Analysis
-
max time kernel
131s -
max time network
59s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
27-07-2021 23:40
Static task
static1
Behavioral task
behavioral1
Sample
invoice.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
invoice.exe
Resource
win10v20210408
General
-
Target
invoice.exe
-
Size
1.0MB
-
MD5
ffce81b27dd34935f5371161cc84891b
-
SHA1
a55136da4f4640bde0732f586b07e878be9d6c94
-
SHA256
d94d8b336a0abcfb47c21091d7e6ea47539cdb4a16c378ea3aa54ee28c15b7c9
-
SHA512
97e3c58cb513baa37b2e83c3704bbdca5886b51c0b780e12e84029683c3f9fab93966e68b0153aba2506dfe7dc3d04e275e5003e10f52a2b8f9d1b1b86244bbd
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.marcer.com.tr - Port:
587 - Username:
muhasebe@marcer.com.tr - Password:
mar1453
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/580-67-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/580-68-0x000000000043760E-mapping.dmp family_agenttesla behavioral1/memory/580-69-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla -
Drops file in Drivers directory 1 IoCs
Processes:
invoice.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts invoice.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
invoice.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe" invoice.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
invoice.exedescription pid process target process PID 1644 set thread context of 580 1644 invoice.exe invoice.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
invoice.exeinvoice.exepid process 1644 invoice.exe 580 invoice.exe 580 invoice.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
invoice.exeinvoice.exedescription pid process Token: SeDebugPrivilege 1644 invoice.exe Token: SeDebugPrivilege 580 invoice.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
invoice.exepid process 580 invoice.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
invoice.exedescription pid process target process PID 1644 wrote to memory of 524 1644 invoice.exe schtasks.exe PID 1644 wrote to memory of 524 1644 invoice.exe schtasks.exe PID 1644 wrote to memory of 524 1644 invoice.exe schtasks.exe PID 1644 wrote to memory of 524 1644 invoice.exe schtasks.exe PID 1644 wrote to memory of 580 1644 invoice.exe invoice.exe PID 1644 wrote to memory of 580 1644 invoice.exe invoice.exe PID 1644 wrote to memory of 580 1644 invoice.exe invoice.exe PID 1644 wrote to memory of 580 1644 invoice.exe invoice.exe PID 1644 wrote to memory of 580 1644 invoice.exe invoice.exe PID 1644 wrote to memory of 580 1644 invoice.exe invoice.exe PID 1644 wrote to memory of 580 1644 invoice.exe invoice.exe PID 1644 wrote to memory of 580 1644 invoice.exe invoice.exe PID 1644 wrote to memory of 580 1644 invoice.exe invoice.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\invoice.exe"C:\Users\Admin\AppData\Local\Temp\invoice.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WjthBIdkPPkva" /XML "C:\Users\Admin\AppData\Local\Temp\tmp447F.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\invoice.exe"{path}"2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp447F.tmpMD5
3abd69a7bff8704f57e19072d77cc155
SHA1912d59479f9de47e71591648570b4577efb97690
SHA256d99ede4897c6c23e0d3cd43070f0bba3dc207303b0c2fa74438697333fe9cb2f
SHA5128e0135e54418b7c22d8bc4d12e5c80f03ca8fd69fabfac820d7f467e184c0dcce442ad2c79ee4ffb123d0b34978457561ee458035b527d09906da2a986c65289
-
memory/524-65-0x0000000000000000-mapping.dmp
-
memory/580-67-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/580-68-0x000000000043760E-mapping.dmp
-
memory/580-69-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/580-71-0x0000000004E50000-0x0000000004E51000-memory.dmpFilesize
4KB
-
memory/580-72-0x0000000004E51000-0x0000000004E52000-memory.dmpFilesize
4KB
-
memory/1644-59-0x0000000000910000-0x0000000000911000-memory.dmpFilesize
4KB
-
memory/1644-61-0x00000000073B0000-0x00000000073B1000-memory.dmpFilesize
4KB
-
memory/1644-62-0x00000000003B0000-0x00000000003B2000-memory.dmpFilesize
8KB
-
memory/1644-63-0x0000000007FA0000-0x0000000008054000-memory.dmpFilesize
720KB
-
memory/1644-64-0x0000000007690000-0x000000000770A000-memory.dmpFilesize
488KB