Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 17:07
Static task: static1
Behavioral task: behavioral1
  Sample: invoice CHN1080769.PDF.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: invoice CHN1080769.PDF.exe
  Resource: win10v2004-20240426-en
General
- Target: invoice CHN1080769.PDF.exe
- Size: 761KB
- MD5: 77c6015c8c679abe8cd11cb51125f6c9
- SHA1: f9fd8a7f13b03480ae58622c228d6a6bb660f409
- SHA256: 63219f4d5975bf956a1c5c8b98011f721cfb1e2b4894c6ec9f5a94d77e2652e8
- SHA512: 510a8a2e2905eebd97bbda9e4cf183392b59aa18f9bb3278fed82fd10721ebc1ad06633992e6f4ee8b4eb64b4d89cf185aeab3b316d041ccb523c0d46110f52a
- SSDEEP: 12288:YzDn6yWn7fcpVZlu/6uHD73sYw0WJv1/wHiksaGdt8qmUMbpG/IinMkqFozGrCWW:sn698VVYHst0WrTkGrpm4/nMHvv/QO4v
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.shaktiinstrumentations.in
- Port: 587
- Username: [email protected]
- Password: Shakti54231!@#$%#@!
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes (pid, process):
    2688  powershell.exe
    2820  powershell.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"  RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 2212 set thread context of 2460  2212  invoice CHN1080769.PDF.exe  RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes (pid, process; 11 entries):
    2212  invoice CHN1080769.PDF.exe  (7 entries)
    2820  powershell.exe
    2688  powershell.exe
    2460  RegSvcs.exe  (2 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2212  invoice CHN1080769.PDF.exe
    Token: SeDebugPrivilege  2820  powershell.exe
    Token: SeDebugPrivilege  2688  powershell.exe
    Token: SeDebugPrivilege  2460  RegSvcs.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes (description, pid, process, target process; 24 entries):
    PID 2212 wrote to memory of 2688  2212  invoice CHN1080769.PDF.exe  powershell.exe  (4 entries)
    PID 2212 wrote to memory of 2820  2212  invoice CHN1080769.PDF.exe  powershell.exe  (4 entries)
    PID 2212 wrote to memory of 2716  2212  invoice CHN1080769.PDF.exe  schtasks.exe    (4 entries)
    PID 2212 wrote to memory of 2460  2212  invoice CHN1080769.PDF.exe  RegSvcs.exe     (12 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\invoice CHN1080769.PDF.exe (PID 2212)
   Command line: "C:\Users\Admin\AppData\Local\Temp\invoice CHN1080769.PDF.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   Child processes of PID 2212:
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2688)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\invoice CHN1080769.PDF.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2820)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ziQWPdVrQxk.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\schtasks.exe (PID 2716)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ziQWPdVrQxk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp705F.tmp"
      - Creates scheduled task(s)
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2460)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp705F.tmp
  Filesize: 1KB
  MD5: 9023a77c42a85cb7d527af8d3acad8f9
  SHA1: ee72ad3cf6529296ed68e95842f89601d9acc9a5
  SHA256: 3173c04c03269e5e9a6d21a1e48fab54ae79953de9f8c9eb57a75f4a66a46c88
  SHA512: 673ab8e428ca5c802302a31e3df96c1ec6999bcffe85461fd3dda6c697fc04be9132582d8d7f0a32f551d5bd0a8c9c45a617036ac2319a3057065abbe7025c1c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RCJROU4TG7D4O2T40613.temp
  Filesize: 7KB
  MD5: 96acf9d2ce75b5d4d33b79e1f28c29f8
  SHA1: 9faf391cb94dd3c3e0197aad5df53a2eecea1525
  SHA256: 593e1263a86abb1d35948c39294d67a2fb6e3a40deee1bef7f108eb82f52546d
  SHA512: 2cfe3163e1ae558f3145c5c8e83261e129c54c84eb01d22ade0e49f6b4c3e2747f0d091ce2e0d4c015b9c02b23f5ab2df87428f3e9e326bb54ed1d39ae6e3413
- memory/2212-4-0x0000000000650000-0x000000000065C000-memory.dmp  (Filesize: 48KB)
- memory/2212-3-0x0000000000630000-0x0000000000652000-memory.dmp  (Filesize: 136KB)
- memory/2212-0-0x00000000745DE000-0x00000000745DF000-memory.dmp  (Filesize: 4KB)
- memory/2212-5-0x0000000000310000-0x0000000000320000-memory.dmp  (Filesize: 64KB)
- memory/2212-6-0x00000000059F0000-0x0000000005A74000-memory.dmp  (Filesize: 528KB)
- memory/2212-2-0x00000000745D0000-0x0000000074CBE000-memory.dmp  (Filesize: 6.9MB)
- memory/2212-1-0x0000000000030000-0x00000000000F0000-memory.dmp  (Filesize: 768KB)
- memory/2212-19-0x00000000745DE000-0x00000000745DF000-memory.dmp  (Filesize: 4KB)
- memory/2212-32-0x00000000745D0000-0x0000000074CBE000-memory.dmp  (Filesize: 6.9MB)
- memory/2460-31-0x0000000000400000-0x0000000000442000-memory.dmp  (Filesize: 264KB)
- memory/2460-30-0x0000000000400000-0x0000000000442000-memory.dmp  (Filesize: 264KB)
- memory/2460-29-0x0000000000400000-0x0000000000442000-memory.dmp  (Filesize: 264KB)
- memory/2460-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp  (Filesize: 4KB)
- memory/2460-22-0x0000000000400000-0x0000000000442000-memory.dmp  (Filesize: 264KB)
- memory/2460-20-0x0000000000400000-0x0000000000442000-memory.dmp  (Filesize: 264KB)
- memory/2460-26-0x0000000000400000-0x0000000000442000-memory.dmp  (Filesize: 264KB)
- memory/2460-24-0x0000000000400000-0x0000000000442000-memory.dmp  (Filesize: 264KB)