Analysis
max time kernel: 300s
max time network: 302s
platform: windows7_x64
resource: win7-en-20210920
submitted: 21-10-2021 11:07
Static task: static1
Behavioral task: behavioral1
  Sample: Revised Invoice.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: Revised Invoice.exe
  Resource: win10-en-20211014
General
Target: Revised Invoice.exe
Size: 515KB
MD5: 1ae2e78d2b430f6611846c820d19d627
SHA1: 2034c7970065c117a663b7a009d5f0c555857234
SHA256: 96ee59d995670b53d0049b7f763381428b19f87d919b83e1bcdebac90e9846d0
SHA512: d9d781b1a31a90900fa3ec99f084c46294e25dfc147f5361107b1dd64b656d9e2e1d5440d5864207479cf8fadf41c04b8a4df97a17f1837f924a3203143a1e8c
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.davaobay.com.ph
  Port: 587
  Username: raeburngonzaga@davaobay.com.ph
  Password: p@ssw0rd
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (5 IoCs)
  Processes:
  resource -> yara_rule
  behavioral1/memory/1084-64-0x0000000000400000-0x000000000043C000-memory.dmp -> family_agenttesla
  behavioral1/memory/1084-65-0x0000000000400000-0x000000000043C000-memory.dmp -> family_agenttesla
  behavioral1/memory/1084-66-0x0000000000400000-0x000000000043C000-memory.dmp -> family_agenttesla
  behavioral1/memory/1084-67-0x00000000004376CE-mapping.dmp -> family_agenttesla
  behavioral1/memory/1084-68-0x0000000000400000-0x000000000043C000-memory.dmp -> family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Drops file in Drivers directory (1 IoCs)
  Processes:
  File opened for modification: C:\Windows\system32\drivers\etc\hosts [Revised Invoice.exe]
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion [Revised Invoice.exe]
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion [Revised Invoice.exe]
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [Revised Invoice.exe]
  Key opened: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [Revised Invoice.exe]
  Key opened: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [Revised Invoice.exe]
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\tKZVPq = "C:\\Users\\Admin\\AppData\\Roaming\\tKZVPq\\tKZVPq.exe" [Revised Invoice.exe]
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum [Revised Invoice.exe]
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 [Revised Invoice.exe]
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  PID 520 set thread context of 1084 [520 Revised Invoice.exe -> Revised Invoice.exe]
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  520 Revised Invoice.exe (2 entries)
  1084 Revised Invoice.exe (2 entries)
  1688 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  Token: SeDebugPrivilege [520 Revised Invoice.exe]
  Token: SeDebugPrivilege [1084 Revised Invoice.exe]
  Token: SeDebugPrivilege [1688 powershell.exe]
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  PID 520 wrote to memory of 1688 [520 Revised Invoice.exe -> powershell.exe] (4 entries)
  PID 520 wrote to memory of 1052 [520 Revised Invoice.exe -> Revised Invoice.exe] (4 entries)
  PID 520 wrote to memory of 1084 [520 Revised Invoice.exe -> Revised Invoice.exe] (9 entries)
- outlook_office_path (1 IoCs)
  Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [Revised Invoice.exe]
- outlook_win_path (1 IoCs)
  Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 [Revised Invoice.exe]
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - Image: C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe"
  - Image: C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Revised Invoice.exe"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/520-54-0x0000000001070000-0x0000000001071000-memory.dmp (Filesize 4KB)
- memory/520-56-0x0000000075661000-0x0000000075663000-memory.dmp (Filesize 8KB)
- memory/520-57-0x0000000000410000-0x0000000000417000-memory.dmp (Filesize 28KB)
- memory/520-58-0x0000000004DD0000-0x0000000004DD1000-memory.dmp (Filesize 4KB)
- memory/520-59-0x0000000004850000-0x00000000048A8000-memory.dmp (Filesize 352KB)
- memory/1084-64-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/1084-62-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/1084-63-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/1084-65-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/1084-66-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/1084-67-0x00000000004376CE-mapping.dmp
- memory/1084-68-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize 240KB)
- memory/1084-70-0x0000000004BC0000-0x0000000004BC1000-memory.dmp (Filesize 4KB)
- memory/1084-74-0x0000000004BC1000-0x0000000004BC2000-memory.dmp (Filesize 4KB)
- memory/1688-60-0x0000000000000000-mapping.dmp
- memory/1688-71-0x0000000000340000-0x0000000000341000-memory.dmp (Filesize 4KB)
- memory/1688-72-0x0000000000341000-0x0000000000342000-memory.dmp (Filesize 4KB)
- memory/1688-73-0x0000000000342000-0x0000000000344000-memory.dmp (Filesize 8KB)