Overview (score 10)
Static (score 10)
Behavioral tasks:
- 01d63645f4...e3.exe, windows7-x64, score 9
- 01d63645f4...e3.exe, windows10-2004-x64, score 10
- 14bae02cc3...0e.exe, windows7-x64, score 10
- 14bae02cc3...0e.exe, windows10-2004-x64, score 8
- TNT Origin...ce.exe, windows7-x64, score 10
- TNT Origin...ce.exe, windows10-2004-x64, score 10
- 402ff605d7...97.exe, windows7-x64, score 10
- 402ff605d7...97.exe, windows10-2004-x64, score 10
- 4d0dfae91f...bf.exe, windows7-x64, score 7
- 4d0dfae91f...bf.exe, windows10-2004-x64, score 7
- 5401a3332d...8e.exe, windows7-x64, score 10
- 5401a3332d...8e.exe, windows10-2004-x64, score 10
- Autoit3.exe, windows7-x64, score 3
- Autoit3.exe, windows10-2004-x64, score 3
- 6cfe745f03...d2.exe, windows7-x64, score 10
- 6cfe745f03...d2.exe, windows10-2004-x64, score 10
- 90f19e1a78...ef.exe, windows7-x64, score 7
- 90f19e1a78...ef.exe, windows10-2004-x64, score 1
- a3eeef65c4...4.xlsx, windows7-x64, score 1
- a3eeef65c4...4.xlsx, windows10-2004-x64, score 1
- a71829e150...e5.exe, windows7-x64, score 7
- a71829e150...e5.exe, windows10-2004-x64, score 7
- db58eb7713...c4.exe, windows7-x64, score 10
- db58eb7713...c4.exe, windows10-2004-x64, score 7
Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 14:00
Behavioral tasks
- behavioral1 - Sample: 01d63645f4c648e12fa693ecc9a926eda29ca031c5d067c687ee65cab67e74e3.exe - Resource: win7-20240221-en
- behavioral2 - Sample: 01d63645f4c648e12fa693ecc9a926eda29ca031c5d067c687ee65cab67e74e3.exe - Resource: win10v2004-20240419-en
- behavioral3 - Sample: 14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe - Resource: win7-20240215-en
- behavioral4 - Sample: 14bae02cc31e4fb13f02aa594d65a977f1fdec305089c415985e11903769ae0e.exe - Resource: win10v2004-20240419-en
- behavioral5 - Sample: TNT Original Invoice.exe - Resource: win7-20231129-en
- behavioral6 - Sample: TNT Original Invoice.exe - Resource: win10v2004-20240226-en
- behavioral7 - Sample: 402ff605d7f23f20e253e13b8cb1eb7b5b763a00311deba3cf13c9646ae1f397.exe - Resource: win7-20240221-en
- behavioral8 - Sample: 402ff605d7f23f20e253e13b8cb1eb7b5b763a00311deba3cf13c9646ae1f397.exe - Resource: win10v2004-20240419-en
- behavioral9 - Sample: 4d0dfae91fed3f9273356eae54dae047b51e374034fd7e8c1e50066c24add6bf.exe - Resource: win7-20240221-en
- behavioral10 - Sample: 4d0dfae91fed3f9273356eae54dae047b51e374034fd7e8c1e50066c24add6bf.exe - Resource: win10v2004-20240426-en
- behavioral11 - Sample: 5401a3332d6bf674b3a25eb23745edd09f943284aa4448f9eb6c53620027f28e.exe - Resource: win7-20240221-en
- behavioral12 - Sample: 5401a3332d6bf674b3a25eb23745edd09f943284aa4448f9eb6c53620027f28e.exe - Resource: win10v2004-20240419-en
- behavioral13 - Sample: Autoit3.exe - Resource: win7-20240419-en
- behavioral14 - Sample: Autoit3.exe - Resource: win10v2004-20240419-en
- behavioral15 - Sample: 6cfe745f03252b83604bf8159f4100e402af25444247e697165c96e2e12f58d2.exe - Resource: win7-20240419-en
- behavioral16 - Sample: 6cfe745f03252b83604bf8159f4100e402af25444247e697165c96e2e12f58d2.exe - Resource: win10v2004-20240419-en
- behavioral17 - Sample: 90f19e1a7843dbee63856899da664d073c2b8fadd0cad368e623d5f7426ba5ef.exe - Resource: win7-20240220-en
- behavioral18 - Sample: 90f19e1a7843dbee63856899da664d073c2b8fadd0cad368e623d5f7426ba5ef.exe - Resource: win10v2004-20240419-en
- behavioral19 - Sample: a3eeef65c42890fd372bc7c627b36d2b9d54a909b809663e0f0392fa34766794.xlsx - Resource: win7-20231129-en
- behavioral20 - Sample: a3eeef65c42890fd372bc7c627b36d2b9d54a909b809663e0f0392fa34766794.xlsx - Resource: win10v2004-20240426-en
