Analysis
- max time kernel: 142s
- max time network: 144s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:37
Behavioral task behavioral1
- Sample: revised invice.exe
- Resource: win7v20201028
Behavioral task behavioral2
- Sample: revised invice.exe
- Resource: win10v20201028
General
- Target: revised invice.exe
- Size: 549KB
- MD5: fa4df694ec1e19c5ad3a142fb849a171
- SHA1: 6e8379dc7a5fb7b7f67a4f31817c38dea632b89a
- SHA256: d0b87c89ca8f853d80565f7381435da6801641f2083e3011dcaefa278c402785
- SHA512: 1eac1101e159009dcf73e87cfe61470b6d81b4a068e0d4eb501d03e048cec9de10127ea1c053141efa2807e1db4db20fd9e6fce709bb5bccf435a350fca2a38f
Malware Config
Extracted
- Protocol: smtp
- Host: theroyalsandskohrong.com
- Port: 587
- Username: marine@theroyalsandskohrong.com
- Password: Royal@2019
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: theroyalsandskohrong.com
- Port: 587
- Username: marine@theroyalsandskohrong.com
- Password: Royal@2019
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4064-5-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
behavioral2/memory/4064-6-0x000000000044CDEE-mapping.dmp | family_agenttesla
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 4684 set thread context of 4064 | 4684 | revised invice.exe | revised invice.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid | process
4684 | revised invice.exe
4684 | revised invice.exe
4684 | revised invice.exe
4684 | revised invice.exe
4684 | revised invice.exe
4064 | revised invice.exe
4064 | revised invice.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4684 | revised invice.exe
Token: SeDebugPrivilege | 4064 | revised invice.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
4684 | revised invice.exe
4684 | revised invice.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description | pid | process | target process
PID 4684 wrote to memory of 3184 | 4684 | revised invice.exe | schtasks.exe (3 entries)
PID 4684 wrote to memory of 2476 | 4684 | revised invice.exe | revised invice.exe (3 entries)
PID 4684 wrote to memory of 2128 | 4684 | revised invice.exe | revised invice.exe (3 entries)
PID 4684 wrote to memory of 4064 | 4684 | revised invice.exe | revised invice.exe (8 entries)
PID 4064 wrote to memory of 1320 | 4064 | revised invice.exe | netsh.exe (3 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\revised invice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\revised invice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RVYivzbHtgCce" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8785.tmp"
    - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\revised invice.exe
    Command line: "{path}"
  - [2] C:\Users\Admin\AppData\Local\Temp\revised invice.exe
    Command line: "{path}"
  - [2] C:\Users\Admin\AppData\Local\Temp\revised invice.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\revised invice.exe.log
  MD5: 2ce1b56364fa233e3c3b24c1094c08ef
  SHA1: 6bd332829aebe567d7b2cb1fd9a82dfe1791052f
  SHA256: dcf175d01a6de724456eebafad26562a1c6c59bb61ed4a40675e80b7dbc5680e
  SHA512: 5abf87138689fdc6f8f79c130c3511c863bac1fb0acc60525bc660c532276e3e0037134a9653e0b4f9a77142236cc18144e90bb40ace7271d6eb57fcf438bfe9
- C:\Users\Admin\AppData\Local\Temp\tmp8785.tmp
  MD5: 02a2193780b7f991094c5893d8290e4f
  SHA1: b1b678f673949ec75f53f523d4c95babff7c0a67
  SHA256: ce23520f0813a824eea3fb3383d092c259f48f9ff59a5fffb6b3663e10a21f5c
  SHA512: 6c9e246f81614e97ab1d4ec0df7d41d2f136af15606eedbab0906951420433538b01621c283f08c62b5eb34d00416d4fb1cec26b7c59a2432170c899248fe8fb
- memory/1320-9-0x0000000000000000-mapping.dmp
- memory/3184-3-0x0000000000000000-mapping.dmp
- memory/4064-5-0x0000000000400000-0x0000000000452000-memory.dmp
  Filesize: 328KB
- memory/4064-6-0x000000000044CDEE-mapping.dmp