Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2022 13:23
Static task: static1
Behavioral task: behavioral1
  Sample: INVOICE AND PARKING LIST.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: INVOICE AND PARKING LIST.exe
  Resource: win10v2004-20220812-en
General
Target: INVOICE AND PARKING LIST.exe
Size: 668KB
MD5: 9efabcfe6bfbfa5dda90ad4dc5894040
SHA1: 07c7cdac9aa0658d374331c4b35a9d0190eadbee
SHA256: 05472a071f902b974d4ce0d2e605058580f86ab1ad7b6c201c6f9b38608c9b4d
SHA512: bae5eb2fb1dcb683ccab5b4c5f6857ffe300b1719378050e5aab1f97e0c748dbbb5abe91b32cbe8aea3615069f0903a376310ad68ad4ad60d80f1933100e0855
SSDEEP: 12288:wFkzrbETClCHskFgFwIyXCDP0SLZigmxSuhnlYiAEt+Ccf8r2Yt93cr:Z76CIskFgqIyXyLOLHbAA+Ccfkg
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.southernboilers.org
Port: 587
Username: info@southernboilers.org
Password: Sksmoke2018#
Email To: obtxxxtf@gmail.com
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes (description / ioc / process):
    Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (INVOICE AND PARKING LIST.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description / ioc / process):
    Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (INVOICE AND PARKING LIST.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (INVOICE AND PARKING LIST.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (INVOICE AND PARKING LIST.exe)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
    71: api.ipify.org
    72: api.ipify.org
- Drops file in System32 directory (2 IoCs)
  Processes (description / ioc / process):
    File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{04E788A1-5DDB-4FBD-8541-4055CDAEDDC8}.catalogItem (svchost.exe)
    File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{1E0EF06A-E824-418A-9BA5-6C121CC4C2AF}.catalogItem (svchost.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 1404 set thread context of 4476: INVOICE AND PARKING LIST.exe -> INVOICE AND PARKING LIST.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (svchost.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
    Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (svchost.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (svchost.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid / process):
    1404 INVOICE AND PARKING LIST.exe (5 entries)
    4476 INVOICE AND PARKING LIST.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege, PID 1404, INVOICE AND PARKING LIST.exe
    Token: SeDebugPrivilege, PID 4476, INVOICE AND PARKING LIST.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description / pid / process / target process):
    PID 1404 wrote to memory of 2720: INVOICE AND PARKING LIST.exe -> schtasks.exe (3 entries)
    PID 1404 wrote to memory of 3112: INVOICE AND PARKING LIST.exe -> INVOICE AND PARKING LIST.exe (3 entries)
    PID 1404 wrote to memory of 4240: INVOICE AND PARKING LIST.exe -> INVOICE AND PARKING LIST.exe (3 entries)
    PID 1404 wrote to memory of 4476: INVOICE AND PARKING LIST.exe -> INVOICE AND PARKING LIST.exe (8 entries)
- outlook_office_path (1 IoC)
  Processes (description / ioc / process):
    Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (INVOICE AND PARKING LIST.exe)
- outlook_win_path (1 IoC)
  Processes (description / ioc / process):
    Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (INVOICE AND PARKING LIST.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\INVOICE AND PARKING LIST.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE AND PARKING LIST.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pNSzlHrvsnPyrx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E26.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\INVOICE AND PARKING LIST.exe (depth 2)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\INVOICE AND PARKING LIST.exe (depth 2)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\INVOICE AND PARKING LIST.exe (depth 2)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
- C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INVOICE AND PARKING LIST.exe.log
  Filesize: 1KB
  MD5: 84e77a587d94307c0ac1357eb4d3d46f
  SHA1: 83cc900f9401f43d181207d64c5adba7a85edc1e
  SHA256: e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
  SHA512: aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
- C:\Users\Admin\AppData\Local\Temp\tmp8E26.tmp
  Filesize: 1KB
  MD5: b978a5eff984642673a88a43d1bed9a8
  SHA1: 6a40b2bade65b275231cfaaab642da0a48d11fe0
  SHA256: 8053db6e39e619784179b4cac17dd764a36fc92f0ce3338b02f13b0599b9c76d
  SHA512: edb6ca1dad8d14824887c89075a4322197af553b73b07893052a5ca2f75f837b804173855542836b8321179c19a26ca232bac13e66a3ef5c5e153db9b34e4c96
- memory/1404-135-0x0000000004F70000-0x000000000500C000-memory.dmp (Filesize: 624KB)
- memory/1404-132-0x0000000000430000-0x00000000004DE000-memory.dmp (Filesize: 696KB)
- memory/1404-136-0x0000000004E60000-0x0000000004E6A000-memory.dmp (Filesize: 40KB)
- memory/1404-134-0x0000000004ED0000-0x0000000004F62000-memory.dmp (Filesize: 584KB)
- memory/1404-133-0x0000000005480000-0x0000000005A24000-memory.dmp (Filesize: 5.6MB)
- memory/2720-137-0x0000000000000000-mapping.dmp
- memory/3112-139-0x0000000000000000-mapping.dmp
- memory/4240-140-0x0000000000000000-mapping.dmp
- memory/4476-141-0x0000000000000000-mapping.dmp
- memory/4476-142-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/4476-144-0x0000000006250000-0x00000000062B6000-memory.dmp (Filesize: 408KB)
- memory/4476-145-0x0000000006DC0000-0x0000000006E10000-memory.dmp (Filesize: 320KB)