- behavioral21 - Sample: a71829e150536a415790ed3f8897daab1da879adef2366f75ec939ec0e749de5.exe - Resource: win7-20240221-en
- behavioral22 - Sample: a71829e150536a415790ed3f8897daab1da879adef2366f75ec939ec0e749de5.exe - Resource: win10v2004-20240419-en
- behavioral23 - Sample: db58eb77136d0a35453f949a25df9a2e0d344b389a136f966a1ec2c3c09ef2c4.exe - Resource: win7-20240221-en
- behavioral24 - Sample: db58eb77136d0a35453f949a25df9a2e0d344b389a136f966a1ec2c3c09ef2c4.exe - Resource: win10v2004-20240226-en
General
- Target: TNT Original Invoice.exe
- Size: 750KB
- MD5: 1354b73c2f0f2a6a9cd4e5708a3d20c0
- SHA1: b450dc0d878cd80fe4ab8f8692a0ccbc2add52bf
- SHA256: e0c8b02870ad1dbca34a9167a4ed5316e8a3cba0d0872e48ee2f77642c1b70a5
- SHA512: 062545776dcf29d5c90ecf8721b7df78373cc05fa599dd634a01262b0a7dff676c5b5ed3f9420e5fbe5f28190ccb13ef1ab7ebc7e56b30c20186750860e60215
- SSDEEP: 12288:2hB2iNT/SHh92i5DIKYPWgMfX1v2aBWi1pJSx+BbcMc1QZt/V3E5C:2L1cHhxIKYPWgi1PcK6IB+QZt/Fj
Malware Config
Extracted
- agenttesla
- https://api.telegram.org/bot5239412158:AAHXn8rC3uvBHy_kv77GtIcxcuvBuXcKD_8/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process:
  2588 / powershell.exe
  2668 / powershell.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar.
- Suspicious use of SetThreadContext (1 IoCs)
  description / pid / Process / procid_target:
  PID 1540 set thread context of 1612 / 1540 / TNT Original Invoice.exe / 34
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  2568 / schtasks.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid / Process:
  1540 / TNT Original Invoice.exe (6 entries)
  1612 / TNT Original Invoice.exe (2 entries)
  2668 / powershell.exe
  2588 / powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege / 1540 / TNT Original Invoice.exe
  Token: SeDebugPrivilege / 1612 / TNT Original Invoice.exe
  Token: SeDebugPrivilege / 2668 / powershell.exe
  Token: SeDebugPrivilege / 2588 / powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / Process:
  1612 / TNT Original Invoice.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description / pid / Process / procid_target:
  PID 1540 wrote to memory of 2588 / 1540 / TNT Original Invoice.exe / 28 (4 entries)
  PID 1540 wrote to memory of 2668 / 1540 / TNT Original Invoice.exe / 30 (4 entries)
  PID 1540 wrote to memory of 2568 / 1540 / TNT Original Invoice.exe / 32 (4 entries)
  PID 1540 wrote to memory of 1612 / 1540 / TNT Original Invoice.exe / 34 (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe"
  PID: 1540
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe"
    PID: 2588
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DSlCcUOlJ.exe"
    PID: 2668
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DSlCcUOlJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5966.tmp"
    PID: 2568
    Signatures:
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice.exe"
    PID: 1612
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 89dadf9668626fe31fa30a826a8a7695
  SHA1: eb1f007b468d0779f40ff0c440b1f587f757b5f8
  SHA256: 6e8f19f263ec454df755245782592019b0afc32097faea461b169077e5b23f8d
  SHA512: 6c4593a22c846b199fda1600f0e45f035b51363d396968ea842f0eae07e8c0cfedbdc3f047cc120bc6cf6263c9c437cc251ad129e65c1b352453234b638c0fd6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XN3FMS3TS0CTGFXG1E2H.temp
  Filesize: 7KB
  MD5: 8d65e531f51c7db6efb4862cb4c809ea
  SHA1: da7ae7255027472df4ff00619f3c1316bb04c939
  SHA256: 49a5857f1c3d4d3592254bdd57c5e9854893c7354c7b5bda919db564862fa451
  SHA512: 9068deccf50f36849e246ad25f39d71c3f081288459b994f5df2754f78e4dca84dfbaf888d0f1bb33c6d0b78c748a00166490563b8beb02f508f015e78a083d1