Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 18-06-2024 13:10
- Static task: static1
- Behavioral task: behavioral1
  Sample: freight invoice.exe
  Resource: win7-20240508-en
- Behavioral task: behavioral2
  Sample: freight invoice.exe
  Resource: win10v2004-20240508-en
General
- Target: freight invoice.exe
- Size: 1007KB
- MD5: ad2b14ed6077cddcb6fe7caa1b4fc6bb
- SHA1: e1df5697ba2b1d38f23c242c85873f4b9ae98c57
- SHA256: 44f99d24049bdd928b66782697112d31e45c2de51a515fdd6298e5a57f4eab35
- SHA512: f8b66bc86dbff4f1765f76a65d1c4b1572fcdd5c2dcaa1a7f2e084378e4e34a0100580134c8a039d9c53c52f7e0a3af95ea4849678e86269a002fd7d41fa7a6a
- SSDEEP: 12288:/TFIsPAaY5QH3xbiSlaMkzE10MKzOzvMJ+EMMuDEzcmFEmm7I3sL4ZNKmobj:JIKsSBbLaMtUzOCPJzNm7IcL4bKHj
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.naveentour.com
- Port: 587
- Username: [email protected]
- Password: nav!T6u2@001
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes: powershell.exe (PID 3044), powershell.exe (PID 2696)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RegSvcs.exe
  IoC: Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"
- Suspicious use of SetThreadContext (1 IoC)
  PID 2844 (freight invoice.exe) set thread context of PID 2652 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: freight invoice.exe (PID 2844, 3 IoCs), RegSvcs.exe (PID 2652, 2 IoCs), powershell.exe (PID 3044, 1 IoC), powershell.exe (PID 2696, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token SeDebugPrivilege acquired by: freight invoice.exe (PID 2844), RegSvcs.exe (PID 2652), powershell.exe (PID 3044), powershell.exe (PID 2696)
- Suspicious use of WriteProcessMemory (24 IoCs)
  All writes originate from PID 2844 (freight invoice.exe):
  - wrote to memory of PID 3044 (powershell.exe), 4 times
  - wrote to memory of PID 2696 (powershell.exe), 4 times
  - wrote to memory of PID 2756 (schtasks.exe), 4 times
  - wrote to memory of PID 2652 (RegSvcs.exe), 12 times
Processes
- C:\Users\Admin\AppData\Local\Temp\freight invoice.exe (PID 2844)
  Command line: "C:\Users\Admin\AppData\Local\Temp\freight invoice.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3044)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\freight invoice.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2696)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ASUenBCZUZgfeR.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2756)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ASUenBCZUZgfeR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69F9.tmp"
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2652)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Scheduled Task/Job (1)
    - Scheduled Task (1)
Downloads
- Filesize: 1KB
  MD5: b127156cebb5baee814cc781cbf3b661
  SHA1: ad5fd9fd55564c6deed825497b74c1234db001d3
  SHA256: b7c155b940a88df6fcab292dfd20aa5c8e8f08b1686d4068c0217369fa0e6a2c
  SHA512: 2ef10e47c3bdca989b6f49b9369570b5901b6e18001cda02657a3802a7c6f971fcf680bab78a85d1c52cc81066593390487cf27c8d4a0e6e28ce8bff072fef0a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: d6cee450885278cd27bb9b8ed4ecfff9
  SHA1: 0c362f9d331eb188ea01e02499f8c7e522f2f765
  SHA256: 83effc2f4853b083a0fa8a92dd8eea4b91c488ab0aed3aeda38476e5bd9b2012
  SHA512: 278a279cd4897f752b93c17762bd5e945614e7246ea387a20d3460d6c4982cb335a71f0c59c4f6025fbfab45b512ce867001a90e2e16cda58719ffabf89e2748