Analysis
- Max time kernel: 147s
- Max time network: 124s
- Platform: windows7_x64
- Resource: win7v20210410
- Submitted: 11-05-2021 14:05
- Static task: static1
- Behavioral task: behavioral1 (sample: DUE INVOICES.exe, resource: win7v20210410)
- Behavioral task: behavioral2 (sample: DUE INVOICES.exe, resource: win10v20210410)
General
- Target: DUE INVOICES.exe
- Size: 958KB
- MD5: c3dd015c631875adfecc6c229b474cf4
- SHA1: 26835d1df6761a455b6645fd27dba5dc7ed506b3
- SHA256: 7299f2323910def53bb344e98441a66dba82b84b0d8ec89dbddf0ee6a936280a
- SHA512: dab1e8d81bcbf7a79aa454711a02c8f6cc39ce7aa07031a7891f57aba9f4bdb5a8d215436ff912a615954ace3d43a5d81e8fd01c08694585c4bbbf80967ecb4c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.sat0rius.com
- Port: 587
- Username: sahar.fuchs@sat0rius.com
- Password: Almaseera_delta_0000
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  Memory dumps matching yara rule family_agenttesla:
  - behavioral1/memory/960-68-0x0000000000400000-0x000000000043C000-memory.dmp
  - behavioral1/memory/960-69-0x000000000043759E-mapping.dmp
  - behavioral1/memory/960-70-0x0000000000400000-0x000000000043C000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process DUE INVOICES.exe set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\newapp = "C:\\Users\\Admin\\AppData\\Roaming\\newapp\\newapp.exe"
- Suspicious use of SetThreadContext (1 IoC)
  PID 1864 (DUE INVOICES.exe) set thread context of PID 960 (DUE INVOICES.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - PID 1864 DUE INVOICES.exe (2 events)
  - PID 960 DUE INVOICES.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 1864 DUE INVOICES.exe
  - Token: SeDebugPrivilege, PID 960 DUE INVOICES.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  - PID 1864 (DUE INVOICES.exe) wrote to memory of PID 380 (schtasks.exe): 4 events
  - PID 1864 (DUE INVOICES.exe) wrote to memory of PID 440 (DUE INVOICES.exe): 4 events
  - PID 1864 (DUE INVOICES.exe) wrote to memory of PID 960 (DUE INVOICES.exe): 9 events
Processes
- C:\Users\Admin\AppData\Local\Temp\DUE INVOICES.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DUE INVOICES.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OOzsNXDsbStEu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB700.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\DUE INVOICES.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DUE INVOICES.exe"
  - C:\Users\Admin\AppData\Local\Temp\DUE INVOICES.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DUE INVOICES.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpB700.tmp
  MD5: 218ce78e92d1c163a0b56e991fbee11a
  SHA1: 0d7bf4732da3aa86e33573632058f721d162deef
  SHA256: c3b730474737186238d52f4a5d10cfb89997bb0eae8975fa56091c1c2a5f09d4
  SHA512: 68c593c36d56363f00e016b8335a493f68cf08c544599f1105b75accc6b303e5057e9837497c0a36f3d596aeeb700a439403792bdffb508aebbc9f1a3e709ab9
- memory/380-66-0x0000000000000000-mapping.dmp
- memory/960-68-0x0000000000400000-0x000000000043C000-memory.dmp (filesize 240KB)
- memory/960-69-0x000000000043759E-mapping.dmp
- memory/960-70-0x0000000000400000-0x000000000043C000-memory.dmp (filesize 240KB)
- memory/960-72-0x0000000004980000-0x0000000004981000-memory.dmp (filesize 4KB)
- memory/1864-60-0x0000000000EC0000-0x0000000000EC1000-memory.dmp (filesize 4KB)
- memory/1864-62-0x0000000000600000-0x0000000000604000-memory.dmp (filesize 16KB)
- memory/1864-63-0x0000000004C10000-0x0000000004C11000-memory.dmp (filesize 4KB)
- memory/1864-64-0x0000000005140000-0x0000000005218000-memory.dmp (filesize 864KB)
- memory/1864-65-0x00000000053E0000-0x000000000547F000-memory.dmp (filesize 636KB)