Analysis

- max time kernel: 150s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 03:30

- Static task: static1
- Behavioral task: behavioral1
  - Sample: LEGAL ACTION ON YOUR COMPANY FOR LONG OVERDUE INVOICE.exe
  - Resource: win7-20220414-en (windows7_x64)
  - 0 signatures, 0 seconds
General

- Target: LEGAL ACTION ON YOUR COMPANY FOR LONG OVERDUE INVOICE.exe
- Size: 411KB
- MD5: cff3e5019bd36f4a7596fe229c9e6a2f
- SHA1: b7d7e42f24cb3c3ef10497a64398a888790dcbb0
- SHA256: 9950693e7a2ed5a37008ea3a7c2a185132af4f3fedfbbba41fb03939dadb8044
- SHA512: 67e13ab5417c8751b956fd429b13fe11291d0263699c4e8f253b7ab4e266b4b2afb1411ed0907b69d84c549d03c7f5398ff885d864899d743d200f7a222b5031
Malware Config

Extracted

- Family: agenttesla
- Credentials:
  - Protocol: smtp
  - Host: mail.hotel71.com.bd
  - Port: 587
  - Username: [email protected]
  - Password: 9+^va&phP1v9
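The extracted config is the only network indicator this report yields: Agent Tesla pushes harvested credentials out through an SMTP submission session to the mailbox above. The following is an added hunting example, not part of the sandbox report. The C2 host and port are taken from the config; the connection-log format, the sample records and the mail-client allowlist are assumptions made for illustration.

```python
"""Hunt for the Agent Tesla SMTP exfiltration channel in connection logs.

Added example; it is not part of the sandbox report. The C2 host and port
come from the extracted config above; everything else (log format, sample
records, the mail-client allowlist) is an assumption made for illustration.
"""
from dataclasses import dataclass

# Indicators lifted from the extracted Agent Tesla config.
C2_HOST = "mail.hotel71.com.bd"
C2_PORT = 587

# Constructed endpoint connection records, one per line (assumed format):
# <timestamp> <src_ip> <dst_host> <dst_port> <proto> <process image>
SAMPLE_CONN_LOG = """\
2022-05-21T03:31:02Z 10.0.0.15 mail.hotel71.com.bd 587 tcp RegSvcs.exe
2022-05-21T03:31:05Z 10.0.0.15 outlook.office365.com 443 tcp OUTLOOK.EXE
2022-05-21T03:31:09Z 10.0.0.22 smtp.corp.example 587 tcp OUTLOOK.EXE
2022-05-21T03:31:12Z 10.0.0.15 mail.hotel71.com.bd 587 tcp RegSvcs.exe
2022-05-21T03:32:40Z 10.0.0.31 203.0.113.5 587 tcp RegAsm.exe
"""

SMTP_PORTS = {25, 465, 587}
# Processes expected to speak SMTP from a workstation (assumed allowlist).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    port: int
    proto: str
    process: str


@dataclass(frozen=True)
class Finding:
    conn: Conn
    reason: str


def parse_conn_log(text: str) -> list[Conn]:
    """Parse the constructed whitespace-separated format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, proc = line.split(maxsplit=5)
        conns.append(Conn(ts, src, dst.lower(), int(port), proto, proc))
    return conns


def hunt_smtp_exfil(text: str, c2_hosts=frozenset({C2_HOST}), c2_port=C2_PORT) -> list[Finding]:
    """Two checks: an exact hit on the configured C2 and a behavioural one.

    The exact match catches this sample; the behavioural rule (SMTP submission
    from a process that is not a mail client) also catches re-packed samples
    whose config points at a different mailbox.
    """
    findings = []
    for c in parse_conn_log(text):
        if c.dst in c2_hosts and c.port == c2_port:
            findings.append(Finding(c, "known Agent Tesla SMTP C2"))
        elif c.port in SMTP_PORTS and c.process.lower() not in MAIL_CLIENTS:
            findings.append(Finding(c, "SMTP submission from non-mail-client process"))
    return findings


if __name__ == "__main__":
    for f in hunt_smtp_exfil(SAMPLE_CONN_LOG):
        print(f"{f.conn.ts} {f.conn.process} -> {f.conn.dst}:{f.conn.port}  [{f.reason}]")
```

The behavioural rule is the one worth keeping after this sample is blocked: the mailbox in the config changes from build to build, but a .NET framework utility such as RegSvcs.exe opening port 587 does not become legitimate.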
Signatures

- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It harvests saved credentials from browsers, mail and FTP clients and sends them out over SMTP, FTP or HTTP; the SMTP mailbox in the extracted config above is this sample's exfiltration channel.

- AgentTesla Payload (1 IoC)
  resource: behavioral2/memory/4384-136-0x0000000000400000-0x0000000000450000-memory.dmp
  yara_rule: family_agenttesla

- Disables Task Manager via registry modification

- Drops file in Drivers directory (1 IoC)
  description: File opened for modification
  ioc: C:\Windows\system32\drivers\etc\hosts
  process: RegSvcs.exe
  (The path is the hosts resolver file, not a driver: the signature fires on a hosts-file edit, which should be diffed against a clean copy during response.)

- Suspicious use of SetThreadContext (1 IoC)
  description: PID 4156 set thread context of 4384
  pid: 4156
  process: LEGAL ACTION ON YOUR COMPANY FOR LONG OVERDUE INVOICE.exe
  target process: RegSvcs.exe
  (Together with the WriteProcessMemory events below this is the process-hollowing pattern: the lure starts a legitimate .NET utility and replaces its image with the Agent Tesla payload, which is why the payload YARA hit is in RegSvcs.exe's memory rather than in the lure.)

- Program crash (1 IoC)
  pid: 3700
  pid_target: 4384
  process: WerFault.exe
  target process: RegSvcs.exe

- Modifies registry key (1 TTP, 1 IoC)

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 4384, process: RegSvcs.exe
  pid: 4384, process: RegSvcs.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 4384
  process: RegSvcs.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 4156 wrote to memory of 4384 (LEGAL ACTION ON YOUR COMPANY FOR LONG OVERDUE INVOICE.exe -> RegSvcs.exe): 8 events
  PID 4384 wrote to memory of 1640 (RegSvcs.exe -> REG.exe): 3 events
Processes

- C:\Users\Admin\AppData\Local\Temp\LEGAL ACTION ON YOUR COMPANY FOR LONG OVERDUE INVOICE.exe (PID 4156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\LEGAL ACTION ON YOUR COMPANY FOR LONG OVERDUE INVOICE.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4384)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\REG.exe (PID 1640)
      Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      - Modifies registry key
    - C:\Windows\SysWOW64\WerFault.exe (PID 3700)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 1560
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 1472)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4384 -ip 4384
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1640-138-0x0000000000000000-mapping.dmp
- memory/4156-130-0x0000000000E00000-0x0000000000E6E000-memory.dmp (440KB)
- memory/4156-131-0x0000000005E20000-0x00000000063C4000-memory.dmp (5.6MB)
- memory/4156-132-0x0000000005870000-0x0000000005902000-memory.dmp (584KB)
- memory/4156-133-0x0000000005810000-0x000000000581A000-memory.dmp (40KB)
- memory/4156-134-0x0000000009310000-0x00000000093AC000-memory.dmp (624KB)
- memory/4384-135-0x0000000000000000-mapping.dmp
- memory/4384-136-0x0000000000400000-0x0000000000450000-memory.dmp (320KB)
- memory/4384-137-0x00000000066D0000-0x0000000006736000-memory.dmp (408KB)
- memory/4384-139-0x0000000006EE0000-0x0000000006F30000-memory.dmp (320KB)