Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 19-06-2024 11:30

Static task: static1
Behavioral task: behavioral1
- Sample: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
- Resource: win10v2004-20240508-en
General
- Target: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
- Size: 1.1MB
- MD5: 9ff202976d5f42678ac91b33c24098a5
- SHA1: ee11ec657b8b40dc109afcfccea961454bc5d348
- SHA256: b74b2f6493fc4b4c58b134f919a464adfc5f923a0804a9cf3d4f592713d65ec8
- SHA512: 49e0f1e1979e40fe05004b8fff78122e3a8f06f9321b7f64d7c63b355b407639ef8f0142b2cb6cc6c9bd476072864f7d785840ad4eafb75904d82ab29d8f8993
- SSDEEP: 24576:9AHnh+eWsN3skA4RV1Hom2KXMmHaqNF5fUISHDbbP5:ch+ZkldoPK8YaqPtyDJ
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.laboratoriosvilla.com.mx
- Port: 587
- Username: [email protected]
- Password: WZ,2pliw#L)D
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET; it exfiltrates harvested credentials over channels such as the SMTP account extracted above.
- Drops startup file (1 IoC)
  Process: name.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs
- Executes dropped EXE (1 IoC)
  PID 2548: name.exe
- Loads dropped DLL (6 IoCs)
  PID 2980: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe (x1)
  PID 2864: WerFault.exe (x5)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RegSvcs.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\KaGeys = "C:\\Users\\Admin\\AppData\\Roaming\\KaGeys\\KaGeys.exe"
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 4: api.ipify.org
  Flow 6: ip-api.com
- AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  Resource: behavioral1/files/0x0008000000016d69-12.dat (YARA rule: autoit_exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2548 (name.exe) set thread context of PID 2876 (RegSvcs.exe)
- Program crash (1 IoC)
  PID 2864 (WerFault.exe) handled the crash of PID 2548 (name.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2876: RegSvcs.exe (x2)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 2548: name.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 2876 (RegSvcs.exe): Token SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 2980: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe (x2)
  PID 2548: name.exe (x2)
- Suspicious use of SendNotifyMessage (4 IoCs)
  PID 2980: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe (x2)
  PID 2548: name.exe (x2)
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 2980 (DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe) wrote to memory of PID 2548 (x4)
  PID 2548 (name.exe) wrote to memory of PID 2876 (x8)
  PID 2548 (name.exe) wrote to memory of PID 2864 (x4)
Processes
1. C:\Users\Admin\AppData\Local\Temp\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe"
   PID: 2980
   - Loads dropped DLL
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\directory\name.exe (child of PID 2980)
      Command line: "C:\Users\Admin\AppData\Local\Temp\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe"
      PID: 2548
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 2548)
         Command line: "C:\Users\Admin\AppData\Local\Temp\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe"
         PID: 2876
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\WerFault.exe (child of PID 2548)
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 320
         PID: 2864
         - Loads dropped DLL
         - Program crash
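The process tree above shows the classic process-hollowing chain: the AutoIt stage name.exe (PID 2548) writes into a freshly started RegSvcs.exe (PID 2876) and resets its thread context, and the resulting process, whose on-disk image is the .NET RegSvcs.exe but whose command line still names the original sample, is the one that sets the Run key and talks to the IP-lookup services. The Python below is an added example, not the sandbox's code or anything from the sample: it transcribes the report's process tree and behavioural IoCs into a small event model and runs three detection rules over it (hollowing: parent WriteProcessMemory plus SetThreadContext into a child whose mapped image disagrees with the executable on its command line; user-profile persistence: a Run value or Startup-folder drop pointing into AppData; external-IP lookup hosts). The event schema, the lookup hosts beyond the two in this report, and the scoring weights are assumptions of the example.

```python
"""Rule-based triage of the behavioural events in this sandbox report.
PIDs, paths, command lines, the Run value and the dropped file are transcribed
from the report; the event schema, rules and weights are this example's own."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe"


@dataclass
class Proc:
    pid: int
    image: str              # executable actually mapped on disk
    cmdline: str            # command line as reported (what the process claims to be)
    parent: Optional[int] = None


# Process tree transcribed from the report's Processes section.
PROCS = {
    2980: Proc(2980, SAMPLE, f'"{SAMPLE}"'),
    2548: Proc(2548, r"C:\Users\Admin\AppData\Local\directory\name.exe", f'"{SAMPLE}"', 2980),
    2876: Proc(2876, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", f'"{SAMPLE}"', 2548),
    2864: Proc(2864, r"C:\Windows\SysWOW64\WerFault.exe",
               r"C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 320", 2548),
}

# Events transcribed from the Signatures section (one entry per distinct IoC).
EVENTS = [
    {"type": "write_process_memory", "pid": 2980, "target": 2548},
    {"type": "write_process_memory", "pid": 2548, "target": 2876},
    {"type": "write_process_memory", "pid": 2548, "target": 2864},
    {"type": "set_thread_context", "pid": 2548, "target": 2876},
    {"type": "reg_set", "pid": 2876,
     "key": r"\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\KaGeys",
     "value": r"C:\Users\Admin\AppData\Roaming\KaGeys\KaGeys.exe"},
    {"type": "file_create", "pid": 2548,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"},
    {"type": "dns", "host": "api.ipify.org"},   # the report gives flow ids, not PIDs
    {"type": "dns", "host": "ip-api.com"},
]

RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
# The two hosts seen in this report plus common equivalents (assumption: extend as needed).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "checkip.dyndns.org",
                   "ifconfig.me", "icanhazip.com", "ipinfo.io"}


def exe_in_cmdline(cmdline: str) -> str:
    """First token of a command line, unquoted: the executable the process claims to be."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def find_hollowing(procs, events):
    """Parent wrote into the child and reset a thread context, and the child's mapped
    image differs from the executable named on its own command line."""
    wrote = {(e["pid"], e["target"]) for e in events if e["type"] == "write_process_memory"}
    hits = []
    for e in events:
        if e["type"] != "set_thread_context" or (e["pid"], e["target"]) not in wrote:
            continue
        child = procs.get(e["target"])
        if child and exe_in_cmdline(child.cmdline).lower() != child.image.lower():
            hits.append((e["pid"], child.pid, child.image))
    return hits


def find_persistence(events):
    """Run-key values and Startup-folder drops that point into the user profile."""
    hits = []
    for e in events:
        if e["type"] == "reg_set" and RUN_KEY.search(e["key"]) and USER_PROFILE.match(e["value"]):
            hits.append(("run_key", e["pid"], e["key"].rsplit("\\", 1)[-1], e["value"]))
        elif e["type"] == "file_create" and STARTUP_DIR.search(e["path"]):
            hits.append(("startup_folder", e["pid"], e["path"].rsplit("\\", 1)[-1], e["path"]))
    return hits


def find_ip_lookup(events):
    return sorted({e["host"] for e in events if e["type"] == "dns" and e["host"].lower() in IP_LOOKUP_HOSTS})


def lineage(procs, pid):
    """Ancestor chain root-first, e.g. dropper -> AutoIt stage -> hollowed host."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid].parent
    return chain[::-1]


def triage(procs, events):
    hollow, persist, lookups = find_hollowing(procs, events), find_persistence(events), find_ip_lookup(events)
    score = 3 * bool(hollow) + 2 * bool(persist) + 1 * bool(lookups)   # weights are an assumption
    verdict = "malicious" if score >= 4 else "suspicious" if score else "clean"
    return {"hollowing": hollow, "persistence": persist, "ip_lookup": lookups,
            "score": score, "verdict": verdict}


if __name__ == "__main__":
    result = triage(PROCS, EVENTS)
    for parent, child, image in result["hollowing"]:
        print(f"hollowing {' -> '.join(map(str, lineage(PROCS, child)))}: host image {image}")
    for kind, pid, name, where in result["persistence"]:
        print(f"persistence ({kind}) by PID {pid}: {name} -> {where}")
    print("ip lookup hosts:", ", ".join(result["ip_lookup"]))
    print(f"verdict: {result['verdict']} (score {result['score']})")
```

The image-versus-command-line check is what turns the generic WriteProcessMemory/SetThreadContext pair into a hollowing verdict: name.exe also carries the sample's command line, but nothing reset its thread context, so only RegSvcs.exe is flagged. On a live host the same comparison can be made from a Sysmon process-create event (Image versus CommandLine), and the persistence rule maps directly to the KaGeys Run value and name.vbs Startup drop recorded above.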
Network
MITRE ATT&CK Enterprise v15
Downloads
- (zero-byte file; these are the hashes of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 1.1MB (the submitted sample)
  MD5: 9ff202976d5f42678ac91b33c24098a5
  SHA1: ee11ec657b8b40dc109afcfccea961454bc5d348
  SHA256: b74b2f6493fc4b4c58b134f919a464adfc5f923a0804a9cf3d4f592713d65ec8
  SHA512: 49e0f1e1979e40fe05004b8fff78122e3a8f06f9321b7f64d7c63b355b407639ef8f0142b2cb6cc6c9bd476072864f7d785840ad4eafb75904d82ab29d8f8993