Analysis
- max time kernel: 86s
- max time network: 104s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: proforma invoice.exe
- Resource: win7v20201028
General
- Target: proforma invoice.exe
- Size: 453KB
- MD5: 04dfee364770b42beae6cd931bdff099
- SHA1: 30d15b8fa934d84cf8652e1d80b60a263e02c29e
- SHA256: 012edf2acec37175b25f3f4be8044f10a0113ce517d6240e4ac1536c9c45cbe8
- SHA512: aa3322534e3d483a45c9e3153cb45df6189628d69f9e26c2761fefb576ca9023dc0bfad6eeab3e02ecb06a740cee075f896ebff2351f216e80cef0497cfee714
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: m4rkusyoung@yandex.com
- Password: 123@Ossymbo
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in visual basic.
- AgentTesla Payload (2 IoCs)
  Processes (resource / yara_rule):
    behavioral2/memory/980-10-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
    behavioral2/memory/980-11-0x0000000000446C7E-mapping.dmp  family_agenttesla
- Processes (resource / yara_rule):
    behavioral2/memory/1160-6-0x0000000005360000-0x00000000053AD000-memory.dmp  rezer0
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 1160 set thread context of 980  1160  proforma invoice.exe  RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid / process):
    1160  proforma invoice.exe
    1160  proforma invoice.exe
    1160  proforma invoice.exe
    980   RegSvcs.exe
    980   RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1160  proforma invoice.exe
    Token: SeDebugPrivilege  980   RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
    980  RegSvcs.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
    PID 1160 wrote to memory of 784   1160  proforma invoice.exe  schtasks.exe  (3 entries)
    PID 1160 wrote to memory of 3280  1160  proforma invoice.exe  RegSvcs.exe   (3 entries)
    PID 1160 wrote to memory of 980   1160  proforma invoice.exe  RegSvcs.exe   (8 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\proforma invoice.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QoOHmrlf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA46.tmp"
      - Creates scheduled task(s)
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "{path}"
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpEA46.tmp
  MD5: 9423b5e4a7c54a032d7edf63f1008f39
  SHA1: 6d0e680e296db92023154111e10cbf8878a59ae8
  SHA256: f554919eac551046ea4ee4eb07a9e31232fbc6070645ea7dd8e06dd4a4f5f030
  SHA512: 62d6e4053955399f457bded88d108974b4e80947e74bffdf539db1788cc1511399f0721cd3a8523c8d0ccb88eaaba107dd72db952b38eff518085cad84920bf6
- memory/784-8-0x0000000000000000-mapping.dmp
- memory/980-20-0x00000000064E0000-0x00000000064E1000-memory.dmp (Filesize: 4KB)
- memory/980-18-0x0000000006020000-0x0000000006021000-memory.dmp (Filesize: 4KB)
- memory/980-17-0x0000000005880000-0x0000000005881000-memory.dmp (Filesize: 4KB)
- memory/980-12-0x0000000073A80000-0x000000007416E000-memory.dmp (Filesize: 6.9MB)
- memory/980-11-0x0000000000446C7E-mapping.dmp
- memory/980-10-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1160-4-0x0000000002480000-0x000000000248F000-memory.dmp (Filesize: 60KB)
- memory/1160-7-0x00000000058B0000-0x00000000058B1000-memory.dmp (Filesize: 4KB)
- memory/1160-6-0x0000000005360000-0x00000000053AD000-memory.dmp (Filesize: 308KB)
- memory/1160-5-0x0000000004F40000-0x0000000004F41000-memory.dmp (Filesize: 4KB)
- memory/1160-0-0x0000000073A80000-0x000000007416E000-memory.dmp (Filesize: 6.9MB)
- memory/1160-3-0x0000000004B80000-0x0000000004B81000-memory.dmp (Filesize: 4KB)
- memory/1160-1-0x0000000000310000-0x0000000000311000-memory.dmp (Filesize: 4KB)