Analysis
- max time kernel: 138s
- max time network: 15s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 19-04-2021 06:57
Static task: static1
Behavioral task: behavioral1
  Sample: Proforma Invoice.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Proforma Invoice.exe
  Resource: win10v20210410
General
- Target: Proforma Invoice.exe
- Size: 673KB
- MD5: b1996ce7fe4ba0cfda8796343f8a5b0f
- SHA1: 0806e4664dc3cf5f1ff3fdac131dfff92e09b830
- SHA256: 75b5a3352b14a3d4a5dcbf496a997507edd6d5fdd641fdd37747f21ec6ae7efd
- SHA512: 33c846d73fc0e05d5bbff1cd1d7e243ea27305bb26e81e7115c9e9276440bbdbdb6761b355234e9d6900f9d7d9dc56ef185d58e44dfea8af9cf1cce6a54b4540
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.bzuriyeh.com
- Port: 587
- Username: [email protected]
- Password: fk1475369MUM?
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1120-69-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral1/memory/1120-70-0x000000000043762E-mapping.dmp | family_agenttesla
  behavioral1/memory/1120-71-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- Drops file in Drivers directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe" | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1652 set thread context of 1120 | 1652 | Proforma Invoice.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | process
  1652 | Proforma Invoice.exe
  1120 | RegSvcs.exe
  1120 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1652 | Proforma Invoice.exe
  Token: SeDebugPrivilege | 1120 | RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1120 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  description | pid | process | target process | count
  PID 1652 wrote to memory of 796 | 1652 | Proforma Invoice.exe | schtasks.exe | 4
  PID 1652 wrote to memory of 1120 | 1652 | Proforma Invoice.exe | RegSvcs.exe | 12
Processes
- C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"
  PID: 1652
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2, child of PID 1652)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DyZrxifRm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A5.tmp"
    PID: 796
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2, child of PID 1652)
    Command line: "{path}"
    PID: 1120
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6A5.tmp
  MD5: 1dd365867bf8111d3fd42d529e8ad407
  SHA1: 6efbdf887abe94ee9bf772b3b9bf12818f0c47da
  SHA256: 932b25e22a8649530397e44181da1a7cdf9cedba8cf40765ec7321f67a731d58
  SHA512: 72d53cfcf6ab454c40be7b63cb91388bed9889124b6f989b2d194fb83bda74de29e562806a35afdbf9ab97a1052297785ac7a17adde0d28860608577f49457e2