Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-04-2024 01:19
Static task: static1
Behavioral task: behavioral1
- Sample: Commercial Invoice PDF.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: Commercial Invoice PDF.exe
- Resource: win10v2004-20240426-en
General
- Target: Commercial Invoice PDF.exe
- Size: 822KB
- MD5: 5a12438b3b4c926c12a9376c7bf13426
- SHA1: c3185c6a5e5f07a5befbe4af7131d05634f5d1a3
- SHA256: 1a794211deaa0ecb6abc6101d7c1bd61111b4dd2d895ee7ecf78fbf17f4c9ab3
- SHA512: 16c1e0e18eb8b3345b8b05443b782cb1dd35492ac986811c39f3cdce8dfe85b003aba029ffca0e38aa33c951d0d08281825152b0e239471eac3de18ac67864d0
- SSDEEP: 12288:tEqnHvjNIrpf9rN/mc/CaBmIwsyaPSIir97G6NLOZCGKEgbjuPBB5uO12rq:txPjKr5BNDWVxcSIiRG6atlB5N
Malware Config
Extracted
- Protocol: smtp
- Host: mail.fascia-arch.com
- Port: 587
- Username: [email protected]
- Password: HERbertstown1987
Extracted (agenttesla)
- Protocol: smtp
- Host: mail.fascia-arch.com
- Port: 587
- Username: [email protected]
- Password: HERbertstown1987
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
Processes:
resource: behavioral2/memory/4264-46-0x0000000000400000-0x0000000000442000-memory.dmp
yara_rule: INDICATOR_EXE_Packed_GEN01
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource: behavioral2/memory/4264-46-0x0000000000400000-0x0000000000442000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_Binary_References_Browsers
-
Detects executables referencing Windows vault credential objects. Observed in infostealers. 1 IoCs
Processes:
resource: behavioral2/memory/4264-46-0x0000000000400000-0x0000000000442000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. 1 IoCs
Processes:
resource: behavioral2/memory/4264-46-0x0000000000400000-0x0000000000442000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
-
Detects executables referencing many email and collaboration clients. Observed in information stealers. 1 IoCs
Processes:
resource: behavioral2/memory/4264-46-0x0000000000400000-0x0000000000442000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
-
Detects executables referencing many file transfer clients. Observed in information stealers. 1 IoCs
Processes:
resource: behavioral2/memory/4264-46-0x0000000000400000-0x0000000000442000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Commercial Invoice PDF.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | Commercial Invoice PDF.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: Commercial Invoice PDF.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BjTxJte = "C:\\Users\\Admin\\AppData\\Roaming\\BjTxJte\\BjTxJte.exe" | Commercial Invoice PDF.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
14 | api.ipify.org
15 | api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Commercial Invoice PDF.exe
description | pid | process | target process
PID 4068 set thread context of 4264 | 4068 | Commercial Invoice PDF.exe | Commercial Invoice PDF.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes: Commercial Invoice PDF.exe, powershell.exe, powershell.exe, Commercial Invoice PDF.exe
pid | process
4068 | Commercial Invoice PDF.exe
4068 | Commercial Invoice PDF.exe
4916 | powershell.exe
1224 | powershell.exe
4068 | Commercial Invoice PDF.exe
4068 | Commercial Invoice PDF.exe
4068 | Commercial Invoice PDF.exe
4916 | powershell.exe
4264 | Commercial Invoice PDF.exe
4264 | Commercial Invoice PDF.exe
1224 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: Commercial Invoice PDF.exe, powershell.exe, powershell.exe, Commercial Invoice PDF.exe
description | pid | process
Token: SeDebugPrivilege | 4068 | Commercial Invoice PDF.exe
Token: SeDebugPrivilege | 4916 | powershell.exe
Token: SeDebugPrivilege | 1224 | powershell.exe
Token: SeDebugPrivilege | 4264 | Commercial Invoice PDF.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Commercial Invoice PDF.exe
