Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
18-06-2024 06:45
Static task
static1
Behavioral task
behavioral1
Sample
shipping documents.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
shipping documents.exe
Resource
win10v2004-20240508-en
General
-
Target
shipping documents.exe
-
Size
731KB
-
MD5
487581e26f44dc342b13f83a424a7d0b
-
SHA1
f63e3fdfa598322bd2ededb12a2c272182824990
-
SHA256
553e372ef331a9891f8cada32625bd6491cbd427f1a2a6ad62cd1472ec3f23a0
-
SHA512
9e903d9be418a8d024b566bf06d28a300bf15f3fa042a4a8ebe7b8e186a8cb50ad19e5a892e5137dccc05fac4b7eabf6236592b6efcea045d68ad1988c03a99a
-
SSDEEP
12288:UPU2iNPyCK2xrOo2BakSVelkYawUlrc/6t2SLck6en6Oj0KlhKAgLEwkR:L15yC5ESVkRallVGzgfkAX
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.springandsummer.lk - Port:
587 - Username:
[email protected] - Password:
anu##323 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepid process 2604 powershell.exe 3004 powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" RegSvcs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
shipping documents.exedescription pid process target process PID 1632 set thread context of 2528 1632 shipping documents.exe RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
shipping documents.exepowershell.exepowershell.exeRegSvcs.exepid process 1632 shipping documents.exe 1632 shipping documents.exe 1632 shipping documents.exe 1632 shipping documents.exe 1632 shipping documents.exe 1632 shipping documents.exe 2604 powershell.exe 3004 powershell.exe 1632 shipping documents.exe 2528 RegSvcs.exe 2528 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
shipping documents.exepowershell.exepowershell.exeRegSvcs.exedescription pid process Token: SeDebugPrivilege 1632 shipping documents.exe Token: SeDebugPrivilege 2604 powershell.exe Token: SeDebugPrivilege 3004 powershell.exe Token: SeDebugPrivilege 2528 RegSvcs.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
shipping documents.exedescription pid process target process PID 1632 wrote to memory of 2604 1632 shipping documents.exe powershell.exe PID 1632 wrote to memory of 2604 1632 shipping documents.exe powershell.exe PID 1632 wrote to memory of 2604 1632 shipping documents.exe powershell.exe PID 1632 wrote to memory of 2604 1632 shipping documents.exe powershell.exe PID 1632 wrote to memory of 3004 1632 shipping documents.exe powershell.exe PID 1632 wrote to memory of 3004 1632 shipping documents.exe powershell.exe PID 1632 wrote to memory of 3004 1632 shipping documents.exe powershell.exe PID 1632 wrote to memory of 3004 1632 shipping documents.exe powershell.exe PID 1632 wrote to memory of 2612 1632 shipping documents.exe schtasks.exe PID 1632 wrote to memory of 2612 1632 shipping documents.exe schtasks.exe PID 1632 wrote to memory of 2612 1632 shipping documents.exe schtasks.exe PID 1632 wrote to memory of 2612 1632 shipping documents.exe schtasks.exe PID 1632 wrote to memory of 2528 1632 shipping documents.exe RegSvcs.exe PID 1632 wrote to memory of 2528 1632 shipping documents.exe RegSvcs.exe PID 1632 wrote to memory of 2528 1632 shipping documents.exe RegSvcs.exe PID 1632 wrote to memory of 2528 1632 shipping documents.exe RegSvcs.exe PID 1632 wrote to memory of 2528 1632 shipping documents.exe RegSvcs.exe PID 1632 wrote to memory of 2528 1632 shipping documents.exe RegSvcs.exe PID 1632 wrote to memory of 2528 1632 shipping documents.exe RegSvcs.exe PID 1632 wrote to memory of 2528 1632 shipping documents.exe RegSvcs.exe PID 1632 wrote to memory of 2528 1632 shipping documents.exe RegSvcs.exe PID 1632 wrote to memory of 2528 1632 shipping documents.exe RegSvcs.exe PID 1632 wrote to memory of 2528 1632 shipping documents.exe RegSvcs.exe PID 1632 wrote to memory of 2528 1632 shipping documents.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping documents.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qvgpVBR.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qvgpVBR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6133.tmp"2⤵
- Creates scheduled task(s)
PID:2612 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2528
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD568e8afeaa83981e10209aa4354e7ef6e
SHA1365ba709858f291d197d26930d43137c3c03f6a5
SHA2562cd513beb4110925043224fb02d4b5abda764dbdd938e36293782ce49fe2b196
SHA5123d58d6a600362adc996722f4e990bb341ac3e76eb7c4b4958baab5f9d92946d5127b518f6d30ba9ad5b1016c0c35d70f5102f742a6eeeb89f51b66decbf65375
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MWVG2LIP4H00YU3T454A.temp
Filesize7KB
MD5c9dd4a2342566128abe6b35bb2ce034d
SHA1892e53cfdb866ac38f3768a8609092d0f8d9b89f
SHA256b4b60a78306d143f02fb88e4768733a00ffe485e855951296ff79c5f99a406e3
SHA512a821a684119f7d970c43c47dc388477eb8ef15666c2b6e983e7b1694837e140381571838bbd2917f0fbdbbed36903a427f5ccfe60e1454e59ee90e8191dd5d1f