Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 17:33
Static task: static1
Behavioral task: behavioral1
  Sample: InvoiveNingbo.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: InvoiveNingbo.exe
  Resource: win10v2004-20231130-en
General
- Target: InvoiveNingbo.exe
- Size: 1.1MB
- MD5: a3fab3e88799e72baefbc47e35beea4c
- SHA1: fd2dd3ead13b5dba83bcc923102e29fda19ef273
- SHA256: d11d805c3dab49566aad8dfe6d9bbd1c206918980870792ed9d496e8836aefe6
- SHA512: bd4f26df04ee36788ca0f4db22604f72d9a99ea4b59f25b3d9afab56b9538cdf647e4bfb7595882ef35a8f82f487d7dbfe2b86b4b7fb1f6b67185e8603965122
- SSDEEP: 24576:kWgtD/61INy65I1JByDr/YsR2s8vqiQrUTOqofIlhChgdgm:Q6KNbqBirXwvqzrUT7ofIlohsgm
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.bezzleauto.com
- Port: 587
- Username: [email protected]
- Password: Kene123456789
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                            pid   process            target process
    PID 2924 set thread context of 2708    2924  InvoiveNingbo.exe  RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process
    2924  InvoiveNingbo.exe
    2924  InvoiveNingbo.exe
    2824  powershell.exe
    2040  powershell.exe
    2708  RegSvcs.exe
    2708  RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   2924  InvoiveNingbo.exe
    Token: SeDebugPrivilege   2824  powershell.exe
    Token: SeDebugPrivilege   2040  powershell.exe
    Token: SeDebugPrivilege   2708  RegSvcs.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes (identical rows grouped, count given per group):
    description                          pid   process            target process     rows
    PID 2924 wrote to memory of 2040     2924  InvoiveNingbo.exe  powershell.exe     4
    PID 2924 wrote to memory of 2824     2924  InvoiveNingbo.exe  powershell.exe     4
    PID 2924 wrote to memory of 2656     2924  InvoiveNingbo.exe  schtasks.exe       4
    PID 2924 wrote to memory of 2304     2924  InvoiveNingbo.exe  RegSvcs.exe        7
    PID 2924 wrote to memory of 2708     2924  InvoiveNingbo.exe  RegSvcs.exe        12
Processes
- C:\Users\Admin\AppData\Local\Temp\InvoiveNingbo.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\InvoiveNingbo.exe"
  Depth: 1
  PID: 2924
  Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\InvoiveNingbo.exe"
    Depth: 2
    PID: 2040
    Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BQrTsZTbHtxOU.exe"
    Depth: 2
    PID: 2824
    Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BQrTsZTbHtxOU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6577.tmp"
    Depth: 2
    PID: 2656
    Signatures:
      - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Depth: 2
    PID: 2304
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Depth: 2
    PID: 2708
    Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b3386f9c72072d4b263a791918247329
  SHA1: 1c4348b1293ecbc9d0c6588e296d316f592f3412
  SHA256: 9587bf913fd8758eefb48c40f6558bd2eb15de66871212a3c35748f4b2f7b03d
  SHA512: aa5830a7673f745f3bd3c8d4d5305c66617854f9c82b8c4070f2855e138e9a9eb99924851254eec56ffff549525828937837d96e23e00ea665655dc156c20be9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K4G270F9TH5LVNHGNJZL.temp
  Filesize: 7KB
  MD5: cb04784ad16b67e5fc542d1334a05767
  SHA1: b41abe8d55df441841f76e56eb0b67aa64045918
  SHA256: e0fd97d5dd5a21c2b857e5f36efe20c93600336006d37902dbfb3b39088b1cb8
  SHA512: 464245a410391eab8c99a029796b7cc2f0d938850c1755e2ae3581a17c9a7d92a8810b093ba7b9120b76b780bbe8d364ad2fdd90d873a8a5846dcc36173fcc2c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: cb04784ad16b67e5fc542d1334a05767
  SHA1: b41abe8d55df441841f76e56eb0b67aa64045918
  SHA256: e0fd97d5dd5a21c2b857e5f36efe20c93600336006d37902dbfb3b39088b1cb8
  SHA512: 464245a410391eab8c99a029796b7cc2f0d938850c1755e2ae3581a17c9a7d92a8810b093ba7b9120b76b780bbe8d364ad2fdd90d873a8a5846dcc36173fcc2c