Analysis
-
max time kernel
127s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22-09-2024 05:25
Static task
static1
Behavioral task
behavioral1
Sample
DHL INVOICE pfd.bat.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
DHL INVOICE pfd.bat.exe
Resource
win10v2004-20240802-en
General
-
Target
DHL INVOICE pfd.bat.exe
-
Size
626KB
-
MD5
f344a454d4cb1d1e01da2e2c080dac29
-
SHA1
3936c488c511a6ca05b992fda487ce5e971e57a0
-
SHA256
fd4ca109bbafcc509f99cea673648c2baa6934e9eb9a903b0c24c2e7f84d56c4
-
SHA512
2c71626ff41eac134c6f071c8ce124de87f46ec27ba4075bc452a80d4992688bbd7e056af74b8ab43d623dbea05de8311d76562216a7cc3f20467cfe22677f8d
-
SSDEEP
12288:DHWZ0mNke8OvXWRA64zeEZgrJckmzDQVpOOn99zgL3qF0KsUvwiqk8:D2DV+EzepS/DQVpQMsUvwRH
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.horizongroup.com.bd - Port:
587 - Username:
[email protected] - Password:
horizon@%%%5 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 872 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation DHL INVOICE pfd.bat.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 api.ipify.org 22 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3384 set thread context of 3356 3384 DHL INVOICE pfd.bat.exe 96 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DHL INVOICE pfd.bat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2900 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 3384 DHL INVOICE pfd.bat.exe 3384 DHL INVOICE pfd.bat.exe 3384 DHL INVOICE pfd.bat.exe 3384 DHL INVOICE pfd.bat.exe 3384 DHL INVOICE pfd.bat.exe 3384 DHL INVOICE pfd.bat.exe 872 powershell.exe 3384 DHL INVOICE pfd.bat.exe 3356 RegSvcs.exe 3356 RegSvcs.exe 872 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 3384 DHL INVOICE pfd.bat.exe Token: SeDebugPrivilege 872 powershell.exe Token: SeDebugPrivilege 3356 RegSvcs.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3356 RegSvcs.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 3384 wrote to memory of 872 3384 DHL INVOICE pfd.bat.exe 92 PID 3384 wrote to memory of 872 3384 DHL INVOICE pfd.bat.exe 92 PID 3384 wrote to memory of 872 3384 DHL INVOICE pfd.bat.exe 92 PID 3384 wrote to memory of 2900 3384 DHL INVOICE pfd.bat.exe 94 PID 3384 wrote to memory of 2900 3384 DHL INVOICE pfd.bat.exe 94 PID 3384 wrote to memory of 2900 3384 DHL INVOICE pfd.bat.exe 94 PID 3384 wrote to memory of 3356 3384 DHL INVOICE pfd.bat.exe 96 PID 3384 wrote to memory of 3356 3384 DHL INVOICE pfd.bat.exe 96 PID 3384 wrote to memory of 3356 3384 DHL INVOICE pfd.bat.exe 96 PID 3384 wrote to memory of 3356 3384 DHL INVOICE pfd.bat.exe 96 PID 3384 wrote to memory of 3356 3384 DHL INVOICE pfd.bat.exe 96 PID 3384 wrote to memory of 3356 3384 DHL INVOICE pfd.bat.exe 96 PID 3384 wrote to memory of 3356 3384 DHL INVOICE pfd.bat.exe 96 PID 3384 wrote to memory of 3356 3384 DHL INVOICE pfd.bat.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL INVOICE pfd.bat.exe"C:\Users\Admin\AppData\Local\Temp\DHL INVOICE pfd.bat.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\PCTbKNp.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:872
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PCTbKNp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp241D.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2900
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3356
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5ff3e84b3c614ad7230b85136ed28ad53
SHA19e72dff6dcc8fa4e6f876edd2377f2bf93669688
SHA256a5f77af69f4c14fde601d3262773be6869f086d65fa339b56fc62d18c106b118
SHA51283df5df17ce5aed798a08f41a6b90d5dc639cd9d49888e04e73b83007f2c0a1df5178e1c9f73376f51ecadd691da3d8b2ec912e70dc4f1049cde4f43cda97c3d