Analysis Overview
SHA256
f96b6c703fe5b13fd985d91da265c58d3d5b2f81397ebe27527e59c208819d2e
Threat Level: Known bad
The file Shipping documents 000293994900.exe was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Agenttesla family
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 10:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 10:38
Reported
2024-10-31 10:41
Platform
win7-20240903-en
Max time kernel
145s
Max time network
136s
Command Line
Signatures
AgentTesla
Agenttesla family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2112 set thread context of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"
C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 84.38.133.42:80 | 84.38.133.42 | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:443 | api.ipify.org | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsyAF55.tmp\System.dll
| MD5 | 7399323923e3946fe9140132ac388132 |
| SHA1 | 728257d06c452449b1241769b459f091aabcffc5 |
| SHA256 | 5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3 |
| SHA512 | d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1 |
memory/2112-14-0x0000000077300000-0x00000000774A9000-memory.dmp
memory/2112-13-0x0000000077301000-0x0000000077402000-memory.dmp
memory/2172-15-0x0000000077300000-0x00000000774A9000-memory.dmp
memory/2172-16-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2172-18-0x0000000077300000-0x00000000774A9000-memory.dmp
memory/2172-19-0x0000000000490000-0x00000000004D2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 10:38
Reported
2024-10-31 10:41
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
136s
Command Line
Signatures
AgentTesla
Agenttesla family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4908 set thread context of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4908 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe |
| PID 4908 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe |
| PID 4908 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe |
| PID 4908 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe |
| PID 4908 wrote to memory of 944 | N/A | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe | C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"
C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe
"C:\Users\Admin\AppData\Local\Temp\Shipping documents 000293994900.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| NL | 84.38.133.42:80 | 84.38.133.42 | tcp |
| US | 8.8.8.8:53 | 42.133.38.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ftp.concaribe.com | udp |
| US | 192.185.13.234:21 | ftp.concaribe.com | tcp |
| US | 192.185.13.234:31139 | ftp.concaribe.com | tcp |
| US | 8.8.8.8:53 | 234.13.185.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsbA386.tmp\System.dll
| MD5 | 7399323923e3946fe9140132ac388132 |
| SHA1 | 728257d06c452449b1241769b459f091aabcffc5 |
| SHA256 | 5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3 |
| SHA512 | d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1 |
memory/4908-13-0x0000000076FC1000-0x00000000770E1000-memory.dmp
memory/4908-15-0x0000000010004000-0x0000000010005000-memory.dmp
memory/4908-14-0x0000000076FC1000-0x00000000770E1000-memory.dmp
memory/944-16-0x0000000077048000-0x0000000077049000-memory.dmp
memory/944-17-0x0000000077065000-0x0000000077066000-memory.dmp
memory/944-18-0x0000000000490000-0x00000000016E4000-memory.dmp
memory/944-19-0x0000000076FC1000-0x00000000770E1000-memory.dmp
memory/944-20-0x00000000721FE000-0x00000000721FF000-memory.dmp
memory/944-21-0x0000000000490000-0x00000000004D2000-memory.dmp
memory/944-22-0x0000000037990000-0x0000000037F34000-memory.dmp
memory/944-23-0x00000000357F0000-0x0000000035856000-memory.dmp
memory/944-24-0x00000000721F0000-0x00000000729A0000-memory.dmp
memory/944-26-0x0000000038900000-0x0000000038950000-memory.dmp
memory/944-27-0x0000000038970000-0x0000000038A0C000-memory.dmp
memory/944-28-0x0000000038BD0000-0x0000000038C62000-memory.dmp
memory/944-29-0x0000000038CB0000-0x0000000038CBA000-memory.dmp
memory/944-30-0x00000000721FE000-0x00000000721FF000-memory.dmp
memory/944-31-0x00000000721F0000-0x00000000729A0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-31 10:38
Reported
2024-10-31 10:42
Platform
win7-20241010-en
Max time kernel
12s
Max time network
19s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 228
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-31 10:38
Reported
2024-10-31 10:41
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3548 wrote to memory of 3496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3548 wrote to memory of 3496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3548 wrote to memory of 3496 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3496 -ip 3496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |