Analysis
-
max time kernel
17s -
max time network
116s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system -
submitted
15-11-2024 02:17
Static task
static1
Behavioral task
behavioral1
Sample
01. MT JS JIANGYIN Ship Particulars.xlsx.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
01. MT JS JIANGYIN Ship Particulars.xlsx.exe
Resource
win10v2004-20241007-en
General
-
Target
01. MT JS JIANGYIN Ship Particulars.xlsx.exe
-
Size
1.1MB
-
MD5
d1b0f594c2162e517c30a3fd9a87085b
-
SHA1
249e2e865e1abb381dfbdf6a340db76fd0749591
-
SHA256
53a41d321309fbd29c4f6ae53618d02aae6d2f8b5707285d5be4f7f995e11485
-
SHA512
84554080601be34f64768d7ae52513571c4dd7bfb40d766dc30702b09804754771fccc94fd2463d63f43479727a72e70aa2c7a25eb1e4aea31022d550fd83ca3
-
SSDEEP
12288:Ytb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgao73rAFx83DGd7J2WLjJ:Ytb20pkaCqT5TBWgNQ7aoRTmos+E6A
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Agenttesla family
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
4     api.ipify.org
5     api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
01. MT JS JIANGYIN Ship Particulars.xlsx.exe
description                              pid   Process                                        procid_target
PID 2536 set thread context of 1272      2536  01. MT JS JIANGYIN Ship Particulars.xlsx.exe   30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
01. MT JS JIANGYIN Ship Particulars.xlsx.exe, RegSvcs.exe
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  01. MT JS JIANGYIN Ship Particulars.xlsx.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegSvcs.exe
pid   Process
1272  RegSvcs.exe
1272  RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
01. MT JS JIANGYIN Ship Particulars.xlsx.exe
pid   Process
2536  01. MT JS JIANGYIN Ship Particulars.xlsx.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegSvcs.exe
description              pid   Process
Token: SeDebugPrivilege  1272  RegSvcs.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
01. MT JS JIANGYIN Ship Particulars.xlsx.exe
description                      pid   Process                                        procid_target
PID 2536 wrote to memory of 1272  2536  01. MT JS JIANGYIN Ship Particulars.xlsx.exe   30
PID 2536 wrote to memory of 1272  2536  01. MT JS JIANGYIN Ship Particulars.xlsx.exe   30
PID 2536 wrote to memory of 1272  2536  01. MT JS JIANGYIN Ship Particulars.xlsx.exe   30
PID 2536 wrote to memory of 1272  2536  01. MT JS JIANGYIN Ship Particulars.xlsx.exe   30
PID 2536 wrote to memory of 1272  2536  01. MT JS JIANGYIN Ship Particulars.xlsx.exe   30
PID 2536 wrote to memory of 1272  2536  01. MT JS JIANGYIN Ship Particulars.xlsx.exe   30
PID 2536 wrote to memory of 1272  2536  01. MT JS JIANGYIN Ship Particulars.xlsx.exe   30
PID 2536 wrote to memory of 1272  2536  01. MT JS JIANGYIN Ship Particulars.xlsx.exe   30
Processes
-
C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe"
Tree level: 1
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\01. MT JS JIANGYIN Ship Particulars.xlsx.exe"
Tree level: 2
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1272
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
261KB
MD5
38f32ed0ac96cb9d6a3ee68ee2b6ece8
SHA1
a4ff8874c060347eb17afa37e645babd57757784
SHA256
08574f71828bb98f99c15327ed1b8085dcf95f32d448ce34b2e85c34d782d2f3
SHA512
c9a1656e599e392d5da78ba87a5536ef9ccbde76a20a58497c2d3a8f2bb658f36c58add85288264537024e85b920ca8889f016a7b02874f62480bd06dc03c3a4