Analysis
Max time kernel: 22s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20231023-en
Resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
Submitted: 06-12-2023 16:38
Static task: static1
Behavioral task: behavioral1
  Sample: INVOICES.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: INVOICES.exe
  Resource: win10v2004-20231130-en
General
Target: INVOICES.exe
Size: 859KB
MD5: 5be52f675bc550b10626853abf6a2c06
SHA1: 58dea8d092e1efa1b8a80c948fc633cbf48b550c
SHA256: 49e851015562eb9ae6e3ef89adcb911497e4f68b7be32a6a8b89bbb50b76f367
SHA512: 3ac6ba00bb2e00d8d13efd3bf9f7379e4438160d479231f50e5c14bd4b3ebe7a33293ad1f899139fcf6cd291822d31f25dadbeafe003906978f436259fefba5d
SSDEEP: 24576:Imqde8PrKEAtzF1p22HiLFFQzUUybhxxGp/8q:I7dNxAppAnFUchDl
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.gimpex-imerys.com
Port: 587
Username: [email protected]
Password: h45ZVRb6(IMF
Email To: [email protected]
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    688   INVOICES.exe
    688   INVOICES.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   688   INVOICES.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid   process        target process
    PID 688 wrote to memory of 2708   688   INVOICES.exe   powershell.exe
    PID 688 wrote to memory of 2708   688   INVOICES.exe   powershell.exe
    PID 688 wrote to memory of 2708   688   INVOICES.exe   powershell.exe
    PID 688 wrote to memory of 2708   688   INVOICES.exe   powershell.exe
    PID 688 wrote to memory of 2664   688   INVOICES.exe   schtasks.exe
    PID 688 wrote to memory of 2664   688   INVOICES.exe   schtasks.exe
    PID 688 wrote to memory of 2664   688   INVOICES.exe   schtasks.exe
    PID 688 wrote to memory of 2664   688   INVOICES.exe   schtasks.exe
Processes
C:\Users\Admin\AppData\Local\Temp\INVOICES.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICES.exe"
  PID: 688
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qisxFtGbSdXp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96E3.tmp"
    PID: 2664
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\INVOICES.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICES.exe"
    PID: 2348
  C:\Users\Admin\AppData\Local\Temp\INVOICES.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICES.exe"
    PID: 2516
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qisxFtGbSdXp.exe"
    PID: 2708
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: c36b271fb5bc2ec5227455a334e6547a
SHA1: 267017a15323b4ff65b6a22a4289ef5bb8bc7edb
SHA256: b36080b112ccce19786e6345648a608f35565f3aadcd4738c240124d593d55e1
SHA512: a6958dbbe1929b8da7ee2f3610983f4d5681868daee793147e1023fe3cd4fe893a1fb8c8192190c03d48dda095b3f638eafc838f553dde09892d54a1670d1a3b