Analysis
- max time kernel: 212s
- max time network: 225s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 23:51
Static task: static1
Behavioral task: behavioral1
  Sample: commission invoice.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: commission invoice.exe
  Resource: win10v2004-20220414-en
General
- Target: commission invoice.exe
- Size: 879KB
- MD5: e770121ccf7b3cddde5d6548cb9efdfe
- SHA1: 6b4fd83d704d5d597bb6e03cdc44c42839519e89
- SHA256: f7e7f9c0172ba900708b35378e311e9a29168621ed968082f3f980f81de19c54
- SHA512: 4db81351423107334c31a91bbd2707022df9f6bc5dfb262d471222f6c678d5d1a8b90abb8705af5acee80e53b59251c4d18389f06b69d881b01a39fb6376a30b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.greensudrhotel.com
- Port: 587
- Username: [email protected]
- Password: Greensudr2017
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  resource: behavioral2/memory/1976-138-0x0000000000400000-0x000000000044C000-memory.dmp
  yara_rule: family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | commission invoice.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | commission invoice.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | commission invoice.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | commission invoice.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | commission invoice.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | commission invoice.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | commission invoice.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | commission invoice.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 3696 set thread context of 1976 | 3696 | commission invoice.exe | commission invoice.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes (pid | process):
    3696 | commission invoice.exe (7 entries)
    1976 | commission invoice.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3696 | commission invoice.exe
    Token: SeDebugPrivilege | 1976 | commission invoice.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    1976 | commission invoice.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
    PID 3696 wrote to memory of 4680 | 3696 | commission invoice.exe | schtasks.exe (3 entries)
    PID 3696 wrote to memory of 1976 | 3696 | commission invoice.exe | commission invoice.exe (8 entries)
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | commission invoice.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | commission invoice.exe
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\commission invoice.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\commission invoice.exe"
  Signatures:
    - Checks BIOS information in registry
    - Checks computer location settings
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - Path: C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ATjatAotT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp822B.tmp"
    Signatures:
      - Creates scheduled task(s)
  - Path: C:\Users\Admin\AppData\Local\Temp\commission invoice.exe (depth 2)
    Command line: "{path}"
    Signatures:
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\commission invoice.exe.log
  Filesize: 599B
  MD5: 327812399a13e05d78e14626d48bc050
  SHA1: 8584cf27b3eb6f345b53bac8ba392ba227f64e22
  SHA256: 5e1d2615757ea2cc8a0b0f2c7ec0b9919f43d7fc01b53905510058cea1821224
  SHA512: dbd93336cf1f241a345027b8e111e02e2eb0156a348a377169c623df1b93e57bf5a4d416af3bae4c4739ffe9f9419b8a7a787167f7f04bcf1aeff27ca38108a9
- C:\Users\Admin\AppData\Local\Temp\tmp822B.tmp
  Filesize: 1KB
  MD5: 187753f65592c31f5c95d63d62fc7117
  SHA1: 72796788e0b95f356e39e0ebc135014e25baf575
  SHA256: f83aab355e9183763e508903046641a76644effaae01ba7584ddf74b0149300f
  SHA512: eb01b6217f218558e2d22e246629ce0f3941c61fc90e23646d188f172d1f896dac8d3f1b8d7112d494cb328a6677650c0af9db93f7163ec069b6d2d20b7846c8
- memory/1976-137-0x0000000000000000-mapping.dmp
- memory/1976-138-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1976-140-0x0000000006E20000-0x0000000006E70000-memory.dmp
  Filesize: 320KB
- memory/1976-141-0x0000000001780000-0x000000000178A000-memory.dmp
  Filesize: 40KB
- memory/3696-130-0x0000000000360000-0x0000000000442000-memory.dmp
  Filesize: 904KB
- memory/3696-131-0x0000000005590000-0x0000000005B34000-memory.dmp
  Filesize: 5.6MB
- memory/3696-132-0x0000000005180000-0x0000000005212000-memory.dmp
  Filesize: 584KB
- memory/3696-133-0x00000000052C0000-0x000000000535C000-memory.dmp
  Filesize: 624KB
- memory/3696-134-0x000000000B890000-0x000000000B8F6000-memory.dmp
  Filesize: 408KB
- memory/4680-135-0x0000000000000000-mapping.dmp