Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
06-02-2022 21:42
General
-
Target
TT-INVI000000000.exe
-
Size
914KB
-
MD5
a9fe1629c98954b6af37d55141373d25
-
SHA1
0a230168bac70aac3b43523fcd4bc4b14ed53e47
-
SHA256
811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9
-
SHA512
6b079542a4b7ca6183e7cca4a50e666a47dc237571ce07fe54501169f21f209949dc72dfd8855668ec508f0563e4b1c8e7ebf8c08db854ccf7e3a010c2709099
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Neshta Payload 18 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
AgentTesla Payload 14 IoCs
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 10 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\TT-INVI000000000.exe"C:\Users\Admin\AppData\Local\Temp\TT-INVI000000000.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"C:\Users\Admin\AppData\Local\Temp\TT-INVI000000000.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\REM 157 GD2.exe"C:\Users\Admin\AppData\Local\Temp\REM 157 GD2.exe" 03⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\miguel.chiliguano n SS 2.0.exe"C:\Users\Admin\AppData\Local\Temp\miguel.chiliguano n SS 2.0.exe" 03⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\miguel.chiliguano n SS 4.0.exe"C:\Users\Admin\AppData\Local\Temp\miguel.chiliguano n SS 4.0.exe" 03⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\MIGUEL~2.EXE" 04⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3582-490\MIGUEL~2.EXEC:\Users\Admin\AppData\Local\Temp\3582-490\MIGUEL~2.EXE 05⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\MSOCache\ALLUSE~1\{9A861~1\ose.exeMD5
58b58875a50a0d8b5e7be7d6ac685164
SHA11e0b89c1b2585c76e758e9141b846ed4477b0662
SHA2562a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae
SHA512d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b
-
C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exeMD5
6570f18406183e572b1f8d4cea13bc66
SHA1838e8537f613a33d9828defeb4cb1af2f8ed5f2b
SHA2560466a343fc8ec05657758df972183869b74dd15936f9ac18663462128c88be64
SHA5120b6807b721ec3934de420498014be32d1cb66d2d6ccb57f86b996d4423a7fa9d719f864317ffe1d48ca7c2bc5a72cb7b93f32fa03d09f144b1dba8006e0ebdf4
-
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXEMD5
3a928dbfdd154534651434bc1c574259
SHA18619df5eaaa8ceab6418136789d2f172ce0d2a83
SHA25600ca35c94353f0c583bc4423a7623631673400a1c3c6678cf565fa202769f148
SHA512ce942aca8a23de012b8adfda84a630c1e8fc2431ace86e953aa2a8966d7e89d7631b7aed8a0810387c1d4413a1ea1b519167c57287071b05e09c5dec1efae826
-
C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXEMD5
b19c2fa49e278935e6a3087fdd0da46e
SHA104a5de16b6840a8fe68753028bd2ff20381ed720
SHA256c70151fc7fb7d461ba596455bfc7e79e199a3c0ac766c5d67f9347b39e20b7b9
SHA5120399a45ee6a87d5899020d4106bc6ff521285b34c61afcd4929b6274166f7585c01749a1ee1814e82c90a5d8deb1dfa28bde6b105029f74d33f7a3e848d0dc39
-
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXEMD5
f6636e7fd493f59a5511f08894bba153
SHA13618061817fdf1155acc0c99b7639b30e3b6936c
SHA25661720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33
SHA512bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1
-
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXEMD5
3e8de969e12cd5e6292489a12a9834b6
SHA1285b89585a09ead4affa32ecaaa842bc51d53ad5
SHA2567a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf
SHA512b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e
-
C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXEMD5
a49eb5f2ad98fffade88c1d337854f89
