Analysis
  max time kernel: 100s
  max time network: 119s
  platform: windows7_x64
  resource: win7v20201028
  submitted: 26-02-2021 07:13
  Static task: static1
  Behavioral task: behavioral1 (sample INVOICE-0899877.jar, resource win7v20201028)
  Behavioral task: behavioral2 (sample INVOICE-0899877.jar, resource win10v20201028)
General
  Target: INVOICE-0899877.jar
  Size: 1.0MB
  MD5: 69177a6a0ac1953b7fe870f44d0b08b5
  SHA1: 050090f180f571711def0706a23e32a715ec5be5
  SHA256: 381768716f30918b472bb41e9aca29d1b01643ec1892545453d104f03bc2a612
  SHA512: b03921f0e1ad1df192b6c85663fdcb22700808829c02356ee9a82623267553b77b974f14bdf710b4fd523ccee97c0d31cae9fcf0989c85712f65e607e7a665dd
Malware Config
  Extracted: agenttesla
  Protocol: smtp
  Host: mail.potagrup.com
  Port: 587
  Username: [email protected]
  Password: Pgrup@2021
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Snake Keylogger
  Keylogger and infostealer first seen in November 2020.

Snake Keylogger Payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/528-22-0x0000000000400000-0x00000000004D3000-memory.dmp | family_snakekeylogger
  behavioral1/memory/528-35-0x0000000000400000-0x00000000004D3000-memory.dmp | family_snakekeylogger
  \Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe | family_snakekeylogger
  C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe | family_snakekeylogger
  C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe | family_snakekeylogger
AgentTesla Payload (11 IoCs)
  resource | yara_rule
  behavioral1/memory/528-22-0x0000000000400000-0x00000000004D3000-memory.dmp | family_agenttesla
  behavioral1/memory/528-23-0x000000000040104C-mapping.dmp | family_agenttesla
  \Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe | family_agenttesla
  \Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe | family_agenttesla
  C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe | family_agenttesla
  \Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe | family_agenttesla
  behavioral1/memory/528-35-0x0000000000400000-0x00000000004D3000-memory.dmp | family_agenttesla
  C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe | family_agenttesla
  C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe | family_agenttesla
  C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe | family_agenttesla
  \Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe | family_agenttesla
Beds Protector Packer (1 IoC)
  Detects Beds Protector packer used to load .NET malware.
  resource | yara_rule
  behavioral1/memory/1544-10-0x00000000048F0000-0x00000000049F3000-memory.dmp | beds_protector
Executes dropped EXE (5 IoCs)
  pid | process
  1544 | cb1M.exe
  528 | cb1M.exe
  272 | 0RIGIN 2.0.exe
  1064 | 0RIGIN 4.0.exe
  476 | PGRUP SNAKE2021.exe
Drops startup file (2 IoCs)
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Powershell.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe | Powershell.exe
Loads dropped DLL (6 IoCs)
  pid | process
  1544 | cb1M.exe
  528 | cb1M.exe
  528 | cb1M.exe
  528 | cb1M.exe
  528 | cb1M.exe
  1908 | dw20.exe
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | checkip.dyndns.org
  9 | freegeoip.app
  10 | freegeoip.app
