Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    19-06-2024 11:30

General

  • Target

    DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe

  • Size

    1.1MB

  • MD5

    9ff202976d5f42678ac91b33c24098a5

  • SHA1

    ee11ec657b8b40dc109afcfccea961454bc5d348

  • SHA256

    b74b2f6493fc4b4c58b134f919a464adfc5f923a0804a9cf3d4f592713d65ec8

  • SHA512

    49e0f1e1979e40fe05004b8fff78122e3a8f06f9321b7f64d7c63b355b407639ef8f0142b2cb6cc6c9bd476072864f7d785840ad4eafb75904d82ab29d8f8993

  • SSDEEP

    24576:9AHnh+eWsN3skA4RV1Hom2KXMmHaqNF5fUISHDbbP5:ch+ZkldoPK8YaqPtyDJ

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Users\Admin\AppData\Local\directory\name.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2548
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe"
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2876
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 320
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lards

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\directory\name.exe

    Filesize

    1.1MB

    MD5

    9ff202976d5f42678ac91b33c24098a5

    SHA1

    ee11ec657b8b40dc109afcfccea961454bc5d348

    SHA256

    b74b2f6493fc4b4c58b134f919a464adfc5f923a0804a9cf3d4f592713d65ec8

    SHA512

    49e0f1e1979e40fe05004b8fff78122e3a8f06f9321b7f64d7c63b355b407639ef8f0142b2cb6cc6c9bd476072864f7d785840ad4eafb75904d82ab29d8f8993

  • memory/2876-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2876-32-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2876-34-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2876-35-0x000000007480E000-0x000000007480F000-memory.dmp

    Filesize

    4KB

  • memory/2876-41-0x0000000074800000-0x0000000074EEE000-memory.dmp

    Filesize

    6.9MB

  • memory/2876-42-0x000000007480E000-0x000000007480F000-memory.dmp

    Filesize

    4KB

  • memory/2876-43-0x0000000074800000-0x0000000074EEE000-memory.dmp

    Filesize

    6.9MB

  • memory/2980-10-0x0000000000130000-0x0000000000134000-memory.dmp

    Filesize

    16KB