Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 19-06-2024 13:59
Static task: static1
Behavioral task: behavioral1
  Sample: shipping documents.png.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: shipping documents.png.exe
  Resource: win10v2004-20240508-en
General
- Target: shipping documents.png.exe
- Size: 981KB
- MD5: bb21b9bc8eb02f11dfa61dd0b1fd3e23
- SHA1: 4389be9b203db228114c15216511150525849e8c
- SHA256: bf252b8ef4fb77ea9b7a7369d779f7bcb5160bb2af7d40859978b78d873400b4
- SHA512: 84ae7dbdec0f7925141b50b34f8f174f49a3713b398cc6318910921427ad1ae73b14d0673794785009c07e8bbf6a6f201d794ed539e6cea3eaa6d9bcdee4a380
- SSDEEP: 12288:2LXTxqqEvq2zRbjGPswaUW1vfNaO5uTpaO9eXVKrPtK6p/qr+aUmvCFMQsbzZHcU:2LBkpjGP/avkOIFaO0IpK6N7nm6uBX
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.shaktiinstrumentations.in
- Port: 587
- Username: [email protected]
- Password: Shakti54231!@#$%#@!
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes:
    pid   process
    2700  powershell.exe
    2568  powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                                                                                process
    Set value (str)  \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"  RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                           pid   process                     procid_target
    PID 1936 set thread context of 2500   1936  shipping documents.png.exe  34
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes:
    pid   process
    1936  shipping documents.png.exe
    1936  shipping documents.png.exe
    1936  shipping documents.png.exe
    1936  shipping documents.png.exe
    1936  shipping documents.png.exe
    1936  shipping documents.png.exe
    2568  powershell.exe
    2700  powershell.exe
    1936  shipping documents.png.exe
    2500  RegSvcs.exe
    2500  RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1936  shipping documents.png.exe
    Token: SeDebugPrivilege  2568  powershell.exe
    Token: SeDebugPrivilege  2700  powershell.exe
    Token: SeDebugPrivilege  2500  RegSvcs.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (identical entries collapsed, count in brackets):
    description                        pid   process                     procid_target
    PID 1936 wrote to memory of 2568   1936  shipping documents.png.exe  28  [4 entries]
    PID 1936 wrote to memory of 2700   1936  shipping documents.png.exe  30  [4 entries]
    PID 1936 wrote to memory of 2564   1936  shipping documents.png.exe  32  [4 entries]
    PID 1936 wrote to memory of 2500   1936  shipping documents.png.exe  34  [12 entries]
Processes
- C:\Users\Admin\AppData\Local\Temp\shipping documents.png.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\shipping documents.png.exe"
  PID: 1936
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipping documents.png.exe"
    PID: 2568
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HOdckjqilPep.exe"
    PID: 2700
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOdckjqilPep" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E36.tmp"
    PID: 2564
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2500
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads
- Filesize: 1KB
  MD5: 1466bd8a1eaf84e104b4ff1f850f0f05
  SHA1: fdd0de13bc6285500c84d405b7942283eaf6524f
  SHA256: fb0ab0defc0275e0db3614d9cb7a7d33a2adb7dfc2df9260c4c0bd09ac0a3d50
  SHA512: 9b5bafa5131781d9b880e118437d63857a49c086180dd43b2ae226f8da53d3115c42d56052db3cf5765860610aece971a4fc66f4f9fb965294dd8d49d0d3e8ce
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 48c5f3b9d1623361879f2cf050dec525
  SHA1: a713eb4f1061f63aabc971cde2f00cdabf516273
  SHA256: 8b3255689185281f25235e760687a93bc1a69a88c8e316ad3fe779e197ccb5cc
  SHA512: 69080f18fb344629de4d945f447a3a47b3e8ffc1bd98207bbe490b8f7b86b7ccc519a496849baacf8d63fb98d866270bdddd6a8b90fbe2917fd9ae98a34c7099