invoice.exe

General

Target: invoice.exe
Filesize: 1MB
Completed: 27-07-2021 23:42
Score: 10/10
MD5: ffce81b27dd34935f5371161cc84891b
SHA1: a55136da4f4640bde0732f586b07e878be9d6c94
SHA256: d94d8b336a0abcfb47c21091d7e6ea47539cdb4a16c378ea3aa54ee28c15b7c9

Malware Config

Extracted

Family: agenttesla
Credentials
  Protocol: smtp
  Host: mail.marcer.com.tr
  Port: 587
  Username: muhasebe@marcer.com.tr
  Password: mar1453

Signatures 14

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3156-126-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral2/memory/3156-127-0x000000000043760E-mapping.dmp | family_agenttesla
    behavioral2/memory/3156-133-0x0000000005420000-0x000000000591E000-memory.dmp | family_agenttesla
  • Drops file in Drivers directory
    invoice.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | invoice.exe
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System
    Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System
    Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System
    Credentials in Files
  • Adds Run key to start application
    invoice.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe" | invoice.exe
  • Suspicious use of SetThreadContext
    invoice.exe

    Reported IOCs

    description | pid | process | target process
    PID 904 set thread context of 3156 | 904 | invoice.exe | invoice.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    2312 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    invoice.exe, invoice.exe

    Reported IOCs

    pid | process
    904 | invoice.exe
    3156 | invoice.exe
    3156 | invoice.exe
  • Suspicious use of AdjustPrivilegeToken
    invoice.exe, invoice.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 904 | invoice.exe
    Token: SeDebugPrivilege | 3156 | invoice.exe
  • Suspicious use of SetWindowsHookEx
    invoice.exe

    Reported IOCs

    pid | process
    3156 | invoice.exe
  • Suspicious use of WriteProcessMemory
    invoice.exe

    Reported IOCs

    description | pid | process | target process
    PID 904 wrote to memory of 2312 | 904 | invoice.exe | schtasks.exe
    PID 904 wrote to memory of 2312 | 904 | invoice.exe | schtasks.exe
    PID 904 wrote to memory of 2312 | 904 | invoice.exe | schtasks.exe
    PID 904 wrote to memory of 3156 | 904 | invoice.exe | invoice.exe
    PID 904 wrote to memory of 3156 | 904 | invoice.exe | invoice.exe
    PID 904 wrote to memory of 3156 | 904 | invoice.exe | invoice.exe
    PID 904 wrote to memory of 3156 | 904 | invoice.exe | invoice.exe
    PID 904 wrote to memory of 3156 | 904 | invoice.exe | invoice.exe
    PID 904 wrote to memory of 3156 | 904 | invoice.exe | invoice.exe
    PID 904 wrote to memory of 3156 | 904 | invoice.exe | invoice.exe
    PID 904 wrote to memory of 3156 | 904 | invoice.exe | invoice.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WjthBIdkPPkva" /XML "C:\Users\Admin\AppData\Local\Temp\tmp34CC.tmp"
      Creates scheduled task(s)
      PID:2312
    • C:\Users\Admin\AppData\Local\Temp\invoice.exe
      "{path}"
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3156
Network
MITRE ATT&CK Matrix

Tactic columns: Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoice.exe.log
    MD5: 0c2899d7c6746f42d5bbe088c777f94c
    SHA1: 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
    SHA256: 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
    SHA512: ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

  • C:\Users\Admin\AppData\Local\Temp\tmp34CC.tmp
    MD5: 66ebdb5c0b060a5d64e661db38a1c79d
    SHA1: 3097acc5e200ac93ee019b2e1e0ff5653a1589e0
    SHA256: 1ae1cb537eb344e9c22a06c64b6e87452f690ce6ca7544768709b0a66914deb4
    SHA512: 4dc595a90813ea930025f84960b8b9c2e5bbecbf1c19886c21f72f1b8281f4a8476caf1eced8299f8fa7ad44863fa2ac1cd3642a071ea1868a0e0c1adeccbf38
