invoice.exe

General

Target:    invoice.exe
Filesize:  1MB
Completed: 27-07-2021 23:43
Score:     10/10
MD5:       ffce81b27dd34935f5371161cc84891b
SHA1:      a55136da4f4640bde0732f586b07e878be9d6c94
SHA256:    d94d8b336a0abcfb47c21091d7e6ea47539cdb4a16c378ea3aa54ee28c15b7c9

Malware Config

Extracted

Family: agenttesla
Credentials
  Protocol: smtp
  Host:     mail.marcer.com.tr
  Port:     587
  Username: muhasebe@marcer.com.tr
  Password: mar1453

Signatures (14)

Tactics: Collection, Credential Access, Defense Evasion, Discovery, Persistence

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/580-67-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral1/memory/580-68-0x000000000043760E-mapping.dmp | family_agenttesla
    behavioral1/memory/580-69-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  • Drops file in Drivers directory
    invoice.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | invoice.exe
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System, Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    invoice.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe" | invoice.exe
  • Suspicious use of SetThreadContext
    invoice.exe

    Reported IOCs

    description | pid | process | target process
    PID 1644 set thread context of 580 | 1644 | invoice.exe | invoice.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    524 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    invoice.exe, invoice.exe

    Reported IOCs

    pid | process
    1644 | invoice.exe
    580 | invoice.exe
    580 | invoice.exe
  • Suspicious use of AdjustPrivilegeToken
    invoice.exe, invoice.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1644 | invoice.exe
    Token: SeDebugPrivilege | 580 | invoice.exe
  • Suspicious use of SetWindowsHookEx
    invoice.exe

    Reported IOCs

    pid | process
    580 | invoice.exe
  • Suspicious use of WriteProcessMemory
    invoice.exe

    Reported IOCs

    description | pid | process | target process
    PID 1644 wrote to memory of 524 | 1644 | invoice.exe | schtasks.exe
    PID 1644 wrote to memory of 524 | 1644 | invoice.exe | schtasks.exe
    PID 1644 wrote to memory of 524 | 1644 | invoice.exe | schtasks.exe
    PID 1644 wrote to memory of 524 | 1644 | invoice.exe | schtasks.exe
    PID 1644 wrote to memory of 580 | 1644 | invoice.exe | invoice.exe
    PID 1644 wrote to memory of 580 | 1644 | invoice.exe | invoice.exe
    PID 1644 wrote to memory of 580 | 1644 | invoice.exe | invoice.exe
    PID 1644 wrote to memory of 580 | 1644 | invoice.exe | invoice.exe
    PID 1644 wrote to memory of 580 | 1644 | invoice.exe | invoice.exe
    PID 1644 wrote to memory of 580 | 1644 | invoice.exe | invoice.exe
    PID 1644 wrote to memory of 580 | 1644 | invoice.exe | invoice.exe
    PID 1644 wrote to memory of 580 | 1644 | invoice.exe | invoice.exe
    PID 1644 wrote to memory of 580 | 1644 | invoice.exe | invoice.exe
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WjthBIdkPPkva" /XML "C:\Users\Admin\AppData\Local\Temp\tmp447F.tmp"
      Creates scheduled task(s)
      PID:524
    • C:\Users\Admin\AppData\Local\Temp\invoice.exe
      "{path}"
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:580
Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp447F.tmp
    MD5:    3abd69a7bff8704f57e19072d77cc155
    SHA1:   912d59479f9de47e71591648570b4577efb97690
    SHA256: d99ede4897c6c23e0d3cd43070f0bba3dc207303b0c2fa74438697333fe9cb2f
    SHA512: 8e0135e54418b7c22d8bc4d12e5c80f03ca8fd69fabfac820d7f467e184c0dcce442ad2c79ee4ffb123d0b34978457561ee458035b527d09906da2a986c65289

  • memory/524-65-0x0000000000000000-mapping.dmp
  • memory/580-67-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/580-68-0x000000000043760E-mapping.dmp
  • memory/580-69-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/580-71-0x0000000004E50000-0x0000000004E51000-memory.dmp
  • memory/580-72-0x0000000004E51000-0x0000000004E52000-memory.dmp
  • memory/1644-59-0x0000000000910000-0x0000000000911000-memory.dmp
  • memory/1644-61-0x00000000073B0000-0x00000000073B1000-memory.dmp
  • memory/1644-62-0x00000000003B0000-0x00000000003B2000-memory.dmp
  • memory/1644-63-0x0000000007FA0000-0x0000000008054000-memory.dmp
  • memory/1644-64-0x0000000007690000-0x000000000770A000-memory.dmp