Suspicious use of SetThreadContext (1 IoC)
  description | pid process | target process
  PID 1544 set thread context of 528 | 1544 cb1M.exe | cb1M.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | process
  1752 | Powershell.exe
  1752 | Powershell.exe
  476 | PGRUP SNAKE2021.exe
  1064 | 0RIGIN 4.0.exe
  1064 | 0RIGIN 4.0.exe
  272 | 0RIGIN 2.0.exe
  272 | 0RIGIN 2.0.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1752 | Powershell.exe
  Token: SeDebugPrivilege | 476 | PGRUP SNAKE2021.exe
  Token: SeDebugPrivilege | 1064 | 0RIGIN 4.0.exe
  Token: SeDebugPrivilege | 272 | 0RIGIN 2.0.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  1932 | java.exe
  528 | cb1M.exe
Suspicious use of WriteProcessMemory (32 IoCs)
  description | pid process | target process
  PID 1932 wrote to memory of 1544 | 1932 java.exe | cb1M.exe
  PID 1932 wrote to memory of 1544 | 1932 java.exe | cb1M.exe
  PID 1932 wrote to memory of 1544 | 1932 java.exe | cb1M.exe
  PID 1932 wrote to memory of 1544 | 1932 java.exe | cb1M.exe
  PID 1544 wrote to memory of 1752 | 1544 cb1M.exe | Powershell.exe
  PID 1544 wrote to memory of 1752 | 1544 cb1M.exe | Powershell.exe
  PID 1544 wrote to memory of 1752 | 1544 cb1M.exe | Powershell.exe
  PID 1544 wrote to memory of 1752 | 1544 cb1M.exe | Powershell.exe
  PID 1544 wrote to memory of 528 | 1544 cb1M.exe | cb1M.exe
  PID 1544 wrote to memory of 528 | 1544 cb1M.exe | cb1M.exe
  PID 1544 wrote to memory of 528 | 1544 cb1M.exe | cb1M.exe
  PID 1544 wrote to memory of 528 | 1544 cb1M.exe | cb1M.exe
  PID 1544 wrote to memory of 528 | 1544 cb1M.exe | cb1M.exe
  PID 1544 wrote to memory of 528 | 1544 cb1M.exe | cb1M.exe
  PID 1544 wrote to memory of 528 | 1544 cb1M.exe | cb1M.exe
  PID 1544 wrote to memory of 528 | 1544 cb1M.exe | cb1M.exe
  PID 528 wrote to memory of 272 | 528 cb1M.exe | 0RIGIN 2.0.exe
  PID 528 wrote to memory of 272 | 528 cb1M.exe | 0RIGIN 2.0.exe
  PID 528 wrote to memory of 272 | 528 cb1M.exe | 0RIGIN 2.0.exe
  PID 528 wrote to memory of 272 | 528 cb1M.exe | 0RIGIN 2.0.exe
  PID 528 wrote to memory of 1064 | 528 cb1M.exe | 0RIGIN 4.0.exe
  PID 528 wrote to memory of 1064 | 528 cb1M.exe | 0RIGIN 4.0.exe
  PID 528 wrote to memory of 1064 | 528 cb1M.exe | 0RIGIN 4.0.exe
  PID 528 wrote to memory of 1064 | 528 cb1M.exe | 0RIGIN 4.0.exe
  PID 528 wrote to memory of 476 | 528 cb1M.exe | PGRUP SNAKE2021.exe
  PID 528 wrote to memory of 476 | 528 cb1M.exe | PGRUP SNAKE2021.exe
  PID 528 wrote to memory of 476 | 528 cb1M.exe | PGRUP SNAKE2021.exe
  PID 528 wrote to memory of 476 | 528 cb1M.exe | PGRUP SNAKE2021.exe
  PID 272 wrote to memory of 1908 | 272 0RIGIN 2.0.exe | dw20.exe
  PID 272 wrote to memory of 1908 | 272 0RIGIN 2.0.exe | dw20.exe
  PID 272 wrote to memory of 1908 | 272 0RIGIN 2.0.exe | dw20.exe
  PID 272 wrote to memory of 1908 | 272 0RIGIN 2.0.exe | dw20.exe
Processes
  C:\Windows\system32\java.exe (PID 1932)
    command: java -jar C:\Users\Admin\AppData\Local\Temp\INVOICE-0899877.jar
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\cb1M.exe (PID 1544)
      command: C:\Users\Admin\cb1M.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe (PID 1752)
