Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 01:45
Static task: static1
Behavioral task: behavioral1
- Sample: FW CMA SHZ Freight invoice CHN1080769.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: FW CMA SHZ Freight invoice CHN1080769.exe
- Resource: win10v2004-20240426-en
General
- Target: FW CMA SHZ Freight invoice CHN1080769.exe
- Size: 683KB
- MD5: 3288dbaae811a799ea563988c0d78315
- SHA1: 48802f823b253a45d829b15bd0802db54ce35993
- SHA256: e0e366834de34a6e93035842b46662c2b1b05d350c1218953f8faab632ead3ae
- SHA512: fc6b2c90ad9c9f2b906a6247230d2f71a0cbe764b0e3ea2c67d49477fb4f81580dd96a5ba2e3d11e92b15f8421b48e8afd7bd06e6d5ee009b8babfc1acf9cc80
- SSDEEP: 12288:3I23I9uvcHdMFGNX/m7EA++tat0kanlWimxg8NBcHYPLICoPw896GpQkR:YYyK+wGGs+sY8283c4THew8EG9
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.springandsummer.lk
- Port: 587
- Username: [email protected]
- Password: anu##323
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4. (1 IoC)
  Resource: behavioral2/memory/3316-29-0x0000000000400000-0x0000000000442000-memory.dmp
  YARA rule: INDICATOR_EXE_Packed_GEN01
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (1 IoC)
  Resource: behavioral2/memory/3316-29-0x0000000000400000-0x0000000000442000-memory.dmp
  YARA rule: INDICATOR_SUSPICIOUS_Binary_References_Browsers
- Detects executables referencing Windows vault credential objects. Observed in infostealers. (1 IoC)
  Resource: behavioral2/memory/3316-29-0x0000000000400000-0x0000000000442000-memory.dmp
  YARA rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. (1 IoC)
  Resource: behavioral2/memory/3316-29-0x0000000000400000-0x0000000000442000-memory.dmp
  YARA rule: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
- Detects executables referencing many email and collaboration clients. Observed in information stealers. (1 IoC)
  Resource: behavioral2/memory/3316-29-0x0000000000400000-0x0000000000442000-memory.dmp
  YARA rule: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
- Detects executables referencing many file transfer clients. Observed in information stealers. (1 IoC)
  Resource: behavioral2/memory/3316-29-0x0000000000400000-0x0000000000442000-memory.dmp
  YARA rule: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes: PID 1012 powershell.exe; PID 4336 powershell.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: FW CMA SHZ Freight invoice CHN1080769.exe
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RegSvcs.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"
- Suspicious use of SetThreadContext (1 IoC)
  PID 928 (FW CMA SHZ Freight invoice CHN1080769.exe) set the thread context of PID 3316 (RegSvcs.exe).
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes: PID 928 FW CMA SHZ Freight invoice CHN1080769.exe (7 events); PID 4336 powershell.exe (2 events); PID 1012 powershell.exe (2 events); PID 3316 RegSvcs.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeDebugPrivilege, enabled by PID 928 FW CMA SHZ Freight invoice CHN1080769.exe, PID 4336 powershell.exe, PID 1012 powershell.exe and PID 3316 RegSvcs.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 928 (FW CMA SHZ Freight invoice CHN1080769.exe) wrote to the memory of: PID 4336 powershell.exe (3 events); PID 1012 powershell.exe (3 events); PID 4356 schtasks.exe (3 events); PID 3316 RegSvcs.exe (8 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\FW CMA SHZ Freight invoice CHN1080769.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FW CMA SHZ Freight invoice CHN1080769.exe"
  Signatures:
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FW CMA SHZ Freight invoice CHN1080769.exe"
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HDTjheWPb.exe"
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HDTjheWPb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp87BE.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Signatures:
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: e117858f9a37e315df3227e41343d276
  SHA1: de9cabf85be30ce4b8cc7da8782087c7e9f51a00
  SHA256: 45b7c305b7ab44ece8fb0a008a616b245f35b29a177c74887f661cce07276119
  SHA512: 650a176b914cbc22359c5a9a23fc50f2f082d456472616527242f92f508444e3d08b1daee43a7bcb0097008c12a4769c1bd21578984013d44d188eed381c81a2
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5nycycmd.gkk.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Local\Temp\tmp87BE.tmp
  Filesize: 1KB
  MD5: 70795d27de69b4bf73c0b9c077bbac88
  SHA1: fadf48e23151ba0e534eabe3ad0686fc45f024de
  SHA256: 62a75e29abf5a64e31ce097ce4c51791eb01009c8f0d9b71da091a00b31a3733
  SHA512: f8ea65d878257601e47b3eb04dcad135416224daa305efa7cd32ff5390a5ead89d3d0aebc429273d79f408a396c4c4422104b9b3582d0f19e26acdd1bd717819