Overview

overview

10

Static

static

3

shipment invoice.exe

windows7-x64

10

shipment invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 08:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shipment invoice.exe

  • Size

    991KB

  • MD5

    3d0e43113603bf2f7c7773ae08d1e03d

  • SHA1

    8d90a13d1e29bec0d4167fdcc67e6710724f79dc

  • SHA256

    91ff3998adf51757d7580e1c190ff9f4c12e9b2de48b56c7507824753a9930e2

  • SHA512

    b4a9ba85c7ce0cf04b0bc578d330910f8d03e90077466d4845af58c5f1d8c951bb78b32787cd6e871ab019da132e865c43f7f12ecced5108e20e668392574fa0

  • SSDEEP

    24576:Vb34/up+pJSpEBTxv7/S6buFPTPYMXu71oPX9Ikq2rMx:F38PJSoJ/iF8M7Pqkq2rMx

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\shipment invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\shipment invoice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipment invoice.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DrHGavhyoEe.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DrHGavhyoEe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2804
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3F.tmp
    Filesize

    1KB

    MD5

    0b9f048ee5d3d1858611b71fe17b7dc1

    SHA1

    84ae2dc8cdb639a6017ee698610d46d3c6a138c0

    SHA256

    8b10f82d4323a13673f33e1b64c987292b0b8b836172bdb997ac407417d4f6d4

    SHA512

    54e4a21c61b74f8c79a29a157907804ac0a34e44b2869c146503a528a1147363854ceed1c0b836811e3de06d563aba399c6a27c971d5effb2d18bbf7942879ea

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YCD3Q6WABUVNUFC7XMEO.temp
    Filesize

    7KB

    MD5

    2c995c71f99d2bcd21936f2b7887c75f

    SHA1

    3d4e716783915690d9a183d448aab62e72234c4f

    SHA256

    7be67d1e6fa751ddcdd23b6bce123e6b8323426e427c5212b1badc7f8bf44f94

    SHA512

    fb9593c0e85c04e815349e57bd04762d9aa38fe022ea4f490dd5b342827dfd5852d8ac799a32aa26f9b84a465eb71af2892482b447c5ccd41b801dde7e522bd1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    2c995c71f99d2bcd21936f2b7887c75f

    SHA1

    3d4e716783915690d9a183d448aab62e72234c4f

    SHA256

    7be67d1e6fa751ddcdd23b6bce123e6b8323426e427c5212b1badc7f8bf44f94

    SHA512

    fb9593c0e85c04e815349e57bd04762d9aa38fe022ea4f490dd5b342827dfd5852d8ac799a32aa26f9b84a465eb71af2892482b447c5ccd41b801dde7e522bd1

    Download Submit

  • memory/2256-3-0x0000000000760000-0x0000000000778000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2256-4-0x0000000000960000-0x0000000000968000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2256-5-0x0000000001E70000-0x0000000001E7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2256-6-0x0000000004D90000-0x0000000004E0A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2256-7-0x0000000074EA0000-0x000000007558E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2256-8-0x0000000004E70000-0x0000000004EB0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2256-0-0x0000000000970000-0x0000000000A6E000-memory.dmp

    Filesize

    1016KB

    Download

  • memory/2256-2-0x0000000004E70000-0x0000000004EB0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2256-1-0x0000000074EA0000-0x000000007558E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2256-37-0x0000000074EA0000-0x000000007558E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2548-35-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2548-42-0x0000000004A50000-0x0000000004A90000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2548-46-0x0000000004A50000-0x0000000004A90000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2548-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2548-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2548-29-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2548-31-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2548-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2548-45-0x0000000073C50000-0x000000007433E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2548-41-0x0000000073C50000-0x000000007433E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2548-40-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2548-38-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2704-21-0x000000006EF70000-0x000000006F51B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2704-23-0x0000000002650000-0x0000000002690000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2704-44-0x000000006EF70000-0x000000006F51B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2704-24-0x000000006EF70000-0x000000006F51B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2712-43-0x000000006EF70000-0x000000006F51B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2712-22-0x000000006EF70000-0x000000006F51B000-memory.dmp

    Filesize

    5.7MB

    Download