Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 18-06-2024 06:09
Static task: static1
Behavioral task: behavioral1
  Sample: shipping documents.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: shipping documents.exe
  Resource: win10v2004-20240508-en
General
Target: shipping documents.exe
Size: 663KB
MD5: dd1c0c05fece823d0c57d0c507e9deb2
SHA1: cfad01e0218e8ccc2adf740edc8bc594a0b3cd20
SHA256: ba5b16c28def8e5d0ea0a09bf25b4d980fe89e3537f7034d775ccdf3bd9f5035
SHA512: cd186111b32a33e23a9af82e986415ab45a75176248c5b3c178330fee14824dae5ff9ee2a90c84cb1f481ea22fdc9462f80411e0ffaf5d9080d722c3e7244272
SSDEEP: 12288:eFIsPALKLE97fl/JJ1B+7rdVYBbP7NYzDa2HQUphVonpX+Apg1k/oNRKFXlXDtkA:4IK+dlL1BSrdCB9YqhUKKVNRiNLznZ
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.springandsummer.lk
Port: 587
Username: [email protected]
Password: anu##323
Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  2940  powershell.exe
  2588  powershell.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"
  process: RegSvcs.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description: PID 3048 set thread context of 2604
  pid: 3048
  process: shipping documents.exe
  target process: RegSvcs.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes:
  pid   process                 entries
  3048  shipping documents.exe  7
  2604  RegSvcs.exe             2
  2588  powershell.exe          1
  2940  powershell.exe          1
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3048  shipping documents.exe
  Token: SeDebugPrivilege  2604  RegSvcs.exe
  Token: SeDebugPrivilege  2588  powershell.exe
  Token: SeDebugPrivilege  2940  powershell.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
  description                       pid   process                 target process  entries
  PID 3048 wrote to memory of 2940  3048  shipping documents.exe  powershell.exe  4
  PID 3048 wrote to memory of 2588  3048  shipping documents.exe  powershell.exe  4
  PID 3048 wrote to memory of 2652  3048  shipping documents.exe  schtasks.exe    4
  PID 3048 wrote to memory of 2604  3048  shipping documents.exe  RegSvcs.exe     12
Processes
1. C:\Users\Admin\AppData\Local\Temp\shipping documents.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"
   PID: 3048
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"
      PID: 2940
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AxawoKKXrVH.exe"
      PID: 2588
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AxawoKKXrVH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A47.tmp"
      PID: 2652
      - Creates scheduled task(s)
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2604
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
Filesize: 1KB
MD5: af7f234ce916e9bf1d5a9fb8f2748187
SHA1: 60d6f55046b1f14621b5fbe966ebab516d25b098
SHA256: 4a2bc486c629b51a144afe354d287e65a1228a18dfa75515d7ecfd33f2bb4087
SHA512: 9a20392ea80ea70e95fdbd6ebf0b6ee2b7cb129122791c4c2ddc7b72657ce223e7f34c7fcaa4ff34ee624ea4b8b46f6b41a396bf3758a714b579edfe04a4b573

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 09e7331b3a67deb66785796eac94ed5f
SHA1: 739da38d86074e12243b1c1c6a253902161af364
SHA256: f667ca998a0b10d63013f7b20a082401b5aeffcbdf2d7036e522bdda9fd9b945
SHA512: 3f9e450644f94be999db1d9516f6ad734f65a95b0fefa1a84accc6d5442c350b52386e93fa59ca6b50fa4df3276b319fe24550e355684bb9e3d4612a31e50ac8