Analysis
- max time kernel: 195s
- max time network: 297s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 29-04-2024 13:51
- Static task: static1
- Behavioral task behavioral1: sample TNT Original Invoice.scr, resource win7-20240221-en
- Behavioral task behavioral2: sample TNT Original Invoice.scr, resource win10-20240404-en
- Behavioral task behavioral3: sample TNT Original Invoice.scr, resource win10v2004-20240419-en
- Behavioral task behavioral4: sample TNT Original Invoice.scr, resource win11-20240419-en
General
- Target: TNT Original Invoice.scr
- Size: 697KB
- MD5: 4aa63ea35a6a68252888080722f2b403
- SHA1: 63ecde53df066919f84d35926dbea4efc1610b00
- SHA256: 8f26ff4683a2d8c5dda6b8aff8c4d6b95ffe97c2432b413e0f8f0a0c16c96d32
- SHA512: a36aa7db91c5a98964b9285e85d07b255b4449dfd361ef09d8c4a8239c80adf895756c048f9ddc5ef9e35481a490005ace3aa36d1f93a0d59e80edae50ee8aa3
- SSDEEP: 12288:2+DbgRB778QekIKVkQv77DBpPMJ3aofMw98A/wR0Q+bnEimiQZWOWiP6ZtZbUqu9:vgRB1HbGHfMv0wR0vEJN6vpR+
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5239412158:AAHXn8rC3uvBHy_kv77GtIcxcuvBuXcKD_8/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 2024 (TNT Original Invoice.scr) set thread context of PID 416 (TNT Original Invoice.scr)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  Processes:
  - PID 2024 TNT Original Invoice.scr (7 events)
  - PID 1388 powershell.exe (3 events)
  - PID 2100 powershell.exe (3 events)
  - PID 416 TNT Original Invoice.scr (2 events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  - PID 2024 TNT Original Invoice.scr: Token SeDebugPrivilege
  - PID 1388 powershell.exe: Token SeDebugPrivilege
  - PID 2100 powershell.exe: Token SeDebugPrivilege
  - PID 416 TNT Original Invoice.scr: Token SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - PID 416 TNT Original Invoice.scr
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  - PID 2024 (TNT Original Invoice.scr) wrote to memory of PID 2100 (powershell.exe) (3 events)
  - PID 2024 (TNT Original Invoice.scr) wrote to memory of PID 1388 (powershell.exe) (3 events)
  - PID 2024 (TNT Original Invoice.scr) wrote to memory of PID 4324 (schtasks.exe) (3 events)
  - PID 2024 (TNT Original Invoice.scr) wrote to memory of PID 416 (TNT Original Invoice.scr) (8 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QKidaN.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QKidaN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBAE4.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 1c19c16e21c97ed42d5beabc93391fc5
  SHA1: 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
  SHA256: 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
  SHA512: 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 1d0a68947ad90d88a4d2a377af23e627
  SHA1: 28d59fe72c9014beb58baad35aa8369dbc31e1ba
  SHA256: c17be7ec439f5cadaf2aee5a84b83b12317bb93af87ab613e6aa4d6d86029824
  SHA512: a651062d9e8b27704227cf82fd1b27053e5353a19750baa864d5c3e08c0d54fcce53b4a07498eca319c759c5ec1dc6a9dad7dd60973b7e867bf96f3f6541ec42
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cypc4vz5.5es.ps1
  Filesize: 1B
  MD5: c4ca4238a0b923820dcc509a6f75849b
  SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
  SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
  SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
- C:\Users\Admin\AppData\Local\Temp\tmpBAE4.tmp
  Filesize: 1KB
  MD5: 7f7c0a00a71dacf5b6155301467b3e5b
  SHA1: b5791651c780fdb513601f0a32f0456c2f057ad2
  SHA256: 364e65a5cdb975e2f73760b2c83588395ea415f631961204b35a31f9f915306a
  SHA512: 51b07d61a582c5e3284bbd2781f5db0417ded49b6650cfe858ac465eb442a937a928d508ae90261e12c4ede98b7978d3d081d1f2f707b42690d0980efe05f2aa