Analysis
- max time kernel: 97s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:38
Static task
- static1

Behavioral task
- behavioral1
  Sample: INVOICE PDF.exe
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures
  0 seconds

Behavioral task
- behavioral2
  Sample: INVOICE PDF.exe
  Resource: win10v2004-20220414-en
  Platform: windows10-2004_x64
  0 signatures
  0 seconds
General
- Target: INVOICE PDF.exe
- Size: 453KB
- MD5: 8a4712f8fd715e41a2845a6fa53c6809
- SHA1: acdb30b10d3a54c3e431ecfd08b0d8a1653ec776
- SHA256: ae9ea028d892118f67f92b5ff6a3a06185e0328a15f844d2209218677154876f
- SHA512: 1f312e877c187082bdd4c5df981fc5df948c2090d4c67b43cb8b6a79541152b51a02b64967c5d0765850f8573821091f5a58cfa8d1d1c9c51db6a3350d9d11fd
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: mail.dianaglobalmandiri.com
  - Port: 587
  - Username: info@dianaglobalmandiri.com
  - Password: Batam2019
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/3548-136-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: RegSvcs.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CpSnJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CpSnJ\\CpSnJ.exe" | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: INVOICE PDF.exe
  description | pid | process | target process
  PID 2884 set thread context of 3548 | 2884 | INVOICE PDF.exe | RegSvcs.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  1992 | 3548 | WerFault.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
  pid | process
  3548 | RegSvcs.exe
  3548 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 3548 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: INVOICE PDF.exe
  description | pid | process | target process
  PID 2884 wrote to memory of 3548 | 2884 | INVOICE PDF.exe | RegSvcs.exe
  PID 2884 wrote to memory of 3548 | 2884 | INVOICE PDF.exe | RegSvcs.exe
  PID 2884 wrote to memory of 3548 | 2884 | INVOICE PDF.exe | RegSvcs.exe
  PID 2884 wrote to memory of 3548 | 2884 | INVOICE PDF.exe | RegSvcs.exe
  PID 2884 wrote to memory of 3548 | 2884 | INVOICE PDF.exe | RegSvcs.exe
  PID 2884 wrote to memory of 3548 | 2884 | INVOICE PDF.exe | RegSvcs.exe
  PID 2884 wrote to memory of 3548 | 2884 | INVOICE PDF.exe | RegSvcs.exe
  PID 2884 wrote to memory of 3548 | 2884 | INVOICE PDF.exe | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\INVOICE PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 1584
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3548 -ip 3548
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2884-130-0x0000000000500000-0x0000000000578000-memory.dmp (Filesize: 480KB)
- memory/2884-131-0x0000000005570000-0x0000000005B14000-memory.dmp (Filesize: 5.6MB)
- memory/2884-132-0x0000000004F00000-0x0000000004F92000-memory.dmp (Filesize: 584KB)
- memory/2884-133-0x00000000050C0000-0x00000000050CA000-memory.dmp (Filesize: 40KB)
- memory/2884-134-0x00000000078C0000-0x000000000795C000-memory.dmp (Filesize: 624KB)
- memory/3548-135-0x0000000000000000-mapping.dmp
- memory/3548-136-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/3548-137-0x0000000005F30000-0x0000000005F96000-memory.dmp (Filesize: 408KB)
- memory/3548-138-0x0000000006760000-0x00000000067B0000-memory.dmp (Filesize: 320KB)