Analysis
max time kernel: 112s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 08:42
Static task: static1
Behavioral task: behavioral1
  Sample: INVOICE SHIPPING-PACKING LIST.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: INVOICE SHIPPING-PACKING LIST.exe
  Resource: win10v2004-20221111-en
General
Target: INVOICE SHIPPING-PACKING LIST.exe
Size: 492KB
MD5: 6f793265d64232cda59fc43f2f7b120d
SHA1: 7a5aebb953f37e9b2f4f7ba0c9c19c945a7d808b
SHA256: 523827d0143781d5e1124ddcc75eaed873f190f255497217ef2f61a5714fedb8
SHA512: bbbacbc4695e7088564cf85974b3ddf5aa6e3bdbc3fea8f8538ec4fa79c8e8ffeb62b3e3b59831da8aefb3be9b9e8c71d8d4b1b33ad7fae307e3356612b7e24f
SSDEEP: 12288:6XT5OxeW3QRu0ApGptvXqXuRfaFhgOo7zcyv:6XdOxeYGu0ApGpB+OvD
Malware Config
Extracted
Family: agenttesla
URL: https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Executes dropped EXE (2 IoCs)
Processes:
  PID 948   mtsotp.exe
  PID 268   mtsotp.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 1960  INVOICE SHIPPING-PACKING LIST.exe
  PID 948   mtsotp.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  mtsotp.exe  Key opened  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  mtsotp.exe  Key opened  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  mtsotp.exe  Key opened  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 948 (mtsotp.exe) set thread context of PID 268 (mtsotp.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  PID 268   mtsotp.exe  (3 entries)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  PID 948   mtsotp.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  PID 268   mtsotp.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  PID 1960 (INVOICE SHIPPING-PACKING LIST.exe) wrote to memory of PID 948 (mtsotp.exe)  (4 entries)
  PID 948 (mtsotp.exe) wrote to memory of PID 268 (mtsotp.exe)  (5 entries)

outlook_office_path (1 IoC)
Processes:
  mtsotp.exe  Key opened  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
Processes:
  mtsotp.exe  Key opened  \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
C:\Users\Admin\AppData\Local\Temp\INVOICE SHIPPING-PACKING LIST.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE SHIPPING-PACKING LIST.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\mtsotp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mtsotp.exe" C:\Users\Admin\AppData\Local\Temp\lwqfquz.nc
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\mtsotp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\mtsotp.exe" C:\Users\Admin\AppData\Local\Temp\lwqfquz.nc
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Downloads
C:\Users\Admin\AppData\Local\Temp\bzpeuniie.p
  Filesize: 295KB
  MD5: 496f336ad96ed901757199597ed29a8d
  SHA1: 09e89adc879aeeca2ac5bb5086a40f9bc83554b4
  SHA256: 07ed4dc2c1cd067c5dab0e8cc252a82b0c305eecce40f25052e06f128bed9ee0
  SHA512: 5b1778b4c919bf4858e85f25cad2fcbaca727444ee1cefa79d2dc698e1a7cbf8fab8e35c2512744ed6f46104ab14879ae74a031fce242250d47164ce79c2b15a

C:\Users\Admin\AppData\Local\Temp\lwqfquz.nc
  Filesize: 5KB
  MD5: 7eb0a236fb43d768410e5c3bb95611a6
  SHA1: 7f8a16b509031827c9a3be00b09c8ba123deb46f
  SHA256: 7613f2f3548b9188683477673897e90ccde6555b20970d1bf960e93d36d0566d
  SHA512: d077c4db043e0eda5f6e2056a43ba936c1c4b237f472793d85804665a98029e0f162d100d2935d2eb3a902be8b3c2b71a00e8b4505f3f7b2ed8411ad05d66a17

C:\Users\Admin\AppData\Local\Temp\mtsotp.exe
  Filesize: 332KB
  MD5: 448629f713a637632bc9b73f52a1a742
  SHA1: 6f0edc468fc0f658c75c7177a01091350e0c3ccd
  SHA256: bd797011bcb6d0aa6b743badc1305634fe000e4ace72b812f4346d3994643d39
  SHA512: e941740338fce359fd87dd25eab3a55c335ad1dd358e9352420a695d202a6f541dbf7531f59de40d61cadba688df0916fcb5aade5b80d54b817e5138731886d1

\Users\Admin\AppData\Local\Temp\mtsotp.exe
  Filesize: 332KB
  MD5: 448629f713a637632bc9b73f52a1a742
  SHA1: 6f0edc468fc0f658c75c7177a01091350e0c3ccd
  SHA256: bd797011bcb6d0aa6b743badc1305634fe000e4ace72b812f4346d3994643d39
  SHA512: e941740338fce359fd87dd25eab3a55c335ad1dd358e9352420a695d202a6f541dbf7531f59de40d61cadba688df0916fcb5aade5b80d54b817e5138731886d1

memory/268-63-0x0000000000401896-mapping.dmp

memory/268-66-0x0000000000400000-0x000000000044E000-memory.dmp
  Filesize: 312KB

memory/268-67-0x0000000004420000-0x000000000445C000-memory.dmp
  Filesize: 240KB

memory/948-56-0x0000000000000000-mapping.dmp

memory/1960-54-0x0000000075D11000-0x0000000075D13000-memory.dmp
  Filesize: 8KB