        command: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\cb1M.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
        - Drops startup file
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Users\Admin\cb1M.exe (PID 528)
        command: "C:\Users\Admin\cb1M.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe (PID 272)
          command: "C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe" 0
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 1908)
            command: dw20.exe -x -s 520
            - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe (PID 1064)
          command: "C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe" 0
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe (PID 476)
          command: "C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe" 0
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe
    MD5: 83f896eba915c6fcd3fd1913a39b9915
    SHA1: b17a0b610fec952f3669aedc8e46a2400bdb1787
    SHA256: 18c57360035b052fd617a5762fb35a9299f7428e6c331fd7b4c08f4d7ec8ecb9
    SHA512: f09a6c62fda5dedda7c8f0dda94bdcb7c6e0a2d2a511846907e1dc3db1a72269ca7163a1c90b2a94033817abcd4ccce11854c3a65e1799865df0f1cb76a60a74
  C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe
    MD5: bbc8f515c647cd3763f1586e15b5ead6
    SHA1: 8ade922f0dd917c53e5ca68e45cf5201d9a2a43b
    SHA256: 9a4820e61cb98fce467a1510ad20e9f11af4c4e3c8745695f008d72599a47813
    SHA512: d4b56b5241725358ff1a0dd4efe26317b6b64e0c9f8184aeb84ed23bafc7a25821e9ff30f69442d112f88e636d5e4c7125a72211241ea1fc1281a4f0df5468aa
  C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe
    MD5: 384c7a048993884b24056406e9226729
    SHA1: d5d87c41c862e3b74e9ba8eb0bb2147668815c44
    SHA256: eebf27101a97ad89df8e932c8003954b7e5ee6e9f4dca5e0880751d110946f35
    SHA512: 82fa49fc72df3f163855d2df103172be974fa6fc9f78b9b4192d66732ac48b21622663bed85f043a3e6c998326f28c7c43fb6fd3be5a25c951faf03172b28857
  C:\Users\Admin\cb1M.exe
    MD5: 97aa8299f3eae737008853b62609dc53
    SHA1: 33d2ad2819f64bd616f8a0a8964c582efdaeb25b
    SHA256: 3cd722ce7162ece3b9e69d6482a1e26c80fb0435bce8a13ab787a8b61ecf8cac
    SHA512: 630c09e8d1ffcc208f5338fa8eec082617ab270b7a18b5bc12ceac2bd10a56e157970417359af1f76d8184650c881108029419acb31d6077f6976c4afe99c391
  \Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe
    MD5: 83f896eba915c6fcd3fd1913a39b9915
    SHA1: b17a0b610fec952f3669aedc8e46a2400bdb1787
    SHA256: 18c57360035b052fd617a5762fb35a9299f7428e6c331fd7b4c08f4d7ec8ecb9
    SHA512: f09a6c62fda5dedda7c8f0dda94bdcb7c6e0a2d2a511846907e1dc3db1a72269ca7163a1c90b2a94033817abcd4ccce11854c3a65e1799865df0f1cb76a60a74
  \Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe
    MD5: bbc8f515c647cd3763f1586e15b5ead6
    SHA1: 8ade922f0dd917c53e5ca68e45cf5201d9a2a43b
    SHA256: 9a4820e61cb98fce467a1510ad20e9f11af4c4e3c8745695f008d72599a47813
    SHA512: d4b56b5241725358ff1a0dd4efe26317b6b64e0c9f8184aeb84ed23bafc7a25821e9ff30f69442d112f88e636d5e4c7125a72211241ea1fc1281a4f0df5468aa
  \Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe
    MD5: 384c7a048993884b24056406e9226729
    SHA1: d5d87c41c862e3b74e9ba8eb0bb2147668815c44
    SHA256: eebf27101a97ad89df8e932c8003954b7e5ee6e9f4dca5e0880751d110946f35
