Analysis
-
max time kernel
116s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 18:58
Static task
static1
Behavioral task
behavioral1
Sample
payment against your invoi.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
payment against your invoi.exe
Resource
win10v2004-20220414-en
General
-
Target
payment against your invoi.exe
-
Size
499KB
-
MD5
eadb9c9fbe400eeb9a6dfd465f116498
-
SHA1
32fc1cfedec2ec886bcd9562cdce99f2414af041
-
SHA256
7ef89eedb2b94ba182361208dc6fc31bd1dd3e378e0c5ba28a137996764a2de7
-
SHA512
dfc20697f28b9fab1fd33f22b6d5398f2ca5cc442bcce2db6e548d993eb8424d6bce34d883a29ddc5b78d69b4d5b2600a6fdc9c3d097b8cb50d07a064cee3eb2
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.trip24now.com - Port:
587 - Username:
services@trip24now.com - Password:
Services@123#
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2332-138-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
payment against your invoi.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion payment against your invoi.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion payment against your invoi.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
payment against your invoi.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation payment against your invoi.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
payment against your invoi.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment against your invoi.exe Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment against your invoi.exe Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment against your invoi.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
payment against your invoi.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 payment against your invoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum payment against your invoi.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
payment against your invoi.exedescription pid process target process PID 5108 set thread context of 2332 5108 payment against your invoi.exe payment against your invoi.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
payment against your invoi.exepayment against your invoi.exepid process 5108 payment against your invoi.exe 2332 payment against your invoi.exe 2332 payment against your invoi.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
payment against your invoi.exepayment against your invoi.exedescription pid process Token: SeDebugPrivilege 5108 payment against your invoi.exe Token: SeDebugPrivilege 2332 payment against your invoi.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
payment against your invoi.exepid process 2332 payment against your invoi.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
payment against your invoi.exedescription pid process target process PID 5108 wrote to memory of 4580 5108 payment against your invoi.exe schtasks.exe PID 5108 wrote to memory of 4580 5108 payment against your invoi.exe schtasks.exe PID 5108 wrote to memory of 4580 5108 payment against your invoi.exe schtasks.exe PID 5108 wrote to memory of 2332 5108 payment against your invoi.exe payment against your invoi.exe PID 5108 wrote to memory of 2332 5108 payment against your invoi.exe payment against your invoi.exe PID 5108 wrote to memory of 2332 5108 payment against your invoi.exe payment against your invoi.exe PID 5108 wrote to memory of 2332 5108 payment against your invoi.exe payment against your invoi.exe PID 5108 wrote to memory of 2332 5108 payment against your invoi.exe payment against your invoi.exe PID 5108 wrote to memory of 2332 5108 payment against your invoi.exe payment against your invoi.exe PID 5108 wrote to memory of 2332 5108 payment against your invoi.exe payment against your invoi.exe PID 5108 wrote to memory of 2332 5108 payment against your invoi.exe payment against your invoi.exe -
outlook_office_path 1 IoCs
Processes:
payment against your invoi.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment against your invoi.exe -
outlook_win_path 1 IoCs
Processes:
payment against your invoi.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 payment against your invoi.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\payment against your invoi.exe"C:\Users\Admin\AppData\Local\Temp\payment against your invoi.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OxqIQfPx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB788.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\payment against your invoi.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment against your invoi.exe.logFilesize
599B
MD5a56b1681d95f33a909d6f34c33f706fb
SHA1e996e63f53e9041910f84a4246085c7e76d8ea37
SHA2567d87bc567d369a8c708b33966c428845d44ce433d2a6445ca4ccf6449482b3a7
SHA512f0d7998ccb520c7229f95ed26a714b07e6a87c16d097546751f7a0f61678b0abb3fbfcc0caa8eba66fa19c09ad659f89475f0f071f3b249bd1bee07a7cd665a2
-
C:\Users\Admin\AppData\Local\Temp\tmpB788.tmpFilesize
1KB
MD5e95beb85a59c704f42f0bf7e23888a33
SHA195491f50563800cc0cc419b06c2a6f7720cac0af
SHA256c60532a45e689b255949d9c735729ac0d2c8babaa63c91ab20aa9e27f68cdb46
SHA5121556f9a2960ad8e3f348614dc5be8bac05f757dbaad5a909174b4c1c6b22028f3b4bef5e5a7e5267f38c913c5c33cf1d3e85e3c57faa42f0123996aa58d8aa1d
-
memory/2332-137-0x0000000000000000-mapping.dmp
-
memory/2332-138-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/2332-140-0x00000000069B0000-0x0000000006A00000-memory.dmpFilesize
320KB
-
memory/2332-141-0x0000000006CB0000-0x0000000006CBA000-memory.dmpFilesize
40KB
-
memory/4580-135-0x0000000000000000-mapping.dmp
-
memory/5108-130-0x0000000000710000-0x0000000000794000-memory.dmpFilesize
528KB
-
memory/5108-131-0x00000000056D0000-0x0000000005C74000-memory.dmpFilesize
5.6MB
-
memory/5108-132-0x00000000051C0000-0x0000000005252000-memory.dmpFilesize
584KB
-
memory/5108-133-0x0000000005260000-0x00000000052FC000-memory.dmpFilesize
624KB
-
memory/5108-134-0x00000000077D0000-0x0000000007836000-memory.dmpFilesize
408KB