Analysis
- max time kernel: 185s
- max time network: 202s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 08-02-2022 03:12
Static task: static1
Behavioral tasks:
- behavioral1: INV.exe on win7-en-20211208
- behavioral2: INV.exe on win10v2004-en-20220112
- behavioral3: PACKING LISTS.exe on win7-en-20211208
- behavioral4: PACKING LISTS.exe on win10v2004-en-20220113 (this report)
- behavioral5: PICS.exe on win7-en-20211208
- behavioral6: PICS.exe on win10v2004-en-20220113
- behavioral7: QUOTATION.exe on win7-en-20211208
- behavioral8: QUOTATION.exe on win10v2004-en-20220112
General
- Target: PACKING LISTS.exe
- Size: 309KB
- MD5: 25e396015a9db6326384b2091bcc9fad
- SHA1: e7b083cb514c5d6625b6babfffe7429537aeca4f
- SHA256: 15b7e016d58fd18d0f7eb8f578ba217b9aaac7367c0eddd7a545f9d98d49e288
- SHA512: 23d1b45f1324c5206a1a05f11046d56bbeefa996953d0697c06f3ceb6f59a9d67b150e2742661b828d2c1218153f45cd8a6bbf3f59b0b8309d2ad03734119b05
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.privateemail.com
- Port: 587
- Username: [email protected]
- Password: MARYolanmauluogwo@ever
Signatures
-
AgentTesla
Agent Tesla is an information stealer and remote access tool (RAT) written in .NET (originally Visual Basic .NET). It harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP; the SMTP configuration extracted above is its exfiltration channel for this sample.
- AgentTesla Payload (1 IoC)
  YARA rule family_agenttesla matched resource behavioral4/memory/2392-144-0x0000000000400000-0x000000000043C000-memory.dmp (the 0x00400000-0x0043C000 region of RegAsm.exe, PID 2392)
- Drops startup file (2 IoCs)
  Process: Powershell.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RegAsm.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0rig20 = "C:\\Users\\Admin\\AppData\\Roaming\\0rig20\\0rig20.exe"
- Suspicious use of SetThreadContext (1 IoC)
  PID 1232 (PACKING LISTS.exe) set thread context of PID 2392 (RegAsm.exe)
- Drops file in Windows directory (8 IoCs)
  Processes: svchost.exe, TiWorker.exe
  File opened for modification: C:\Windows\WindowsUpdate.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm (svchost.exe)
  File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log (svchost.exe)
  File opened for modification: C:\Windows\Logs\CBS\CBS.log (TiWorker.exe)
  File opened for modification: C:\Windows\WinSxS\pending.xml (TiWorker.exe)
- Modifies data under HKEY_USERS (1 IoC)
  Process: svchost.exe
  Key created: \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 5008 Powershell.exe (2 events), PID 2392 RegAsm.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Token SeDebugPrivilege: PID 5008 Powershell.exe
  Token SeDebugPrivilege: PID 2392 RegAsm.exe
  Tokens SeShutdownPrivilege and SeCreatePagefilePrivilege: PID 5104 svchost.exe (3 times each)
  Tokens SeSecurityPrivilege, SeRestorePrivilege and SeBackupPrivilege: PID 1912 TiWorker.exe (8 times each)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1232 (PACKING LISTS.exe) wrote to memory of PID 5008 (Powershell.exe): 3 events
  PID 1232 (PACKING LISTS.exe) wrote to memory of PID 2392 (RegAsm.exe): 8 events
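The SetThreadContext and WriteProcessMemory signatures above are, taken together, the classic process-hollowing sequence: the loader starts a signed .NET host (RegAsm.exe), writes the decoded payload into it and redirects its main thread. The following Python is an added example, not output of the sandbox or code from the malware, that parses the behaviour records quoted above and scores parent/child pairs. The KNOWN_HOSTS list and the severity scheme are assumptions for the example, and the sample records are constructed from the report's own lines (one duplicate kept on purpose to show that repeats collapse).

```python
"""Spot process-hollowing candidates in sandbox behaviour records (added example)."""
import re

# Constructed input: the distinct records quoted in the report above, plus one
# repeated WriteProcessMemory line as it appears in the report.
SAMPLE_EVENTS = [
    "PID 1232 set thread context of 2392 1232 PACKING LISTS.exe RegAsm.exe",
    "PID 1232 wrote to memory of 5008 1232 PACKING LISTS.exe Powershell.exe",
    "PID 1232 wrote to memory of 2392 1232 PACKING LISTS.exe RegAsm.exe",
    "PID 1232 wrote to memory of 2392 1232 PACKING LISTS.exe RegAsm.exe",
]

# Record layout used by the report:
#   PID <pid> <action> <target_pid> <pid> <image> <target_image>
# Image names may contain spaces ("PACKING LISTS.exe"), so each is matched
# non-greedily up to its ".exe" suffix.
EVENT_RE = re.compile(
    r"^PID (?P<pid>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<target_pid>\d+) (?P=pid) (?P<image>.+?\.exe) (?P<target_image>.+?\.exe)$",
    re.IGNORECASE,
)

# .NET Framework utilities commonly used as hollowing hosts by this loader
# family. Assumption for this example; extend from your own telemetry.
KNOWN_HOSTS = {
    "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
    "vbc.exe", "csc.exe", "applaunch.exe", "aspnet_compiler.exe",
}


def parse_events(lines):
    """Return one dict per well-formed record; malformed lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "pid": int(m["pid"]),
            "image": m["image"],
            "target_pid": int(m["target_pid"]),
            "target_image": m["target_image"],
            "action": "set_context" if m["action"].lower().startswith("set") else "write",
        })
    return events


def find_hollowing(events):
    """Score every (parent, child) pair seen in the records.

    high   : memory written AND thread context set, and the child is a known host
    medium : only one of those two conditions holds
    low    : memory written into a non-host child only (ordinary process start-up
             also shows up as WriteProcessMemory in sandbox traces)
    """
    wrote, set_ctx, names = set(), set(), {}
    for e in events:
        key = (e["pid"], e["target_pid"])
        names[key] = (e["image"], e["target_image"])
        (set_ctx if e["action"] == "set_context" else wrote).add(key)

    findings = []
    for key in sorted(wrote | set_ctx):
        parent, child = names[key]
        both = key in wrote and key in set_ctx
        host = child.lower() in KNOWN_HOSTS
        severity = "high" if both and host else "medium" if both or host else "low"
        findings.append({
            "parent_pid": key[0], "parent": parent,
            "child_pid": key[1], "child": child,
            "write_memory": key in wrote,
            "set_thread_context": key in set_ctx,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(parse_events(SAMPLE_EVENTS)):
        print(f"{f['severity']:6} {f['parent']} ({f['parent_pid']}) -> "
              f"{f['child']} ({f['child_pid']}) write={f['write_memory']} "
              f"ctx={f['set_thread_context']}")
```

Run against the report's records this yields one high-severity pair (PACKING LISTS.exe into RegAsm.exe) and one low-severity pair (the PowerShell child, which is only written to, as any freshly created child process is). The same logic maps onto Sysmon Event ID 8/10 or EDR thread-context telemetry once the record parser is swapped.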
Processes
- C:\Users\Admin\AppData\Local\Temp\PACKING LISTS.exe (PID 1232)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PACKING LISTS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe (PID 5008)
    Command line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\PACKING LISTS.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2392)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\svchost.exe (BITS)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Modifies data under HKEY_USERS
- C:\Windows\system32\svchost.exe (wuauserv, PID 5104)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe (PID 1912)
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

PIDs are taken from the signature details above. Both children of the sample are 32-bit (SysWOW64 PowerShell, Framework rather than Framework64 RegAsm), consistent with a 32-bit .NET loader. The svchost.exe (BITS, wuauserv) and TiWorker.exe entries are top-level processes, not children of the sample, and their file activity (WindowsUpdate.log, SoftwareDistribution, CBS.log, pending.xml) is Windows Update and servicing background activity in the sandbox.
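The process tree shows the two persistence mechanisms this sample installs: a PowerShell Copy-Item into the user's Startup folder, and a Run value written by the hollowed RegAsm.exe. The Python below is an added example, not part of the sandbox report, that parses the two records quoted above into normalised persistence entries: it expands the raw \REGISTRY\USER\<SID> prefix to a hive, unescapes the doubled backslashes in the value data, and tags both with ATT&CK T1547.001 (Registry Run Keys / Startup Folder). The hive map, the "odd filename" and "user-writable directory" flags and the writer-process heuristics are assumptions for the example; the input records are constructed from the report's own lines.

```python
"""Normalise Run-key and Startup-folder persistence records (added example)."""
import re

# Constructed input: the two persistence records quoted in the report above.
SAMPLE_RECORDS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0rig20 = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\0rig20\\0rig20.exe" RegAsm.exe',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu'
    r'\Programs\Startup\I$s#$lT3ssl.exe Powershell.exe',
]

# "Set value (<type>) <key>\<name> = "<data>" <process>"; the key path has no
# spaces, so the last backslash before " = " separates key from value name.
RUN_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\ ]+) '
    r'= "(?P<data>.*)" (?P<proc>\S+\.exe)$'
)
# "File created <path> <process>"; the path may contain spaces, the process
# name may not, so the path is matched non-greedily.
FILE_RE = re.compile(
    r'^File (?P<op>created|opened for modification) (?P<path>.+?) (?P<proc>\S+\.exe)$'
)
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Assumed hive mapping for the kernel-style paths the sandbox reports.
HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}
DOTNET_UTILITIES = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def normalize_key(raw):
    """Map \\REGISTRY\\USER\\<SID>\\... to HKU\\<SID>\\... and MACHINE to HKLM."""
    for prefix, hive in HIVES.items():
        if raw.upper().startswith(prefix):
            return hive + raw[len(prefix):]
    return raw


def flags_for(payload, writer):
    """Heuristic annotations; assumptions for this example, not report output."""
    flags = []
    low = payload.lower()
    if "\\appdata\\" in low or "\\programdata\\" in low or "\\temp\\" in low:
        flags.append("payload_in_user_writable_dir")
    if re.search(r"[$#@!%^&{}]", payload.rsplit("\\", 1)[-1]):
        flags.append("odd_filename_chars")
    if writer.lower() in DOTNET_UTILITIES:
        flags.append("written_by_dotnet_utility")
    if writer.lower() in {"powershell.exe", "pwsh.exe"}:
        flags.append("written_by_powershell")
    return flags


def extract_persistence(records):
    """Return T1547.001 entries for Run/RunOnce values and Startup-folder drops."""
    entries = []
    for rec in records:
        m = RUN_RE.match(rec)
        if m and m["key"].lower().endswith(RUN_KEY_SUFFIXES):
            payload = m["data"].replace("\\\\", "\\")  # undo the report's escaping
            entries.append({
                "technique": "T1547.001", "kind": "run_key",
                "location": normalize_key(m["key"]), "name": m["name"],
                "payload": payload, "writer": m["proc"],
                "flags": flags_for(payload, m["proc"]),
            })
            continue
        m = FILE_RE.match(rec)
        if m and m["op"] == "created" and STARTUP_MARKER in m["path"].lower():
            folder, name = m["path"].rsplit("\\", 1)
            entries.append({
                "technique": "T1547.001", "kind": "startup_folder",
                "location": folder, "name": name,
                "payload": m["path"], "writer": m["proc"],
                "flags": flags_for(m["path"], m["proc"]),
            })
    return entries


if __name__ == "__main__":
    for e in extract_persistence(SAMPLE_RECORDS):
        print(f"{e['technique']} {e['kind']:14} {e['location']}\\{e['name']}")
        print(f"    payload={e['payload']} writer={e['writer']} flags={e['flags']}")
```

Both entries come out under the same sub-technique, which is the point for a responder: cleanup has to remove the Run value under the user's SID hive, the 0rig20.exe copy in AppData\Roaming, and the I$s#$lT3ssl.exe copy in the Startup folder, or the sample returns at next logon.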
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1232-151-0x00000000057B0000-0x00000000057BA000-memory.dmp: 40KB
- memory/1232-130-0x00000000008D0000-0x0000000000924000-memory.dmp: 336KB
- memory/1232-132-0x0000000005810000-0x0000000005DB4000-memory.dmp: 5.6MB
- memory/1232-133-0x00000000053C0000-0x0000000005452000-memory.dmp: 584KB
- memory/1232-134-0x0000000005460000-0x00000000054FC000-memory.dmp: 624KB
- memory/1232-160-0x0000000002C00000-0x0000000002C40000-memory.dmp: 256KB
- memory/1232-131-0x0000000074DB0000-0x0000000075560000-memory.dmp: 7.7MB
- memory/1232-140-0x0000000002C00000-0x0000000002C40000-memory.dmp: 256KB
- memory/1736-159-0x00000235B5110000-0x00000235B5114000-memory.dmp: 16KB
- memory/1736-152-0x00000235B2190000-0x00000235B21A0000-memory.dmp: 64KB
- memory/2392-147-0x0000000004F00000-0x00000000054A4000-memory.dmp: 5.6MB
- memory/2392-146-0x0000000074DB0000-0x0000000075560000-memory.dmp: 7.7MB
- memory/2392-144-0x0000000000400000-0x000000000043C000-memory.dmp: 240KB
- memory/5008-142-0x0000000000F80000-0x0000000000F91000-memory.dmp: 68KB
- memory/5008-143-0x0000000000F80000-0x0000000000F91000-memory.dmp: 68KB
- memory/5008-145-0x00000000061B0000-0x00000000061CE000-memory.dmp: 120KB
- memory/5008-141-0x0000000074DB0000-0x0000000075560000-memory.dmp: 7.7MB
- memory/5008-139-0x0000000005AF0000-0x0000000005B56000-memory.dmp: 408KB
- memory/5008-148-0x0000000007380000-0x0000000007416000-memory.dmp: 600KB
- memory/5008-149-0x0000000006590000-0x00000000065AA000-memory.dmp: 104KB
- memory/5008-150-0x0000000006650000-0x0000000006672000-memory.dmp: 136KB
- memory/5008-138-0x0000000005A80000-0x0000000005AE6000-memory.dmp: 408KB
- memory/5008-137-0x0000000005190000-0x00000000051B2000-memory.dmp: 136KB
- memory/5008-136-0x00000000052A0000-0x00000000058C8000-memory.dmp: 6.2MB
- memory/5008-135-0x0000000002820000-0x0000000002856000-memory.dmp: 216KB
- memory/5104-173-0x0000022504340000-0x0000022504344000-memory.dmp: 16KB
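The dump names above encode the process, a sequence number and the address range, which is enough to do some triage before opening anything in a debugger: recompute each size from its range, find ranges that recur across processes (the 0x74DB0000-0x75560000 region appears in PIDs 1232, 2392 and 5008 and is a shared mapped image, not three separate payloads), and single out the region at 0x400000 in RegAsm.exe, which is the default 32-bit PE image base and exactly where the family_agenttesla YARA hit landed. This Python is an added example, not sandbox output; the size formatter mimics the report's rendering, the 0x400000 rule is a stated heuristic, and the input is a constructed subset of the entries listed above.

```python
"""Sanity-check and cluster sandbox memory-dump entries (added example)."""
import re
from collections import defaultdict

# Constructed input: a subset of the dump entries listed in the report above.
SAMPLE_DUMPS = [
    ("memory/1232-130-0x00000000008D0000-0x0000000000924000-memory.dmp", "336KB"),
    ("memory/1232-131-0x0000000074DB0000-0x0000000075560000-memory.dmp", "7.7MB"),
    ("memory/1232-140-0x0000000002C00000-0x0000000002C40000-memory.dmp", "256KB"),
    ("memory/1232-160-0x0000000002C00000-0x0000000002C40000-memory.dmp", "256KB"),
    ("memory/2392-144-0x0000000000400000-0x000000000043C000-memory.dmp", "240KB"),
    ("memory/2392-146-0x0000000074DB0000-0x0000000075560000-memory.dmp", "7.7MB"),
    ("memory/5008-136-0x00000000052A0000-0x00000000058C8000-memory.dmp", "6.2MB"),
    ("memory/5008-141-0x0000000074DB0000-0x0000000075560000-memory.dmp", "7.7MB"),
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Default ImageBase of a 32-bit PE; a hollowed host gets the injected image
# mapped here. Heuristic assumed for this example.
DEFAULT_IMAGE_BASE = 0x400000


def fmt_size(n):
    """Mimic the report's size rendering: whole KB below 1 MiB, else one-decimal MB."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def parse_dumps(entries):
    """Parse (name, listed_size) pairs; size_ok records whether the range matches."""
    dumps = []
    for name, listed in entries:
        m = DUMP_RE.match(name)
        if not m:
            raise ValueError(f"unexpected dump name: {name}")
        start, end = int(m["start"], 16), int(m["end"], 16)
        if end <= start:
            raise ValueError(f"empty or inverted range: {name}")
        dumps.append({
            "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start,
            "listed": listed, "size_ok": fmt_size(end - start) == listed,
        })
    return dumps


def shared_regions(dumps):
    """Address ranges dumped from more than one process (typically a shared DLL)."""
    by_range = defaultdict(set)
    for d in dumps:
        by_range[(d["start"], d["end"])].add(d["pid"])
    return {rng: sorted(pids) for rng, pids in by_range.items() if len(pids) > 1}


def candidate_injected_images(dumps):
    """Regions based at the default 32-bit image base; heuristic only."""
    return sorted({(d["pid"], d["start"], d["end"]) for d in dumps
                   if d["start"] == DEFAULT_IMAGE_BASE})


if __name__ == "__main__":
    dumps = parse_dumps(SAMPLE_DUMPS)
    for d in dumps:
        mark = "" if d["size_ok"] else "  <-- listed size does not match range"
        print(f"pid {d['pid']} seq {d['seq']} {d['start']:#010x}-{d['end']:#010x} "
              f"{fmt_size(d['size'])}{mark}")
    for (s, e), pids in shared_regions(dumps).items():
        print(f"shared {s:#010x}-{e:#010x} in pids {pids}")
    for pid, s, e in candidate_injected_images(dumps):
        print(f"possible injected image: pid {pid} {s:#010x}-{e:#010x}")
```

The 240KB region in PID 2392 is the dump to carve first: the listed on-disk size of the dropper is 309KB and its own mapped image in PID 1232 is the 336KB region at 0x8D0000, so the smaller 0x400000 image in RegAsm.exe is the unpacked AgentTesla stage rather than a copy of the dropper.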