Analysis
- max time kernel: 124s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 19-04-2021 06:57

Static task: static1

Behavioral task: behavioral1
- Sample: Proforma Invoice.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: Proforma Invoice.exe
- Resource: win10v20210410
General
- Target: Proforma Invoice.exe
- Size: 673KB
- MD5: b1996ce7fe4ba0cfda8796343f8a5b0f
- SHA1: 0806e4664dc3cf5f1ff3fdac131dfff92e09b830
- SHA256: 75b5a3352b14a3d4a5dcbf496a997507edd6d5fdd641fdd37747f21ec6ae7efd
- SHA512: 33c846d73fc0e05d5bbff1cd1d7e243ea27305bb26e81e7115c9e9276440bbdbdb6761b355234e9d6900f9d7d9dc56ef185d58e44dfea8af9cf1cce6a54b4540
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.bzuriyeh.com
- Port: 587
- Username: [email protected]
- Password: fk1475369MUM?
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/2100-127-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral2/memory/2100-128-0x000000000043762E-mapping.dmp | family_agenttesla
  behavioral2/memory/2100-133-0x0000000005230000-0x000000000572E000-memory.dmp | family_agenttesla
  behavioral2/memory/2100-138-0x0000000005230000-0x000000000572E000-memory.dmp | family_agenttesla
- Drops file in Drivers directory (1 IoC)
  Processes: RegSvcs.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegSvcs.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe" | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Proforma Invoice.exe
  description | pid | process | target process
  PID 2208 set thread context of 2100 | 2208 | Proforma Invoice.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: Proforma Invoice.exe, RegSvcs.exe
  pid | process
  2208 | Proforma Invoice.exe
  2208 | Proforma Invoice.exe
  2208 | Proforma Invoice.exe
  2100 | RegSvcs.exe
  2100 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Proforma Invoice.exe, RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 2208 | Proforma Invoice.exe
  Token: SeDebugPrivilege | 2100 | RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: RegSvcs.exe
  pid | process
  2100 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: Proforma Invoice.exe
  description | pid | process | target process
  PID 2208 wrote to memory of 2720 | 2208 | Proforma Invoice.exe | schtasks.exe (3 entries)
  PID 2208 wrote to memory of 3516 | 2208 | Proforma Invoice.exe | RegSvcs.exe (3 entries)
  PID 2208 wrote to memory of 2100 | 2208 | Proforma Invoice.exe | RegSvcs.exe (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe (PID 2208)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 2720)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DyZrxifRm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp91E5.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 3516)
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2100)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp91E5.tmp
  MD5: 28bd4d2db4af9a2694e831d9ca6fb117
  SHA1: 1486584f87d6e245e3aca5dcb2c36f545a444001
  SHA256: a477223d6dd3952c2a6b1f90d5f009e12e82165b9a48ab1df35080de63637282
  SHA512: b226460354fb9d51c61e1605792395d7b80b748ebcec089d430e770f8aa65083c7dda504fd888b3145c5e3022264b35c55ef84e6f0bded9152e946c1b2600f46
- memory/2100-138-0x0000000005230000-0x000000000572E000-memory.dmp (Filesize: 5.0MB)
- memory/2100-135-0x0000000005EA0000-0x0000000005EA1000-memory.dmp (Filesize: 4KB)
- memory/2100-134-0x0000000005710000-0x0000000005711000-memory.dmp (Filesize: 4KB)
- memory/2100-133-0x0000000005230000-0x000000000572E000-memory.dmp (Filesize: 5.0MB)
- memory/2100-128-0x000000000043762E-mapping.dmp
- memory/2100-127-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/2208-119-0x0000000007CC0000-0x0000000007CC1000-memory.dmp (Filesize: 4KB)
- memory/2208-123-0x0000000007FC0000-0x0000000008071000-memory.dmp (Filesize: 708KB)
- memory/2208-124-0x000000000A560000-0x000000000A5D8000-memory.dmp (Filesize: 480KB)
- memory/2208-122-0x000000007EAC0000-0x000000007EAC1000-memory.dmp (Filesize: 4KB)
- memory/2208-120-0x0000000005A30000-0x0000000005F2E000-memory.dmp (Filesize: 5.0MB)
- memory/2208-121-0x0000000005F00000-0x0000000005F05000-memory.dmp (Filesize: 20KB)
- memory/2208-114-0x0000000000FA0000-0x0000000000FA1000-memory.dmp (Filesize: 4KB)
- memory/2208-118-0x0000000005870000-0x0000000005871000-memory.dmp (Filesize: 4KB)
- memory/2208-117-0x0000000005910000-0x0000000005911000-memory.dmp (Filesize: 4KB)
- memory/2208-116-0x0000000005F30000-0x0000000005F31000-memory.dmp (Filesize: 4KB)
- memory/2720-125-0x0000000000000000-mapping.dmp