Overview

overview

10

Static

static

3

shipment invoice.exe

windows7-x64

10

shipment invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2023 17:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shipment invoice.exe

  • Size

    991KB

  • MD5

    3d0e43113603bf2f7c7773ae08d1e03d

  • SHA1

    8d90a13d1e29bec0d4167fdcc67e6710724f79dc

  • SHA256

    91ff3998adf51757d7580e1c190ff9f4c12e9b2de48b56c7507824753a9930e2

  • SHA512

    b4a9ba85c7ce0cf04b0bc578d330910f8d03e90077466d4845af58c5f1d8c951bb78b32787cd6e871ab019da132e865c43f7f12ecced5108e20e668392574fa0

  • SSDEEP

    24576:Vb34/up+pJSpEBTxv7/S6buFPTPYMXu71oPX9Ikq2rMx:F38PJSoJ/iF8M7Pqkq2rMx

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\shipment invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\shipment invoice.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\shipment invoice.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1648
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DrHGavhyoEe.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2604
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DrHGavhyoEe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B57.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2664
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2504

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7B57.tmp
    Filesize

    1KB

    MD5

    bf3445f7893100ec3368eb481c7dbf44

    SHA1

    0fa754100d7250b8df52555f1fb8e68af65904d2

    SHA256

    5d1d60f3ec5594b79d06b6649a98824085ded49aca350c93701c1aeb0ad40f8f

    SHA512

    83c417bee5a4854ca7f300fa88ca63f8679c22a199b22ad0d9060a615d29f129a5fe77387029bba6e04cbe80717baa21de6ebd8273c39f20246d2a16e8304a9b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\82CFKRCE0R6XWO9WL1C7.temp
    Filesize

    7KB

    MD5

    4ae273e751bef25203905437badae506

    SHA1

    00cf644c7dcadc37b65579a61add63858652bab0

    SHA256

    c3867e5560fb2649567854a355b9820dd4f69e83a7eeb3db0a6e8a4260c7e0c6

    SHA512

    01ce4109a36a8e111033588df5c1ae12c9a9e11308fadbe63ae470d68a13eb09eb7cfd261b1a222036c6dbb5520e43e13d17becc88f2aa5631bc057171254940

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    4ae273e751bef25203905437badae506

    SHA1

    00cf644c7dcadc37b65579a61add63858652bab0

    SHA256

    c3867e5560fb2649567854a355b9820dd4f69e83a7eeb3db0a6e8a4260c7e0c6

    SHA512

    01ce4109a36a8e111033588df5c1ae12c9a9e11308fadbe63ae470d68a13eb09eb7cfd261b1a222036c6dbb5520e43e13d17becc88f2aa5631bc057171254940

    Download Submit

  • memory/1648-26-0x0000000002140000-0x0000000002180000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1648-42-0x000000006F0B0000-0x000000006F65B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1648-31-0x0000000002140000-0x0000000002180000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1648-30-0x000000006F0B0000-0x000000006F65B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1648-22-0x000000006F0B0000-0x000000006F65B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2504-34-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2504-41-0x00000000021F0000-0x0000000002230000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2504-44-0x0000000074550000-0x0000000074C3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2504-45-0x00000000021F0000-0x0000000002230000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2504-36-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2504-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2504-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2504-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2504-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2504-39-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2504-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2504-40-0x0000000074550000-0x0000000074C3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2604-28-0x000000006F0B0000-0x000000006F65B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2604-24-0x000000006F0B0000-0x000000006F65B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2604-43-0x000000006F0B0000-0x000000006F65B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2924-0-0x0000000000170000-0x000000000026E000-memory.dmp

    Filesize

    1016KB

    Download

  • memory/2924-8-0x0000000002370000-0x00000000023B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2924-7-0x0000000074550000-0x0000000074C3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2924-37-0x0000000074550000-0x0000000074C3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2924-6-0x0000000005280000-0x00000000052FA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2924-5-0x0000000000840000-0x000000000084A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2924-4-0x0000000000830000-0x0000000000838000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2924-3-0x0000000000810000-0x0000000000828000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2924-2-0x0000000002370000-0x00000000023B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2924-1-0x0000000074550000-0x0000000074C3E000-memory.dmp

    Filesize

    6.9MB

    Download