Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2024 10:03
Static task: static1
Behavioral task: behavioral1
  Sample: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
  Resource: win10v2004-20240508-en
General
Target: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
Size: 1.1MB
MD5: c519e1871f1521e167b56bad94b41114
SHA1: bd504a951e281eb76b37de31613de084bcddeeeb
SHA256: c89dbc33b2bed22fe68911bf6e23eb613cebc22f868290d4576822e26092798f
SHA512: 648ca2be6af1d37408b85764e504234942c657fa0d6c2791c08fcce35186ebf1e3b76e433701fed73f6bc5586d76d1584c49542e7e79bce17f13fc713dabf79e
SSDEEP: 24576:yAHnh+eWsN3skA4RV1Hom2KXMmHaUCmRC4Jer37G5:1h+ZkldoPK8YaU1A3g
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.laboratoriosvilla.com.mx
Port: 587
Username: [email protected]
Password: WZ,2pliw#L)D
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KaGeys = "C:\\Users\\Admin\\AppData\\Roaming\\KaGeys\\KaGeys.exe"
  process: RegSvcs.exe
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 13  ioc: api.ipify.org
  flow: 14  ioc: api.ipify.org
  flow: 15  ioc: ip-api.com

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description: PID 4780 set thread context of 4880
  pid: 4780  process: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe  target process: RegSvcs.exe

Program crash (1 IoCs)
Processes:
  pid: 232  pid_target: 4780  process: WerFault.exe  target process: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid: 4880  process: RegSvcs.exe
  pid: 4880  process: RegSvcs.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  pid: 4780  process: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeDebugPrivilege
  pid: 4880  process: RegSvcs.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid: 4780  process: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
  pid: 4780  process: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid: 4780  process: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
  pid: 4780  process: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description: PID 4780 wrote to memory of 4880
  pid: 4780  process: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe  target process: RegSvcs.exe
  description: PID 4780 wrote to memory of 4880
  pid: 4780  process: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe  target process: RegSvcs.exe
  description: PID 4780 wrote to memory of 4880
  pid: 4780  process: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe  target process: RegSvcs.exe
  description: PID 4780 wrote to memory of 4880
  pid: 4780  process: DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe  target process: RegSvcs.exe
Processes

C:\Users\Admin\AppData\Local\Temp\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 676
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4780 -ip 4780
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/4780-10-0x0000000000F60000-0x0000000000F64000-memory.dmp  Filesize: 16KB
memory/4880-11-0x0000000000400000-0x0000000000442000-memory.dmp  Filesize: 264KB
memory/4880-12-0x000000007411E000-0x000000007411F000-memory.dmp  Filesize: 4KB
memory/4880-13-0x0000000006040000-0x00000000065E4000-memory.dmp  Filesize: 5.6MB
memory/4880-14-0x0000000005A90000-0x0000000005AF6000-memory.dmp  Filesize: 408KB
memory/4880-15-0x0000000074110000-0x00000000748C0000-memory.dmp  Filesize: 7.7MB
memory/4880-17-0x0000000007090000-0x00000000070E0000-memory.dmp  Filesize: 320KB
memory/4880-18-0x0000000007180000-0x0000000007212000-memory.dmp  Filesize: 584KB
memory/4880-19-0x0000000007110000-0x000000000711A000-memory.dmp  Filesize: 40KB
memory/4880-20-0x000000007411E000-0x000000007411F000-memory.dmp  Filesize: 4KB
memory/4880-21-0x0000000074110000-0x00000000748C0000-memory.dmp  Filesize: 7.7MB