Analysis
- max time kernel: 267s
- max time network: 334s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29-11-2022 13:23
Static task: static1
Behavioral task: behavioral1
- Sample: INVOICE AND PARKING LIST.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: INVOICE AND PARKING LIST.exe
- Resource: win10v2004-20220812-en
General
- Target: INVOICE AND PARKING LIST.exe
- Size: 668KB
- MD5: 9efabcfe6bfbfa5dda90ad4dc5894040
- SHA1: 07c7cdac9aa0658d374331c4b35a9d0190eadbee
- SHA256: 05472a071f902b974d4ce0d2e605058580f86ab1ad7b6c201c6f9b38608c9b4d
- SHA512: bae5eb2fb1dcb683ccab5b4c5f6857ffe300b1719378050e5aab1f97e0c748dbbb5abe91b32cbe8aea3615069f0903a376310ad68ad4ad60d80f1933100e0855
- SSDEEP: 12288:wFkzrbETClCHskFgFwIyXCDP0SLZigmxSuhnlYiAEt+Ccf8r2Yt93cr:Z76CIskFgqIyXyLOLHbAA+Ccfkg
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.southernboilers.org
- Port: 587
- Username: info@southernboilers.org
- Password: Sksmoke2018#
- Email To: obtxxxtf@gmail.com
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 892 set thread context of 1984 | 892 | INVOICE AND PARKING LIST.exe | INVOICE AND PARKING LIST.exe |

-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:

| pid | process |
| --- | --- |
| 1984 | INVOICE AND PARKING LIST.exe |
| 1984 | INVOICE AND PARKING LIST.exe |

-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 892 | INVOICE AND PARKING LIST.exe |
| Token: SeDebugPrivilege | 1984 | INVOICE AND PARKING LIST.exe |

-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 892 wrote to memory of 576 | 892 | INVOICE AND PARKING LIST.exe | schtasks.exe |
| PID 892 wrote to memory of 576 | 892 | INVOICE AND PARKING LIST.exe | schtasks.exe |
| PID 892 wrote to memory of 576 | 892 | INVOICE AND PARKING LIST.exe | schtasks.exe |
| PID 892 wrote to memory of 576 | 892 | INVOICE AND PARKING LIST.exe | schtasks.exe |
| PID 892 wrote to memory of 1984 | 892 | INVOICE AND PARKING LIST.exe | INVOICE AND PARKING LIST.exe |
| PID 892 wrote to memory of 1984 | 892 | INVOICE AND PARKING LIST.exe | INVOICE AND PARKING LIST.exe |
| PID 892 wrote to memory of 1984 | 892 | INVOICE AND PARKING LIST.exe | INVOICE AND PARKING LIST.exe |
| PID 892 wrote to memory of 1984 | 892 | INVOICE AND PARKING LIST.exe | INVOICE AND PARKING LIST.exe |
| PID 892 wrote to memory of 1984 | 892 | INVOICE AND PARKING LIST.exe | INVOICE AND PARKING LIST.exe |
| PID 892 wrote to memory of 1984 | 892 | INVOICE AND PARKING LIST.exe | INVOICE AND PARKING LIST.exe |
| PID 892 wrote to memory of 1984 | 892 | INVOICE AND PARKING LIST.exe | INVOICE AND PARKING LIST.exe |
| PID 892 wrote to memory of 1984 | 892 | INVOICE AND PARKING LIST.exe | INVOICE AND PARKING LIST.exe |
| PID 892 wrote to memory of 1984 | 892 | INVOICE AND PARKING LIST.exe | INVOICE AND PARKING LIST.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\INVOICE AND PARKING LIST.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE AND PARKING LIST.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNSzlHrvsnPyrx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3035.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\INVOICE AND PARKING LIST.exe (depth 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp3035.tmp
  - Filesize: 1KB
  - MD5: 4e6fed192f88fbbcd7676b8409adf517
  - SHA1: fc846261801a4feb2bebd3257946d4767e7ab268
  - SHA256: b98ead25cd5cb114e3603a9264e12c45f6a9774014aefec945b6e29a48da4fdd
  - SHA512: 743169b1c128c9dae816c3462c343dafebbf05b1b8a4b04f07b213d2e794b0bea49b87474c50387a6973c86a6e0c2400c9c2cca439c6c21c1619433cf1b68291

Memory dumps:

| dump | filesize |
| --- | --- |
| memory/576-59-0x0000000000000000-mapping.dmp | |
| memory/892-57-0x0000000005440000-0x00000000054C2000-memory.dmp | 520KB |
| memory/892-54-0x0000000000CE0000-0x0000000000D8E000-memory.dmp | 696KB |
| memory/892-58-0x0000000000AD0000-0x0000000000B0C000-memory.dmp | 240KB |
| memory/892-56-0x0000000000480000-0x0000000000492000-memory.dmp | 72KB |
| memory/892-55-0x0000000075E01000-0x0000000075E03000-memory.dmp | 8KB |
| memory/1984-61-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB |
| memory/1984-62-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB |
| memory/1984-64-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB |
| memory/1984-65-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB |
| memory/1984-66-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB |
| memory/1984-67-0x0000000000437B8E-mapping.dmp | |
| memory/1984-69-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB |
| memory/1984-71-0x0000000000400000-0x000000000043C000-memory.dmp | 240KB |