    SHA512: 82fa49fc72df3f163855d2df103172be974fa6fc9f78b9b4192d66732ac48b21622663bed85f043a3e6c998326f28c7c43fb6fd3be5a25c951faf03172b28857
  \Users\Admin\cb1M.exe
    MD5: 97aa8299f3eae737008853b62609dc53
    SHA1: 33d2ad2819f64bd616f8a0a8964c582efdaeb25b
    SHA256: 3cd722ce7162ece3b9e69d6482a1e26c80fb0435bce8a13ab787a8b61ecf8cac
    SHA512: 630c09e8d1ffcc208f5338fa8eec082617ab270b7a18b5bc12ceac2bd10a56e157970417359af1f76d8184650c881108029419acb31d6077f6976c4afe99c391
  memory dump | filesize
  memory/272-37-0x0000000000CD0000-0x0000000000CD1000-memory.dmp | 4KB
  memory/272-30-0x0000000000000000-mapping.dmp
  memory/476-47-0x00000000001E0000-0x00000000001E1000-memory.dmp | 4KB
  memory/476-52-0x0000000004980000-0x0000000004981000-memory.dmp | 4KB
  memory/476-45-0x0000000072A30000-0x000000007311E000-memory.dmp | 6.9MB
  memory/476-39-0x0000000000000000-mapping.dmp
  memory/528-22-0x0000000000400000-0x00000000004D3000-memory.dmp | 844KB
  memory/528-23-0x000000000040104C-mapping.dmp
  memory/528-35-0x0000000000400000-0x00000000004D3000-memory.dmp | 844KB
  memory/1064-42-0x0000000072A30000-0x000000007311E000-memory.dmp | 6.9MB
  memory/1064-76-0x0000000004921000-0x0000000004922000-memory.dmp | 4KB
  memory/1064-51-0x0000000004920000-0x0000000004921000-memory.dmp | 4KB
  memory/1064-46-0x00000000009C0000-0x00000000009C1000-memory.dmp | 4KB
  memory/1064-34-0x0000000000000000-mapping.dmp
  memory/1188-57-0x000007FEF5BC0000-0x000007FEF5E3A000-memory.dmp | 2.5MB
  memory/1544-7-0x0000000072A30000-0x000000007311E000-memory.dmp | 6.9MB
  memory/1544-20-0x00000000003B0000-0x00000000003BF000-memory.dmp | 60KB
  memory/1544-16-0x0000000004AA0000-0x0000000004AA1000-memory.dmp | 4KB
  memory/1544-4-0x0000000000000000-mapping.dmp
  memory/1544-10-0x00000000048F0000-0x00000000049F3000-memory.dmp | 1.0MB
  memory/1544-8-0x0000000000C80000-0x0000000000C81000-memory.dmp | 4KB
  memory/1752-18-0x00000000048C2000-0x00000000048C3000-memory.dmp | 4KB
  memory/1752-61-0x000000007EF30000-0x000000007EF31000-memory.dmp | 4KB
  memory/1752-14-0x0000000000430000-0x0000000000431000-memory.dmp | 4KB
  memory/1752-15-0x0000000004900000-0x0000000004901000-memory.dmp | 4KB
  memory/1752-19-0x0000000002010000-0x0000000002011000-memory.dmp | 4KB
  memory/1752-50-0x0000000002710000-0x0000000002711000-memory.dmp | 4KB
  memory/1752-17-0x00000000048C0000-0x00000000048C1000-memory.dmp | 4KB
  memory/1752-11-0x0000000000000000-mapping.dmp
  memory/1752-55-0x0000000005620000-0x0000000005621000-memory.dmp | 4KB
  memory/1752-13-0x0000000072A30000-0x000000007311E000-memory.dmp | 6.9MB
  memory/1752-62-0x00000000056B0000-0x00000000056B1000-memory.dmp | 4KB
  memory/1752-63-0x0000000006210000-0x0000000006211000-memory.dmp | 4KB
  memory/1752-12-0x00000000750C1000-0x00000000750C3000-memory.dmp | 8KB
  memory/1752-70-0x00000000061B0000-0x00000000061B1000-memory.dmp | 4KB
  memory/1908-71-0x0000000000000000-mapping.dmp
  memory/1908-72-0x0000000001F40000-0x0000000001F51000-memory.dmp | 68KB
  memory/1908-75-0x0000000000530000-0x0000000000531000-memory.dmp | 4KB
  memory/1932-3-0x0000000002120000-0x0000000002390000-memory.dmp | 2.4MB
  memory/1932-2-0x000007FEFB541000-0x000007FEFB543000-memory.dmp | 8KB