Analysis
max time kernel: 100s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2023 13:44
Static task: static1
Behavioral task: behavioral1
  Sample: DETAILS AND INVOICE .exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: DETAILS AND INVOICE .exe
  Resource: win10v2004-20230220-en
General
Target: DETAILS AND INVOICE .exe
Size: 1.5MB
MD5: b68d2d763d668c02198d3e7b9790d643
SHA1: ac65465f888c83f1ad1697e111273b144d9d6635
SHA256: 7be800543004524d306ac5da65ba76133ccec42616a06a75de21e8b958693993
SHA512: e77526c6af05773362201aff5194b91b304f0136c0a4e342e30576c78e5b539fb18817db6d1f6831eed7d44089dec4c3941f1086fc60c2b86bdde1fe952daa22
SSDEEP: 24576:br/NMFJMwNTEVSNaDxIefc3Gz/WMbQ6SlAd4HkcUR6Ds5ogeXkC9i8DNnQCIjyx7:baxTf6wlA+PVkCs
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.newblessint.top
  Port: 587
  Username: [email protected]
  Password: K,j[5i~N4.iQ
  Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a .NET information stealer and remote access tool (RAT), originally written in Visual Basic .NET. The 32-bit CLR 4.0 usage log this run left under CLR_v4.0_32\UsageLogs (listed under Downloads) is consistent with that: the sample is a 32-bit .NET 4 assembly.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, most likely a geofence (abort or change behaviour depending on the victim's configured country).
Processes:
  DETAILS AND INVOICE .exe: Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes (all three keys were opened by the second instance of the sample, PID 2016 in the process tree):
  DETAILS AND INVOICE .exe: Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  DETAILS AND INVOICE .exe: Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  DETAILS AND INVOICE .exe: Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  DETAILS AND INVOICE .exe: Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eogew = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fdeytv\\Eogew.exe\""
The Run value points at a copy under the user's roaming AppData with a name unrelated to the submitted file, so hunt on the value name Eogew and the Fdeytv directory rather than on the original filename. The copy itself is not among the files the sandbox captured in this run.

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 2880 (DETAILS AND INVOICE .exe) set thread context of PID 2016 (DETAILS AND INVOICE .exe)
Together with the eight WriteProcessMemory events from 2880 into 2016 listed below, this is the process-hollowing (RunPE) pattern: the sample starts a second copy of itself, overwrites that copy's memory with the real payload and points its thread at it. The Outlook profile access is then performed by PID 2016, not by the original image.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but nothing else in this report (an Agent Tesla SMTP exfiltration config, credential-store access, no file-encryption activity) supports that; for an infostealer it is ordinary host profiling.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  powershell.exe (PID 3360): 2 events

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 3360 powershell.exe
  Token: SeDebugPrivilege  PID 2880 DETAILS AND INVOICE .exe
  Token: SeDebugPrivilege  PID 2016 DETAILS AND INVOICE .exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  PID 2880 (DETAILS AND INVOICE .exe) wrote to memory of PID 3360 (powershell.exe): 3 events
  PID 2880 (DETAILS AND INVOICE .exe) wrote to memory of PID 2016 (DETAILS AND INVOICE .exe): 8 events
A few writes into a child the parent has just created are commonly seen as CreateProcess side effects and are a weak signal on their own; the eight writes into the second copy of the sample, paired with the SetThreadContext above, are the injection.

outlook_office_path (1 IoC)
Processes:
  DETAILS AND INVOICE .exe: Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
Processes:
  DETAILS AND INVOICE .exe: Key opened \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
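The Run-key, SetThreadContext and WriteProcessMemory signatures above are easiest to reason about as one pattern. The following Python is an added example and not part of the sandbox report or its tooling: it takes the report's own IoC rows (the PID table, the event counts and the Run-key row, copied here as constructed input) and flags the parent/child pair that shows the hollowing combination, separates it from the memory writes that merely accompany process creation, and unescapes the Run-key value into a path it tests against a short list of user-writable locations. The tuple encoding of the events and the heuristics are assumptions made for the example.

```python
"""Triage the injection and persistence IoCs of a sandbox report.

Added example, not the sandbox's own logic.  The process table, the event
list and the Run-key line are copied from this report's signature tables;
the tuple encoding of events and the heuristics are assumptions made for
the example.
"""
import re
from collections import Counter

# PID -> image name, taken from the report's process tree.
PROCS = {
    2880: "DETAILS AND INVOICE .exe",  # the sample as submitted
    3360: "powershell.exe",            # child started with -ENC
    2016: "DETAILS AND INVOICE .exe",  # second copy of the sample
}

# (api, source pid, target pid), one tuple per IoC row: the report lists
# three writes into powershell.exe, eight into the second copy and one
# SetThreadContext into the second copy.
EVENTS = (
    [("WriteProcessMemory", 2880, 3360)] * 3
    + [("WriteProcessMemory", 2880, 2016)] * 8
    + [("SetThreadContext", 2880, 2016)]
)

# The Run-key row exactly as the sandbox printed it (value C-escaped).
RUN_KEY_LINE = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eogew = '
    r'"\"C:\\Users\\Admin\\AppData\\Roaming\\Fdeytv\\Eogew.exe\"" DETAILS AND INVOICE .exe'
)

RUN_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.*\\Run\\(?P<name>[^\\ ]+)) = '
    r'"(?P<value>.*)" (?P<proc>.+)$'
)


def _split(events):
    contexts = {(s, t) for api, s, t in events if api == "SetThreadContext"}
    writes = Counter((s, t) for api, s, t in events if api == "WriteProcessMemory")
    return contexts, writes


def find_hollowing(procs, events):
    """Source/target pairs where the source both wrote into the target and
    reset a thread context there: the RunPE / process-hollowing combination.
    same_image is True when the target is another copy of the injector."""
    contexts, writes = _split(events)
    return [
        {"injector": s, "target": t, "writes": writes[(s, t)],
         "same_image": procs[s] == procs[t]}
        for s, t in sorted(contexts)
    ]


def creation_noise(procs, events):
    """Write-only pairs.  A parent populating a child it has just created
    shows up this way, so writes without a context change are a weak signal."""
    contexts, writes = _split(events)
    return [(s, t, procs[t], n) for (s, t), n in sorted(writes.items())
            if (s, t) not in contexts]


def parse_run_key(line):
    """Pull name, unescaped path and setting process out of a Run-key row and
    flag paths under user-writable directories (heuristic list)."""
    m = RUN_RE.match(line)
    if not m:
        return None
    # The sandbox prints the REG_SZ with C-style escapes; undo them.
    value = m["value"].replace("\\\\", "\\").replace('\\"', '"')
    path = value.strip('"')
    low = path.lower()
    user_writable = any(s in low for s in ("\\appdata\\", "\\users\\public\\", "\\temp\\"))
    return {"name": m["name"], "path": path, "set_by": m["proc"],
            "user_writable": user_writable}


if __name__ == "__main__":
    for f in find_hollowing(PROCS, EVENTS):
        print("hollowing:", f)
    for s, t, image, n in creation_noise(PROCS, EVENTS):
        print(f"write-only: {s} -> {t} ({image}), {n} writes, no SetThreadContext")
    print("persistence:", parse_run_key(RUN_KEY_LINE))
```

Run as is, it reports one hollowing pair (2880 into its own second copy, 8 writes), one write-only pair (the 3 writes into powershell.exe, which it deliberately does not flag), and the Run value Eogew resolving to a path under AppData\Roaming.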
Processes

C:\Users\Admin\AppData\Local\Temp\DETAILS AND INVOICE .exe (PID 2880)
  "C:\Users\Admin\AppData\Local\Temp\DETAILS AND INVOICE .exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3360, child of 2880)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\DETAILS AND INVOICE .exe (PID 2016, child of 2880)
    "C:\Users\Admin\AppData\Local\Temp\DETAILS AND INVOICE .exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

Two details of the tree are worth noting. The -ENC argument is base64 of the UTF-16LE text "start-sleep -seconds 20": the parent launches PowerShell purely to stall for 20 seconds, a cheap delay against sandboxes with short run times, while the hollowed second copy does the stealing. The command line asks for System32 but the image that actually ran is under SysWOW64, because the 32-bit parent is subject to WoW64 file-system redirection.
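The powershell.exe line in the tree carries its script as an -EncodedCommand argument, which is base64 over UTF-16LE text. The Python below is an added example, not code from the sandbox or the report: it pulls that argument off the command line copied from this report, decodes it, and applies a small heuristic for the Start-Sleep stall the result turns out to be. The set of flag spellings it recognises and the sleep regex are assumptions made for the example; encode_command is included so the round trip can be checked on constructed input as well.

```python
"""Decode and triage a PowerShell -EncodedCommand argument.

Added example, not the sandbox's code.  CMDLINE is the powershell.exe
command line from this report's process tree; the flag spellings handled
and the sleep heuristic are assumptions made for the example.
"""
import base64
import re

CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC '
    'cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=='
)

# PowerShell accepts abbreviated parameter names; these are the spellings
# of -EncodedCommand commonly seen on sample command lines (assumed list).
ENC_FLAG = re.compile(r'(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)')

# Start-Sleep (or its alias sleep) with -Seconds/-Milliseconds or a bare count.
SLEEP_RE = re.compile(
    r'(?i)\b(?:start-)?sleep\b\s*(?:-(?P<unit>s(?:econds)?|m(?:illiseconds)?)\s+)?(?P<n>\d+)'
)


def encode_command(script):
    """The encoding PowerShell expects: UTF-16LE text, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64):
    """Reverse of encode_command; rejects non-base64 and odd byte counts."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE")
    return raw.decode("utf-16-le")


def triage_encoded_command(cmdline):
    """Return the encoded token, the decoded script and, when the script is
    a delay, the number of seconds it sleeps; None if there is no encoded
    command on the line."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    script = decode_command(m.group(1))
    result = {"encoded": m.group(1), "script": script, "sleep_seconds": None}
    s = SLEEP_RE.search(script)
    if s:
        n = int(s["n"])
        unit = (s["unit"] or "s").lower()
        result["sleep_seconds"] = n / 1000 if unit.startswith("m") else n
    return result


if __name__ == "__main__":
    print(triage_encoded_command(CMDLINE))
```

On the report's command line this yields the script "start-sleep -seconds 20" and sleep_seconds 20; a command line without an encoded argument returns None, and a decoded script that is not a sleep keeps sleep_seconds as None.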
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DETAILS AND INVOICE .exe.log
  Filesize: 1KB
  MD5: 7e88081fcf716d85992bb3af3d9b6454
  SHA1: 2153780fbc71061b0102a7a7b665349e1013e250
  SHA256: 5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2
  SHA512: ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1qb3xqs.y4g.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Both files are runtime side effects rather than payload drops: the first is the CLR's usage log for a 32-bit .NET 4 process, the second is the script-policy probe PowerShell writes at startup.

Memory dumps (name is PID-sequence-start-end):
  memory/2016-172-0x0000000005090000-0x00000000050A0000-memory.dmp  64KB
  memory/2016-171-0x0000000006600000-0x00000000067C2000-memory.dmp  1.8MB
  memory/2016-170-0x00000000063E0000-0x0000000006430000-memory.dmp  320KB
  memory/2016-169-0x00000000060B0000-0x00000000060BA000-memory.dmp  40KB
  memory/2016-168-0x00000000060D0000-0x0000000006162000-memory.dmp  584KB
  memory/2016-167-0x0000000005090000-0x00000000050A0000-memory.dmp  64KB
  memory/2016-166-0x00000000055A0000-0x0000000005B44000-memory.dmp  5.6MB
  memory/2016-163-0x0000000000400000-0x0000000000430000-memory.dmp  192KB
  memory/2880-155-0x0000000001260000-0x0000000001270000-memory.dmp  64KB
  memory/2880-133-0x0000000000930000-0x0000000000ABC000-memory.dmp  1.5MB
  memory/2880-135-0x0000000001260000-0x0000000001270000-memory.dmp  64KB
  memory/2880-134-0x0000000005860000-0x0000000005882000-memory.dmp  136KB
  memory/3360-139-0x0000000004E50000-0x0000000004E60000-memory.dmp  64KB
  memory/3360-156-0x0000000004E50000-0x0000000004E60000-memory.dmp  64KB
  memory/3360-157-0x0000000004E50000-0x0000000004E60000-memory.dmp  64KB
  memory/3360-158-0x0000000004E50000-0x0000000004E60000-memory.dmp  64KB
  memory/3360-154-0x00000000068A0000-0x00000000068BA000-memory.dmp  104KB
  memory/3360-153-0x0000000007A00000-0x000000000807A000-memory.dmp  6.5MB
  memory/3360-152-0x0000000004E50000-0x0000000004E60000-memory.dmp  64KB
  memory/3360-151-0x00000000063A0000-0x00000000063BE000-memory.dmp  120KB
  memory/3360-141-0x0000000005C40000-0x0000000005CA6000-memory.dmp  408KB
  memory/3360-140-0x0000000005BD0000-0x0000000005C36000-memory.dmp  408KB
  memory/3360-138-0x0000000004E50000-0x0000000004E60000-memory.dmp  64KB
  memory/3360-137-0x00000000054D0000-0x0000000005AF8000-memory.dmp  6.2MB
  memory/3360-136-0x0000000004E60000-0x0000000004E96000-memory.dmp  216KB

The 1.5MB region in PID 2880 (0x930000-0xABC000) matches the size of the submitted sample and is the original image; the 192KB region at the default image base 0x400000 in PID 2016 is what was written into the hollowed second copy, and is the dump to unpack first.