Analysis
- max time kernel: 43s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 07:23
Static task: static1
Behavioral task: behavioral1
- Sample: TNT Invoice_pdf.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: TNT Invoice_pdf.exe
- Resource: win10v2004-20220812-en
General
- Target: TNT Invoice_pdf.exe
- Size: 404KB
- MD5: f80abe76555b4a785cc99f5c28b005c2
- SHA1: 85748a350dc49454ff17845fd8275d065bc73229
- SHA256: 1934d67c56986a33cc6a786899f4bca45886ef7ddcb1abcab4a8061e0abe1a5d
- SHA512: f415e6df708bed4fd7dbc443c13f23381cf1bc256d8f82922cbcb653fe131f000cbb38a207c032961673d6f8aab796e0e83f46899c5067ddecc28ced9ccdc9ae
- SSDEEP: 6144:LBnb2khrC61MSvEufUEWS+jahhoaU0HEpah8yLAw2QA8ffkXF9Lq3IXxjnGi/He4:FnhSoU3jahhvTHCe8Ad2QA8iTqexH+/g
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5731015181:AAEnN7QEEeN_fBCr0YFv_H7lrNpKS_lkspI/sendDocument
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
    1912  xzkhybrawk.exe
    1728  xzkhybrawk.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1980  TNT Invoice_pdf.exe
    1912  xzkhybrawk.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  xzkhybrawk.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  xzkhybrawk.exe
    Key opened  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  xzkhybrawk.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 1912 set thread context of 1728  1912  xzkhybrawk.exe  xzkhybrawk.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    1728  xzkhybrawk.exe
    1728  xzkhybrawk.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
    1912  xzkhybrawk.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1728  xzkhybrawk.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process):
    PID 1980 wrote to memory of 1912  1980  TNT Invoice_pdf.exe  xzkhybrawk.exe  (recorded 4 times)
    PID 1912 wrote to memory of 1728  1912  xzkhybrawk.exe  xzkhybrawk.exe  (recorded 5 times)
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  xzkhybrawk.exe
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
    Key opened  \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  xzkhybrawk.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\TNT Invoice_pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Invoice_pdf.exe"
  PID: 1980
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe (child of PID 1980)
    Command line: "C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe" C:\Users\Admin\AppData\Local\Temp\huqqriwxdjn.y
    PID: 1912
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe (child of PID 1912)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xzkhybrawk.exe" C:\Users\Admin\AppData\Local\Temp\huqqriwxdjn.y
      PID: 1728
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 288KB
  MD5: 06298aaabe372084a429add9f52054e1
  SHA1: 3f52f836ab3e5e76fdb6f4c19e972df228472b21
  SHA256: c5ba2eb05b69349322b2042f27aba5b07434c0d449a6bd615b0377e4eeb55ced
  SHA512: 4399bbfe2cee91edac8b4b9b8fc3c9efe09dbe76634c7c2a104cec73ac126811170315c1aab6114bac6d04e98d67b83103251b9dffa3b8a84907e970e0587cfe
- Filesize: 5KB
  MD5: f975df753ad36f4aee598c366981762e
  SHA1: 4f7302948b9b176a3c05fa78c7a686e1b5b81385
  SHA256: 81b0fcb44fc085b308e1d8524a8aef006d01167b7abfb6d21b0ae944dc720472
  SHA512: 460b20ea12bd9a5de8c903ea80c434f6cbb45b1eb3dcb74cfac23f602aaba98c01fb124dc70763cdcf9ab95e576601159f6a75dad140a5cb52f1c0915f1659be
- Filesize: 332KB
  MD5: 2f3fd047aa9f8e88453b01257959a6da
  SHA1: fe779bb56fef1be106d893da223e8dd611469c6f
  SHA256: 79d2ae77720ba8eac366b202d945697699832e8395201ff333c252a2ead1ff8b
  SHA512: 42dedc926d80dbf49492b345f59e4bea7a662b02251a4dae76d3b0e01366824cfdb0fbc092e8c2c108ed4312a4a4947b796d147a4851b7e6f7f139e7e28f1a50