Analysis
Max time kernel: 121s
Max time network: 122s
Platform: windows7_x64
Resource: win7-20240419-en
Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
Submitted: 19-06-2024 12:13
Static task: static1
Behavioral task: behavioral1
  Sample: PO and Proforma invoice.exe
  Resource: win7-20240419-en
General
Target: PO and Proforma invoice.exe
Size: 814KB
MD5: b289f51e58a368997298cc205b10d8be
SHA1: 4e3256b8699de2d2a67aa122337bfaa7407a737b
SHA256: 18f7507efdb35483a8642553f66647b9c1cc54d67614782622b7a64261042924
SHA512: 54ceecb268ef81664b7ae4af7e399a72643a9415877c3b3ac9c14b8a363d72d07d1dff51e20dc60e6e4529c57b1e545434c93385d0d46ba74a3acf884df1b4f3
SSDEEP: 12288:nlIc81H9rI6rgKmQgVsavXLJkM5ghECVFnMfkNbaz3e0igw0D9OwhEDin:nlUlRMK8JdX5aECdNba60igw0k0n
Malware Config
Extracted family: agenttesla
  Protocol: smtp
  Host: mail.mahesh-ent.com
  Port: 587
  Username: [email protected]
  Password: M@hesh3981
  Email To: [email protected]
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    4 | api.ipify.org
    5 | api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description | pid | Process | procid_target
    PID 1200 set thread context of 2496 | 1200 | PO and Proforma invoice.exe | 32

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid | Process
    1200 | PO and Proforma invoice.exe
    1200 | PO and Proforma invoice.exe
    1200 | PO and Proforma invoice.exe
    2496 | MSBuild.exe
    2496 | MSBuild.exe
    3020 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description | pid | Process
    Token: SeDebugPrivilege | 1200 | PO and Proforma invoice.exe
    Token: SeDebugPrivilege | 2496 | MSBuild.exe
    Token: SeDebugPrivilege | 3020 | powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid | Process
    2496 | MSBuild.exe

Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
    description | pid | Process | procid_target
    PID 1200 wrote to memory of 3020 | 1200 | PO and Proforma invoice.exe | 28
    PID 1200 wrote to memory of 3020 | 1200 | PO and Proforma invoice.exe | 28
    PID 1200 wrote to memory of 3020 | 1200 | PO and Proforma invoice.exe | 28
    PID 1200 wrote to memory of 3020 | 1200 | PO and Proforma invoice.exe | 28
    PID 1200 wrote to memory of 2692 | 1200 | PO and Proforma invoice.exe | 30
    PID 1200 wrote to memory of 2692 | 1200 | PO and Proforma invoice.exe | 30
    PID 1200 wrote to memory of 2692 | 1200 | PO and Proforma invoice.exe | 30
    PID 1200 wrote to memory of 2692 | 1200 | PO and Proforma invoice.exe | 30
    PID 1200 wrote to memory of 2496 | 1200 | PO and Proforma invoice.exe | 32
    PID 1200 wrote to memory of 2496 | 1200 | PO and Proforma invoice.exe | 32
    PID 1200 wrote to memory of 2496 | 1200 | PO and Proforma invoice.exe | 32
    PID 1200 wrote to memory of 2496 | 1200 | PO and Proforma invoice.exe | 32
    PID 1200 wrote to memory of 2496 | 1200 | PO and Proforma invoice.exe | 32
    PID 1200 wrote to memory of 2496 | 1200 | PO and Proforma invoice.exe | 32
    PID 1200 wrote to memory of 2496 | 1200 | PO and Proforma invoice.exe | 32
    PID 1200 wrote to memory of 2496 | 1200 | PO and Proforma invoice.exe | 32
    PID 1200 wrote to memory of 2496 | 1200 | PO and Proforma invoice.exe | 32
Processes

C:\Users\Admin\AppData\Local\Temp\PO and Proforma invoice.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO and Proforma invoice.exe"
  PID: 1200
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hebYuJoo.exe"
    PID: 3020
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hebYuJoo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp41F0.tmp"
    PID: 2692
    - Scheduled Task/Job: Scheduled Task

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    PID: 2496
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 0b6eddc374e8a6460ddd117ff3bcd512
SHA1: cbefed245bc2d44e68e6d072bf2541e298cbe78d
SHA256: d02fd67a6693cc86cc161869d5bd5736714779229be74d990c3cb5c8470e4a7b
SHA512: 652c655b4775a8fe47967441949408b7aff65b4bdf77693629b1ff565e1e7b8a065e4f9383dbdeac8c9f6c0da2dbfae66261ab522f9b1b08757b05a9ea9d91bc