Analysis
- max time kernel: 134s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 02-12-2021 06:43

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: INVOICE.exe
  Resource: win7-en-20211104
- Behavioral task: behavioral2
  Sample: INVOICE.exe
  Resource: win10-en-20211104
General
- Target: INVOICE.exe
- Size: 572KB
- MD5: 2c42e7848e2520f517c0eb3cff9a17fb
- SHA1: fe03a9798d36770f1500b6f35b9a33eb6d391189
- SHA256: b11f12b8f638596e52dc43332ae8ead3d29d47dcb90ba2fb13e7e08811b895c8
- SHA512: 99216c285a66d4c841936b484879f311b01df989744f81026bb2a93b350bcf373f3fff3257ed9f01a680cb6cf469d2d050d6caf4275eed726907c344c94988c5
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.focuzpartsmart.com
- Port: 587
- Username: [email protected]
- Password: Fpmabi@2016
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (5 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/1760-66-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
    behavioral1/memory/1760-67-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
    behavioral1/memory/1760-68-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
    behavioral1/memory/1760-69-0x000000000043771E-mapping.dmp  family_agenttesla
    behavioral1/memory/1760-70-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
- Drops file in Drivers directory (1 IoC)
  Processes (description / ioc / process):
    File opened for modification  C:\Windows\system32\drivers\etc\hosts  INVOICE.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  INVOICE.exe
    Key opened  \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  INVOICE.exe
    Key opened  \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  INVOICE.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\tKZVPq = "C:\\Users\\Admin\\AppData\\Roaming\\tKZVPq\\tKZVPq.exe"  INVOICE.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 960 set thread context of 1760  960  INVOICE.exe  INVOICE.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    1760  INVOICE.exe
    1760  INVOICE.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1760  INVOICE.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description / pid / process / target process):
    PID 960 wrote to memory of 1932  960  INVOICE.exe  schtasks.exe
    PID 960 wrote to memory of 1932  960  INVOICE.exe  schtasks.exe
    PID 960 wrote to memory of 1932  960  INVOICE.exe  schtasks.exe
    PID 960 wrote to memory of 1932  960  INVOICE.exe  schtasks.exe
    PID 960 wrote to memory of 1760  960  INVOICE.exe  INVOICE.exe
    PID 960 wrote to memory of 1760  960  INVOICE.exe  INVOICE.exe
    PID 960 wrote to memory of 1760  960  INVOICE.exe  INVOICE.exe
    PID 960 wrote to memory of 1760  960  INVOICE.exe  INVOICE.exe
    PID 960 wrote to memory of 1760  960  INVOICE.exe  INVOICE.exe
    PID 960 wrote to memory of 1760  960  INVOICE.exe  INVOICE.exe
    PID 960 wrote to memory of 1760  960  INVOICE.exe  INVOICE.exe
    PID 960 wrote to memory of 1760  960  INVOICE.exe  INVOICE.exe
    PID 960 wrote to memory of 1760  960  INVOICE.exe  INVOICE.exe
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  INVOICE.exe
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  INVOICE.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
  PID: 960
  Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qzDZhUTmRB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp403B.tmp"
    PID: 1932
    Signatures:
      - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\INVOICE.exe
    Command line: "{path}"
    PID: 1760
    Signatures:
      - Drops file in Drivers directory
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp403B.tmp
  MD5: 0b14c3834f1b25d227d1c068b4d4d0ba
  SHA1: ce21ca5bc0be2a8d10f6c6a2e3a6321ce1d5bc41
  SHA256: 212e82faecccc29cba31ca9cfe2caf259afab4860c3cbde9ff23dfa4b19803fb
  SHA512: 676af82c6e1d031d63838af8b4feeb660c09de5aa6739e14ef88c486dc0e55196da87c33a979c390f8d2b5b6327d6f79251ddf518d9c93cba9fc2020b05b3639