Analysis
- max time kernel: 104s
- max time network: 103s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 01:31
Static task: static1
Behavioral task: behavioral1
  Sample: INV001.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: INV001.exe
  Resource: win10v2004-20220414-en
General
- Target: INV001.exe
- Size: 433KB
- MD5: 8653227bbe999935f8e9b088ceb39edc
- SHA1: e210a370fd4fcdb72c097c17edef4b5afd726542
- SHA256: d09cbb481136d7766db12c79dc6c82fee1eb89056d4e7b8bc989a7a5d38467af
- SHA512: bbbbf945176804261628162dd13aa46e010e7ed1c6c46318743c4bbd912ae36ac660e2734d6a03384ff268a4bf12dbf67d1089eefb3e379793685bde90f256b2
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: [email protected]
- Password: !9aT1sz8?9SqN
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
    resource: behavioral2/memory/4616-139-0x0000000000400000-0x0000000000452000-memory.dmp
    yara_rule: family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation (INV001.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (INV001.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (INV001.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (INV001.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 396 (INV001.exe) set thread context of PID 4616 (INV001.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
    PID 396 INV001.exe (7 IoCs)
    PID 4616 INV001.exe (2 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege, PID 396 (INV001.exe)
    Token: SeDebugPrivilege, PID 4616 (INV001.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    PID 4616 INV001.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
    PID 396 (INV001.exe) wrote to memory of PID 3412 (schtasks.exe), 3 IoCs
    PID 396 (INV001.exe) wrote to memory of PID 4556 (INV001.exe), 3 IoCs
    PID 396 (INV001.exe) wrote to memory of PID 4532 (INV001.exe), 3 IoCs
    PID 396 (INV001.exe) wrote to memory of PID 4616 (INV001.exe), 8 IoCs
    PID 4616 (INV001.exe) wrote to memory of PID 1964 (netsh.exe), 3 IoCs
- outlook_office_path (1 IoC)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (INV001.exe)
- outlook_win_path (1 IoC)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (INV001.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\INV001.exe (PID 396, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\INV001.exe"
  Signatures:
    Checks computer location settings
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\schtasks.exe (PID 3412, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GmJplnEAhO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF32.tmp"
    Signatures:
      Creates scheduled task(s)
  - Child: C:\Users\Admin\AppData\Local\Temp\INV001.exe (PID 4556, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\INV001.exe"
  - Child: C:\Users\Admin\AppData\Local\Temp\INV001.exe (PID 4532, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\INV001.exe"
  - Child: C:\Users\Admin\AppData\Local\Temp\INV001.exe (PID 4616, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\INV001.exe"
    Signatures:
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      outlook_office_path
      outlook_win_path
    - Child: C:\Windows\SysWOW64\netsh.exe (PID 1964, depth 3)
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INV001.exe.log
  Filesize: 507B
  MD5: 8cf94b5356be60247d331660005941ec
  SHA1: fdedb361f40f22cb6a086c808fc0056d4e421131
  SHA256: 52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0
  SHA512: b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651
- C:\Users\Admin\AppData\Local\Temp\tmpF32.tmp
  Filesize: 1KB
  MD5: ccf2d235874e644ab125c1d981c453bd
  SHA1: bb74232de29b4985ffc4993be4615acfdd946ac2
  SHA256: 6e5168344fe0f845fbd48df8bb71bbcb2ac235ee1d009396baf7f77d3744313a
  SHA512: 37f5ce9f9d86de9f3451392fecb37238f5c507e29cb1d6b2b07eb2386c9c571ad3be2a245a0506279308b04beb8e5a8617ec0f239d721a3109fa60547fe6fb50