Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231130-en -
resource tags
arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system -
submitted
04-12-2023 16:02
Static task
static1
Behavioral task
behavioral1
Sample
OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe
Resource
win7-20231130-en
Behavioral task
behavioral2
Sample
OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe
Resource
win10v2004-20231127-en
General
-
Target
OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe
-
Size
909KB
-
MD5
0167b00f658c04b84b22927a449106eb
-
SHA1
177e099d9470f371f53d063b9c68703cde2b6977
-
SHA256
1fa497fd2ea5004a12f885d7dac2b47c0494aae2fbe45eb70f96a7f3bb03cbd1
-
SHA512
d4bc3736404708398349efb8f190887c48d7d06f86115a2a51ebd030fea031230892e86614aff3a2bcd75c4fa67d902cfd1ed72a960e7dc41e68f99219d2253f
-
SSDEEP
24576:9Tm4Qyr3+0Dda+2GBxy0QbiU+XL9XKMvO:xm4Y0DtvBQbL8LT
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail5.planetc.net - Port:
587 - Username:
[email protected] - Password:
623434@esit - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exedescription pid process target process PID 2916 set thread context of 2572 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exepowershell.exepowershell.exeRegSvcs.exepid process 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe 2164 powershell.exe 2708 powershell.exe 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe 2572 RegSvcs.exe 2572 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exepowershell.exepowershell.exeRegSvcs.exedescription pid process Token: SeDebugPrivilege 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe Token: SeDebugPrivilege 2164 powershell.exe Token: SeDebugPrivilege 2708 powershell.exe Token: SeDebugPrivilege 2572 RegSvcs.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exedescription pid process target process PID 2916 wrote to memory of 2164 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe powershell.exe PID 2916 wrote to memory of 2164 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe powershell.exe PID 2916 wrote to memory of 2164 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe powershell.exe PID 2916 wrote to memory of 2164 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe powershell.exe PID 2916 wrote to memory of 2708 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe powershell.exe PID 2916 wrote to memory of 2708 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe powershell.exe PID 2916 wrote to memory of 2708 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe powershell.exe PID 2916 wrote to memory of 2708 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe powershell.exe PID 2916 wrote to memory of 2520 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe schtasks.exe PID 2916 wrote to memory of 2520 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe schtasks.exe PID 2916 wrote to memory of 2520 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe schtasks.exe PID 2916 wrote to memory of 2520 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe schtasks.exe PID 2916 wrote to memory of 2572 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe RegSvcs.exe PID 2916 wrote to memory of 2572 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe RegSvcs.exe PID 2916 wrote to memory of 2572 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe RegSvcs.exe PID 2916 wrote to memory of 2572 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe RegSvcs.exe PID 2916 wrote to memory of 2572 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe RegSvcs.exe PID 2916 wrote to memory of 2572 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe RegSvcs.exe PID 2916 wrote to memory of 2572 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe RegSvcs.exe PID 2916 wrote to memory of 2572 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe RegSvcs.exe PID 2916 wrote to memory of 2572 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe RegSvcs.exe PID 2916 wrote to memory of 2572 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe RegSvcs.exe PID 2916 wrote to memory of 2572 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe RegSvcs.exe PID 2916 wrote to memory of 2572 2916 OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe"C:\Users\Admin\AppData\Local\Temp\OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\OUTSTANDING INVOICE.pdf_____________________________________________________________________________.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gbEFiipzn.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gbEFiipzn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp53FA.tmp"2⤵
- Creates scheduled task(s)
PID:2520 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD553811a53f48f1d7145f0c9b5f2a0a6fc
SHA1d39fe6a484309f6f6f155c133112b0d5d00809ae
SHA256dc04c07791a77bfcd094894d61c03972d738b2e1ebf18948c88fde618c9c772e
SHA5126e822509c3854efca19ff72c44e55ac8427ba720c7096beec5b27893940252ca0aedbd55d6e1fe3bd657003c889e5175315961988b39ee76f92591d398f6cc2a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PHTB94NG3V5QA8SZPYGL.temp
Filesize7KB
MD5a3934890181c802ce525180e5c3c7c88
SHA1968bf26ea1519beb5dba04ec2ae7c99d7a5f8d40
SHA2567f1973a4bdb5eb85312b4e53f1908765dd0d337d0dcc0b24f3ec0155349feab0
SHA5122046437ab46c3c5dd95daf0701056254bb661eee2cec8b9770d86dc0c12cb7f255895d014d7a1742f5d6ca19a0a2542eeeaa50a9bc07ed095a967ec82006fc40
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5a3934890181c802ce525180e5c3c7c88
SHA1968bf26ea1519beb5dba04ec2ae7c99d7a5f8d40
SHA2567f1973a4bdb5eb85312b4e53f1908765dd0d337d0dcc0b24f3ec0155349feab0
SHA5122046437ab46c3c5dd95daf0701056254bb661eee2cec8b9770d86dc0c12cb7f255895d014d7a1742f5d6ca19a0a2542eeeaa50a9bc07ed095a967ec82006fc40