Analysis
max time kernel: 137s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 01:31
Static task: static1
Behavioral task: behavioral1 - Sample: 5X40ft Containers.exe - Resource: win7-20220414-en
Behavioral task: behavioral2 - Sample: 5X40ft Containers.exe - Resource: win10v2004-20220414-en
Behavioral task: behavioral3 - Sample: Invoice.exe - Resource: win7-20220414-en
Behavioral task: behavioral4 - Sample: Invoice.exe - Resource: win10v2004-20220414-en
General
Target: Invoice.exe
Size: 430KB
MD5: cd9794b192b65afe8eb044f5da433695
SHA1: ce0c3552c8da19531b70150f6e406528c45549de
SHA256: ef96df6ea910efa18ab195dcdc724bb1f405d520862da83da33ce31a7f405c47
SHA512: e246255c1fc3149b1d0312df95721a455b1e084bf79ca561bffffba6b3d286adad21604b6d497c71ebadfdc8e25e14c4e84f2ba28f4fbe817fe011e7ebea0ab9
Malware Config
Extracted
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: coronavirus2020
Extracted
Family: agenttesla
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: [email protected]
Password: coronavirus2020
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 1 IoCs
Processes:
resource: behavioral4/memory/316-134-0x0000000000400000-0x000000000044C000-memory.dmp
yara_rule: family_agenttesla
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Invoice.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
process: Invoice.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
MSBuild.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
process: MSBuild.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
process: MSBuild.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
process: MSBuild.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Invoice.exe
description: PID 3196 set thread context of 316
pid: 3196
process: Invoice.exe
target process: MSBuild.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Invoice.exe, MSBuild.exe
pid: 3196  process: Invoice.exe
pid: 316  process: MSBuild.exe
pid: 316  process: MSBuild.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Invoice.exe, MSBuild.exe
description: Token: SeDebugPrivilege  pid: 3196  process: Invoice.exe
description: Token: SeDebugPrivilege  pid: 316  process: MSBuild.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
MSBuild.exe
pid: 316  process: MSBuild.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Invoice.exe
description: PID 3196 wrote to memory of 4456  pid: 3196  process: Invoice.exe  target process: schtasks.exe
description: PID 3196 wrote to memory of 4456  pid: 3196  process: Invoice.exe  target process: schtasks.exe
description: PID 3196 wrote to memory of 4456  pid: 3196  process: Invoice.exe  target process: schtasks.exe
description: PID 3196 wrote to memory of 316  pid: 3196  process: Invoice.exe  target process: MSBuild.exe
description: PID 3196 wrote to memory of 316  pid: 3196  process: Invoice.exe  target process: MSBuild.exe
description: PID 3196 wrote to memory of 316  pid: 3196  process: Invoice.exe  target process: MSBuild.exe
description: PID 3196 wrote to memory of 316  pid: 3196  process: Invoice.exe  target process: MSBuild.exe
description: PID 3196 wrote to memory of 316  pid: 3196  process: Invoice.exe  target process: MSBuild.exe
description: PID 3196 wrote to memory of 316  pid: 3196  process: Invoice.exe  target process: MSBuild.exe
description: PID 3196 wrote to memory of 316  pid: 3196  process: Invoice.exe  target process: MSBuild.exe
description: PID 3196 wrote to memory of 316  pid: 3196  process: Invoice.exe  target process: MSBuild.exe
-
outlook_office_path 1 IoCs
Processes:
MSBuild.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
process: MSBuild.exe
-
outlook_win_path 1 IoCs
Processes:
MSBuild.exe
description: Key opened
ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
process: MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3196
-
  C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EDVVAnmyeTaAna" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC553.tmp"
  - Creates scheduled task(s)
  PID: 4456
-
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
  Command line: "{path}"
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID: 316
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpC553.tmp
Filesize: 1KB
MD5: 53b88a9d92d7e3e4c75759cb05f3504f
SHA1: 8c0725ff645dc828580378c45cc2152a68a027c5
SHA256: e91e3772f70b395c26ad65ea0a49c0d308344c31f1dfe047ebf8e184b65eb890
SHA512: 2836076d359ed730db6d1e02db0e46eafd32136a68de7a64bb6525675a5e0d51b6b73515c263bfd3b8709bf34aee50ae673cb246228b84aafd521fbac201e321
-
memory/316-133-0x0000000000000000-mapping.dmp
-
memory/316-134-0x0000000000400000-0x000000000044C000-memory.dmp
Filesize: 304KB
-
memory/316-135-0x0000000075360000-0x0000000075911000-memory.dmp
Filesize: 5.7MB
-
memory/3196-130-0x0000000075360000-0x0000000075911000-memory.dmp
Filesize: 5.7MB
-
memory/4456-131-0x0000000000000000-mapping.dmp