Analysis
- max time kernel: 150s
- max time network: 91s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 25-01-2021 06:23
Static task: static1
Behavioral task: behavioral1
- Sample: REVISED PROFORMA INVOICE.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: REVISED PROFORMA INVOICE.exe
- Resource: win10v20201028
General
- Target: REVISED PROFORMA INVOICE.exe
- Size: 1.5MB
- MD5: ea2c4b1f17a5113a551ec7779d30bc2e
- SHA1: e89f81052d5f40fd759deb1f1fd3bc0a2a3c7c37
- SHA256: 92d887eebd56236c7b64d7c4df54d34b63910982eddf27769b942d524c39a4a3
- SHA512: ebdcf6da3caa104a095f36d59579743ad6c771dd2cda9eba4e6d23c7d00026e8c065919535dd1bb24000d5cbe6d9fe9b5159ac867fbff29bd2c5d4fb795eb81e
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.goldenamoonresorts.com
- Port: 587
- Username: [email protected]
- Password: golden@123
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Resources matching YARA rule family_agenttesla:
  - behavioral1/memory/1120-8-0x00000000004610FE-mapping.dmp
  - behavioral1/memory/1120-7-0x0000000000400000-0x0000000000466000-memory.dmp
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / PID / process / target process):
  - PID 792 set thread context of 1120 / 792 / REVISED PROFORMA INVOICE.exe / REVISED PROFORMA INVOICE.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (PID / process):
  - 792 / REVISED PROFORMA INVOICE.exe (3 events)
  - 1120 / REVISED PROFORMA INVOICE.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / PID / process):
  - Token: SeDebugPrivilege / 792 / REVISED PROFORMA INVOICE.exe
  - Token: SeDebugPrivilege / 1120 / REVISED PROFORMA INVOICE.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description / PID / process / target process):
  - PID 792 wrote to memory of 900 / 792 / REVISED PROFORMA INVOICE.exe / schtasks.exe (4 events)
  - PID 792 wrote to memory of 588 / 792 / REVISED PROFORMA INVOICE.exe / REVISED PROFORMA INVOICE.exe (4 events)
  - PID 792 wrote to memory of 1120 / 792 / REVISED PROFORMA INVOICE.exe / REVISED PROFORMA INVOICE.exe (9 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\REVISED PROFORMA INVOICE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\REVISED PROFORMA INVOICE.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lUXcvyz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2A0.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\REVISED PROFORMA INVOICE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\REVISED PROFORMA INVOICE.exe"
  - C:\Users\Admin\AppData\Local\Temp\REVISED PROFORMA INVOICE.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\REVISED PROFORMA INVOICE.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp2A0.tmp
  - MD5: f8a982e9115701fd65ab518b4e67475b
  - SHA1: 847d8e1f1eba6df33485132a7ec8fbe60110dc38
  - SHA256: 132e3f8f1565172e098c8f1f87ae560597f433b9d103ce5c14e32fbe6b68d7d4
  - SHA512: 43f7f47449a955bc06e348802be8f40ecac8ccbc25750632a77a152b07bd530ba891e34588092112923039b6fa1b778677b3b5d3f687ad208efb4f4038041df1
- memory/792-2-0x00000000765E1000-0x00000000765E3000-memory.dmp (Filesize: 8KB)
- memory/792-3-0x0000000002170000-0x0000000002171000-memory.dmp (Filesize: 4KB)
- memory/792-4-0x0000000002171000-0x0000000002172000-memory.dmp (Filesize: 4KB)
- memory/900-5-0x0000000000000000-mapping.dmp
- memory/1120-8-0x00000000004610FE-mapping.dmp
- memory/1120-7-0x0000000000400000-0x0000000000466000-memory.dmp (Filesize: 408KB)
- memory/1120-10-0x00000000002E0000-0x00000000002E1000-memory.dmp (Filesize: 4KB)
- memory/1120-11-0x00000000002E2000-0x00000000002E3000-memory.dmp (Filesize: 4KB)