Analysis
- max time kernel: 89s
- max time network: 8s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 20:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: proforma invoice.exe
- Resource: win7v20201028
General
- Target: proforma invoice.exe
- Size: 453KB
- MD5: 04dfee364770b42beae6cd931bdff099
- SHA1: 30d15b8fa934d84cf8652e1d80b60a263e02c29e
- SHA256: 012edf2acec37175b25f3f4be8044f10a0113ce517d6240e4ac1536c9c45cbe8
- SHA512: aa3322534e3d483a45c9e3153cb45df6189628d69f9e26c2761fefb576ca9023dc0bfad6eeab3e02ecb06a740cee075f896ebff2351f216e80cef0497cfee714
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: m4rkusyoung@yandex.com
- Password: 123@Ossymbo
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1584-7-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral1/memory/1584-8-0x0000000000446C7E-mapping.dmp | family_agenttesla
behavioral1/memory/1584-9-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral1/memory/1584-10-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
-
Processes:
resource | yara_rule
behavioral1/memory/1668-4-0x0000000004160000-0x00000000041AD000-memory.dmp | rezer0
- Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 1668 set thread context of 1584 | 1668 | proforma invoice.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
1584 | RegSvcs.exe
1584 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1584 | RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | process
1584 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
description | pid | process | target process
PID 1668 wrote to memory of 1336 | 1668 | proforma invoice.exe | schtasks.exe
PID 1668 wrote to memory of 1336 | 1668 | proforma invoice.exe | schtasks.exe
PID 1668 wrote to memory of 1336 | 1668 | proforma invoice.exe | schtasks.exe
PID 1668 wrote to memory of 1336 | 1668 | proforma invoice.exe | schtasks.exe
PID 1668 wrote to memory of 1584 | 1668 | proforma invoice.exe | RegSvcs.exe
PID 1668 wrote to memory of 1584 | 1668 | proforma invoice.exe | RegSvcs.exe
PID 1668 wrote to memory of 1584 | 1668 | proforma invoice.exe | RegSvcs.exe
PID 1668 wrote to memory of 1584 | 1668 | proforma invoice.exe | RegSvcs.exe
PID 1668 wrote to memory of 1584 | 1668 | proforma invoice.exe | RegSvcs.exe
PID 1668 wrote to memory of 1584 | 1668 | proforma invoice.exe | RegSvcs.exe
PID 1668 wrote to memory of 1584 | 1668 | proforma invoice.exe | RegSvcs.exe
PID 1668 wrote to memory of 1584 | 1668 | proforma invoice.exe | RegSvcs.exe
PID 1668 wrote to memory of 1584 | 1668 | proforma invoice.exe | RegSvcs.exe
PID 1668 wrote to memory of 1584 | 1668 | proforma invoice.exe | RegSvcs.exe
PID 1668 wrote to memory of 1584 | 1668 | proforma invoice.exe | RegSvcs.exe
PID 1668 wrote to memory of 1584 | 1668 | proforma invoice.exe | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QoOHmrlf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp89D8.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (tree depth 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp89D8.tmp
  MD5: 47e3ea00c9d8fab887806827bd2225f3
  SHA1: b9551786a4cfb6d707bb5d9e9fa324e316740645
  SHA256: add02fa0a4e5f7c48fc9b0e253517218a87d41613725b6ff769f87122ec4e594
  SHA512: a12d0e24a42dfa14f7fdae6205250516142bd1e58d36fb54ed48390e8bb4ad545d2ab78b1fae5714d312f439c975f79937608634cccbb70b20f087ddd38eaf6b
- memory/1336-5-0x0000000000000000-mapping.dmp
- memory/1584-7-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1584-8-0x0000000000446C7E-mapping.dmp
- memory/1584-9-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1584-10-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1584-11-0x0000000073790000-0x0000000073E7E000-memory.dmp
  Filesize: 6.9MB
- memory/1668-0-0x00000000744C0000-0x0000000074BAE000-memory.dmp
  Filesize: 6.9MB
- memory/1668-1-0x00000000008E0000-0x00000000008E1000-memory.dmp
  Filesize: 4KB
- memory/1668-3-0x00000000002E0000-0x00000000002EF000-memory.dmp
  Filesize: 60KB
- memory/1668-4-0x0000000004160000-0x00000000041AD000-memory.dmp
  Filesize: 308KB