Analysis
- max time kernel: 103s
- max time network: 53s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 24-06-2021 12:01
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Invoice_document06242021.exe; Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: Invoice_document06242021.exe; Resource: win10v20210408)
General
- Target: Invoice_document06242021.exe
- Size: 1.2MB
- MD5: 22038021ba9ff2f1b233ce4f4a1ab217
- SHA1: a22086e8da15b3dd87e83573fc89da4dbd4d1fcd
- SHA256: 1ec3c886cd082c50a8f309de7277c015d49233865dc746a60cbc671df523367d
- SHA512: aa93db72a9a896069ccb4295069b912f421264858cb42bbc58999be70999dc5283dbf4b69cbebd32d0426c76ac7be5a5a0c49c8095d031e4e85e542d73bd915f
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.vivaldi.net
- Port: 587
- Username: elshcap@vivaldi.net
- Password: uiU2mz9aspuHUM3
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/640-68-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral1/memory/640-69-0x00000000004375CE-mapping.dmp | family_agenttesla
  behavioral1/memory/640-70-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Invoice_document06242021.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\filename.exe = "C:\\Users\\Admin\\AppData\\Roaming\\filename.exe\\filename.exe.exe" | Invoice_document06242021.exe
- Suspicious use of SetThreadContext (1 IoC)
  Process: Invoice_document06242021.exe
  description | pid | process | target process
  PID 368 set thread context of 640 | 368 | Invoice_document06242021.exe | Invoice_document06242021.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: Invoice_document06242021.exe, Invoice_document06242021.exe
  pid | process
  368 | Invoice_document06242021.exe
  640 | Invoice_document06242021.exe
  640 | Invoice_document06242021.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Invoice_document06242021.exe, Invoice_document06242021.exe
  description | pid | process
  Token: SeDebugPrivilege | 368 | Invoice_document06242021.exe
  Token: SeDebugPrivilege | 640 | Invoice_document06242021.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Process: Invoice_document06242021.exe
  description | pid | process | target process
  PID 368 wrote to memory of 1632 | 368 | Invoice_document06242021.exe | schtasks.exe (4 entries)
  PID 368 wrote to memory of 640 | 368 | Invoice_document06242021.exe | Invoice_document06242021.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Invoice_document06242021.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice_document06242021.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xESkNZNT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp97AD.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Invoice_document06242021.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice_document06242021.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp97AD.tmp
  MD5: 8b8884b40be0788d0eb6212e36f5ce67
  SHA1: 8cfedca2b8e3e798a53e2859fdb800f9c8e96eb7
  SHA256: b0a36886b054dfa0ad0bd80b6f4c8993892a944cd2fe1c6cf07c1c1e656d7ac3
  SHA512: 6cb477c75d08f7a8ee4a499405ef73c52ac4e493a5221ec5d3c3c064fe3bec43bcbd47888d286f3de18945f37bf46f5887276059d691902698cf8245af35f8ef
- memory/368-60-0x0000000001170000-0x0000000001171000-memory.dmp (Filesize: 4KB)
- memory/368-62-0x00000000002A0000-0x00000000002B0000-memory.dmp (Filesize: 64KB)
- memory/368-63-0x0000000004DF0000-0x0000000004DF1000-memory.dmp (Filesize: 4KB)
- memory/368-64-0x00000000054E0000-0x000000000555B000-memory.dmp (Filesize: 492KB)
- memory/368-65-0x0000000000B30000-0x0000000000B7C000-memory.dmp (Filesize: 304KB)
- memory/640-68-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/640-69-0x00000000004375CE-mapping.dmp
- memory/640-70-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/640-72-0x0000000000BB0000-0x0000000000BB1000-memory.dmp (Filesize: 4KB)
- memory/1632-66-0x0000000000000000-mapping.dmp