Analysis
- max time kernel: 23s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-04-2024 13:51
Static task
- static1

Behavioral tasks
- behavioral1: sample "TNT Original Invoice.scr", resource win7-20240221-en
- behavioral2: sample "TNT Original Invoice.scr", resource win10-20240404-en
- behavioral3: sample "TNT Original Invoice.scr", resource win10v2004-20240419-en
- behavioral4: sample "TNT Original Invoice.scr", resource win11-20240419-en
General
- Target: TNT Original Invoice.scr
- Size: 697KB
- MD5: 4aa63ea35a6a68252888080722f2b403
- SHA1: 63ecde53df066919f84d35926dbea4efc1610b00
- SHA256: 8f26ff4683a2d8c5dda6b8aff8c4d6b95ffe97c2432b413e0f8f0a0c16c96d32
- SHA512: a36aa7db91c5a98964b9285e85d07b255b4449dfd361ef09d8c4a8239c80adf895756c048f9ddc5ef9e35481a490005ace3aa36d1f93a0d59e80edae50ee8aa3
- SSDEEP: 12288:2+DbgRB778QekIKVkQv77DBpPMJ3aofMw98A/wR0Q+bnEimiQZWOWiP6ZtZbUqu9:vgRB1HbGHfMv0wR0vEJN6vpR+
Malware Config
- Extracted family: agenttesla
- Extracted URL: https://api.telegram.org/bot5239412158:AAHXn8rC3uvBHy_kv77GtIcxcuvBuXcKD_8/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar data.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 3028 set thread context of 2788 | 3028 | TNT Original Invoice.scr | TNT Original Invoice.scr
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes (pid | process):
  3028 | TNT Original Invoice.scr (7 entries)
  2788 | TNT Original Invoice.scr (2 entries)
  2840 | powershell.exe
  2584 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 3028 | TNT Original Invoice.scr
  Token: SeDebugPrivilege | 2788 | TNT Original Invoice.scr
  Token: SeDebugPrivilege | 2840 | powershell.exe
  Token: SeDebugPrivilege | 2584 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
  2788 | TNT Original Invoice.scr
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description | pid | process | target process):
  PID 3028 wrote to memory of 2840 | 3028 | TNT Original Invoice.scr | powershell.exe (4 entries)
  PID 3028 wrote to memory of 2584 | 3028 | TNT Original Invoice.scr | powershell.exe (4 entries)
  PID 3028 wrote to memory of 2700 | 3028 | TNT Original Invoice.scr | schtasks.exe (4 entries)
  PID 3028 wrote to memory of 2788 | 3028 | TNT Original Invoice.scr | TNT Original Invoice.scr (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QKidaN.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QKidaN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp737B.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp737B.tmp
  Filesize: 1KB
  MD5: 6f51d635e1d72db9e92832d009527a89
  SHA1: a2faa04d19a629d125d949a25cd40e1a0a9fc162
  SHA256: 9fe9175470f6f4149dccc2430157e9858e4af5632e07cf2823b31d6cdf002b03
  SHA512: 39a0133ab5a987bbb5893a654deecfcfae2e20b78a139ed6d4b988c55592378b66359e09a59991e575a9e855e9863e6e6cc332cc0367717dc152dee745634ab0
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 2c1d7ac3afb27b2c4ff37f6943199af6
  SHA1: 1aef13cbd219d76a15c1637bc687f859eacda502
  SHA256: 19aa83c2d23802d71a902912598a8c482736699e9db1ab75dbbc41488b7bb2df
  SHA512: 841eb8d9eff8a2270c903900913ce7b011eafd9dc03c2b7a932fb3fdd54dd6b00166f379135411e6ea3977c4696070ad202cc059d8412c4b801c40342e03de34
- memory/2788-29-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2788-25-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2788-21-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2788-23-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2788-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2788-28-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2788-30-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2788-19-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/3028-6-0x00000000053E0000-0x0000000005464000-memory.dmp (Filesize: 528KB)
- memory/3028-1-0x0000000073F50000-0x000000007463E000-memory.dmp (Filesize: 6.9MB)
- memory/3028-0-0x0000000000D00000-0x0000000000DB4000-memory.dmp (Filesize: 720KB)
- memory/3028-2-0x0000000004980000-0x00000000049C0000-memory.dmp (Filesize: 256KB)
- memory/3028-3-0x0000000000510000-0x0000000000528000-memory.dmp (Filesize: 96KB)
- memory/3028-5-0x0000000000590000-0x00000000005A6000-memory.dmp (Filesize: 88KB)
- memory/3028-4-0x0000000000580000-0x000000000058E000-memory.dmp (Filesize: 56KB)
- memory/3028-31-0x0000000073F50000-0x000000007463E000-memory.dmp (Filesize: 6.9MB)