Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
12-12-2023 14:39
Static task
static1
Behavioral task
behavioral1
Sample
INVOICE and DETAILS.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
INVOICE and DETAILS.exe
Resource
win10v2004-20231127-en
General
-
Target
INVOICE and DETAILS.exe
-
Size
621KB
-
MD5
12528895f0306755c4fdee8ba97d89d1
-
SHA1
408636fe1438ba5f210705057beaf9a746ea83f6
-
SHA256
4dd2869a36c4b826221c8b8131503fd48d3e8871af1ba2405823947c9915de74
-
SHA512
b139b1a7d08833490e4fa3872391a4b953e0fd97700e46315d86ac41243368b02c3de1d36621e1b9e430018867a9b0211fc48a7c9d1a68cc17af685ce18cb0c7
-
SSDEEP
12288:L3IU8S6eUdsQKwNsP4xcI1MJwNfA/R4lPd5V18EENHSkkEDWYAj:7ItSAdsQK3I1RNfA/RwP1hENHSkkEKD
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.precise.co.in - Port:
587 - Username:
[email protected] - Password:
Singh@2022$ - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2712-3-0x00000000009E0000-0x00000000009F8000-memory.dmp family_zgrat_v1 -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe" RegSvcs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
INVOICE and DETAILS.exedescription pid process target process PID 2712 set thread context of 592 2712 INVOICE and DETAILS.exe RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
INVOICE and DETAILS.exepowershell.exepowershell.exeRegSvcs.exepid process 2712 INVOICE and DETAILS.exe 2712 INVOICE and DETAILS.exe 2712 INVOICE and DETAILS.exe 2712 INVOICE and DETAILS.exe 2712 INVOICE and DETAILS.exe 2712 INVOICE and DETAILS.exe 2192 powershell.exe 1060 powershell.exe 2712 INVOICE and DETAILS.exe 592 RegSvcs.exe 592 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
INVOICE and DETAILS.exepowershell.exepowershell.exeRegSvcs.exedescription pid process Token: SeDebugPrivilege 2712 INVOICE and DETAILS.exe Token: SeDebugPrivilege 2192 powershell.exe Token: SeDebugPrivilege 1060 powershell.exe Token: SeDebugPrivilege 592 RegSvcs.exe -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
INVOICE and DETAILS.exedescription pid process target process PID 2712 wrote to memory of 2192 2712 INVOICE and DETAILS.exe powershell.exe PID 2712 wrote to memory of 2192 2712 INVOICE and DETAILS.exe powershell.exe PID 2712 wrote to memory of 2192 2712 INVOICE and DETAILS.exe powershell.exe PID 2712 wrote to memory of 2192 2712 INVOICE and DETAILS.exe powershell.exe PID 2712 wrote to memory of 1060 2712 INVOICE and DETAILS.exe powershell.exe PID 2712 wrote to memory of 1060 2712 INVOICE and DETAILS.exe powershell.exe PID 2712 wrote to memory of 1060 2712 INVOICE and DETAILS.exe powershell.exe PID 2712 wrote to memory of 1060 2712 INVOICE and DETAILS.exe powershell.exe PID 2712 wrote to memory of 2700 2712 INVOICE and DETAILS.exe schtasks.exe PID 2712 wrote to memory of 2700 2712 INVOICE and DETAILS.exe schtasks.exe PID 2712 wrote to memory of 2700 2712 INVOICE and DETAILS.exe schtasks.exe PID 2712 wrote to memory of 2700 2712 INVOICE and DETAILS.exe schtasks.exe PID 2712 wrote to memory of 592 2712 INVOICE and DETAILS.exe RegSvcs.exe PID 2712 wrote to memory of 592 2712 INVOICE and DETAILS.exe RegSvcs.exe PID 2712 wrote to memory of 592 2712 INVOICE and DETAILS.exe RegSvcs.exe PID 2712 wrote to memory of 592 2712 INVOICE and DETAILS.exe RegSvcs.exe PID 2712 wrote to memory of 592 2712 INVOICE and DETAILS.exe RegSvcs.exe PID 2712 wrote to memory of 592 2712 INVOICE and DETAILS.exe RegSvcs.exe PID 2712 wrote to memory of 592 2712 INVOICE and DETAILS.exe RegSvcs.exe PID 2712 wrote to memory of 592 2712 INVOICE and DETAILS.exe RegSvcs.exe PID 2712 wrote to memory of 592 2712 INVOICE and DETAILS.exe RegSvcs.exe PID 2712 wrote to memory of 592 2712 INVOICE and DETAILS.exe RegSvcs.exe PID 2712 wrote to memory of 592 2712 INVOICE and DETAILS.exe RegSvcs.exe PID 2712 wrote to memory of 592 2712 INVOICE and DETAILS.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\INVOICE and DETAILS.exe"C:\Users\Admin\AppData\Local\Temp\INVOICE and DETAILS.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\INVOICE and DETAILS.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ulsrayNTRmtgvg.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ulsrayNTRmtgvg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB107.tmp"2⤵
- Creates scheduled task(s)
PID:2700 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:592
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD534a8b23549831454d03559e22e9f4263
SHA1725ed3ea31f66af6ac12f6bf2c8e87254bcb5da2
SHA256ab52449c80dcb299c88b8342183816bb6b487866b49eb694034add65998a14ca
SHA512faa3c6acc5292fa516d2f753f83ec0551f361e4260c392d4a5a8b1b5a376de9f8b42458c65c64759b6db4e0e65171a723cfe3b55d4f55724ad903b2bc7ffb575
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AG4QDEYJ2B70K0KA62TH.temp
Filesize7KB
MD51e49e09e0022b2f5e54ef1fc748b1292
SHA1e30243f6e049a520385b2106b2eed7e80a488571
SHA256b397ccc7420d0d15f9dbc4ded5299351618c2a40501e38d585679ab81d246868
SHA5126dd2c7b291c728379810f7395a8f6acbb143fea1a1f98ca2660e3c320e661ec03bb1dceb422bc4d0b4ccb90fc8ca6347a3ac358ab4d1464a895a2a81584073e6