Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20231130-en
- resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 09:54
- Static task: static1
- Behavioral task: behavioral1 (Sample: Invoive Ningbo.exe; Resource: win7-20231130-en)
- Behavioral task: behavioral2 (Sample: Invoive Ningbo.exe; Resource: win10v2004-20231130-en)
General
- Target: Invoive Ningbo.exe
- Size: 1.1MB
- MD5: a3fab3e88799e72baefbc47e35beea4c
- SHA1: fd2dd3ead13b5dba83bcc923102e29fda19ef273
- SHA256: d11d805c3dab49566aad8dfe6d9bbd1c206918980870792ed9d496e8836aefe6
- SHA512: bd4f26df04ee36788ca0f4db22604f72d9a99ea4b59f25b3d9afab56b9538cdf647e4bfb7595882ef35a8f82f487d7dbfe2b86b4b7fb1f6b67185e8603965122
- SSDEEP: 24576:kWgtD/61INy65I1JByDr/YsR2s8vqiQrUTOqofIlhChgdgm:Q6KNbqBirXwvqzrUT7ofIlohsgm
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.bezzleauto.com
- Port: 587
- Username: [email protected]
- Password: Kene123456789
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                            pid   process              target process
PID 2344 set thread context of 2716    2344  Invoive Ningbo.exe   RegSvcs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
2108  powershell.exe
2204  powershell.exe
2716  RegSvcs.exe
2716  RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   2108  powershell.exe
Token: SeDebugPrivilege   2204  powershell.exe
Token: SeDebugPrivilege   2716  RegSvcs.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
description                        pid   process              target process   entries
PID 2344 wrote to memory of 2204   2344  Invoive Ningbo.exe   powershell.exe   4
PID 2344 wrote to memory of 2108   2344  Invoive Ningbo.exe   powershell.exe   4
PID 2344 wrote to memory of 2604   2344  Invoive Ningbo.exe   schtasks.exe     4
PID 2344 wrote to memory of 2716   2344  Invoive Ningbo.exe   RegSvcs.exe      12
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoive Ningbo.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoive Ningbo.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2344
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Invoive Ningbo.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2204
  -
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BQrTsZTbHtxOU.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2108
  -
  C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BQrTsZTbHtxOU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6603.tmp"
    - Creates scheduled task(s)
    PID: 2604
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2716
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: 6d92f8d618a24b6c925691d090b653b1
SHA1: 0686afc892a8694319a9559556abb0c7d435dd3b
SHA256: 9d6f7aa88b51ae32a18dde9b03654706598d95ac0efa180a8a210227459e2e23
SHA512: 0271db83d0c9afed3a636811b62eb974b993c78c90462453923a6006946bf99cb65f0169ecec2c1a3f95e869ab2f3f781c61adc1ca12c60b36259d6e33b52859
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8YIWW5H64870E9ZYEFGQ.temp
Filesize: 7KB
MD5: 1c9c7c4942d6d60a9b11acc2baaf56c9
SHA1: 944859c87f00012b17f48f29cf4f99985091ee7c
SHA256: e7ac5fbe6d91b824000408b99c75fc45d708a466d914ff792ceaf3ca45672eff
SHA512: fc99f11e562cbd40a29d0d212e73df0657626dd24e737bdfdb115eb0cf4f542970c2ce229b9412371698e23f3b5b6a07f495a635db58262da25184b875f0ef8e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 1c9c7c4942d6d60a9b11acc2baaf56c9
SHA1: 944859c87f00012b17f48f29cf4f99985091ee7c
SHA256: e7ac5fbe6d91b824000408b99c75fc45d708a466d914ff792ceaf3ca45672eff
SHA512: fc99f11e562cbd40a29d0d212e73df0657626dd24e737bdfdb115eb0cf4f542970c2ce229b9412371698e23f3b5b6a07f495a635db58262da25184b875f0ef8e