Analysis
- max time kernel: 99s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:19
Static task: static1
Behavioral task: behavioral1
- Sample: Payment Invoice.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Payment Invoice.exe
- Resource: win10v2004-20220414-en
General
- Target: Payment Invoice.exe
- Size: 556KB
- MD5: 53ec9b92d822d12887d144d5e2066bef
- SHA1: ef55bbcab42a3ef5ee0070adf2b1c176dfeea4d0
- SHA256: 1a32b479225283f435fe37ea7490bd319063d0cbf88ba6845821aa4eadbbdc91
- SHA512: 6685ca80b210e740bac3a0910c803b27dac2840a9b17c24dd0256b8afbce7cbb063b713e63f488179979e118434ca8ea49f542f414e1c402f71462897f705d7b
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: [email protected]
- Password: mmm777
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes (resource | yara_rule):
  behavioral2/memory/1524-134-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Drops file in Drivers directory (1 IoC)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | Payment Invoice.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | Payment Invoice.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payment Invoice.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payment Invoice.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payment Invoice.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 2156 set thread context of 1524 | 2156 | Payment Invoice.exe | Payment Invoice.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  1524 | Payment Invoice.exe
  1524 | Payment Invoice.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1524 | Payment Invoice.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
  1524 | Payment Invoice.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
  PID 2156 wrote to memory of 204 | 2156 | Payment Invoice.exe | schtasks.exe
  PID 2156 wrote to memory of 204 | 2156 | Payment Invoice.exe | schtasks.exe
  PID 2156 wrote to memory of 204 | 2156 | Payment Invoice.exe | schtasks.exe
  PID 2156 wrote to memory of 1524 | 2156 | Payment Invoice.exe | Payment Invoice.exe
  PID 2156 wrote to memory of 1524 | 2156 | Payment Invoice.exe | Payment Invoice.exe
  PID 2156 wrote to memory of 1524 | 2156 | Payment Invoice.exe | Payment Invoice.exe
  PID 2156 wrote to memory of 1524 | 2156 | Payment Invoice.exe | Payment Invoice.exe
  PID 2156 wrote to memory of 1524 | 2156 | Payment Invoice.exe | Payment Invoice.exe
  PID 2156 wrote to memory of 1524 | 2156 | Payment Invoice.exe | Payment Invoice.exe
  PID 2156 wrote to memory of 1524 | 2156 | Payment Invoice.exe | Payment Invoice.exe
  PID 2156 wrote to memory of 1524 | 2156 | Payment Invoice.exe | Payment Invoice.exe
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payment Invoice.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | Payment Invoice.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AThqfIDLqoF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5BCC.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Payment Invoice.exe (depth 2)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment Invoice.exe.log
  Filesize: 766B
  MD5: f31cb48987bd5b34b620a1a0c38a12d6
  SHA1: 6de824d36e8111e0f99e48e25baa2014da4690c6
  SHA256: af2533379ee0e724f687064508666515b7427139577bab58a9eef677bb427819
  SHA512: 7750ef75389ecb549f8da1615276ffedfc7e92f0956a344099360e39955419ca625241e4d86bae6864e585a98db28f7b7475ace75abda24e31d38da4fdea8996
- C:\Users\Admin\AppData\Local\Temp\tmp5BCC.tmp
  Filesize: 1KB
  MD5: 375ef4bb89077184526e356c43800af5
  SHA1: f4df54b887f89a7b84d53bbf8630625bcfe4d4ee
  SHA256: 5f99035dcd4d6c54871115839f979140d5d2054bb14b7e1e29ca0cf3c97bfc32
  SHA512: 55569116dc2be388694ef61a7fee57a4d6b70c76a669e86127e7567ad51908b34ca81d65a9a8de5d3537a41063e727afa35b9dc1f32e7f8102329e89c670ff2d
- memory/204-131-0x0000000000000000-mapping.dmp
- memory/1524-133-0x0000000000000000-mapping.dmp
- memory/1524-134-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB
- memory/1524-136-0x0000000074AF0000-0x00000000750A1000-memory.dmp
  Filesize: 5.7MB
- memory/2156-130-0x0000000074AF0000-0x00000000750A1000-memory.dmp
  Filesize: 5.7MB