Analysis
- max time kernel: 91s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:46
Tasks
- Static task static1
- Behavioral task behavioral1: Sample Invoice 2078654.exe, Resource win7-20220414-en
- Behavioral task behavioral2: Sample Invoice 2078654.exe, Resource win10v2004-20220414-en
- Behavioral task behavioral3: Sample Invoice 4907856.exe, Resource win7-20220414-en
- Behavioral task behavioral4: Sample Invoice 4907856.exe, Resource win10v2004-20220414-en
- Behavioral task behavioral5: Sample pictures.exe, Resource win7-20220414-en
- Behavioral task behavioral6: Sample pictures.exe, Resource win10v2004-20220414-en
General
- Target: Invoice 4907856.exe
- Size: 598KB
- MD5: cfe01269c178fea11b28130dd457c43e
- SHA1: 589c257ca5f0be53af4160bbd67c6a4dd01c8ae6
- SHA256: 40cf3214cd412e73955af3a64b3e61691ec44f3ee6bd8031ea37e69dce07b393
- SHA512: 7077c264debdbc5aa67e5d183eeaeb827360ecd886cce8bb24a7d93733bb33fad392dff3d2aa5a8854d9ecef70cde94510504e9eed7a5c8bb2d5145763374087
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.privateemail.com
- Port: 587
- Username: [email protected]
- Password: coronavirus2020
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
    resource | yara_rule
    behavioral4/memory/2792-137-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: Invoice 4907856.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | Invoice 4907856.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: RegSvcs.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Invoice 4907856.exe
    description | pid | process | target process
    PID 4412 set thread context of 2792 | 4412 | Invoice 4907856.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
    pid | process
    2792 | RegSvcs.exe
    2792 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegSvcs.exe
    description | pid | process
    Token: SeDebugPrivilege | 2792 | RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: RegSvcs.exe
    pid | process
    2792 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: Invoice 4907856.exe
    description | pid | process | target process
    PID 4412 wrote to memory of 3976 | 4412 | Invoice 4907856.exe | schtasks.exe (3 identical entries)
    PID 4412 wrote to memory of 2792 | 4412 | Invoice 4907856.exe | RegSvcs.exe (8 identical entries)
- outlook_office_path (1 IoC)
  Processes: RegSvcs.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoC)
  Processes: RegSvcs.exe
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Invoice 4907856.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice 4907856.exe"
  PID: 4412
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (child of PID 4412)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SvmSwTQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21B1.tmp"
    PID: 3976
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 4412)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2792
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp21B1.tmp
  Filesize: 1KB
  MD5: c05716ef8465ed2594e36b858ce06f29
  SHA1: a586ce31fd681cd0785f9b15bec6b4477e4eb26b
  SHA256: 3613a7cebda741afcce18a71201c139b27ec901d99940e371805d829df44878b
  SHA512: 29730daaad677e732885f461c87b6f5fa9f515bc4d2bdc0fae97a61df52ea147fa0d1436a2d041d57d6fcd3837b06c6d49e5313e5195f952793d11c8dca98fcc
- memory/2792-136-0x0000000000000000-mapping.dmp
- memory/2792-137-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/2792-138-0x00000000062A0000-0x0000000006306000-memory.dmp (Filesize: 408KB)
- memory/2792-139-0x0000000006A20000-0x0000000006A70000-memory.dmp (Filesize: 320KB)
- memory/2792-140-0x0000000006B10000-0x0000000006B1A000-memory.dmp (Filesize: 40KB)
- memory/3976-134-0x0000000000000000-mapping.dmp
- memory/4412-130-0x0000000000C50000-0x0000000000CEC000-memory.dmp (Filesize: 624KB)
- memory/4412-131-0x00000000055D0000-0x0000000005662000-memory.dmp (Filesize: 584KB)
- memory/4412-132-0x0000000005AA0000-0x0000000005B3C000-memory.dmp (Filesize: 624KB)
- memory/4412-133-0x00000000060F0000-0x0000000006694000-memory.dmp (Filesize: 5.6MB)