Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2023 07:38

Static task: static1

Behavioral task: behavioral1
Sample: Proforma Invoice - Well Ergon 16-09-2023.exe
Resource: win7-20231023-en

Behavioral task: behavioral2
Sample: Proforma Invoice - Well Ergon 16-09-2023.exe
Resource: win10v2004-20231127-en
General
Target: Proforma Invoice - Well Ergon 16-09-2023.exe
Size: 981KB
MD5: ff1eb59fead63e9e085cc141cfe2ea05
SHA1: f367f16f00b643194270fae417603025fd720a4e
SHA256: fa9768671a5cf88a6140c7dc6a4a23e428707e903640e66d7eab3fa7e0ba52e2
SHA512: 18befc027e7bce78743845becac2c97551e7b197a08cc59a1ffba032cff4259078c93f8e5da3d26a2b62656a7c5ec9a815219a20f4ea13241fa0bc24f2ef069d
SSDEEP: 12288:DsJ28iaLMu8KCzKXB/wqKFtAEJaGyrP11UFWopoxpgn2IyFqpXWr0EeS7J/P7r9O:D+2vaLP8v+lhj1UYei1q
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.bezzleauto.com
Port: 587
Username: [email protected]
Password: kex#-rHjHM4qKk52
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 2248 set thread context of 2704 | 2248 | Proforma Invoice - Well Ergon 16-09-2023.exe | RegSvcs.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
  2704 | RegSvcs.exe
  2704 | RegSvcs.exe
  2980 | powershell.exe
  2628 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 2704 | RegSvcs.exe
  Token: SeDebugPrivilege | 2980 | powershell.exe
  Token: SeDebugPrivilege | 2628 | powershell.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description | pid | process | target process), identical rows collapsed with a count:
  PID 2248 wrote to memory of 2980 | 2248 | Proforma Invoice - Well Ergon 16-09-2023.exe | powershell.exe (4 rows)
  PID 2248 wrote to memory of 2628 | 2248 | Proforma Invoice - Well Ergon 16-09-2023.exe | powershell.exe (4 rows)
  PID 2248 wrote to memory of 2640 | 2248 | Proforma Invoice - Well Ergon 16-09-2023.exe | schtasks.exe (4 rows)
  PID 2248 wrote to memory of 2704 | 2248 | Proforma Invoice - Well Ergon 16-09-2023.exe | RegSvcs.exe (12 rows)
Processes (process tree; depth 1 is the submitted sample, depth 2 are its children)

1. C:\Users\Admin\AppData\Local\Temp\Proforma Invoice - Well Ergon 16-09-2023.exe (PID 2248)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice - Well Ergon 16-09-2023.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2980)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Proforma Invoice - Well Ergon 16-09-2023.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2628)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EPGkbIwTIm.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\schtasks.exe (PID 2640)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EPGkbIwTIm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD826.tmp"
      - Creates scheduled task(s)

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2704)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- (file path not listed in the report)
  Filesize: 1KB
  MD5: e83c03c3fa8c3d86bf61bf60b07bf5d6
  SHA1: d97a962aace92c6dfa22b8c88fed392157f8df41
  SHA256: 398ebcaaccd8b37d2ab6ec85b62c2d632c5b896ed19efa53e2b0c45c5c5f1128
  SHA512: 1f60896d8fda32bd12afddff550236fc2cdaa9608bab2c09f023893b8c384a35b1681c2388e98a9dc1f1fc60d0a04bf1ae8324c9cae1e2753ae2628ab068a0c1

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CF5C02ITD3UQU5TFK2IV.temp
  Filesize: 7KB
  MD5: 268fedbfe03eb3ad085cb65702891a9b
  SHA1: 23f35ca8ae493e7c7bcd770f7bdd820ea6dc92db
  SHA256: efee45a5eb120777d566cb0c240aa4a78f9951998dc6cea5f1114a67a2898794
  SHA512: 351d1531ff394b9304a1cfa9b65e22e89f5f1c7edd00a33f110e328a97773ab69b2113e09eb4286056c46b4aa05b0242d32c6a6a6d5a8bb6cf01565b912a7810

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 268fedbfe03eb3ad085cb65702891a9b
  SHA1: 23f35ca8ae493e7c7bcd770f7bdd820ea6dc92db
  SHA256: efee45a5eb120777d566cb0c240aa4a78f9951998dc6cea5f1114a67a2898794
  SHA512: 351d1531ff394b9304a1cfa9b65e22e89f5f1c7edd00a33f110e328a97773ab69b2113e09eb4286056c46b4aa05b0242d32c6a6a6d5a8bb6cf01565b912a7810