Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-04-2024 13:55
Static task: static1
Behavioral task: behavioral1
  Sample: TNT Original Invoice.scr.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: TNT Original Invoice.scr.exe
  Resource: win10v2004-20240426-en
General
- Target: TNT Original Invoice.scr.exe
- Size: 697KB
- MD5: 4aa63ea35a6a68252888080722f2b403
- SHA1: 63ecde53df066919f84d35926dbea4efc1610b00
- SHA256: 8f26ff4683a2d8c5dda6b8aff8c4d6b95ffe97c2432b413e0f8f0a0c16c96d32
- SHA512: a36aa7db91c5a98964b9285e85d07b255b4449dfd361ef09d8c4a8239c80adf895756c048f9ddc5ef9e35481a490005ace3aa36d1f93a0d59e80edae50ee8aa3
- SSDEEP: 12288:2+DbgRB778QekIKVkQv77DBpPMJ3aofMw98A/wR0Q+bnEimiQZWOWiP6ZtZbUqu9:vgRB1HbGHfMv0wR0vEJN6vpR+
Malware Config
- Extracted family: agenttesla
- Extracted URL: https://api.telegram.org/bot5239412158:AAHXn8rC3uvBHy_kv77GtIcxcuvBuXcKD_8/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   process                        target process
    PID 2344 set thread context of 2600  2344  TNT Original Invoice.scr.exe   TNT Original Invoice.scr.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes:
    pid   process
    2344  TNT Original Invoice.scr.exe
    2344  TNT Original Invoice.scr.exe
    2344  TNT Original Invoice.scr.exe
    2344  TNT Original Invoice.scr.exe
    2344  TNT Original Invoice.scr.exe
    2344  TNT Original Invoice.scr.exe
    2344  TNT Original Invoice.scr.exe
    2600  TNT Original Invoice.scr.exe
    2600  TNT Original Invoice.scr.exe
    2692  powershell.exe
    2540  powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2344  TNT Original Invoice.scr.exe
    Token: SeDebugPrivilege  2600  TNT Original Invoice.scr.exe
    Token: SeDebugPrivilege  2692  powershell.exe
    Token: SeDebugPrivilege  2540  powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    2600  TNT Original Invoice.scr.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
    description                        pid   process                        target process
    PID 2344 wrote to memory of 2540   2344  TNT Original Invoice.scr.exe   powershell.exe
    PID 2344 wrote to memory of 2540   2344  TNT Original Invoice.scr.exe   powershell.exe
    PID 2344 wrote to memory of 2540   2344  TNT Original Invoice.scr.exe   powershell.exe
    PID 2344 wrote to memory of 2540   2344  TNT Original Invoice.scr.exe   powershell.exe
    PID 2344 wrote to memory of 2692   2344  TNT Original Invoice.scr.exe   powershell.exe
    PID 2344 wrote to memory of 2692   2344  TNT Original Invoice.scr.exe   powershell.exe
    PID 2344 wrote to memory of 2692   2344  TNT Original Invoice.scr.exe   powershell.exe
    PID 2344 wrote to memory of 2692   2344  TNT Original Invoice.scr.exe   powershell.exe
    PID 2344 wrote to memory of 2888   2344  TNT Original Invoice.scr.exe   schtasks.exe
    PID 2344 wrote to memory of 2888   2344  TNT Original Invoice.scr.exe   schtasks.exe
    PID 2344 wrote to memory of 2888   2344  TNT Original Invoice.scr.exe   schtasks.exe
    PID 2344 wrote to memory of 2888   2344  TNT Original Invoice.scr.exe   schtasks.exe
    PID 2344 wrote to memory of 2600   2344  TNT Original Invoice.scr.exe   TNT Original Invoice.scr.exe
    PID 2344 wrote to memory of 2600   2344  TNT Original Invoice.scr.exe   TNT Original Invoice.scr.exe
    PID 2344 wrote to memory of 2600   2344  TNT Original Invoice.scr.exe   TNT Original Invoice.scr.exe
    PID 2344 wrote to memory of 2600   2344  TNT Original Invoice.scr.exe   TNT Original Invoice.scr.exe
    PID 2344 wrote to memory of 2600   2344  TNT Original Invoice.scr.exe   TNT Original Invoice.scr.exe
    PID 2344 wrote to memory of 2600   2344  TNT Original Invoice.scr.exe   TNT Original Invoice.scr.exe
    PID 2344 wrote to memory of 2600   2344  TNT Original Invoice.scr.exe   TNT Original Invoice.scr.exe
    PID 2344 wrote to memory of 2600   2344  TNT Original Invoice.scr.exe   TNT Original Invoice.scr.exe
    PID 2344 wrote to memory of 2600   2344  TNT Original Invoice.scr.exe   TNT Original Invoice.scr.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QKidaN.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QKidaN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6FD3.tmp"
- Creates scheduled task(s)
- Level 2: C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6FD3.tmp
  Filesize: 1KB
  MD5: 6f51d635e1d72db9e92832d009527a89
  SHA1: a2faa04d19a629d125d949a25cd40e1a0a9fc162
  SHA256: 9fe9175470f6f4149dccc2430157e9858e4af5632e07cf2823b31d6cdf002b03
  SHA512: 39a0133ab5a987bbb5893a654deecfcfae2e20b78a139ed6d4b988c55592378b66359e09a59991e575a9e855e9863e6e6cc332cc0367717dc152dee745634ab0
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YRC61J8WA5CERJAA94UZ.temp
  Filesize: 7KB
  MD5: 93e62abfffc73259c8d37fa1ba079c4e
  SHA1: beb510a2a9a32e1e5aefc5eb234b1e24153c880e
  SHA256: 33623a61fc78c8a060ecfea04d97c11d3d7783a9a58259ea260b3fcae0739107
  SHA512: f5d907f4ab8cb5687cf35121d2325160c8c98de709f24a52438dec75eef14c69a6e7287899ede492afb7224f5f8c8488b861bc679af2b7413daff9ecc74c21e9
- memory/2344-4-0x0000000000480000-0x000000000048E000-memory.dmp (Filesize: 56KB)
- memory/2344-3-0x0000000000440000-0x0000000000458000-memory.dmp (Filesize: 96KB)
- memory/2344-0-0x0000000000A70000-0x0000000000B24000-memory.dmp (Filesize: 720KB)
- memory/2344-5-0x0000000000490000-0x00000000004A6000-memory.dmp (Filesize: 88KB)
- memory/2344-6-0x00000000042F0000-0x0000000004374000-memory.dmp (Filesize: 528KB)
- memory/2344-2-0x0000000004500000-0x0000000004540000-memory.dmp (Filesize: 256KB)
- memory/2344-1-0x0000000074DC0000-0x00000000754AE000-memory.dmp (Filesize: 6.9MB)
- memory/2344-32-0x0000000074DC0000-0x00000000754AE000-memory.dmp (Filesize: 6.9MB)
- memory/2344-31-0x0000000074DC0000-0x00000000754AE000-memory.dmp (Filesize: 6.9MB)
- memory/2600-30-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2600-29-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2600-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2600-25-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2600-21-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2600-23-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2600-28-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)
- memory/2600-19-0x0000000000400000-0x0000000000442000-memory.dmp (Filesize: 264KB)