SHA12cc197bcf3625751f7e714ac1caf8e554d0be3b1
SHA25699da2b7f53a43e0bc01bb52715a37fa87c7f328b4dfac747d7a152ea22e88449
SHA5124649049a63ce1dfafb632a5b396181bf7fce6364a548660483722329eea13ec0f7df7d7a5c3104e97a1c0f201597fd27d6a1435942a1c1573db2706733aae593
-
C:\Users\Admin\AppData\Local\Temp\3582-490\MIGUEL~2.EXEMD5
85c67ec77297bc1e88f22c8a8d74f629
SHA17ee8601b2ac7663233f081152fe7d95303d2b74d
SHA25602352705bc4171afc7ec604595c31c98d30bb26c7ef15ac9307c6816528f1010
SHA512ffd9d90b2217d3c4f18393fbd62c1c82131070387f009456711d7a814ca007e65dd6d443cbde47a68dd73c33192613c0b4cdf7622c38093fd971ed2245454d0a
-
C:\Users\Admin\AppData\Local\Temp\3582-490\MIGUEL~2.EXEMD5
85c67ec77297bc1e88f22c8a8d74f629
SHA17ee8601b2ac7663233f081152fe7d95303d2b74d
SHA25602352705bc4171afc7ec604595c31c98d30bb26c7ef15ac9307c6816528f1010
SHA512ffd9d90b2217d3c4f18393fbd62c1c82131070387f009456711d7a814ca007e65dd6d443cbde47a68dd73c33192613c0b4cdf7622c38093fd971ed2245454d0a
-
C:\Users\Admin\AppData\Local\Temp\3582-490\miguel.chiliguano n SS 2.0.exeMD5
eb976501b6afc40f9394d66306feec1e
SHA132bd0614403304047cff861d24f0f83dbc184b4d
SHA256cfce875a938a48152a5d755cdbc268208dfab716549a05f7577b9d50f857e106
SHA51213b2e18b170b47d66aa87df41fdf8fe9e007eac156da5002382ee1cc1c7b96e93f7b9ae986b24faf58d82c9013c230ddc289eb98a41142c5c920407d00101a2e
-
C:\Users\Admin\AppData\Local\Temp\REM 157 GD2.exeMD5
f3c3957fe863f0c1ed24f95da708effa
SHA1632c982416fae0ac6b7c765111fc845ea9a4332d
SHA256fcae844517a704e1636de212ce4d80ca4fd1a191c00ed6465071c65608b05389
SHA51251af35eb41a8ef8f510588245ac2b4dbdbd130c3f3d36c69f1c93bd2f85914b3c8b7f65dbb999f7a5ef0249fb84b4e17f06e1ce85976cff13b0573227e066d1f
-
C:\Users\Admin\AppData\Local\Temp\miguel.chiliguano n SS 2.0.exeMD5
f30e089c0c6c3d17cb64ea77e6681f1f
SHA11bf6dfbb8d5a08898c7e050a40bf1f4eb80f649e
SHA25672b8462c26df2fc595c1fbb76b870cfb4b32bf2b8ae713f5cee2d4f71c3ad73d
SHA51218b6651ce444ef10804e4449dcd91bf5d481cf9f4f1bb78576f560427762155a153947a5e54639f8e1100ea43941bca8e9fa380ee0fb719e91b7a0cec6f0b009
-
C:\Users\Admin\AppData\Local\Temp\miguel.chiliguano n SS 2.0.exeMD5
f30e089c0c6c3d17cb64ea77e6681f1f
SHA11bf6dfbb8d5a08898c7e050a40bf1f4eb80f649e
SHA25672b8462c26df2fc595c1fbb76b870cfb4b32bf2b8ae713f5cee2d4f71c3ad73d
SHA51218b6651ce444ef10804e4449dcd91bf5d481cf9f4f1bb78576f560427762155a153947a5e54639f8e1100ea43941bca8e9fa380ee0fb719e91b7a0cec6f0b009
-
C:\Users\Admin\AppData\Local\Temp\miguel.chiliguano n SS 4.0.exeMD5
c9b9633a40009c7f4e4fa4e0f845c460
SHA179f12b3722bf35fa4b93b461d1ead3c748acf668
SHA25648f4a92a741cde1b1ec27e346dd272fd374c15a579c9b56f742191504c8c26ea
SHA512ac1d08f469ecc2604f99d0ea14f91e2f6f30e1ffe913ef58a7e75d81c4221e5a65146638d12e5d79e0f69e7eb5ad1f76ec809caa986535770bbc133a31a61eb8
-
C:\Users\Admin\AppData\Local\Temp\miguel.chiliguano n SS 4.0.exeMD5
c9b9633a40009c7f4e4fa4e0f845c460
SHA179f12b3722bf35fa4b93b461d1ead3c748acf668
SHA25648f4a92a741cde1b1ec27e346dd272fd374c15a579c9b56f742191504c8c26ea
SHA512ac1d08f469ecc2604f99d0ea14f91e2f6f30e1ffe913ef58a7e75d81c4221e5a65146638d12e5d79e0f69e7eb5ad1f76ec809caa986535770bbc133a31a61eb8
-
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmpMD5
717aa70fcbcb884dffef51940a6961eb
SHA140780f2d0fcbd415a5b55828a98020d3c6ab72dd
SHA25630e2ae64074cab3121dfbdf13cff02f3eae634c971592c2103f4d2b47e280a83
SHA512a4c177f3643f64de4272f2e8a197bf18819d5fe17b25243e5c02e13efa8165879dfc48c9fba650ce00bc8061657948ae3e3472fb4c9a5fa1696048ec435380be
-
C:\Windows\svchost.comMD5
36fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\Windows\svchost.comMD5
