Analysis
- max time kernel: 150s
- max time network: 112s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:44
Static task: static1
Behavioral task: behavioral1
- Sample: Payment Swift #INV0189733-pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Payment Swift #INV0189733-pdf.exe
- Resource: win10v2004-20220414-en
General
- Target: Payment Swift #INV0189733-pdf.exe
- Size: 674KB
- MD5: 041a15f94d91d76249e1f18726779af6
- SHA1: a142fb148f008e8492b9068d419692884ae0167d
- SHA256: b5092e8fd4d7a8b9649b376301ea125eb63d8a5a04360c87a8140200ff31c478
- SHA512: 7181a863c493df25c1bd874653ddc4ceb9e4ed036b8059326564ba7f1ec6f36951cde910507f5761b0d5a3448c0140ce6c30cb7720b01cfc481e9c3d4d7801e8
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.exgold-co.tk
- Port: 587
- Username: [email protected]
- Password: 001commander
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes (resource, yara_rule):
  behavioral2/memory/3704-137-0x0000000000400000-0x000000000045A000-memory.dmp  family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
  process: Payment Swift #INV0189733-pdf.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description: PID 2684 set thread context of 3704
  pid: 2684
  process: Payment Swift #INV0189733-pdf.exe
  target process: Payment Swift #INV0189733-pdf.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes (pid, process); repeated entries collapsed with their count:
  2684  Payment Swift #INV0189733-pdf.exe  (13 entries)
  3704  Payment Swift #INV0189733-pdf.exe  (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  Token: SeDebugPrivilege  2684  Payment Swift #INV0189733-pdf.exe
  Token: SeDebugPrivilege  3704  Payment Swift #INV0189733-pdf.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description, pid, process, target process); repeated entries collapsed with their count:
  PID 2684 wrote to memory of 3856  2684  Payment Swift #INV0189733-pdf.exe  schtasks.exe  (3 entries)
  PID 2684 wrote to memory of 1448  2684  Payment Swift #INV0189733-pdf.exe  Payment Swift #INV0189733-pdf.exe  (3 entries)
  PID 2684 wrote to memory of 460   2684  Payment Swift #INV0189733-pdf.exe  Payment Swift #INV0189733-pdf.exe  (3 entries)
  PID 2684 wrote to memory of 3948  2684  Payment Swift #INV0189733-pdf.exe  Payment Swift #INV0189733-pdf.exe  (3 entries)
  PID 2684 wrote to memory of 3704  2684  Payment Swift #INV0189733-pdf.exe  Payment Swift #INV0189733-pdf.exe  (8 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Swift #INV0189733-pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Swift #INV0189733-pdf.exe"
  Depth: 1
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zBernDqBhwj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp29FE.tmp"
    Depth: 2
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Payment Swift #INV0189733-pdf.exe
    Command line: "{path}"
    Depth: 2
  - C:\Users\Admin\AppData\Local\Temp\Payment Swift #INV0189733-pdf.exe
    Command line: "{path}"
    Depth: 2
  - C:\Users\Admin\AppData\Local\Temp\Payment Swift #INV0189733-pdf.exe
    Command line: "{path}"
    Depth: 2
  - C:\Users\Admin\AppData\Local\Temp\Payment Swift #INV0189733-pdf.exe
    Command line: "{path}"
    Depth: 2
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment Swift #INV0189733-pdf.exe.log
  Filesize: 496B
  MD5: 7baa6583f69f63f7230df9bf98448356
  SHA1: fe9eb85b57192362da704a3c130377fe83862320
  SHA256: a632504621b4cac1d5ba5465c7ad9b30f3d036e9838682506782124a211bed4f
  SHA512: 0e72541791281c0fdac1f5fc6beea0b9eb8766b2a386aecb92cb8a44e5b59b7114c79194393ddeff957ffe86021a311caed7ce2731b863d97ad441870efbc051
- C:\Users\Admin\AppData\Local\Temp\tmp29FE.tmp
  Filesize: 1KB
  MD5: e9428daedb206e4cfacb4dc483a7afbd
  SHA1: 18730fb880a574907584e1ecc20df8a4a41a7b04
  SHA256: d56149b9d0f59215075088b0336b653729258b4824b59b1446be507423d8c270
  SHA512: de8f539dc5a66638e433d17cab20c565764bd81316efd36766013c393d20f8d3274ef1589cc05cc34e1d40e069b81df9ba82a59f6c6958049e4ef70439ebed31
- memory/460-134-0x0000000000000000-mapping.dmp
- memory/1448-133-0x0000000000000000-mapping.dmp
- memory/2684-130-0x0000000074930000-0x0000000074EE1000-memory.dmp
  Filesize: 5.7MB
- memory/3704-136-0x0000000000000000-mapping.dmp
- memory/3704-137-0x0000000000400000-0x000000000045A000-memory.dmp
  Filesize: 360KB
- memory/3704-139-0x00000000749D0000-0x0000000074F81000-memory.dmp
  Filesize: 5.7MB
- memory/3856-131-0x0000000000000000-mapping.dmp
- memory/3948-135-0x0000000000000000-mapping.dmp