Analysis
-
max time kernel
150s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 01:31
General
-
Target
Invoice.exe
-
Size
430KB
-
MD5
cd9794b192b65afe8eb044f5da433695
-
SHA1
ce0c3552c8da19531b70150f6e406528c45549de
-
SHA256
ef96df6ea910efa18ab195dcdc724bb1f405d520862da83da33ce31a7f405c47
-
SHA512
e246255c1fc3149b1d0312df95721a455b1e084bf79ca561bffffba6b3d286adad21604b6d497c71ebadfdc8e25e14c4e84f2ba28f4fbe817fe011e7ebea0ab9
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.privateemail.com - Port:
587 - Username:
[email protected] - Password:
coronavirus2020
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 6 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDVVAnmyeTaAna" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3BE9.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp3BE9.tmpFilesize
1KB
MD5a7a01e190d224cadb2a60e00fcbba050
SHA12f1cb2adc811e1caca46ad3f45b96bc2f8a2c77a
SHA25687c6c0a59286d26c684b3aab7a2af1b1160430c437059a784bd3789f0cb4a977
SHA512f7106c9ccc2e8e7fecc4cbb3e5868aafed32b32819985ec28e9b532144d3e515bb6dbe268b72f73f3192ab5d1eb296304f8aa8ef2ba03fd1e24ac56769e373c2
-
memory/532-54-0x0000000075701000-0x0000000075703000-memory.dmpFilesize
8KB
-
memory/532-55-0x0000000074300000-0x00000000748AB000-memory.dmpFilesize
5.7MB
-
memory/936-56-0x0000000000000000-mapping.dmp
-
memory/2000-61-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2000-59-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2000-58-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2000-62-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2000-63-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2000-64-0x00000000004470FE-mapping.dmp
-
memory/2000-66-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2000-68-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2000-70-0x0000000074290000-0x000000007483B000-memory.dmpFilesize
5.7MB