Analysis
-
max time kernel
43s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
02-04-2023 13:44
Static task
static1
Behavioral task
behavioral1
Sample
DETAILS AND INVOICE .exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
DETAILS AND INVOICE .exe
Resource
win10v2004-20230220-en
General
-
Target
DETAILS AND INVOICE .exe
-
Size
1.5MB
-
MD5
b68d2d763d668c02198d3e7b9790d643
-
SHA1
ac65465f888c83f1ad1697e111273b144d9d6635
-
SHA256
7be800543004524d306ac5da65ba76133ccec42616a06a75de21e8b958693993
-
SHA512
e77526c6af05773362201aff5194b91b304f0136c0a4e342e30576c78e5b539fb18817db6d1f6831eed7d44089dec4c3941f1086fc60c2b86bdde1fe952daa22
-
SSDEEP
24576:br/NMFJMwNTEVSNaDxIefc3Gz/WMbQ6SlAd4HkcUR6Ds5ogeXkC9i8DNnQCIjyx7:baxTf6wlA+PVkCs
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.newblessint.top
Port: 587
Username: [email protected] (mailbox address is redacted in the rendered report)
Password: K,j[5i~N4.iQ
Email To: [email protected] (recipient address is redacted in the rendered report)
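The extracted config is enough to build a network detection for the exfiltration channel. The following is an added example (not part of the Triage report): only the server host mail.newblessint.top and port 587 are taken from the config, since the mailbox addresses are redacted above; the Zeek-style dns.log and conn.log rows are constructed (RFC 5737 TEST-NET addresses), and the two-tier scoring is this example's own design.

```python
"""Turn the extracted Agent Tesla SMTP config into a DNS/connection correlation.

Added example, not from the report. C2_HOST and C2_PORT come from the extracted
config; the log rows are constructed, not captured traffic.
"""
from collections import defaultdict

C2_HOST = "mail.newblessint.top"   # from the extracted config
C2_PORT = 587                       # from the extracted config

# Constructed Zeek dns.log subset: ts, id.orig_h, query, answers (comma-separated)
DNS_LOG = """\
1680443100.1\t10.0.0.15\tmail.newblessint.top\t203.0.113.25
1680443101.0\t10.0.0.15\twww.example.com\t198.51.100.7
1680443130.4\t10.0.0.22\tmail.newblessint.top.\t203.0.113.25
"""

# Constructed Zeek conn.log subset: ts, id.orig_h, id.resp_h, id.resp_p, proto
CONN_LOG = """\
1680443102.3\t10.0.0.15\t203.0.113.25\t587\ttcp
1680443103.0\t10.0.0.15\t198.51.100.7\t443\ttcp
1680443140.0\t10.0.0.22\t203.0.113.25\t587\ttcp
1680443150.0\t10.0.0.31\t203.0.113.25\t587\ttcp
"""


def parse_tsv(text):
    """Split tab-separated rows, skipping blank lines and '#' header lines."""
    return [line.split("\t") for line in text.splitlines()
            if line and not line.startswith("#")]


def resolved_c2(dns_rows, host=C2_HOST):
    """Map client IP -> set of addresses it received for the C2 hostname."""
    seen = defaultdict(set)
    for _ts, client, query, answers in dns_rows:
        if query.lower().rstrip(".") == host:
            seen[client].update(a for a in answers.split(",") if a)
    return seen


def alerts(dns_text, conn_text):
    """Connections on the C2 port to an address that was resolved for the C2 host.

    High confidence: the same client resolved the host and then connected.
    Medium confidence: another client resolved it (shared resolver, missed query).
    """
    per_client = resolved_c2(parse_tsv(dns_text))
    any_client = set().union(*per_client.values())
    out = []
    for _ts, client, server, port, _proto in parse_tsv(conn_text):
        if int(port) != C2_PORT:
            continue
        if server in per_client.get(client, ()):
            out.append({"client": client, "server": server, "confidence": "high",
                        "reason": "resolved C2 host, then connected on the C2 port"})
        elif server in any_client:
            out.append({"client": client, "server": server, "confidence": "medium",
                        "reason": "connected on the C2 port to an IP another host resolved for the C2 host"})
    return out


if __name__ == "__main__":
    for a in alerts(DNS_LOG, CONN_LOG):
        print(f"[{a['confidence']}] {a['client']} -> {a['server']}:{C2_PORT}  {a['reason']}")
```

Because SMTP submission on 587 is normally STARTTLS, the mail account and recipient are not visible on the wire; keying on the resolved server address is what remains, and the medium tier catches hosts whose DNS query went through a resolver the sensor does not see.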
Signatures
-
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and credential stealer (early builds were written in Visual Basic .NET); the extracted config above shows this sample exfiltrating over SMTP to mail.newblessint.top on port 587.
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers routinely target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Process: DETAILS AND INVOICE .exe (the second, injected instance, PID 548)
Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
The subkey 9375CFF0413111d3B88A00104B2A6676 is where Outlook (Office 15.0 and 16.0) and the legacy Windows Messaging Subsystem store account settings, including saved mail credentials; trying all three locations in turn is consistent with Agent Tesla's mail-credential harvesting.
-
Adds Run key to start application (2 TTPs, 1 IoC)
Process: DETAILS AND INVOICE .exe (PID 1252)
Set value (str): \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\Eogew = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fdeytv\\Eogew.exe\""
This is the per-user Run key (HKCU, no elevation required), value name Eogew, pointing at a copy under %APPDATA%\Fdeytv\. The report's Downloads section contains only memory dumps, so the file at that path is not captured here; treat the path as a host IoC to verify rather than as a confirmed drop.
-
Suspicious use of SetThreadContext (1 IoC)
Process: DETAILS AND INVOICE .exe (PID 1252)
PID 1252 (DETAILS AND INVOICE .exe) set thread context of PID 548 (DETAILS AND INVOICE .exe)
The target is a second instance of the loader's own image; setting its thread context after writing into it is the hollowing step that redirects execution into the written payload.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature reads "Likely ransomware behaviour", but nothing else in this report (no file encryption, no dropped files) points that way; for an infostealer, enumerating drives is routine.
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Process: powershell.exe (PID 596)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: powershell.exe, DETAILS AND INVOICE .exe (both instances)
Token: SeDebugPrivilege   PID 596    powershell.exe
Token: SeDebugPrivilege   PID 1252   DETAILS AND INVOICE .exe
Token: SeDebugPrivilege   PID 548    DETAILS AND INVOICE .exe
-
Suspicious use of WriteProcessMemory (13 IoCs)
Process: DETAILS AND INVOICE .exe (PID 1252)
PID 1252 (DETAILS AND INVOICE .exe) wrote to memory of PID 596 (powershell.exe): 4 writes
PID 1252 (DETAILS AND INVOICE .exe) wrote to memory of PID 548 (DETAILS AND INVOICE .exe): 9 writes
A handful of writes into a freshly launched child is what the sandbox also records for ordinary process creation (the parent fills in the child's process parameters), so the powershell.exe entries are expected. The nine writes into a second instance of its own image, combined with the SetThreadContext call above, are the process-hollowing sequence: create suspended, overwrite the image, redirect the entry point, resume.
-
outlook_office_path (1 IoC)
Process: DETAILS AND INVOICE .exe (PID 548)
Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path (1 IoC)
Process: DETAILS AND INVOICE .exe (PID 548)
Key opened: \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
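The SetThreadContext and WriteProcessMemory signatures above only become a finding once they are correlated per source/target pair. The following is an added example (not part of the Triage report) of that correlation: the event tuples are constructed from the report's IoC rows (PID 1252 writing into PIDs 596 and 548, and setting 548's thread context); the noise threshold and scoring rules are this example's own assumptions.

```python
"""Correlate per-process API events into a process-hollowing finding.

Added example, not from the report. EVENTS is constructed from the report's
IoC rows; NOISE_WRITES and the scoring are hypothetical analyst choices.
"""
from collections import defaultdict

# (api, source_pid, source_image, target_pid, target_image), built from the report's rows
EVENTS = (
    [("WriteProcessMemory", 1252, "DETAILS AND INVOICE .exe", 596, "powershell.exe")] * 4
    + [("WriteProcessMemory", 1252, "DETAILS AND INVOICE .exe", 548, "DETAILS AND INVOICE .exe")] * 9
    + [("SetThreadContext", 1252, "DETAILS AND INVOICE .exe", 548, "DETAILS AND INVOICE .exe")]
)

# Hypothetical threshold: a parent writes a few times into every child it
# launches (process parameters), so only a larger batch is suspicious alone.
NOISE_WRITES = 4


def correlate(events):
    """Return {(src_pid, dst_pid): summary} for every cross-process pair seen."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False})
    for api, spid, simg, dpid, dimg in events:
        if spid == dpid:
            continue                      # in-process activity is not injection
        p = pairs[(spid, dpid)]
        p["src_image"], p["dst_image"] = simg, dimg
        if api == "WriteProcessMemory":
            p["writes"] += 1
        elif api == "SetThreadContext":
            p["set_context"] = True
    for p in pairs.values():
        same_image = p["src_image"].lower() == p["dst_image"].lower()
        # Hollowing: write a payload into a (suspended) child, then redirect its
        # thread with SetThreadContext. A same-image child is the classic form.
        p["hollowing"] = p["set_context"] and p["writes"] > 0
        p["self_image_hollowing"] = p["hollowing"] and same_image
        p["bulk_writes"] = p["writes"] > NOISE_WRITES
    return dict(pairs)


def findings(events):
    """One line per pair that looks like injection rather than plain process creation."""
    out = []
    for (spid, dpid), p in sorted(correlate(events).items()):
        if p["hollowing"] or p["bulk_writes"]:
            kind = "self-image hollowing" if p["self_image_hollowing"] else "injection"
            out.append(f"{kind}: PID {spid} ({p['src_image']}) -> PID {dpid} "
                       f"({p['dst_image']}), {p['writes']} writes, "
                       f"SetThreadContext={p['set_context']}")
    return out


if __name__ == "__main__":
    for line in findings(EVENTS):
        print(line)
```

The pair (1252, 596) drops out because four writes with no SetThreadContext is indistinguishable from launching a child; the pair (1252, 548) is reported because the context switch is present at all, regardless of write count.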
Processes
-
C:\Users\Admin\AppData\Local\Temp\DETAILS AND INVOICE .exe (PID 1252, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DETAILS AND INVOICE .exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 596, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    Decoded -EncodedCommand (base64 of UTF-16LE): start-sleep -seconds 20
    The command line names System32 but the image actually loaded is under SysWOW64: WoW64 file-system redirection, which means the parent is a 32-bit process. The script is nothing more than a 20-second delay, a stalling trick used to wait out sandbox time budgets before the injection step.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\DETAILS AND INVOICE .exe (PID 548, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DETAILS AND INVOICE .exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
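Decoding the PowerShell command line is a step worth automating, because the switch can be abbreviated (-e, -ec, -enc, -EncodedCommand) and the payload is base64 over UTF-16LE, not UTF-8. The following is an added example (not part of the Triage report): the command line and image path are copied from the process tree above; the tokenizer, the prefix matching and the WoW64 check are this example's own.

```python
"""Decode a powershell.exe -EncodedCommand and spot WoW64 redirection.

Added example, not from the report. REPORT_CMDLINE and REPORT_IMAGE are
copied from the report's process tree; everything else is this example's own.
"""
import base64
import binascii
import re

REPORT_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    "-ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="
)
REPORT_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Windows command lines: keep double-quoted runs together, split the rest on whitespace.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def _is_encoded_switch(tok):
    """True for any prefix of -EncodedCommand (-e, -ec, -enc, ...), case-insensitive.

    powershell.exe resolves abbreviated switches by prefix; '-ex' already
    belongs to -ExecutionPolicy and is correctly rejected here.
    """
    if len(tok) < 2 or tok[0] not in "-/":
        return False
    return "encodedcommand".startswith(tok[1:].lower())


def decode_encoded_command(cmdline):
    """Return the decoded script text, or None when no valid encoded command is present."""
    toks = _TOKEN.findall(cmdline)
    for i, tok in enumerate(toks[:-1]):
        if not _is_encoded_switch(tok):
            continue
        blob = toks[i + 1].strip('"')
        try:
            raw = base64.b64decode(blob, validate=True)   # reject non-base64 garbage
            return raw.decode("utf-16-le").rstrip("\x00")  # PowerShell encodes UTF-16LE
        except (binascii.Error, ValueError, UnicodeDecodeError):
            return None
    return None


def wow64_redirected(image_path, cmdline):
    """True when the command line asked for System32 but the loaded image is under SysWOW64.

    That mismatch is WoW64 file-system redirection: the caller is a 32-bit process.
    """
    return "\\syswow64\\" in image_path.lower() and "\\system32\\" in cmdline.lower()


if __name__ == "__main__":
    print("decoded :", decode_encoded_command(REPORT_CMDLINE))
    print("wow64   :", wow64_redirected(REPORT_IMAGE, REPORT_CMDLINE))
```

Decoding with UTF-8 instead of UTF-16LE yields text interleaved with NUL bytes, which is the usual reason a hand-rolled decoder "almost" works on these command lines.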
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
Memory dumps (file, size):
memory/548-67-0x0000000000400000-0x0000000000430000-memory.dmp    192KB
memory/548-77-0x0000000004D00000-0x0000000004D40000-memory.dmp    256KB
memory/548-76-0x0000000004D00000-0x0000000004D40000-memory.dmp    256KB
memory/548-75-0x0000000000400000-0x0000000000430000-memory.dmp    192KB
memory/548-73-0x0000000000400000-0x0000000000430000-memory.dmp    192KB
memory/548-71-0x0000000000400000-0x0000000000430000-memory.dmp    192KB
memory/548-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp    4KB
memory/548-69-0x0000000000400000-0x0000000000430000-memory.dmp    192KB
memory/548-68-0x0000000000400000-0x0000000000430000-memory.dmp    192KB
memory/548-66-0x0000000000400000-0x0000000000430000-memory.dmp    192KB
memory/596-64-0x00000000026E0000-0x0000000002720000-memory.dmp    256KB
memory/596-62-0x00000000026E0000-0x0000000002720000-memory.dmp    256KB
memory/596-61-0x00000000026E0000-0x0000000002720000-memory.dmp    256KB
memory/1252-54-0x0000000000D80000-0x0000000000F0C000-memory.dmp   1.5MB
memory/1252-63-0x00000000045C0000-0x0000000004600000-memory.dmp   256KB
memory/1252-58-0x00000000045C0000-0x0000000004600000-memory.dmp   256KB
memory/1252-57-0x0000000004310000-0x00000000043A2000-memory.dmp   584KB
memory/1252-56-0x00000000008E0000-0x0000000000902000-memory.dmp   136KB
memory/1252-55-0x0000000004BB0000-0x0000000004CD2000-memory.dmp   1.1MB
Reading the list: the number after the PID is the dump sequence, so repeated entries are the same region captured at different points in the run. PID 1252's 0xD80000-0xF0C000 region (1.5MB) matches the submitted sample's size and is the loader's own image. PID 548's 0x400000-0x430000 region (192KB) was dumped seven times and sits at the default 32-bit image base; after the WriteProcessMemory/SetThreadContext sequence recorded above, it is the region to carve for the unpacked Agent Tesla payload. The 4KB page at 0x7EFDE000 in PID 548 is where Windows 7 commonly places a 32-bit process's PEB, whose ImageBaseAddress a hollowing loader rewrites to point at the new image.
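Triaging a dump list like this one by hand means de-duplicating regions per PID, turning address ranges into sizes, and deciding which dumps to carve first. The following is an added example (not part of the Triage report) that does that over the file names copied from the list above; the size formatting and the two selection heuristics (default 32-bit image base, size equal to the submitted sample) are this example's own assumptions, not Triage logic.

```python
"""Group sandbox memory dumps by PID and pick the regions worth carving as PE files.

Added example, not from the report. DUMP_NAMES is copied from the report's
Downloads section; DEFAULT_IMAGE_BASE and the selection rules are hypothetical.
"""
import re
from collections import defaultdict

DUMP_NAMES = """
memory/548-67-0x0000000000400000-0x0000000000430000-memory.dmp
memory/548-77-0x0000000004D00000-0x0000000004D40000-memory.dmp
memory/548-76-0x0000000004D00000-0x0000000004D40000-memory.dmp
memory/548-75-0x0000000000400000-0x0000000000430000-memory.dmp
memory/548-73-0x0000000000400000-0x0000000000430000-memory.dmp
memory/548-71-0x0000000000400000-0x0000000000430000-memory.dmp
memory/548-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/548-69-0x0000000000400000-0x0000000000430000-memory.dmp
memory/548-68-0x0000000000400000-0x0000000000430000-memory.dmp
memory/548-66-0x0000000000400000-0x0000000000430000-memory.dmp
memory/596-64-0x00000000026E0000-0x0000000002720000-memory.dmp
memory/596-62-0x00000000026E0000-0x0000000002720000-memory.dmp
memory/596-61-0x00000000026E0000-0x0000000002720000-memory.dmp
memory/1252-54-0x0000000000D80000-0x0000000000F0C000-memory.dmp
memory/1252-63-0x00000000045C0000-0x0000000004600000-memory.dmp
memory/1252-58-0x00000000045C0000-0x0000000004600000-memory.dmp
memory/1252-57-0x0000000004310000-0x00000000043A2000-memory.dmp
memory/1252-56-0x00000000008E0000-0x0000000000902000-memory.dmp
memory/1252-55-0x0000000004BB0000-0x0000000004CD2000-memory.dmp
""".split()

# Triage name layout: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DEFAULT_IMAGE_BASE = 0x400000   # classic link-time base of 32-bit PE files


def parse_dump(name):
    """Split one dump file name into pid, sequence number, start, end and size."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def human(n):
    """Size label in the report's own style: whole KB below 1MB, one decimal above."""
    return f"{n // 1024}KB" if n < 1024 * 1024 else f"{n / 1048576:.1f}MB"


def regions_by_pid(names):
    """{pid: {(start, end): {size, dumps, first_seq}}}, merging repeated dumps."""
    out = defaultdict(dict)
    for d in map(parse_dump, names):
        r = out[d["pid"]].setdefault((d["start"], d["end"]),
                                     {"size": d["size"], "dumps": 0, "first_seq": d["seq"]})
        r["dumps"] += 1
        r["first_seq"] = min(r["first_seq"], d["seq"])
    return dict(out)


def candidate_payloads(names, sample_size_label):
    """Regions to carve first: at the default image base, or sized like the submitted sample."""
    out = []
    for pid, regions in sorted(regions_by_pid(names).items()):
        for (start, _end), r in sorted(regions.items()):
            if start == DEFAULT_IMAGE_BASE:
                reason = "default 32-bit image base; unpacked payload candidate"
            elif human(r["size"]) == sample_size_label:
                reason = "size matches the submitted sample; the loader's own image"
            else:
                continue
            out.append({"pid": pid, "start": start, "size": r["size"],
                        "dumps": r["dumps"], "reason": reason})
    return out


if __name__ == "__main__":
    for c in candidate_payloads(DUMP_NAMES, "1.5MB"):
        print(f"PID {c['pid']:>5} 0x{c['start']:08X} {human(c['size']):>6} "
              f"x{c['dumps']}  {c['reason']}")
```

Carving the 0x400000 region of PID 548 is the normal route to the decrypted Agent Tesla assembly; the loader's own 1.5MB image in PID 1252 is only useful for studying the packer.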