Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 09:56
Static task: static1
Behavioral task: behavioral1
  Sample: Invoive Ningbo.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: Invoive Ningbo.exe
  Resource: win10v2004-20231130-en
General
- Target: Invoive Ningbo.exe
- Size: 1.1MB
- MD5: a3fab3e88799e72baefbc47e35beea4c
- SHA1: fd2dd3ead13b5dba83bcc923102e29fda19ef273
- SHA256: d11d805c3dab49566aad8dfe6d9bbd1c206918980870792ed9d496e8836aefe6
- SHA512: bd4f26df04ee36788ca0f4db22604f72d9a99ea4b59f25b3d9afab56b9538cdf647e4bfb7595882ef35a8f82f487d7dbfe2b86b4b7fb1f6b67185e8603965122
- SSDEEP: 24576:kWgtD/61INy65I1JByDr/YsR2s8vqiQrUTOqofIlhChgdgm:Q6KNbqBirXwvqzrUT7ofIlohsgm
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.bezzleauto.com
- Port: 587
- Username: [email protected]
- Password: Kene123456789
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                        | pid | process            | target process
  PID 812 set thread context of 2508 | 812 | Invoive Ningbo.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid  | process
  2720 | powershell.exe
  2748 | powershell.exe
  2508 | RegSvcs.exe
  2508 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 2720 | powershell.exe
  Token: SeDebugPrivilege  | 2748 | powershell.exe
  Token: SeDebugPrivilege  | 2508 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
  description                       | pid | process            | target process
  PID 812 wrote to memory of 2748   | 812 | Invoive Ningbo.exe | powershell.exe
  PID 812 wrote to memory of 2748   | 812 | Invoive Ningbo.exe | powershell.exe
  PID 812 wrote to memory of 2748   | 812 | Invoive Ningbo.exe | powershell.exe
  PID 812 wrote to memory of 2748   | 812 | Invoive Ningbo.exe | powershell.exe
  PID 812 wrote to memory of 2720   | 812 | Invoive Ningbo.exe | powershell.exe
  PID 812 wrote to memory of 2720   | 812 | Invoive Ningbo.exe | powershell.exe
  PID 812 wrote to memory of 2720   | 812 | Invoive Ningbo.exe | powershell.exe
  PID 812 wrote to memory of 2720   | 812 | Invoive Ningbo.exe | powershell.exe
  PID 812 wrote to memory of 484    | 812 | Invoive Ningbo.exe | schtasks.exe
  PID 812 wrote to memory of 484    | 812 | Invoive Ningbo.exe | schtasks.exe
  PID 812 wrote to memory of 484    | 812 | Invoive Ningbo.exe | schtasks.exe
  PID 812 wrote to memory of 484    | 812 | Invoive Ningbo.exe | schtasks.exe
  PID 812 wrote to memory of 2508   | 812 | Invoive Ningbo.exe | RegSvcs.exe
  PID 812 wrote to memory of 2508   | 812 | Invoive Ningbo.exe | RegSvcs.exe
  PID 812 wrote to memory of 2508   | 812 | Invoive Ningbo.exe | RegSvcs.exe
  PID 812 wrote to memory of 2508   | 812 | Invoive Ningbo.exe | RegSvcs.exe
  PID 812 wrote to memory of 2508   | 812 | Invoive Ningbo.exe | RegSvcs.exe
  PID 812 wrote to memory of 2508   | 812 | Invoive Ningbo.exe | RegSvcs.exe
  PID 812 wrote to memory of 2508   | 812 | Invoive Ningbo.exe | RegSvcs.exe
  PID 812 wrote to memory of 2508   | 812 | Invoive Ningbo.exe | RegSvcs.exe
  PID 812 wrote to memory of 2508   | 812 | Invoive Ningbo.exe | RegSvcs.exe
  PID 812 wrote to memory of 2508   | 812 | Invoive Ningbo.exe | RegSvcs.exe
  PID 812 wrote to memory of 2508   | 812 | Invoive Ningbo.exe | RegSvcs.exe
  PID 812 wrote to memory of 2508   | 812 | Invoive Ningbo.exe | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Invoive Ningbo.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoive Ningbo.exe"
  PID: 812
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Invoive Ningbo.exe"
    PID: 2748
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BQrTsZTbHtxOU.exe"
    PID: 2720
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BQrTsZTbHtxOU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA67C.tmp"
    PID: 484
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2508
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 11434616bee04de2537bfb9627085260
  SHA1: c3bd2e78490ee3fcfcda02795f53eba5c99c72e6
  SHA256: 51abbb32cea7360d985216198312a4c7aa8a7c6d18b2fe0f3ead45c95b1eb459
  SHA512: 5e16ba2948a089cec20906e2df826bb37c5c98dd6992d172bf717a7a515dd64f2e6f562c0dc6e29eec52d58f0f61ee9a6052bcce30c30f3805b1b212212c622e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0F33I6BCFDKDRPCA70BS.temp
  Filesize: 7KB
  MD5: f71741893c4869e9e7bd5a022eb699e8
  SHA1: 403386003b0841a08d1dd03447aa030d15966799
  SHA256: 9e6269be9511724b8aa99c52778e02f94f27be0145193f19db4879bb06a5fe31
  SHA512: 75d672bfcc1d80f91be46cb2ce35333434d26c3c26393b8bcbb0e0359d26419c97d02be42e36781a4066ed8b5d5c398e223d46f6bbb80ec137035e3ebcb8f484
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: f71741893c4869e9e7bd5a022eb699e8
  SHA1: 403386003b0841a08d1dd03447aa030d15966799
  SHA256: 9e6269be9511724b8aa99c52778e02f94f27be0145193f19db4879bb06a5fe31
  SHA512: 75d672bfcc1d80f91be46cb2ce35333434d26c3c26393b8bcbb0e0359d26419c97d02be42e36781a4066ed8b5d5c398e223d46f6bbb80ec137035e3ebcb8f484