Analysis
- max time kernel: 150s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 01:31
- Static task: static1
- Behavioral task: behavioral1 (Sample: 5X40ft Containers.exe, Resource: win7-20220414-en)
- Behavioral task: behavioral2 (Sample: 5X40ft Containers.exe, Resource: win10v2004-20220414-en)
- Behavioral task: behavioral3 (Sample: Invoice.exe, Resource: win7-20220414-en)
- Behavioral task: behavioral4 (Sample: Invoice.exe, Resource: win10v2004-20220414-en)
General
- Target: Invoice.exe
- Size: 430KB
- MD5: cd9794b192b65afe8eb044f5da433695
- SHA1: ce0c3552c8da19531b70150f6e406528c45549de
- SHA256: ef96df6ea910efa18ab195dcdc724bb1f405d520862da83da33ce31a7f405c47
- SHA512: e246255c1fc3149b1d0312df95721a455b1e084bf79ca561bffffba6b3d286adad21604b6d497c71ebadfdc8e25e14c4e84f2ba28f4fbe817fe011e7ebea0ab9
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.privateemail.com
- Port: 587
- Username: [email protected]
- Password: coronavirus2020
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET. The extracted config above is its exfiltration channel: harvested credentials are mailed out over SMTP (here to smtp.privateemail.com on port 587) using the embedded account.
-
AgentTesla Payload 6 IoCs
Processes (resource: yara_rule):
- behavioral3/memory/2000-61-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
- behavioral3/memory/2000-62-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
- behavioral3/memory/2000-63-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
- behavioral3/memory/2000-64-0x00000000004470FE-mapping.dmp: family_agenttesla
- behavioral3/memory/2000-66-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
- behavioral3/memory/2000-68-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
- Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
- Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description | pid | process | target process):
- set thread context | PID 532 -> 2000 | Invoice.exe | MSBuild.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned note rates this as likely ransomware behaviour; for an Agent Tesla stealer it is more consistent with drive enumeration during host fingerprinting, so weight it accordingly.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid | process):
- 2000 | MSBuild.exe
- 2000 | MSBuild.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description | pid | process):
- Token: SeDebugPrivilege | 2000 | MSBuild.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid | process):
- 2000 | MSBuild.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes (description | pid | process | target process):
- wrote to memory | PID 532 -> 936 | Invoice.exe | schtasks.exe (4 IoCs)
- wrote to memory | PID 532 -> 2000 | Invoice.exe | MSBuild.exe (9 IoCs)
-
outlook_office_path 1 IoCs
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
-
outlook_win_path 1 IoCs
Processes (description | ioc | process):
- Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice.exe (PID 532, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe (PID 936, depth 2, child of 532)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDVVAnmyeTaAna" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3BE9.tmp"
    (The 32-bit loader asks for System32; WoW64 file-system redirection resolves it to SysWOW64. The task definition is the 1KB tmp3BE9.tmp listed under Downloads.)
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 2000, depth 2, child of 532)
    Command line: "{path}"
    (The sandbox's placeholder for the image path: MSBuild was started with no project argument, then overwritten via WriteProcessMemory/SetThreadContext. The 304KB region at 0x400000-0x44C000 that the family_agenttesla YARA rule hits is the hollowed-in payload.)
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
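As an added example (not sandbox output and not Agent Tesla's code), the Python below turns the behaviour chain in this report into detection logic and runs it over constructed event records that mirror the IoCs above: a non-build parent writing into and setting the thread context of MSBuild.exe, a schtasks /Create whose /XML lives in %TEMP%, and registry opens of the Outlook profile subkey. The event field names and the MSBUILD_LEGIT_PARENTS allow-list are assumptions, not a real Sysmon schema.

```python
"""Triage the report's behaviour chain over constructed events.

Added example, not sandbox or Agent Tesla code. Event field names and the
MSBUILD_LEGIT_PARENTS allow-list are assumptions, not a real Sysmon schema.
"""
import re
from typing import Dict, Iterable, List

# Outlook keeps per-account settings (including stored mail passwords) under
# this well-known profile subkey, reached via the versioned Office path or via
# the Windows Messaging Subsystem path. Both paths appear in the report.
OUTLOOK_PROFILE_GUID = "9375CFF0413111d3B88A00104B2A6676"
OUTLOOK_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\(?P<ver>\d+\.0)\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)"
    r"\\Profiles\\[^\\]+\\" + OUTLOOK_PROFILE_GUID + r"$",
    re.IGNORECASE,
)

# Assumed allow-list: images that normally spawn or touch MSBuild.exe.
MSBUILD_LEGIT_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}


def classify_outlook_key(key: str) -> str:
    """Return 'outlook_office_path', 'outlook_win_path' or '' for a registry path."""
    m = OUTLOOK_KEY_RE.search(key)
    if not m:
        return ""
    return "outlook_office_path" if m.group("ver") else "outlook_win_path"


def parse_schtasks(cmdline: str) -> Dict[str, object]:
    """Extract /TN and /XML from a schtasks /Create line; flag an XML under %TEMP%."""
    out: Dict[str, object] = {}
    for flag in ("TN", "XML"):
        m = re.search(r"/%s\s+\"?([^\"]+?)\"?(?:\s|$)" % flag, cmdline, re.IGNORECASE)
        if m:
            out[flag.lower()] = m.group(1)
    out["xml_in_temp"] = bool(
        re.search(r"\\AppData\\Local\\Temp\\", str(out.get("xml", "")), re.IGNORECASE))
    return out


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[dict]) -> List[str]:
    """Walk the event stream once and emit one finding per distinct indicator."""
    events = list(events)
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process_create"}
    findings: List[str] = []
    seen = set()
    for ev in events:
        t = ev["type"]
        if t in ("set_thread_context", "write_process_memory"):
            src = procs.get(ev["pid"], {}).get("image", "?")
            tgt = procs.get(ev["target_pid"], {})
            key = (t, ev["pid"], ev["target_pid"])
            if (_basename(tgt.get("image", "")) == "msbuild.exe"
                    and _basename(src) not in MSBUILD_LEGIT_PARENTS and key not in seen):
                seen.add(key)  # the report logs 9 identical writes; report once
                findings.append(f"possible hollowing: {t} by pid {ev['pid']} ({_basename(src)}) "
                                f"into pid {ev['target_pid']} (MSBuild.exe, cmdline {tgt.get('cmdline')!r})")
        elif (t == "process_create" and _basename(ev["image"]) == "schtasks.exe"
                and "/create" in ev["cmdline"].lower()):
            info = parse_schtasks(ev["cmdline"])
            if info["xml_in_temp"]:
                findings.append(f"persistence: task {info.get('tn')!r} defined by XML in %TEMP% ({info.get('xml')})")
        elif t == "reg_key_open":
            label = classify_outlook_key(ev["key"])
            if label:
                findings.append(f"{label}: pid {ev['pid']} opened {ev['key']}")
    return findings


# Constructed events mirroring the report's process tree and IoCs.
SID = "S-1-5-21-1819626980-2277161760-1023733287-1000"


def _hku(subkey: str) -> str:
    return "\\REGISTRY\\USER\\" + SID + "\\" + subkey


SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 532, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Invoice.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Invoice.exe"'},
    {"type": "process_create", "pid": 936, "ppid": 532,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDVVAnmyeTaAna" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3BE9.tmp"'},
    {"type": "process_create", "pid": 2000, "ppid": 532,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe", "cmdline": '"{path}"'},
    {"type": "write_process_memory", "pid": 532, "target_pid": 2000},
    {"type": "write_process_memory", "pid": 532, "target_pid": 2000},
    {"type": "set_thread_context", "pid": 532, "target_pid": 2000},
    {"type": "reg_key_open", "pid": 2000,
     "key": _hku(r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook" + "\\" + OUTLOOK_PROFILE_GUID)},
    {"type": "reg_key_open", "pid": 2000,
     "key": _hku(r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook"
                 + "\\" + OUTLOOK_PROFILE_GUID)},
    {"type": "reg_key_open", "pid": 2000,
     "key": _hku(r"Software\Microsoft\Windows\CurrentVersion\Run")},  # benign control, not flagged
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed stream it yields five findings: two for the MSBuild.exe hollowing (one per API, the repeated writes collapsed), one for the scheduled task defined from tmp3BE9.tmp, and one each for the Office-versioned and Windows Messaging Subsystem Outlook profile keys; the Run key open is left alone. Feeding it real Sysmon data would mean mapping event IDs 1, 8/10 and 12/13 onto these record types.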
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp3BE9.tmp
  Filesize: 1KB
  MD5: a7a01e190d224cadb2a60e00fcbba050
  SHA1: 2f1cb2adc811e1caca46ad3f45b96bc2f8a2c77a
  SHA256: 87c6c0a59286d26c684b3aab7a2af1b1160430c437059a784bd3789f0cb4a977
  SHA512: f7106c9ccc2e8e7fecc4cbb3e5868aafed32b32819985ec28e9b532144d3e515bb6dbe268b72f73f3192ab5d1eb296304f8aa8ef2ba03fd1e24ac56769e373c2
-
memory/532-54-0x0000000075701000-0x0000000075703000-memory.dmp (Filesize: 8KB)
-
memory/532-55-0x0000000074300000-0x00000000748AB000-memory.dmp (Filesize: 5.7MB)
-
memory/936-56-0x0000000000000000-mapping.dmp
-
memory/2000-61-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
-
memory/2000-59-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
-
memory/2000-58-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
-
memory/2000-62-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
-
memory/2000-63-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
-
memory/2000-64-0x00000000004470FE-mapping.dmp
-
memory/2000-66-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
-
memory/2000-68-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
-
memory/2000-70-0x0000000074290000-0x000000007483B000-memory.dmp (Filesize: 5.7MB)