36fd5e09c417c767a952b4609d73a54b
SHA1299399c5a2403080a5bf67fb46faec210025b36d
SHA256980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA5121813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEMD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEMD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\MIGUEL~2.EXEMD5
85c67ec77297bc1e88f22c8a8d74f629
SHA17ee8601b2ac7663233f081152fe7d95303d2b74d
SHA25602352705bc4171afc7ec604595c31c98d30bb26c7ef15ac9307c6816528f1010
SHA512ffd9d90b2217d3c4f18393fbd62c1c82131070387f009456711d7a814ca007e65dd6d443cbde47a68dd73c33192613c0b4cdf7622c38093fd971ed2245454d0a
-
\Users\Admin\AppData\Local\Temp\REM 157 GD2.exeMD5
f3c3957fe863f0c1ed24f95da708effa
SHA1632c982416fae0ac6b7c765111fc845ea9a4332d
SHA256fcae844517a704e1636de212ce4d80ca4fd1a191c00ed6465071c65608b05389
SHA51251af35eb41a8ef8f510588245ac2b4dbdbd130c3f3d36c69f1c93bd2f85914b3c8b7f65dbb999f7a5ef0249fb84b4e17f06e1ce85976cff13b0573227e066d1f
-
\Users\Admin\AppData\Local\Temp\REM 157 GD2.exeMD5
f3c3957fe863f0c1ed24f95da708effa
SHA1632c982416fae0ac6b7c765111fc845ea9a4332d
SHA256fcae844517a704e1636de212ce4d80ca4fd1a191c00ed6465071c65608b05389
SHA51251af35eb41a8ef8f510588245ac2b4dbdbd130c3f3d36c69f1c93bd2f85914b3c8b7f65dbb999f7a5ef0249fb84b4e17f06e1ce85976cff13b0573227e066d1f
-
\Users\Admin\AppData\Local\Temp\miguel.chiliguano n SS 2.0.exeMD5
f30e089c0c6c3d17cb64ea77e6681f1f
SHA11bf6dfbb8d5a08898c7e050a40bf1f4eb80f649e
SHA25672b8462c26df2fc595c1fbb76b870cfb4b32bf2b8ae713f5cee2d4f71c3ad73d
SHA51218b6651ce444ef10804e4449dcd91bf5d481cf9f4f1bb78576f560427762155a153947a5e54639f8e1100ea43941bca8e9fa380ee0fb719e91b7a0cec6f0b009
-
\Users\Admin\AppData\Local\Temp\miguel.chiliguano n SS 2.0.exeMD5
f30e089c0c6c3d17cb64ea77e6681f1f
SHA11bf6dfbb8d5a08898c7e050a40bf1f4eb80f649e
SHA25672b8462c26df2fc595c1fbb76b870cfb4b32bf2b8ae713f5cee2d4f71c3ad73d
SHA51218b6651ce444ef10804e4449dcd91bf5d481cf9f4f1bb78576f560427762155a153947a5e54639f8e1100ea43941bca8e9fa380ee0fb719e91b7a0cec6f0b009
-
\Users\Admin\AppData\Local\Temp\miguel.chiliguano n SS 4.0.exeMD5
c9b9633a40009c7f4e4fa4e0f845c460
SHA179f12b3722bf35fa4b93b461d1ead3c748acf668
SHA25648f4a92a741cde1b1ec27e346dd272fd374c15a579c9b56f742191504c8c26ea
SHA512ac1d08f469ecc2604f99d0ea14f91e2f6f30e1ffe913ef58a7e75d81c4221e5a65146638d12e5d79e0f69e7eb5ad1f76ec809caa986535770bbc133a31a61eb8
-
\Users\Admin\AppData\Local\Temp\miguel.chiliguano n SS 4.0.exeMD5
c9b9633a40009c7f4e4fa4e0f845c460
SHA179f12b3722bf35fa4b93b461d1ead3c748acf668
SHA25648f4a92a741cde1b1ec27e346dd272fd374c15a579c9b56f742191504c8c26ea
SHA512ac1d08f469ecc2604f99d0ea14f91e2f6f30e1ffe913ef58a7e75d81c4221e5a65146638d12e5d79e0f69e7eb5ad1f76ec809caa986535770bbc133a31a61eb8
-
\Users\Admin\AppData\Local\Temp\nslBCBA.tmp\zc698qb97cas.dllMD5
ee9e479d846ac0d5611a4e644bf0e431
SHA1387c6a016ca6a76ac6bbf3c191f759f9cef1712b
SHA2568616302695239b4df09628bc81dfa366522443b74d9d9d69bd5b2f4c1d5b99ec
SHA512335917c12f4a2d4c08de2f99684e5f12c22b2a40262fc08e9565051d19e788034fcfe5ffafa7628bef513434ea4135afb575d66cb2dade24251452e055fd5f20
-
memory/1000-83-0x0000000004940000-0x0000000004941000-memory.dmpFilesize
4KB
-
memory/1000-82-0x0000000000320000-0x000000000035C000-memory.dmpFilesize
240KB
-
memory/1000-93-0x0000000004941000-0x0000000004942000-memory.dmpFilesize
4KB
-
memory/1772-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmpFilesize
8KB
-
memory/1988-59-0x0000000000400000-0x000000000048D000-memory.dmpFilesize
564KB