Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 07:23

General

  • Target

    TNT Invoice_pdf.exe

  • Size

    404KB

  • MD5

    f80abe76555b4a785cc99f5c28b005c2

  • SHA1

    85748a350dc49454ff17845fd8275d065bc73229

  • SHA256

    1934d67c56986a33cc6a786899f4bca45886ef7ddcb1abcab4a8061e0abe1a5d

  • SHA512

    f415e6df708bed4fd7dbc443c13f23381cf1bc256d8f82922cbcb653fe131f000cbb38a207c032961673d6f8aab796e0e83f46899c5067ddecc28ced9ccdc9ae

  • SSDEEP

    6144:LBnb2khrC61MSvEufUEWS+jahhoaU0HEpah8yLAw2QA8ffkXF9Lq3IXxjnGi/He4:FnhSoU3jahhvTHCe8Ad2QA8iTqexH+/g

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5731015181:AAEnN7QEEeN_fBCr0YFv_H7lrNpKS_lkspI/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TNT Invoice_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\TNT Invoice_pdf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe
      "C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe" C:\Users\Admin\AppData\Local\Temp\huqqriwxdjn.y
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe
        "C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe" C:\Users\Admin\AppData\Local\Temp\huqqriwxdjn.y
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1728

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\fintvl.cso

    Filesize

    288KB

    MD5

    06298aaabe372084a429add9f52054e1

    SHA1

    3f52f836ab3e5e76fdb6f4c19e972df228472b21

    SHA256

    c5ba2eb05b69349322b2042f27aba5b07434c0d449a6bd615b0377e4eeb55ced

    SHA512

    4399bbfe2cee91edac8b4b9b8fc3c9efe09dbe76634c7c2a104cec73ac126811170315c1aab6114bac6d04e98d67b83103251b9dffa3b8a84907e970e0587cfe

  • C:\Users\Admin\AppData\Local\Temp\huqqriwxdjn.y

    Filesize

    5KB

    MD5

    f975df753ad36f4aee598c366981762e

    SHA1

    4f7302948b9b176a3c05fa78c7a686e1b5b81385

    SHA256

    81b0fcb44fc085b308e1d8524a8aef006d01167b7abfb6d21b0ae944dc720472

    SHA512

    460b20ea12bd9a5de8c903ea80c434f6cbb45b1eb3dcb74cfac23f602aaba98c01fb124dc70763cdcf9ab95e576601159f6a75dad140a5cb52f1c0915f1659be

  • C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe

    Filesize

    332KB

    MD5

    2f3fd047aa9f8e88453b01257959a6da

    SHA1

    fe779bb56fef1be106d893da223e8dd611469c6f

    SHA256

    79d2ae77720ba8eac366b202d945697699832e8395201ff333c252a2ead1ff8b

    SHA512

    42dedc926d80dbf49492b345f59e4bea7a662b02251a4dae76d3b0e01366824cfdb0fbc092e8c2c108ed4312a4a4947b796d147a4851b7e6f7f139e7e28f1a50

  • C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe

    Filesize

    332KB

    MD5

    2f3fd047aa9f8e88453b01257959a6da

    SHA1

    fe779bb56fef1be106d893da223e8dd611469c6f

    SHA256

    79d2ae77720ba8eac366b202d945697699832e8395201ff333c252a2ead1ff8b

    SHA512

    42dedc926d80dbf49492b345f59e4bea7a662b02251a4dae76d3b0e01366824cfdb0fbc092e8c2c108ed4312a4a4947b796d147a4851b7e6f7f139e7e28f1a50

  • C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe

    Filesize

    332KB

    MD5

    2f3fd047aa9f8e88453b01257959a6da

    SHA1

    fe779bb56fef1be106d893da223e8dd611469c6f

    SHA256

    79d2ae77720ba8eac366b202d945697699832e8395201ff333c252a2ead1ff8b

    SHA512

    42dedc926d80dbf49492b345f59e4bea7a662b02251a4dae76d3b0e01366824cfdb0fbc092e8c2c108ed4312a4a4947b796d147a4851b7e6f7f139e7e28f1a50

  • \Users\Admin\AppData\Local\Temp\xzkhybrawk.exe

    Filesize

    332KB

    MD5

    2f3fd047aa9f8e88453b01257959a6da

    SHA1

    fe779bb56fef1be106d893da223e8dd611469c6f

    SHA256

    79d2ae77720ba8eac366b202d945697699832e8395201ff333c252a2ead1ff8b

    SHA512

    42dedc926d80dbf49492b345f59e4bea7a662b02251a4dae76d3b0e01366824cfdb0fbc092e8c2c108ed4312a4a4947b796d147a4851b7e6f7f139e7e28f1a50

  • \Users\Admin\AppData\Local\Temp\xzkhybrawk.exe

    Filesize

    332KB

    MD5

    2f3fd047aa9f8e88453b01257959a6da

    SHA1

    fe779bb56fef1be106d893da223e8dd611469c6f

    SHA256

    79d2ae77720ba8eac366b202d945697699832e8395201ff333c252a2ead1ff8b

    SHA512

    42dedc926d80dbf49492b345f59e4bea7a662b02251a4dae76d3b0e01366824cfdb0fbc092e8c2c108ed4312a4a4947b796d147a4851b7e6f7f139e7e28f1a50

  • memory/1728-63-0x0000000000401896-mapping.dmp

  • memory/1728-66-0x0000000004480000-0x00000000044BA000-memory.dmp

    Filesize

    232KB

  • memory/1728-67-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/1912-56-0x0000000000000000-mapping.dmp

  • memory/1980-54-0x0000000076031000-0x0000000076033000-memory.dmp

    Filesize

    8KB