Analysis
Max time kernel: 120s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20231023-en
Resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
Submitted: 05-12-2023 08:03
Static task: static1
Behavioral task: behavioral1
  Sample: shipment invoice.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: shipment invoice.exe
  Resource: win10v2004-20231130-en
General
Target: shipment invoice.exe
Size: 991KB
MD5: 3d0e43113603bf2f7c7773ae08d1e03d
SHA1: 8d90a13d1e29bec0d4167fdcc67e6710724f79dc
SHA256: 91ff3998adf51757d7580e1c190ff9f4c12e9b2de48b56c7507824753a9930e2
SHA512: b4a9ba85c7ce0cf04b0bc578d330910f8d03e90077466d4845af58c5f1d8c951bb78b32787cd6e871ab019da132e865c43f7f12ecced5108e20e668392574fa0
SSDEEP: 24576:Vb34/up+pJSpEBTxv7/S6buFPTPYMXu71oPX9Ikq2rMx:F38PJSoJ/iF8M7Pqkq2rMx
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.bezzleauto.com
  Port: 587
  Username: [email protected]
  Password: Kene123456789
  Email To: [email protected]
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 2256 set thread context of 2548 | 2256 | shipment invoice.exe | RegSvcs.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    2704 | powershell.exe
    2712 | powershell.exe
    2548 | RegSvcs.exe
    2548 | RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2704 | powershell.exe
    Token: SeDebugPrivilege | 2712 | powershell.exe
    Token: SeDebugPrivilege | 2548 | RegSvcs.exe
Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description | pid | process | target process), identical rows collapsed with their count:
    PID 2256 wrote to memory of 2712 | 2256 | shipment invoice.exe | powershell.exe (4 entries)
    PID 2256 wrote to memory of 2704 | 2256 | shipment invoice.exe | powershell.exe (4 entries)
    PID 2256 wrote to memory of 2804 | 2256 | shipment invoice.exe | schtasks.exe (4 entries)
    PID 2256 wrote to memory of 2548 | 2256 | shipment invoice.exe | RegSvcs.exe (12 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\shipment invoice.exe (depth 1, PID 2256)
  Command line: "C:\Users\Admin\AppData\Local\Temp\shipment invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2712)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipment invoice.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID 2704)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DrHGavhyoEe.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\schtasks.exe (depth 2, PID 2804)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DrHGavhyoEe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F.tmp"
    - Creates scheduled task(s)
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2, PID 2548)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
Download (no path recorded in the report)
  Filesize: 1KB
  MD5: 0b9f048ee5d3d1858611b71fe17b7dc1
  SHA1: 84ae2dc8cdb639a6017ee698610d46d3c6a138c0
  SHA256: 8b10f82d4323a13673f33e1b64c987292b0b8b836172bdb997ac407417d4f6d4
  SHA512: 54e4a21c61b74f8c79a29a157907804ac0a34e44b2869c146503a528a1147363854ceed1c0b836811e3de06d563aba399c6a27c971d5effb2d18bbf7942879ea
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YCD3Q6WABUVNUFC7XMEO.temp
  Filesize: 7KB
  MD5: 2c995c71f99d2bcd21936f2b7887c75f
  SHA1: 3d4e716783915690d9a183d448aab62e72234c4f
  SHA256: 7be67d1e6fa751ddcdd23b6bce123e6b8323426e427c5212b1badc7f8bf44f94
  SHA512: fb9593c0e85c04e815349e57bd04762d9aa38fe022ea4f490dd5b342827dfd5852d8ac799a32aa26f9b84a465eb71af2892482b447c5ccd41b801dde7e522bd1
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 2c995c71f99d2bcd21936f2b7887c75f
  SHA1: 3d4e716783915690d9a183d448aab62e72234c4f
  SHA256: 7be67d1e6fa751ddcdd23b6bce123e6b8323426e427c5212b1badc7f8bf44f94
  SHA512: fb9593c0e85c04e815349e57bd04762d9aa38fe022ea4f490dd5b342827dfd5852d8ac799a32aa26f9b84a465eb71af2892482b447c5ccd41b801dde7e522bd1