Analysis
- max time kernel: 152s
- max time network: 173s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 13:23
Static task: static1
Behavioral task: behavioral1
- Sample: INVOICE #24560908.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: INVOICE #24560908.exe
- Resource: win10v2004-20221111-en
General
- Target: INVOICE #24560908.exe
- Size: 783KB
- MD5: effa64d665cc881b80faefb053896c75
- SHA1: 314ae8a3bfbbae37b92ab9c1d4e72a2f3ba77959
- SHA256: 9d6b6913c2b8b1084f4177076c9c2b759ce8a903bc7baf1b1c0ef3bf5635c361
- SHA512: 8edb0d1298146e744847cc4efafcce3da52859b3beef6d8e3ca15049188abab93f1fb7c097cae4515d2faca29662d57fb7c3dbb5a9be8c9fadd89bdb38c15fc7
- SSDEEP: 24576:QivLGVB70aw1s/U97WopiNc9/LkInstI:+VB70aw1u8piN0/LMt
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: mail.southernboilers.org
- Port: 587
- Username: info@southernboilers.org
- Password: Sksmoke2018#
- Email To: obtxxxtf@gmail.com
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
Processes: INVOICE #24560908.exe
description | pid | process | target process
PID 1640 set thread context of 1492 | 1640 | INVOICE #24560908.exe | INVOICE #24560908.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: INVOICE #24560908.exe, INVOICE #24560908.exe
pid | process
1640 | INVOICE #24560908.exe
1492 | INVOICE #24560908.exe
1492 | INVOICE #24560908.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: INVOICE #24560908.exe, INVOICE #24560908.exe
description | pid | process
Token: SeDebugPrivilege | 1640 | INVOICE #24560908.exe
Token: SeDebugPrivilege | 1492 | INVOICE #24560908.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
Processes: INVOICE #24560908.exe
description | pid | process | target process
PID 1640 wrote to memory of 1068 | 1640 | INVOICE #24560908.exe | schtasks.exe
PID 1640 wrote to memory of 1068 | 1640 | INVOICE #24560908.exe | schtasks.exe
PID 1640 wrote to memory of 1068 | 1640 | INVOICE #24560908.exe | schtasks.exe
PID 1640 wrote to memory of 1068 | 1640 | INVOICE #24560908.exe | schtasks.exe
PID 1640 wrote to memory of 1492 | 1640 | INVOICE #24560908.exe | INVOICE #24560908.exe
PID 1640 wrote to memory of 1492 | 1640 | INVOICE #24560908.exe | INVOICE #24560908.exe
PID 1640 wrote to memory of 1492 | 1640 | INVOICE #24560908.exe | INVOICE #24560908.exe
PID 1640 wrote to memory of 1492 | 1640 | INVOICE #24560908.exe | INVOICE #24560908.exe
PID 1640 wrote to memory of 1492 | 1640 | INVOICE #24560908.exe | INVOICE #24560908.exe
PID 1640 wrote to memory of 1492 | 1640 | INVOICE #24560908.exe | INVOICE #24560908.exe
PID 1640 wrote to memory of 1492 | 1640 | INVOICE #24560908.exe | INVOICE #24560908.exe
PID 1640 wrote to memory of 1492 | 1640 | INVOICE #24560908.exe | INVOICE #24560908.exe
PID 1640 wrote to memory of 1492 | 1640 | INVOICE #24560908.exe | INVOICE #24560908.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\INVOICE #24560908.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE #24560908.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\schtasks.exe (tree depth 2)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lzdouz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8547.tmp"
  - Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\Temp\INVOICE #24560908.exe (tree depth 2)
  Command line: "{path}"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8547.tmp
  Filesize: 1KB
  MD5: 6f0cdfbe18fc1d8e73dc87cdbbd8c69e
  SHA1: 7b725041fac6a098e364691d2fc02e565269b1af
  SHA256: a1e7d5a691b03e0e407d15d4ab21d148ba90eeb52bd41a565588a7c5b79a385e
  SHA512: 90d116bad8b1acb8ab619fa3990f3a8314609ee639c662324d89dbd68663da2be33b6bec8e410da3ec1a6ede8c94672954a6b5fd266a1b62cafcfecc2850b0bd
- memory/1068-59-0x0000000000000000-mapping.dmp
- memory/1492-64-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1492-61-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1492-62-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1492-65-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1492-66-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1492-67-0x0000000000437B8E-mapping.dmp
- memory/1492-69-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1492-71-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/1640-57-0x00000000048C0000-0x0000000004944000-memory.dmp (Filesize: 528KB)
- memory/1640-58-0x0000000004E30000-0x0000000004E6C000-memory.dmp (Filesize: 240KB)
- memory/1640-56-0x0000000000220000-0x0000000000232000-memory.dmp (Filesize: 72KB)
- memory/1640-55-0x00000000757B1000-0x00000000757B3000-memory.dmp (Filesize: 8KB)
- memory/1640-54-0x0000000000880000-0x000000000094A000-memory.dmp (Filesize: 808KB)