Analysis
- max time kernel: 113s
- max time network: 48s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 11:19
Static task: static1
Behavioral task: behavioral1
- Sample: Payment Invoice.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Payment Invoice.exe
- Resource: win10v2004-20220414-en
General
- Target: Payment Invoice.exe
- Size: 556KB
- MD5: 53ec9b92d822d12887d144d5e2066bef
- SHA1: ef55bbcab42a3ef5ee0070adf2b1c176dfeea4d0
- SHA256: 1a32b479225283f435fe37ea7490bd319063d0cbf88ba6845821aa4eadbbdc91
- SHA512: 6685ca80b210e740bac3a0910c803b27dac2840a9b17c24dd0256b8afbce7cbb063b713e63f488179979e118434ca8ea49f542f414e1c402f71462897f705d7b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: [email protected]
- Password: mmm777
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral1/memory/1392-61-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
    behavioral1/memory/1392-62-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
    behavioral1/memory/1392-63-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
    behavioral1/memory/1392-64-0x000000000044775E-mapping.dmp                    family_agenttesla
    behavioral1/memory/1392-66-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
    behavioral1/memory/1392-68-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
- Drops file in Drivers directory (1 IoC)
  Processes:
    description: File opened for modification
    ioc: C:\Windows\system32\drivers\etc\hosts
    process: Payment Invoice.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Payment Invoice.exe

    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Payment Invoice.exe

    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Payment Invoice.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 1928 set thread context of 1392
    pid: 1928
    process: Payment Invoice.exe
    target process: Payment Invoice.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1392  Payment Invoice.exe
    1392  Payment Invoice.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege
    pid: 1392
    process: Payment Invoice.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    1392  Payment Invoice.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description                        pid   process              target process
    PID 1928 wrote to memory of 1500   1928  Payment Invoice.exe  schtasks.exe
    PID 1928 wrote to memory of 1500   1928  Payment Invoice.exe  schtasks.exe
    PID 1928 wrote to memory of 1500   1928  Payment Invoice.exe  schtasks.exe
    PID 1928 wrote to memory of 1500   1928  Payment Invoice.exe  schtasks.exe
    PID 1928 wrote to memory of 1392   1928  Payment Invoice.exe  Payment Invoice.exe
    PID 1928 wrote to memory of 1392   1928  Payment Invoice.exe  Payment Invoice.exe
    PID 1928 wrote to memory of 1392   1928  Payment Invoice.exe  Payment Invoice.exe
    PID 1928 wrote to memory of 1392   1928  Payment Invoice.exe  Payment Invoice.exe
    PID 1928 wrote to memory of 1392   1928  Payment Invoice.exe  Payment Invoice.exe
    PID 1928 wrote to memory of 1392   1928  Payment Invoice.exe  Payment Invoice.exe
    PID 1928 wrote to memory of 1392   1928  Payment Invoice.exe  Payment Invoice.exe
    PID 1928 wrote to memory of 1392   1928  Payment Invoice.exe  Payment Invoice.exe
    PID 1928 wrote to memory of 1392   1928  Payment Invoice.exe  Payment Invoice.exe
- outlook_office_path (1 IoC)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Payment Invoice.exe
- outlook_win_path (1 IoC)
  Processes:
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Payment Invoice.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe (PID 1928, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1500, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AThqfIDLqoF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9760.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe (PID 1392, depth 2)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9760.tmp
  Filesize: 1KB
  MD5: 54d91b07afd42653bac3e75140ee3a8a
  SHA1: 7a3350a26def23633b93ff34497835b527d592c0
  SHA256: b956e4d2398345fee590d005b62057b6e137cbd15d9c4a35af1b76d223a6546d
  SHA512: 0be2a7cc430319501b2570285954618ac7909435ee51f9a627e65cdfc00ac147358774cf3277d31e997f7f4aeec91ab1ecf8d4ab8bd0d7f4ecd599ee0c0f1475
- memory/1392-61-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1392-58-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1392-59-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1392-62-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1392-63-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1392-64-0x000000000044775E-mapping.dmp
- memory/1392-66-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1392-68-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1392-70-0x00000000745C0000-0x0000000074B6B000-memory.dmp (Filesize: 5.7MB)
- memory/1500-56-0x0000000000000000-mapping.dmp
- memory/1928-55-0x00000000745C0000-0x0000000074B6B000-memory.dmp (Filesize: 5.7MB)
- memory/1928-54-0x0000000074E91000-0x0000000074E93000-memory.dmp (Filesize: 8KB)