Analysis
- max time kernel: 120s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 12-12-2023 14:39
Static task: static1
Behavioral task: behavioral1
- Sample: INVOICE and DETAILS.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: INVOICE and DETAILS.exe
- Resource: win10v2004-20231130-en
General
- Target: INVOICE and DETAILS.exe
- Size: 638KB
- MD5: ebb74a0fae5bf676cc2db601c2524ece
- SHA1: 53194206f72983e5cdc408a885c8b549c395e286
- SHA256: f3e9ff06f04b6f3fce67e3ae02f89eb6f006ae95391105703abded87bc53f362
- SHA512: b98cdaf7b00d19ccb074939d8b1a378937e41b9f38219de88c1166ef7643687341df8c72b6159cd59084b4db1a0fbf15ae91bebce8043bbceeabe8f287410ec2
- SSDEEP: 12288:LkBgOWP6i9oGpby1sTr55RxD0yaxc0q64ZKNWqAzLuMC2jDTDPGNnjl:gCMGpSsTr55R90yaSF64wNWxzaV2jD3G
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.precise.co.in
- Port: 587
- Username: [email protected]
- Password: Singh@2022$
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1 (1 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/2800-3-0x00000000002A0000-0x00000000002B8000-memory.dmp | family_zgrat_v1
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2800 set thread context of 1900 | 2800 | INVOICE and DETAILS.exe | RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid | process
  2800 | INVOICE and DETAILS.exe
  2800 | INVOICE and DETAILS.exe
  2800 | INVOICE and DETAILS.exe
  2800 | INVOICE and DETAILS.exe
  2800 | INVOICE and DETAILS.exe
  2800 | INVOICE and DETAILS.exe
  2800 | INVOICE and DETAILS.exe
  2480 | powershell.exe
  2528 | powershell.exe
  2800 | INVOICE and DETAILS.exe
  1900 | RegSvcs.exe
  1900 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2800 | INVOICE and DETAILS.exe
  Token: SeDebugPrivilege | 2480 | powershell.exe
  Token: SeDebugPrivilege | 2528 | powershell.exe
  Token: SeDebugPrivilege | 1900 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
  description | pid | process | target process
  PID 2800 wrote to memory of 2480 | 2800 | INVOICE and DETAILS.exe | powershell.exe (4 identical entries)
  PID 2800 wrote to memory of 2528 | 2800 | INVOICE and DETAILS.exe | powershell.exe (4 identical entries)
  PID 2800 wrote to memory of 2552 | 2800 | INVOICE and DETAILS.exe | schtasks.exe (4 identical entries)
  PID 2800 wrote to memory of 1900 | 2800 | INVOICE and DETAILS.exe | RegSvcs.exe (12 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\INVOICE and DETAILS.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE and DETAILS.exe"
  PID: 2800
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\INVOICE and DETAILS.exe"
    PID: 2480
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kqLNrgBFwWv.exe"
    PID: 2528
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kqLNrgBFwWv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE975.tmp"
    PID: 2552
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 1900
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 63318dc0a9af347052509b6aed36012f
  SHA1: cfe087630202549c7982f713ee095c9db51864e1
  SHA256: 581987ff10c717b591e0637a8f677dfbb616626675005ec0ea2ea48c194ee7f1
  SHA512: 84a6cc95203c8842c690fbcaac48301bb5552fb78bc02654011791e11edc802a35547279e7213c4d2dbf8348a9036d0b83b9bee9998d3b0b9309debedf45b1a3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OQNDH3J00XYU4SURQ7PJ.temp
  Filesize: 7KB
  MD5: b8831325cce8b5e08ebe628c33cb2e5c
  SHA1: a4e70e05ec056f84e412ab546b3034ab36c5aa7e
  SHA256: ec7ca1dfe2e020c1a712b06e8adb3b88fd366c2b795b8b2b894bacb8cc60b660
  SHA512: f50498f680858fd50bd56857b06ae35caf15082def265b8877daa94c86835763ab437c255ca276a60f2b36f0c20f21bc82e8dca25681a23bec15bd7e398cc865