Analysis
- max time kernel: 125s
- max time network: 60s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 11-05-2021 08:23
- Static task: static1
- Behavioral task: behavioral1 (Sample: INVOICE34_56730015.exe, Resource: win7v20210408)
- Behavioral task: behavioral2 (Sample: INVOICE34_56730015.exe, Resource: win10v20210410)
General
- Target: INVOICE34_56730015.exe
- Size: 801KB
- MD5: ad623a158d7f37f547dee2ba01646c0d
- SHA1: 3d55829677ffb85e1be6feded9bec255163fe250
- SHA256: 3e144aa347f286c75f9ffe827f6239652065f468794bf567e47d87e29c3ea53b
- SHA512: 756d907400810a392d43a7a87a44a7331383463f6a0b6b4608f83542736436d9665b5e3d6e2fffebd532aa43680d339baa344d60d7274dd26ef2f3f64f4dba9c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.dadabhoy.edu.pk
- Port: 587
- Username: ghulam.sarwar@dadabhoy.edu.pk
- Password: Dadabhoy.456
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1384-66-0x000000000043754E-mapping.dmp | family_agenttesla
  behavioral1/memory/1384-65-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1088 set thread context of 1384 | 1088 | INVOICE34_56730015.exe | INVOICE34_56730015.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  1088 | INVOICE34_56730015.exe
  1384 | INVOICE34_56730015.exe
  1384 | INVOICE34_56730015.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1088 | INVOICE34_56730015.exe
  Token: SeDebugPrivilege | 1384 | INVOICE34_56730015.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  description | pid | process | target process
  PID 1088 wrote to memory of 976 | 1088 | INVOICE34_56730015.exe | schtasks.exe (4 entries)
  PID 1088 wrote to memory of 1384 | 1088 | INVOICE34_56730015.exe | INVOICE34_56730015.exe (9 entries)
  PID 1384 wrote to memory of 1736 | 1384 | INVOICE34_56730015.exe | dw20.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\INVOICE34_56730015.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE34_56730015.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aYuZDqTXEzFrc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D9C.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\INVOICE34_56730015.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE34_56730015.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 520
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3D9C.tmp
  MD5: 1df55c94d58a52009bce6d68af7d3805
  SHA1: b413d5f1495347ac924a462daed0e7bdc870ecd4
  SHA256: 2e1d5ab0a53635e48352bd9d8b11e5443b34560f6d0efcdf74a141b814328ec3
  SHA512: 7f0c4dca06b7de53d3f49ea1866dc1a8d7a1079667f13c042fc2a6db8023f6d609992b666c87494b452c74ae14b720fd36590e19861b59d865ca74a343e828f2
- memory/976-63-0x0000000000000000-mapping.dmp
- memory/1088-60-0x00000000001E0000-0x00000000001E1000-memory.dmp (Filesize: 4KB)
- memory/1088-61-0x0000000075DA1000-0x0000000075DA3000-memory.dmp (Filesize: 8KB)
- memory/1088-62-0x00000000001E1000-0x00000000001E2000-memory.dmp (Filesize: 4KB)
- memory/1384-66-0x000000000043754E-mapping.dmp
- memory/1384-65-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1384-68-0x00000000009C0000-0x00000000009C1000-memory.dmp (Filesize: 4KB)
- memory/1736-69-0x0000000000000000-mapping.dmp
- memory/1736-71-0x0000000001DA0000-0x0000000001DA1000-memory.dmp (Filesize: 4KB)