Overview

overview

10

Static

static

1

invoice CH...DF.exe

windows7-x64

10

invoice CH...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice CHN1080769.PDF.exe

  • Size

    761KB

  • MD5

    77c6015c8c679abe8cd11cb51125f6c9

  • SHA1

    f9fd8a7f13b03480ae58622c228d6a6bb660f409

  • SHA256

    63219f4d5975bf956a1c5c8b98011f721cfb1e2b4894c6ec9f5a94d77e2652e8

  • SHA512

    510a8a2e2905eebd97bbda9e4cf183392b59aa18f9bb3278fed82fd10721ebc1ad06633992e6f4ee8b4eb64b4d89cf185aeab3b316d041ccb523c0d46110f52a

  • SSDEEP

    12288:YzDn6yWn7fcpVZlu/6uHD73sYw0WJv1/wHiksaGdt8qmUMbpG/IinMkqFozGrCWW:sn698VVYHst0WrTkGrpm4/nMHvv/QO4v

Score
10/10
agentteslaexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\invoice CHN1080769.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\invoice CHN1080769.PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\invoice CHN1080769.PDF.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ziQWPdVrQxk.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ziQWPdVrQxk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp705F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2716
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2460

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp705F.tmp
    Filesize

    1KB

    MD5

    9023a77c42a85cb7d527af8d3acad8f9

    SHA1

    ee72ad3cf6529296ed68e95842f89601d9acc9a5

    SHA256

    3173c04c03269e5e9a6d21a1e48fab54ae79953de9f8c9eb57a75f4a66a46c88

    SHA512

    673ab8e428ca5c802302a31e3df96c1ec6999bcffe85461fd3dda6c697fc04be9132582d8d7f0a32f551d5bd0a8c9c45a617036ac2319a3057065abbe7025c1c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RCJROU4TG7D4O2T40613.temp
    Filesize

    7KB

    MD5

    96acf9d2ce75b5d4d33b79e1f28c29f8

    SHA1

    9faf391cb94dd3c3e0197aad5df53a2eecea1525

    SHA256

    593e1263a86abb1d35948c39294d67a2fb6e3a40deee1bef7f108eb82f52546d

    SHA512

    2cfe3163e1ae558f3145c5c8e83261e129c54c84eb01d22ade0e49f6b4c3e2747f0d091ce2e0d4c015b9c02b23f5ab2df87428f3e9e326bb54ed1d39ae6e3413

    Download Submit
  • memory/2212-4-0x0000000000650000-0x000000000065C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2212-3-0x0000000000630000-0x0000000000652000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2212-0-0x00000000745DE000-0x00000000745DF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2212-5-0x0000000000310000-0x0000000000320000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2212-6-0x00000000059F0000-0x0000000005A74000-memory.dmp
    Filesize

    528KB

    Download
  • memory/2212-2-0x00000000745D0000-0x0000000074CBE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2212-1-0x0000000000030000-0x00000000000F0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/2212-19-0x00000000745DE000-0x00000000745DF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2212-32-0x00000000745D0000-0x0000000074CBE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2460-31-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2460-30-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2460-29-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2460-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2460-22-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2460-20-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2460-26-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2460-24-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download