Analysis

max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-04-2024 14:42
Static task: static1
Behavioral task: behavioral1
  Sample: Total Invoices.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: Total Invoices.exe
  Resource: win10v2004-20240226-en
General

Target: Total Invoices.exe
Size: 789KB
MD5: cd3c05ebb9a3fca7aa748f522559b1ea
SHA1: 43dc8cdf47186a54dc38cd86450aca6f6361a9b4
SHA256: c96565623c3e405a370614f452383a763f5a48baf25e79f91a6311c9a0a8fd3a
SHA512: 5d11d8dbec417ed7c8bd9f2b49925c01440b4d517cff1190d411e832528550f0e6645c7005dbd0953aafb82ba7d25977351f0ad5aba5736bd62140a3d0cc2e6a
SSDEEP: 24576:7ldr5ja9fm5r+jrZf1vsAJ2jN5GFhXuv:7lbjH5srZtvXouj
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.unitechautomations.com
Port: 587
Username: [email protected]
Password: Unitech@123
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET; the extracted configuration shows it exfiltrating over SMTP (port 587) with the credentials listed above.
Adds Run key to start application (2 TTPs, 1 IoC)
Process: RegSvcs.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUIVTme = "C:\\Users\\Admin\\AppData\\Roaming\\GUIVTme\\GUIVTme.exe"

Suspicious use of SetThreadContext (1 IoC)
Process: Total Invoices.exe
  PID 2368 (Total Invoices.exe) set thread context of PID 2516 (RegSvcs.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: Total Invoices.exe, powershell.exe, powershell.exe, RegSvcs.exe
  PID 2368 Total Invoices.exe (x4)
  PID 2616 powershell.exe
  PID 2672 powershell.exe
  PID 2516 RegSvcs.exe (x2)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: Total Invoices.exe, powershell.exe, powershell.exe, RegSvcs.exe
  Token: SeDebugPrivilege  PID 2368 Total Invoices.exe
  Token: SeDebugPrivilege  PID 2616 powershell.exe
  Token: SeDebugPrivilege  PID 2672 powershell.exe
  Token: SeDebugPrivilege  PID 2516 RegSvcs.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Process: Total Invoices.exe
  PID 2368 (Total Invoices.exe) wrote to memory of PID 2672 (powershell.exe) (x4)
  PID 2368 (Total Invoices.exe) wrote to memory of PID 2616 (powershell.exe) (x4)
  PID 2368 (Total Invoices.exe) wrote to memory of PID 2764 (schtasks.exe) (x4)
  PID 2368 (Total Invoices.exe) wrote to memory of PID 2516 (RegSvcs.exe) (x12)
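The WriteProcessMemory and SetThreadContext signatures above, read together, are the sequence process hollowing produces: the loader (PID 2368) starts RegSvcs.exe, writes into it twelve times and then sets its thread context (typically to point the main thread at the injected image). The PowerShell and schtasks children also received writes but no SetThreadContext, so a write-only pair should not be scored as injection; the pairing of both calls against the same child is the discriminating signal. The repeated 264KB dumps of 0x400000-0x442000 in PID 2516 under Downloads are consistent with an image replaced at the default base. The following Python is an added example, not part of the report or the sandbox's own detection logic: it parses rows in the form the sandbox exports them (`PID <src> wrote to memory of <dst> <src> <src image> <dst image>`; the row strings are copied from this report and the multiplication counts reproduce the 24 write rows and one SetThreadContext row) and flags every parent/child pair that received both calls. The HOLLOW_HOSTS list is an assumption of the example.

```python
"""Correlate per-child API rows into a process-hollowing finding."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Signed Windows/.NET binaries that .NET loaders commonly hollow because they
# are trusted and otherwise idle. Assumption of this example, not report data.
HOLLOW_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}

# Rows copied from the report; counts reproduce the 24 write rows + 1 SetThreadContext row.
REPORT_LINES = (
    ["PID 2368 wrote to memory of 2672 2368 Total Invoices.exe powershell.exe"] * 4
    + ["PID 2368 wrote to memory of 2616 2368 Total Invoices.exe powershell.exe"] * 4
    + ["PID 2368 wrote to memory of 2764 2368 Total Invoices.exe schtasks.exe"] * 4
    + ["PID 2368 wrote to memory of 2516 2368 Total Invoices.exe RegSvcs.exe"] * 12
    + ["PID 2368 set thread context of 2516 2368 Total Invoices.exe RegSvcs.exe"]
)

# The source pid is repeated after the target pid, so \1 pins it. The source
# image is matched lazily so "Total Invoices.exe" (with a space) is kept whole;
# the target image takes the remainder of the row.
ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (.+?\.exe) (.+\.exe)$"
)
API_NAMES = {"wrote to memory of": "WriteProcessMemory",
             "set thread context of": "SetThreadContext"}


@dataclass(frozen=True)
class ApiEvent:
    src_pid: int
    src_image: str
    api: str          # "WriteProcessMemory" or "SetThreadContext"
    dst_pid: int
    dst_image: str


def parse_row(row: str) -> Optional[ApiEvent]:
    """Parse one exported row; returns None for rows in another shape."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    src, verb, dst, src_img, dst_img = m.groups()
    return ApiEvent(int(src), src_img, API_NAMES[verb], int(dst), dst_img)


def hollowing_candidates(events: List[ApiEvent]) -> List[dict]:
    """One finding per (parent, child) pair that got BOTH WriteProcessMemory and
    SetThreadContext from the same parent. Write-only pairs are ignored."""
    counts: Dict[Tuple[int, int], Dict[str, int]] = defaultdict(
        lambda: {"WriteProcessMemory": 0, "SetThreadContext": 0})
    images: Dict[int, str] = {}
    for e in events:
        counts[(e.src_pid, e.dst_pid)][e.api] += 1
        images[e.dst_pid] = e.dst_image
    findings = []
    for (src, dst), c in counts.items():
        if c["WriteProcessMemory"] == 0 or c["SetThreadContext"] == 0:
            continue
        image = images[dst]
        findings.append({
            "parent_pid": src, "child_pid": dst, "child_image": image,
            "writes": c["WriteProcessMemory"],
            "set_thread_context": c["SetThreadContext"],
            # a known idle .NET host as the target raises confidence
            "confidence": "high" if image.lower() in HOLLOW_HOSTS else "medium",
        })
    return findings


if __name__ == "__main__":
    parsed = [ev for ev in (parse_row(r) for r in REPORT_LINES) if ev]
    for f in hollowing_candidates(parsed):
        print(f)
```

Run against the report rows it yields a single high-confidence finding for 2368 -> 2516 (RegSvcs.exe, 12 writes, 1 SetThreadContext); the three write-only children produce nothing.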
Processes

C:\Users\Admin\AppData\Local\Temp\Total Invoices.exe (PID 2368)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Total Invoices.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2672, child of 2368)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Total Invoices.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2616, child of 2368)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dWXyZYb.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 2764, child of 2368)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6548.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2516, child of 2368)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
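Every child in this tree is a command line a detection rule can match: two PowerShell instances adding Defender path exclusions (one for the dropper itself, one for the dropped dWXyZYb.exe), schtasks importing a task definition from a file in the user's Temp directory, and RegSvcs.exe started with no arguments by a loader running from a user-writable path. The hollowed RegSvcs.exe then writes a Run value (GUIVTme) under the user hive, a second persistence mechanism independent of the scheduled task. The SysWOW64 image paths with System32 in the command lines are WOW64 file-system redirection for a 32-bit parent. The following Python is an added example, not the sandbox's own rules: it applies those four checks to Sysmon-style process-creation and registry-set events constructed from the tree above, plus two constructed benign events that must not fire. USER_WRITABLE and DOTNET_HOSTS are assumptions of the example.

```python
"""Rule checks for the loader behaviours in the process tree."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Paths an unprivileged user can write to (assumption of the example).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\temp\\", re.I)
# Signed .NET utilities that loaders start idle and then hollow (assumption).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "applaunch.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}


@dataclass
class ProcEvent:          # process creation (Sysmon event ID 1 shape)
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


@dataclass
class RegEvent:           # registry value set (Sysmon event ID 13 shape)
    pid: int
    image: str
    key: str
    data: str


def split_cmdline(cmdline: str):
    """Split a Windows command line into (executable, argument string)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    head, _, rest = s.partition(" ")
    return head, rest.strip()


def rule_defender_exclusion(e: ProcEvent) -> Optional[str]:
    if ntpath.basename(e.image).lower() != "powershell.exe":
        return None
    m = re.search(r'add-mppreference\s+-exclusion(path|process|extension)\s+"?([^"]+)"?',
                  e.cmdline, re.I)
    if not m:
        return None
    return f"Defender Exclusion{m.group(1)} added for {m.group(2)} by parent {e.parent_image}"


def rule_schtasks_xml(e: ProcEvent) -> Optional[str]:
    if ntpath.basename(e.image).lower() != "schtasks.exe":
        return None
    low = e.cmdline.lower()
    if "/create" not in low or "/xml" not in low:
        return None
    xml = re.search(r'/xml\s+"?([^"]+)"?', e.cmdline, re.I)
    if not xml or not USER_WRITABLE.search(xml.group(1)):
        return None   # task XML imported from a system path is routine
    tn = re.search(r'/tn\s+"?([^"]+)"?', e.cmdline, re.I)
    return f"task {tn.group(1) if tn else '?'} created from XML at {xml.group(1)}"


def rule_dotnet_host_no_args(e: ProcEvent) -> Optional[str]:
    if ntpath.basename(e.image).lower() not in DOTNET_HOSTS:
        return None
    _, args = split_cmdline(e.cmdline)
    if args or not USER_WRITABLE.search(e.parent_image):
        return None   # legitimate use passes an assembly; installers live elsewhere
    return f"{ntpath.basename(e.image)} started with no arguments by {e.parent_image} (PID {e.parent_pid})"


def rule_run_key(e: RegEvent) -> Optional[str]:
    if "\\currentversion\\run\\" not in e.key.lower() or not USER_WRITABLE.search(e.data):
        return None
    return f"Run value {ntpath.basename(e.key)} -> {e.data} set by {e.image} (PID {e.pid})"


PROC_RULES = [("defender_exclusion", rule_defender_exclusion),
              ("schtasks_xml_user_path", rule_schtasks_xml),
              ("dotnet_host_no_args", rule_dotnet_host_no_args)]
REG_RULES = [("run_key_user_path", rule_run_key)]


def evaluate(events: List[Union[ProcEvent, RegEvent]]) -> List[dict]:
    findings = []
    for ev in events:
        for name, rule in (PROC_RULES if isinstance(ev, ProcEvent) else REG_RULES):
            detail = rule(ev)
            if detail:
                findings.append({"rule": name, "pid": ev.pid, "detail": detail})
    return findings


# Events constructed from the process tree in this report.
LOADER = r"C:\Users\Admin\AppData\Local\Temp\Total Invoices.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EVENTS = [
    ProcEvent(2672, PS, PS_CMD + r' Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Total Invoices.exe"', 2368, LOADER),
    ProcEvent(2616, PS, PS_CMD + r' Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dWXyZYb.exe"', 2368, LOADER),
    ProcEvent(2764, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dWXyZYb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6548.tmp"', 2368, LOADER),
    ProcEvent(2516, REGSVCS, '"' + REGSVCS + '"', 2368, LOADER),
    RegEvent(2516, REGSVCS,
             r"\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\GUIVTme",
             r"C:\Users\Admin\AppData\Roaming\GUIVTme\GUIVTme.exe"),
]
# Constructed benign events (not from the report) that must not fire.
BENIGN_EVENTS = [
    ProcEvent(4001, PS, PS_CMD + r" Get-ChildItem C:\Users\Admin\Documents", 1200, r"C:\Windows\explorer.exe"),
    ProcEvent(4002, REGSVCS, '"' + REGSVCS + r'" "C:\Program Files\Vendor\Vendor.dll"', 4000, r"C:\Program Files\Vendor\setup.exe"),
]

if __name__ == "__main__":
    for f in evaluate(EVENTS + BENIGN_EVENTS):
        print(f["rule"], f["pid"], f["detail"])
```

The report's five events produce five findings (both exclusions, the task import, the argument-less RegSvcs.exe and the Run value); the benign PowerShell listing and the RegSvcs.exe invocation that registers an assembly from Program Files produce none.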
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6548.tmp
  Filesize: 1KB
  MD5: 72a456ac3521987c834c13f130cdc763
  SHA1: 01fd57866cc2bbe1abcd60c63de98630b801a57f
  SHA256: 468e8f551a1a65ad9d4eeffea66468ca3855b9d238cbca0aedcdf8689d073374
  SHA512: 0784a81e935fabc4354fdfb9e9416e68a737568a8c51a88693561d9605ab692504b42030183dc990b31a46870666417a9a6a2447827a5e1581a4dc8613e27a97

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 70df9665930d80182f35467e9212b4c2
  SHA1: ebe4601c2fca34d20067635389acd6597081d33a
  SHA256: b8b1c0d66e9d193813b7e13a4466c58cfc6e06262dcadc6d95de7e4a322304d6
  SHA512: 8df449a4513dbf54bfa48926ce3d3cce2b6cd95d064c57c49eaf646774e6c0ac7512ee3bed334ba5186a85374e85d74e5ef0bc219ec36032ba49075fe282cccd

Memory dumps (file: size):
memory/2368-0-0x0000000000B30000-0x0000000000BFC000-memory.dmp: 816KB
memory/2368-1-0x0000000074660000-0x0000000074D4E000-memory.dmp: 6.9MB
memory/2368-2-0x0000000004CD0000-0x0000000004D10000-memory.dmp: 256KB
memory/2368-3-0x00000000004B0000-0x00000000004C8000-memory.dmp: 96KB
memory/2368-4-0x0000000000580000-0x000000000058E000-memory.dmp: 56KB
memory/2368-5-0x00000000005D0000-0x00000000005E4000-memory.dmp: 80KB
memory/2368-6-0x0000000000940000-0x00000000009C4000-memory.dmp: 528KB
memory/2368-35-0x0000000074660000-0x0000000074D4E000-memory.dmp: 6.9MB
memory/2516-31-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
memory/2516-47-0x00000000048B0000-0x00000000048F0000-memory.dmp: 256KB
memory/2516-23-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
memory/2516-25-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
memory/2516-27-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
memory/2516-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
memory/2516-21-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
memory/2516-43-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
memory/2516-50-0x00000000048B0000-0x00000000048F0000-memory.dmp: 256KB
memory/2516-46-0x00000000745E0000-0x0000000074CCE000-memory.dmp: 6.9MB
memory/2516-45-0x0000000000400000-0x0000000000442000-memory.dmp: 264KB
memory/2516-49-0x00000000745E0000-0x0000000074CCE000-memory.dmp: 6.9MB
memory/2616-38-0x0000000002ED0000-0x0000000002F10000-memory.dmp: 256KB
memory/2616-19-0x000000006E6F0000-0x000000006EC9B000-memory.dmp: 5.7MB
memory/2616-40-0x0000000002ED0000-0x0000000002F10000-memory.dmp: 256KB
memory/2616-41-0x000000006E6F0000-0x000000006EC9B000-memory.dmp: 5.7MB
memory/2616-36-0x000000006E6F0000-0x000000006EC9B000-memory.dmp: 5.7MB
memory/2616-33-0x0000000002ED0000-0x0000000002F10000-memory.dmp: 256KB
memory/2672-37-0x000000006E6F0000-0x000000006EC9B000-memory.dmp: 5.7MB
memory/2672-42-0x000000006E6F0000-0x000000006EC9B000-memory.dmp: 5.7MB
memory/2672-39-0x0000000002A70000-0x0000000002AB0000-memory.dmp: 256KB
memory/2672-20-0x000000006E6F0000-0x000000006EC9B000-memory.dmp: 5.7MB
memory/2672-34-0x0000000002A70000-0x0000000002AB0000-memory.dmp: 256KB