Overview

overview

10

Static

static

3

INVOICE an...LS.exe

windows7-x64

10

INVOICE an...LS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    12-12-2023 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    INVOICE and DETAILS.exe

  • Size

    621KB

  • MD5

    12528895f0306755c4fdee8ba97d89d1

  • SHA1

    408636fe1438ba5f210705057beaf9a746ea83f6

  • SHA256

    4dd2869a36c4b826221c8b8131503fd48d3e8871af1ba2405823947c9915de74

  • SHA512

    b139b1a7d08833490e4fa3872391a4b953e0fd97700e46315d86ac41243368b02c3de1d36621e1b9e430018867a9b0211fc48a7c9d1a68cc17af685ce18cb0c7

  • SSDEEP

    12288:L3IU8S6eUdsQKwNsP4xcI1MJwNfA/R4lPd5V18EENHSkkEDWYAj:7ItSAdsQK3I1RNfA/RwP1hENHSkkEKD

Score
10/10
agentteslazgratkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\INVOICE and DETAILS.exe
    "C:\Users\Admin\AppData\Local\Temp\INVOICE and DETAILS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\INVOICE and DETAILS.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2192
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ulsrayNTRmtgvg.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1060
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ulsrayNTRmtgvg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB107.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2700
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:592

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpB107.tmp
    Filesize

    1KB

    MD5

    34a8b23549831454d03559e22e9f4263

    SHA1

    725ed3ea31f66af6ac12f6bf2c8e87254bcb5da2

    SHA256

    ab52449c80dcb299c88b8342183816bb6b487866b49eb694034add65998a14ca

    SHA512

    faa3c6acc5292fa516d2f753f83ec0551f361e4260c392d4a5a8b1b5a376de9f8b42458c65c64759b6db4e0e65171a723cfe3b55d4f55724ad903b2bc7ffb575

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AG4QDEYJ2B70K0KA62TH.temp
    Filesize

    7KB

    MD5

    1e49e09e0022b2f5e54ef1fc748b1292

    SHA1

    e30243f6e049a520385b2106b2eed7e80a488571

    SHA256

    b397ccc7420d0d15f9dbc4ded5299351618c2a40501e38d585679ab81d246868

    SHA512

    6dd2c7b291c728379810f7395a8f6acbb143fea1a1f98ca2660e3c320e661ec03bb1dceb422bc4d0b4ccb90fc8ca6347a3ac358ab4d1464a895a2a81584073e6

    Download Submit

  • memory/592-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/592-47-0x0000000074860000-0x0000000074F4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/592-43-0x0000000074860000-0x0000000074F4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/592-35-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/592-33-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/592-31-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/592-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/592-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/592-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/592-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1060-38-0x000000006F900000-0x000000006FEAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1060-45-0x000000006F900000-0x000000006FEAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1060-40-0x000000006F900000-0x000000006FEAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2192-37-0x000000006F900000-0x000000006FEAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2192-44-0x000000006F900000-0x000000006FEAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2192-42-0x00000000026A0000-0x00000000026E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2192-41-0x000000006F900000-0x000000006FEAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2192-39-0x00000000026A0000-0x00000000026E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2712-4-0x00000000003A0000-0x00000000003A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2712-0-0x0000000000DD0000-0x0000000000E70000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2712-36-0x0000000074860000-0x0000000074F4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2712-3-0x00000000009E0000-0x00000000009F8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2712-8-0x0000000004C00000-0x0000000004C40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2712-5-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2712-2-0x0000000004C00000-0x0000000004C40000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2712-6-0x00000000059A0000-0x0000000005A1C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2712-7-0x0000000074860000-0x0000000074F4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2712-1-0x0000000074860000-0x0000000074F4E000-memory.dmp

    Filesize

    6.9MB

    Download