Analysis
- max time kernel: 151s
- max time network: 116s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 28-09-2021 06:09
Static task: static1
Behavioral task: behavioral1
- Sample: Revised Proforma Invoice_New order.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: Revised Proforma Invoice_New order.exe
- Resource: win10-en-20210920
General
- Target: Revised Proforma Invoice_New order.exe
- Size: 622KB
- MD5: 3a391e960ff363979a5ac9dc3a95c636
- SHA1: 8930a2e630f133dfb78e87e06b4f9ecd882a84e1
- SHA256: 8842d55ed240f4ed04d12d227dfd1c65bc20b72bf79fc5e40daf61d9f3f86d47
- SHA512: 9ad6f160cef7ba108a88ee963aa224c1766bfb183e7934a88b5a7019788b6874009a4a921f8b853329be940d08de74e3ddb0170e69b60152fbd950a5889a5926
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: s1.20mb.nl
- Port: 587
- Username: whitesend@billionv.com
- Password: fgd436-=/eVNM!!@#)mmnb
Port 587 is the SMTP submission port: this build mails its harvested data to the mailbox above, so the credentials are the operator's drop account, not a victim's. Outbound SMTP submission from a user-profile process to s1.20mb.nl is the network indicator to alert on.
Signatures
-
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and credential stealer (early builds were written in Visual Basic .NET); the CLR usage logs it drops below are consistent with a managed executable.
-
AgentTesla Payload 3 IoCs
YARA matches (all three fall in the hollowed child, PID 636):
resource | yara_rule
behavioral2/memory/636-189-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral2/memory/636-190-0x000000000043764E-mapping.dmp | family_agenttesla
behavioral2/memory/636-196-0x0000000005050000-0x000000000554E000-memory.dmp | family_agenttesla
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 3512 set thread context of 636 | 3512 | Revised Proforma Invoice_New order.exe | Revised Proforma Invoice_New order.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but the heuristic is generic: AgentTesla is a stealer, not ransomware, so here it is drive enumeration for data collection rather than encryption activity.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes (repeated rows in the sandbox output are collapsed by count):
pid | process | count
2228 | powershell.exe | 3
3992 | powershell.exe | 3
4564 | powershell.exe | 3
3512 | Revised Proforma Invoice_New order.exe | 2
636 | Revised Proforma Invoice_New order.exe | 2
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3512 | Revised Proforma Invoice_New order.exe
Token: SeDebugPrivilege | 2228 | powershell.exe
Token: SeDebugPrivilege | 3992 | powershell.exe
Token: SeDebugPrivilege | 4564 | powershell.exe
Token: SeDebugPrivilege | 636 | Revised Proforma Invoice_New order.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes (the 17 identical rows in the sandbox output are collapsed by count):
description | pid | process | target process | count
PID 3512 wrote to memory of 2228 | 3512 | Revised Proforma Invoice_New order.exe | powershell.exe | 3
PID 3512 wrote to memory of 3992 | 3512 | Revised Proforma Invoice_New order.exe | powershell.exe | 3
PID 3512 wrote to memory of 4564 | 3512 | Revised Proforma Invoice_New order.exe | powershell.exe | 3
PID 3512 wrote to memory of 636 | 3512 | Revised Proforma Invoice_New order.exe | Revised Proforma Invoice_New order.exe | 8
Processes
- C:\Users\Admin\AppData\Local\Temp\Revised Proforma Invoice_New order.exe
  "C:\Users\Admin\AppData\Local\Temp\Revised Proforma Invoice_New order.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Revised Proforma Invoice_New order.exe
    "C:\Users\Admin\AppData\Local\Temp\Revised Proforma Invoice_New order.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
The three powershell.exe children each run only Start-Sleep -s 5, a delay before the second-stage copy of the sample is started. Their image path is under SysWOW64 although the command line names System32: the parent is a 32-bit process and WOW64 file-system redirection resolves System32 to SysWOW64, which matches the CLR_v4.0_32 usage logs listed under Downloads.
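The SetThreadContext and WriteProcessMemory signatures and the process tree above describe one sequence: PID 3512 starts a second copy of its own image (PID 636), writes into it eight times and then sets its thread context, the classic process-hollowing pattern; the three powershell.exe children only sleep. The Python below, added here and not part of the Triage report, turns that into a detection routine over Sysmon/ETW-style process events. The event stream is constructed from the PIDs, image names and counts in this report; the Event type and field names are this example's own.

```python
"""Added example: detect the injection sequence this report shows, from
CreateProcess / WriteProcessMemory / SetThreadContext telemetry.

The event list is constructed from the PIDs and counts in the report. Field
names are this example's assumption, not a Sysmon or Triage schema.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE = "Revised Proforma Invoice_New order.exe"
POWERSHELL = "powershell.exe"


@dataclass(frozen=True)
class Event:
    kind: str                          # "create", "write_memory" or "set_thread_context"
    pid: int                           # acting process
    image: str                         # acting process image name
    target_pid: Optional[int] = None
    target_image: Optional[str] = None
    cmdline: str = ""                  # command line of the created process


def _stager(pid: int) -> list:
    """Constructed: the sample creates a powershell.exe child and, as
    CreateProcess itself does, writes to it three times. No SetThreadContext."""
    create = Event("create", 3512, SAMPLE, pid, POWERSHELL,
                   f'"{POWERSHELL}" Start-Sleep -s 5')
    return [create] + [Event("write_memory", 3512, SAMPLE, pid, POWERSHELL)] * 3


EVENTS = (
    _stager(2228) + _stager(3992) + _stager(4564)
    + [Event("create", 3512, SAMPLE, 636, SAMPLE, f'"{SAMPLE}"')]
    + [Event("write_memory", 3512, SAMPLE, 636, SAMPLE)] * 8
    + [Event("set_thread_context", 3512, SAMPLE, 636, SAMPLE)]
)

SLEEP_RE = re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.IGNORECASE)


def detect_hollowing(events, min_writes: int = 1):
    """(parent_pid, child_pid) pairs where the parent wrote into a child running
    the same image and then set its thread context. Writes alone are not a
    signal: CreateProcess writes process parameters into every new child (the
    three writes per powershell.exe child), so the rule keys on
    SetThreadContext plus the matching image name."""
    writes, ctx, same_image = Counter(), set(), set()
    for e in events:
        key = (e.pid, e.target_pid)
        if e.kind == "write_memory":
            writes[key] += 1
        elif e.kind == "set_thread_context":
            ctx.add(key)
        if e.target_image is not None and e.image == e.target_image:
            same_image.add(key)
    return sorted(k for k in ctx if k in same_image and writes[k] >= min_writes)


def detect_sleep_stagers(events, min_seconds: int = 1):
    """Child PIDs created with a Start-Sleep command line of at least
    min_seconds: a cheap delay, not malicious alone, worth tying to the parent."""
    found = []
    for e in events:
        if e.kind != "create" or e.target_image != POWERSHELL:
            continue
        m = SLEEP_RE.search(e.cmdline)
        if m and int(m.group(1)) >= min_seconds:
            found.append(e.target_pid)
    return found


def write_counts(events):
    """WriteProcessMemory calls per (parent, child) pair, for triage context."""
    return dict(Counter((e.pid, e.target_pid) for e in events if e.kind == "write_memory"))


if __name__ == "__main__":
    print("hollowing:", detect_hollowing(EVENTS))
    print("sleep stagers:", detect_sleep_stagers(EVENTS))
    print("writes:", write_counts(EVENTS))
```

Run as-is it reports the (3512, 636) pair, the three sleeping PowerShell children, and the 17 writes the report counts. To use it on real telemetry, map Sysmon event IDs 1 (create), 8/10-style access events or an EDR's WriteProcessMemory and SetThreadContext records onto the Event fields; the rule deliberately does not fire on the CreateProcess writes.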
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Revised Proforma Invoice_New order.exe.log
  MD5: 605f809fab8c19729d39d075f7ffdb53
  SHA1: c546f877c9bd53563174a90312a8337fdfc5fdd9
  SHA256: 6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556
  SHA512: 82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: 66382a4ca6c4dcf75ce41417d44be93e
  SHA1: 8132cbef1c12f8a89a68a6153ade4286bf130812
  SHA256: a70acce0f4c6ab59b88ce79d84c38d4abffe19b72b033250499b17d788a2db56
  SHA512: 2bf66f2850f4a65220085c55a5b3c8866453104d78fe516e5bd6e3e47df783062ce4ea10de580f2eb0274ac8c3ce71965201c49ef55a78f307731ccc8600aadc
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 033add4b0e6ec3009beaffe1d7c942e6
  SHA1: fcde9fa7911da955958446c70414a1bea9668993
  SHA256: 845f0886c832d3832011dabcc2d61d9272e83e8f857fc12c36c1bab859c6724b
  SHA512: 9cd4e442bff54a125c4f6a34e7226c582c6e6e410895092380752fdbc6292c60204c27783422bd226a27a53b1d8e65a7ebe405bac10a0f9a4c3f7bf36c545b3f
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 4dcb38eb43f897a885dc36df0851097d
  SHA1: 7eec621e5e57c7b83e72e23d67aee6602ffc4071
  SHA256: 018c5c367b22fcf1a584b1107af8564f6e9cb50233351b86073a9b758556a263
  SHA512: c193af461c7539274e49d2d31ab44e1089e0ae04f1a68c756accc20fe375c10cbf951886443bebc85e14ee4201aebaf8eb870bffe1c80f28f9c837a9c2969034
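The dropped files above are the useful host-side indicators. The .NET CLR writes %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs\<assembly name>.log when a managed executable of that name runs, so a log named Revised Proforma Invoice_New order.exe.log ties the sample to a host even after the .exe is gone; its content, like the two StartupProfileData-NonInteractive files PowerShell rewrites on each non-interactive start, varies per machine, so those hashes are weak indicators and only the sample's own hashes are matched here. The Python below is added for this report and is not Triage's code; the hash table is copied from the General section, the host file snapshot is constructed, and the function names are this example's own.

```python
"""Added example: triage a host against this report's file indicators.

1. Hash candidate files with the four algorithms the report lists and look the
   digests up in the indicator table (copied from the report).
2. Look for a CLR usage log whose name records a run of the sample.
Host file contents below are constructed; no sample bytes are included.
"""
import hashlib
import re
from typing import Dict, List, Tuple

SAMPLE = "Revised Proforma Invoice_New order.exe"
ALGOS = ("md5", "sha1", "sha256", "sha512")

# Hashes of the submitted sample, from the report's General section.
INDICATORS: Dict[str, str] = {
    "3a391e960ff363979a5ac9dc3a95c636": "md5",
    "8930a2e630f133dfb78e87e06b4f9ecd882a84e1": "sha1",
    "8842d55ed240f4ed04d12d227dfd1c65bc20b72bf79fc5e40daf61d9f3f86d47": "sha256",
    "9ad6f160cef7ba108a88ee963aa224c1766bfb183e7934a88b5a7019788b6874"
    "009a4a921f8b853329be940d08de74e3ddb0170e69b60152fbd950a5889a5926": "sha512",
}

# CLR usage log under the 32-bit (CLR_v4.0_32) or 64-bit (CLR_v4.0) directory.
USAGELOG_RE = re.compile(
    r"\\CLR_v4\.0(?:_32)?\\UsageLogs\\(?P<stem>[^\\]+)\.log$", re.IGNORECASE)


def digests(data: bytes) -> Dict[str, str]:
    """Hex digest of data under each algorithm the report lists."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_hits(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """(path, algorithm) for every file whose digest is in INDICATORS."""
    hits = []
    for path, data in files.items():
        for algo, hexd in digests(data).items():
            if INDICATORS.get(hexd) == algo:
                hits.append((path, algo))
    return hits


def usagelog_hits(paths, sample: str = SAMPLE) -> List[str]:
    """Paths of CLR usage logs whose name records a run of the sample."""
    return [p for p in paths
            if (m := USAGELOG_RE.search(p)) and m.group("stem").lower() == sample.lower()]


def triage(files: Dict[str, bytes]) -> Dict[str, list]:
    """Both checks over a path -> content snapshot of a host."""
    return {"hash": hash_hits(files), "usagelog": usagelog_hits(files)}


# Constructed host snapshot (path -> bytes). The sample itself is absent, so
# only the usage-log check fires; the hash check is exercised on a test vector.
HOST_FILES = {
    r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs"
    r"\Revised Proforma Invoice_New order.exe.log": b"constructed usage log\r\n",
    r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs"
    r"\powershell.exe.log": b"constructed usage log\r\n",
    r"C:\Users\Admin\Documents\notes.txt": b"abc",
}

if __name__ == "__main__":
    print(triage(HOST_FILES))
```

On a live host, build the snapshot by walking %LOCALAPPDATA%\Microsoft\CLR_v4.0_32\UsageLogs and the Temp directory the sample ran from; the usage-log check is the one that survives the sample deleting itself.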
-
Dump | Filesize
memory/636-195-0x0000000005240000-0x0000000005241000-memory.dmp | 4KB
memory/636-196-0x0000000005050000-0x000000000554E000-memory.dmp | 5.0MB
memory/636-197-0x00000000051D0000-0x00000000051D1000-memory.dmp | 4KB
memory/636-194-0x0000000005550000-0x0000000005551000-memory.dmp | 4KB
memory/636-199-0x00000000063D0000-0x00000000063D1000-memory.dmp | 4KB
memory/636-190-0x000000000043764E-mapping.dmp | (single address, no size)
memory/636-189-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB
memory/636-200-0x0000000005FD0000-0x0000000005FD1000-memory.dmp | 4KB
memory/636-201-0x0000000005050000-0x000000000554E000-memory.dmp | 5.0MB
memory/2228-128-0x0000000007F00000-0x0000000007F01000-memory.dmp | 4KB
memory/2228-126-0x0000000007840000-0x0000000007841000-memory.dmp | 4KB
memory/2228-137-0x0000000008AE0000-0x0000000008AE1000-memory.dmp | 4KB
memory/2228-118-0x0000000000000000-mapping.dmp | (single address, no size)
memory/2228-131-0x0000000007DB0000-0x0000000007DB1000-memory.dmp | 4KB
memory/2228-130-0x0000000000EA2000-0x0000000000EA3000-memory.dmp | 4KB
memory/2228-153-0x0000000000EA3000-0x0000000000EA4000-memory.dmp | 4KB
memory/2228-121-0x0000000000E50000-0x0000000000E51000-memory.dmp | 4KB
memory/2228-122-0x0000000006E00000-0x0000000006E01000-memory.dmp | 4KB
memory/2228-123-0x0000000006C20000-0x0000000006C21000-memory.dmp | 4KB
memory/2228-124-0x0000000007430000-0x0000000007431000-memory.dmp | 4KB
memory/2228-125-0x00000000075F0000-0x00000000075F1000-memory.dmp | 4KB
memory/2228-136-0x0000000009460000-0x0000000009461000-memory.dmp | 4KB
memory/2228-129-0x0000000000EA0000-0x0000000000EA1000-memory.dmp | 4KB
memory/2228-127-0x00000000075D0000-0x00000000075D1000-memory.dmp | 4KB
memory/3512-188-0x00000000031B0000-0x00000000031D4000-memory.dmp | 144KB
memory/3512-115-0x0000000000FC0000-0x0000000000FC1000-memory.dmp | 4KB
memory/3512-186-0x0000000005870000-0x00000000058B2000-memory.dmp | 264KB
memory/3512-117-0x00000000031F0000-0x00000000031F1000-memory.dmp | 4KB
memory/3992-168-0x0000000004CA3000-0x0000000004CA4000-memory.dmp | 4KB
memory/3992-155-0x0000000004CA2000-0x0000000004CA3000-memory.dmp | 4KB
memory/3992-154-0x0000000004CA0000-0x0000000004CA1000-memory.dmp | 4KB
memory/3992-139-0x0000000000000000-mapping.dmp | (single address, no size)
memory/4564-187-0x00000000070A3000-0x00000000070A4000-memory.dmp | 4KB
memory/4564-170-0x00000000070A2000-0x00000000070A3000-memory.dmp | 4KB
memory/4564-169-0x00000000070A0000-0x00000000070A1000-memory.dmp | 4KB
memory/4564-163-0x0000000000000000-mapping.dmp | (single address, no size)
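The memory-dump names above encode PID, sequence number and address range, and the Filesize column is just the range length. Parsing them shows where the family_agenttesla YARA hits sit: the 240KB region at 0x400000-0x43C000 in the hollowed child (PID 636), the usual 32-bit PE image base, with the mapping address 0x43764E inside it, and a second 5.0MB region at 0x5050000. The parent (PID 3512) and the three powershell.exe children carry no tagged dumps. The Python below is added for this report and is not Triage's code; the dump names are copied from the list above (a subset is enough), the parsing and size logic is this example's own.

```python
"""Added example: parse Triage memory-dump names from this report.

Names have the form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, or
memory/<pid>-<seq>-0x<address>-mapping.dmp when only one address is recorded.
Dump names are copied from the report; the code is this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


@dataclass(frozen=True)
class Dump:
    name: str
    pid: int
    seq: int
    start: int
    end: Optional[int]          # None for a mapping dump (single address)
    kind: str

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start

    def contains(self, addr: int) -> bool:
        return self.end is not None and self.start <= addr < self.end


def parse_dump(name: str) -> Dump:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Triage dump name: {name}")
    end = m.group("end")
    return Dump(name, int(m.group("pid")), int(m.group("seq")),
                int(m.group("start"), 16), None if end is None else int(end, 16),
                m.group("kind"))


def human(size: int) -> str:
    """Size as the report prints it: whole KB below 1 MB, one-decimal MB above."""
    if size < 1 << 20:
        return f"{size // 1024}KB"
    return f"{size / (1 << 20):.1f}MB"


# Subset of the dump names in this report: PIDs 636 and 3512, plus the
# zero-address mapping dumps of the three powershell.exe children.
DUMPS = [
    "memory/636-189-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/636-190-0x000000000043764E-mapping.dmp",
    "memory/636-194-0x0000000005550000-0x0000000005551000-memory.dmp",
    "memory/636-196-0x0000000005050000-0x000000000554E000-memory.dmp",
    "memory/636-201-0x0000000005050000-0x000000000554E000-memory.dmp",
    "memory/3512-115-0x0000000000FC0000-0x0000000000FC1000-memory.dmp",
    "memory/3512-186-0x0000000005870000-0x00000000058B2000-memory.dmp",
    "memory/3512-188-0x00000000031B0000-0x00000000031D4000-memory.dmp",
    "memory/2228-118-0x0000000000000000-mapping.dmp",
    "memory/3992-139-0x0000000000000000-mapping.dmp",
    "memory/4564-163-0x0000000000000000-mapping.dmp",
]

# The three resources the report's family_agenttesla YARA rule matched.
YARA_HITS = {
    "memory/636-189-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/636-190-0x000000000043764E-mapping.dmp",
    "memory/636-196-0x0000000005050000-0x000000000554E000-memory.dmp",
}


def regions_by_pid(names):
    """pid -> [(dump name, human size)] for the region dumps only."""
    out = defaultdict(list)
    for d in map(parse_dump, names):
        if d.kind == "memory":
            out[d.pid].append((d.name, human(d.size)))
    return dict(out)


def mapping_inside(names):
    """(mapping dump, region dump) pairs where a region dump of the same PID
    contains the mapping address: here 0x43764E inside 0x400000-0x43C000."""
    dumps = list(map(parse_dump, names))
    return [(m.name, r.name) for m in dumps if m.kind == "mapping"
            for r in dumps if r.kind == "memory" and r.pid == m.pid and r.contains(m.start)]


def yara_pids(names=YARA_HITS):
    """PIDs whose dumps carried the family tag; in this report only the child."""
    return sorted({parse_dump(n).pid for n in names})


if __name__ == "__main__":
    for pid, regs in sorted(regions_by_pid(DUMPS).items()):
        print(pid, regs)
    print(mapping_inside(DUMPS))
    print(yara_pids())
```

The same parser works on the behavioral2/... resource names in the YARA table once the leading task prefix is stripped; the size and containment checks are what let you confirm, from the report alone, that the tagged payload lives in the second copy of the sample and not in the parent.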