Analysis
-
max time kernel
185s -
max time network
192s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 01:10
Static task
static1
Behavioral task
behavioral1
Sample
INV.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
INV.exe
Resource
win10v2004-20220414-en
General
-
Target
INV.exe
-
Size
853KB
-
MD5
38670fbeb0f4e40e3f76149027ebe5fa
-
SHA1
80d1f1a7b469676b66b0c98bcaec5410470b0e99
-
SHA256
c8613cbe02f1e23ab87fcce103efa89cc8da78705c42ca373fa45f3d213b9f5a
-
SHA512
c6f30a191e6a2fe83e7ded892cbecb8d4ed1d4c778b8e3d5f083a311aad4c40f951016c8576e4454e8a7f52fd70e75a0b43629e034c9334508740cee6fd889bc
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
ezesundayngma
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
ezesundayngma
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/828-138-0x0000000000960000-0x00000000009BA000-memory.dmp family_agenttesla behavioral2/memory/828-137-0x0000000000960000-0x00000000009BA000-memory.dmp family_agenttesla -
Drops startup file 1 IoCs
Processes:
notepad.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Data.vbs notepad.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
INV.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
INV.exedescription pid process target process PID 664 set thread context of 828 664 INV.exe INV.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
INV.exeINV.exepid process 664 INV.exe 664 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe 4352 INV.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
INV.exepid process 664 INV.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
INV.exedescription pid process Token: SeDebugPrivilege 828 INV.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
INV.exedescription pid process target process PID 664 wrote to memory of 1596 664 INV.exe notepad.exe PID 664 wrote to memory of 1596 664 INV.exe notepad.exe PID 664 wrote to memory of 1596 664 INV.exe notepad.exe PID 664 wrote to memory of 1596 664 INV.exe notepad.exe PID 664 wrote to memory of 1596 664 INV.exe notepad.exe PID 664 wrote to memory of 828 664 INV.exe INV.exe PID 664 wrote to memory of 828 664 INV.exe INV.exe PID 664 wrote to memory of 828 664 INV.exe INV.exe PID 664 wrote to memory of 4352 664 INV.exe INV.exe PID 664 wrote to memory of 4352 664 INV.exe INV.exe PID 664 wrote to memory of 4352 664 INV.exe INV.exe -
outlook_office_path 1 IoCs
Processes:
INV.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV.exe -
outlook_win_path 1 IoCs
Processes:
INV.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\INV.exe"C:\Users\Admin\AppData\Local\Temp\INV.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"2⤵
- Drops startup file
PID:1596 -
C:\Users\Admin\AppData\Local\Temp\INV.exe"C:\Users\Admin\AppData\Local\Temp\INV.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:828 -
C:\Users\Admin\AppData\Local\Temp\INV.exe"C:\Users\Admin\AppData\Local\Temp\INV.exe" 2 828 2405839532⤵
- Suspicious behavior: EnumeratesProcesses
PID:4352
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/664-131-0x00000000022C0000-0x00000000022CF000-memory.dmpFilesize
60KB
-
memory/828-133-0x0000000000000000-mapping.dmp
-
memory/828-138-0x0000000000960000-0x00000000009BA000-memory.dmpFilesize
360KB
-
memory/828-137-0x0000000000960000-0x00000000009BA000-memory.dmpFilesize
360KB
-
memory/828-139-0x0000000073E50000-0x0000000074401000-memory.dmpFilesize
5.7MB
-
memory/1596-132-0x0000000000000000-mapping.dmp
-
memory/4352-134-0x0000000000000000-mapping.dmp