Analysis
max time kernel: 62s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 06:09
Static task: static1
Behavioral task: behavioral1
  Sample: shipping documents.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: shipping documents.exe
  Resource: win10v2004-20240508-en
General
Target: shipping documents.exe
Size: 663KB
MD5: dd1c0c05fece823d0c57d0c507e9deb2
SHA1: cfad01e0218e8ccc2adf740edc8bc594a0b3cd20
SHA256: ba5b16c28def8e5d0ea0a09bf25b4d980fe89e3537f7034d775ccdf3bd9f5035
SHA512: cd186111b32a33e23a9af82e986415ab45a75176248c5b3c178330fee14824dae5ff9ee2a90c84cb1f481ea22fdc9462f80411e0ffaf5d9080d722c3e7244272
SSDEEP: 12288:eFIsPALKLE97fl/JJ1B+7rdVYBbP7NYzDa2HQUphVonpX+Apg1k/oNRKFXlXDtkA:4IK+dlL1BSrdCB9YqhUKKVNRiNLznZ
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.springandsummer.lk
Port: 587
Username: [email protected]
Password: anu##323
Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  PID 2732 powershell.exe
  PID 2228 powershell.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  shipping documents.exe: key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  RegSvcs.exe: set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 992 shipping documents.exe set thread context of PID 3284 RegSvcs.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (15 IoCs)
Processes:
  PID 992 shipping documents.exe (9 events)
  PID 2732 powershell.exe (2 events)
  PID 2228 powershell.exe (2 events)
  PID 3284 RegSvcs.exe (2 events)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  PID 992 shipping documents.exe: Token: SeDebugPrivilege
  PID 2732 powershell.exe: Token: SeDebugPrivilege
  PID 2228 powershell.exe: Token: SeDebugPrivilege
  PID 3284 RegSvcs.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (source PID 992 shipping documents.exe wrote to the memory of):
  PID 2732 powershell.exe (3 events)
  PID 2228 powershell.exe (3 events)
  PID 3752 schtasks.exe (3 events)
  PID 2424 RegSvcs.exe (3 events)
  PID 3284 RegSvcs.exe (8 events)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\shipping documents.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"
  PID: 992
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"
    PID: 2732
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AxawoKKXrVH.exe"
    PID: 2228
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  Level 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AxawoKKXrVH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A7B.tmp"
    PID: 3752
    - Creates scheduled task(s)
  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2424
  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 3284
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads