesize: 1KB
  MD5: d4d52aad04408fe50a535dce8199dda6
  SHA1: 6572100a1c7695146f1452b69ea6e69576ffa70e
  SHA256: 16cd19619be373c5becb52e3742b8da476e29bb770f6ef5e55a772c98fb22eeb
  SHA512: 488b7e9eaa4c1d4f6d97ab57f8001f4821a8265a6e55db654544a3e401d28be3bea84d9b1aab44b70ccabf0d1fd38707df13483bccc2468bf1eb9a27575ea669
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ABOR2UZ50GH99PLP0H96.temp
  Filesize: 7KB
  MD5: c0ccf5e02e811b898943999cf0329191
  SHA1: ba72b9e888d5ba2d25f318be105963ebfb7092ff
  SHA256: ce7f03b3c247af02c6c5a2743fdbedc5c6457c8588c12967d39c10dd89fb522b
  SHA512: aa67d56ec073f9239f62e754abb9f383251a3f4c1655db866c21bfcad3246158997c2b896dca90f64e8552661eba15a4273f8f563260fcdec7a66d1d2c06bffd