Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 19-06-2024 13:53

Static task: static1

Behavioral task: behavioral1
Sample: shipping documents.png.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: shipping documents.png.exe
Resource: win10v2004-20240508-en
General
Target: shipping documents.png.exe
Size: 981KB
MD5: bb21b9bc8eb02f11dfa61dd0b1fd3e23
SHA1: 4389be9b203db228114c15216511150525849e8c
SHA256: bf252b8ef4fb77ea9b7a7369d779f7bcb5160bb2af7d40859978b78d873400b4
SHA512: 84ae7dbdec0f7925141b50b34f8f174f49a3713b398cc6318910921427ad1ae73b14d0673794785009c07e8bbf6a6f201d794ed539e6cea3eaa6d9bcdee4a380
SSDEEP: 12288:2LXTxqqEvq2zRbjGPswaUW1vfNaO5uTpaO9eXVKrPtK6p/qr+aUmvCFMQsbzZHcU:2LBkpjGP/avkOIFaO0IpK6N7nm6uBX
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.shaktiinstrumentations.in
Port: 587
Username: [email protected]
Password: Shakti54231!@#$%#@!
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid, Process):
  2660  powershell.exe
  2440  powershell.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, Process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"  RegSvcs.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes (description, pid, Process, procid_target):
  PID 2872 set thread context of 2820  2872  shipping documents.png.exe  34

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (11 IoCs)
Processes (pid, Process):
  2872  shipping documents.png.exe
  2872  shipping documents.png.exe
  2872  shipping documents.png.exe
  2872  shipping documents.png.exe
  2872  shipping documents.png.exe
  2872  shipping documents.png.exe
  2872  shipping documents.png.exe
  2820  RegSvcs.exe
  2820  RegSvcs.exe
  2440  powershell.exe
  2660  powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description, pid, Process):
  Token: SeDebugPrivilege  2872  shipping documents.png.exe
  Token: SeDebugPrivilege  2820  RegSvcs.exe
  Token: SeDebugPrivilege  2440  powershell.exe
  Token: SeDebugPrivilege  2660  powershell.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Processes (description, pid, Process, procid_target):
  PID 2872 wrote to memory of 2660  2872  shipping documents.png.exe  28
  PID 2872 wrote to memory of 2660  2872  shipping documents.png.exe  28
  PID 2872 wrote to memory of 2660  2872  shipping documents.png.exe  28
  PID 2872 wrote to memory of 2660  2872  shipping documents.png.exe  28
  PID 2872 wrote to memory of 2440  2872  shipping documents.png.exe  30
  PID 2872 wrote to memory of 2440  2872  shipping documents.png.exe  30
  PID 2872 wrote to memory of 2440  2872  shipping documents.png.exe  30
  PID 2872 wrote to memory of 2440  2872  shipping documents.png.exe  30
  PID 2872 wrote to memory of 2588  2872  shipping documents.png.exe  31
  PID 2872 wrote to memory of 2588  2872  shipping documents.png.exe  31
  PID 2872 wrote to memory of 2588  2872  shipping documents.png.exe  31
  PID 2872 wrote to memory of 2588  2872  shipping documents.png.exe  31
  PID 2872 wrote to memory of 2820  2872  shipping documents.png.exe  34
  PID 2872 wrote to memory of 2820  2872  shipping documents.png.exe  34
  PID 2872 wrote to memory of 2820  2872  shipping documents.png.exe  34
  PID 2872 wrote to memory of 2820  2872  shipping documents.png.exe  34
  PID 2872 wrote to memory of 2820  2872  shipping documents.png.exe  34
  PID 2872 wrote to memory of 2820  2872  shipping documents.png.exe  34
  PID 2872 wrote to memory of 2820  2872  shipping documents.png.exe  34
  PID 2872 wrote to memory of 2820  2872  shipping documents.png.exe  34
  PID 2872 wrote to memory of 2820  2872  shipping documents.png.exe  34
  PID 2872 wrote to memory of 2820  2872  shipping documents.png.exe  34
  PID 2872 wrote to memory of 2820  2872  shipping documents.png.exe  34
  PID 2872 wrote to memory of 2820  2872  shipping documents.png.exe  34
Processes

C:\Users\Admin\AppData\Local\Temp\shipping documents.png.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\shipping documents.png.exe"
  PID: 2872
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping documents.png.exe"
    PID: 2660
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HOdckjqilPep.exe"
    PID: 2440
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOdckjqilPep" /XML "C:\Users\Admin\AppData\Local\Temp\tmp79E1.tmp"
    PID: 2588
    - Scheduled Task/Job: Scheduled Task

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2820
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

Filesize: 1KB
MD5: 28325eb4ff3fe2666fe58dc6c952d960
SHA1: 1de71b823adb69c55dab72833c520ecd24d1b0a8
SHA256: 1b9e8c3712b2108059663fdc58a273d73952f983130bc401d681be87cc0ef4f5
SHA512: b64bfa41b538e5f174b2033434e7dd3c37709008bc4586dd5aa3301cdd9d590a382ecaff6f53bbc1dbcda129791f88e1b52ec9d74062026143766c4a7c6e16b3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: a76b944541e14dce58a2894102f651da
SHA1: 939240d71ef94c8746e063a861c31af7c34007cb
SHA256: 369e481e81aec9590c026e19ba78fb68c5e8a5a9a7078e91f22b701fb5f5e98c
SHA512: 486576e6e946dbd6b4ea31bfb926c48993f32f8a4bcd104b7dd2f2703c2408250c5e23df7d5ae9036eabe4739fd1966cb7d5cdf52d407430821e1136e627d5bd