Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-04-2024 14:05
Static task: static1
Behavioral task: behavioral1
- Sample: TNT Original Invoice.scr
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: TNT Original Invoice.scr
- Resource: win10v2004-20240419-en
General
- Target: TNT Original Invoice.scr
- Size: 697KB
- MD5: 4aa63ea35a6a68252888080722f2b403
- SHA1: 63ecde53df066919f84d35926dbea4efc1610b00
- SHA256: 8f26ff4683a2d8c5dda6b8aff8c4d6b95ffe97c2432b413e0f8f0a0c16c96d32
- SHA512: a36aa7db91c5a98964b9285e85d07b255b4449dfd361ef09d8c4a8239c80adf895756c048f9ddc5ef9e35481a490005ace3aa36d1f93a0d59e80edae50ee8aa3
- SSDEEP: 12288:2+DbgRB778QekIKVkQv77DBpPMJ3aofMw98A/wR0Q+bnEimiQZWOWiP6ZtZbUqu9:vgRB1HbGHfMv0wR0vEJN6vpR+
Malware Config
Extracted: agenttesla
- https://api.telegram.org/bot5239412158:AAHXn8rC3uvBHy_kv77GtIcxcuvBuXcKD_8/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  | description                             | pid  | process                  | target process           |
  |-----------------------------------------|------|--------------------------|--------------------------|
  | PID 2976 set thread context of 2448     | 2976 | TNT Original Invoice.scr | TNT Original Invoice.scr |
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes:
  | pid  | process                  | occurrences |
  |------|--------------------------|-------------|
  | 2976 | TNT Original Invoice.scr | 7           |
  | 2448 | TNT Original Invoice.scr | 2           |
  | 2112 | powershell.exe           | 1           |
  | 2712 | powershell.exe           | 1           |
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  | description              | pid  | process                  |
  |--------------------------|------|--------------------------|
  | Token: SeDebugPrivilege  | 2976 | TNT Original Invoice.scr |
  | Token: SeDebugPrivilege  | 2448 | TNT Original Invoice.scr |
  | Token: SeDebugPrivilege  | 2112 | powershell.exe           |
  | Token: SeDebugPrivilege  | 2712 | powershell.exe           |
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  | pid  | process                  |
  |------|--------------------------|
  | 2448 | TNT Original Invoice.scr |
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (identical rows collapsed, with the number of occurrences):
  | description                     | pid  | process                  | target process           | occurrences |
  |---------------------------------|------|--------------------------|--------------------------|-------------|
  | PID 2976 wrote to memory of 2712 | 2976 | TNT Original Invoice.scr | powershell.exe           | 4           |
  | PID 2976 wrote to memory of 2112 | 2976 | TNT Original Invoice.scr | powershell.exe           | 4           |
  | PID 2976 wrote to memory of 2720 | 2976 | TNT Original Invoice.scr | schtasks.exe             | 4           |
  | PID 2976 wrote to memory of 2448 | 2976 | TNT Original Invoice.scr | TNT Original Invoice.scr | 9           |
Processes
- C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QKidaN.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QKidaN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60B6.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.scr"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp60B6.tmp
  Filesize: 1KB
  MD5: fe54802e14bc1ee458bab94c1edecdab
  SHA1: 84c4e4b1221ab9c6b0690200dc32a6be0d0ac3fa
  SHA256: 59c94f73cb0457205b05ccb08c9e6aa3f6415aab8d22e65f2ab1c1c378fffeea
  SHA512: db764e2e922a8c1a477c49c4f1d2fa872691cdd3300bba159e69ece799ad2ea892a6f193bd6e34539b2f51ca74595c29e78845c672f5e817edf36a8d610f2b97
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 2d4f8696d390f7cdb1531a528e91104a
  SHA1: e58142623c36f59f39c2dfda87df5e163223d65c
  SHA256: 65e661e368623055717b7a5059e54731f4e13833626cbf5a81cc4aef2539bfd5
  SHA512: 021f9596f5010f8a755e042398417377849beedf45ae000654148922e015116fe3eab632090f9e60ea16608feabd624d542dd7db976c271dd701b55f309543e6
- Memory dumps (path, filesize):
  - memory/2448-21-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
  - memory/2448-23-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
  - memory/2448-19-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
  - memory/2448-25-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
  - memory/2448-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (4KB)
  - memory/2448-28-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
  - memory/2448-31-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
  - memory/2448-29-0x0000000000400000-0x0000000000442000-memory.dmp (264KB)
  - memory/2976-6-0x0000000004800000-0x0000000004884000-memory.dmp (528KB)
  - memory/2976-1-0x0000000074A50000-0x000000007513E000-memory.dmp (6.9MB)
  - memory/2976-0-0x0000000001070000-0x0000000001124000-memory.dmp (720KB)
  - memory/2976-2-0x0000000004FD0000-0x0000000005010000-memory.dmp (256KB)
  - memory/2976-3-0x0000000000540000-0x0000000000558000-memory.dmp (96KB)
  - memory/2976-5-0x0000000000670000-0x0000000000686000-memory.dmp (88KB)
  - memory/2976-4-0x0000000000660000-0x000000000066E000-memory.dmp (56KB)
  - memory/2976-32-0x0000000074A50000-0x000000007513E000-memory.dmp (6.9MB)