pid | process
4264 | Commercial Invoice PDF.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes: Commercial Invoice PDF.exe
description | pid | process | target process
PID 4068 wrote to memory of 4916 | 4068 | Commercial Invoice PDF.exe | powershell.exe
PID 4068 wrote to memory of 4916 | 4068 | Commercial Invoice PDF.exe | powershell.exe
PID 4068 wrote to memory of 4916 | 4068 | Commercial Invoice PDF.exe | powershell.exe
PID 4068 wrote to memory of 1224 | 4068 | Commercial Invoice PDF.exe | powershell.exe
PID 4068 wrote to memory of 1224 | 4068 | Commercial Invoice PDF.exe | powershell.exe
PID 4068 wrote to memory of 1224 | 4068 | Commercial Invoice PDF.exe | powershell.exe
PID 4068 wrote to memory of 3228 | 4068 | Commercial Invoice PDF.exe | schtasks.exe
PID 4068 wrote to memory of 3228 | 4068 | Commercial Invoice PDF.exe | schtasks.exe
PID 4068 wrote to memory of 3228 | 4068 | Commercial Invoice PDF.exe | schtasks.exe
PID 4068 wrote to memory of 4424 | 4068 | Commercial Invoice PDF.exe | Commercial Invoice PDF.exe
PID 4068 wrote to memory of 4424 | 4068 | Commercial Invoice PDF.exe | Commercial Invoice PDF.exe
PID 4068 wrote to memory of 4424 | 4068 | Commercial Invoice PDF.exe | Commercial Invoice PDF.exe
PID 4068 wrote to memory of 4264 | 4068 | Commercial Invoice PDF.exe | Commercial Invoice PDF.exe
PID 4068 wrote to memory of 4264 | 4068 | Commercial Invoice PDF.exe | Commercial Invoice PDF.exe
PID 4068 wrote to memory of 4264 | 4068 | Commercial Invoice PDF.exe | Commercial Invoice PDF.exe
PID 4068 wrote to memory of 4264 | 4068 | Commercial Invoice PDF.exe | Commercial Invoice PDF.exe
PID 4068 wrote to memory of 4264 | 4068 | Commercial Invoice PDF.exe | Commercial Invoice PDF.exe
PID 4068 wrote to memory of 4264 | 4068 | Commercial Invoice PDF.exe | Commercial Invoice PDF.exe
PID 4068 wrote to memory of 4264 | 4068 | Commercial Invoice PDF.exe | Commercial Invoice PDF.exe
PID 4068 wrote to memory of 4264 | 4068 | Commercial Invoice PDF.exe | Commercial Invoice PDF.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Commercial Invoice PDF.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Commercial Invoice PDF.exe"
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Commercial Invoice PDF.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CmxzrHBB.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
-
    C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CmxzrHBB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D7F.tmp"
    - Creates scheduled task(s)
-
    C:\Users\Admin\AppData\Local\Temp\Commercial Invoice PDF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Commercial Invoice PDF.exe"
-
    C:\Users\Admin\AppData\Local\Temp\Commercial Invoice PDF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Commercial Invoice PDF.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- Filesize: 18KB
- MD5: 25cce41c2b369a9b78bbd93e3db9acde
- SHA1: 6314ef5ebbbc0a54d7985de90b3ac382134f8789
- SHA256: d49dee514ede5b1334061fc370a594b2d4b8c72f7f89a8d40e42adb5057280b2
- SHA512: 104e05f45dad8f87ca54581788e51beecced915fd7a5a54952a8e3eda6e0a9f99b4db8169741e183dc14e6755f4e7c8a36a118a4e702467bfbf66400ccca8375
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phcrspij.qua.ps1
- Filesize: 60B
- MD5: d17fe0a3f47be24a6453e9ef58c94641
- SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
- SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
- SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmp6D7F.tmp
- Filesize: 1KB
- MD5: 1f39d6539088edc730e7dfafdd5a54be
- SHA1: 4a17275e3dc2d4b84b5a35a47debaafba9686fe4
- SHA256: 1d3b0014bbdd3dd17ae9e4ee5d5f8e3385cba4c45e3fcb39ddc49bfdbb3ca7c6
- SHA512: eb6c73990b43b34681033a950670802b6ba17d1ae0b8f3f21d17e01a8627ceb81c188ac60276924db0e6f580200614004f61983d29a465f32b70736b52920450