Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24-09-2024 14:58

General

  • Target

    Ningbo - Past Due Invoices.scr

  • Size

    657KB

  • MD5

    05971e8521240cd588015e689baab4b7

  • SHA1

    1911d514d8e9d3310b2876ee591553250a31f44f

  • SHA256

    d71f85d32dd19dd5a0c5ad3b97c3eba3277a5966035970a2c9ea7dd8e23fafa3

  • SHA512

    01db290b831f6e60efaa8bfeb8bb0e1f1137c7843b29da34f024ee6e4f4b2f341ed4f8f2ed7c1a202a7a99781224bfca8bbaf7479ba23796707fc3d0d9994448

  • SSDEEP

    12288:pOjsJrm2DORelTAeZjqjhazCtH42QWkn5IxQMj7RYLgXeevG3j8bQb:pWsJrm2DO0TvqH42ZLuMj7GEXze3UI

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.iaa-airferight.com
  • Port:
    587
  • Username:
    classic@iaa-airferight.com
  • Password:
    BIGNAIRA2024
  • Email To:
    team001@iaa-airferight.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ningbo - Past Due Invoices.scr
    "C:\Users\Admin\AppData\Local\Temp\Ningbo - Past Due Invoices.scr" /S
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ningbo - Past Due Invoices.scr"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jzARpPDhrks.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2568
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jzARpPDhrks" /XML "C:\Users\Admin\AppData\Local\Temp\tmp255C.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2680
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3052

Network

  • flag-us
    DNS
    api.ipify.org
    RegSvcs.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    104.26.13.205
    api.ipify.org
    IN A
    172.67.74.152
    api.ipify.org
    IN A
    104.26.12.205
  • flag-us
    GET
    https://api.ipify.org/
    RegSvcs.exe
    Remote address:
    104.26.13.205:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Tue, 24 Sep 2024 14:58:27 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8c83a1faada89483-LHR
  • 104.26.13.205:443
    https://api.ipify.org/
    tls, http
    RegSvcs.exe
    919 B
    3.8kB
    10
    10

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 8.8.8.8:53
    api.ipify.org
    dns
    RegSvcs.exe
    59 B
    107 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    104.26.13.205
    172.67.74.152
    104.26.12.205

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp255C.tmp

    Filesize

    1KB

    MD5

    39b84cfa544d48db2ec387486ad77a66

    SHA1

    bea5f3a0b3ed4b5d9a32f425bae1fb6316c8b595

    SHA256

    c7b1a0ce9e6831566e9124a691450fef649caf7f16d98c9e8a67ee07f7859bc0

    SHA512

    fa5d3aa2f234a80ab8ea6749ab1266d48f8e0ef039e7f9ad3ce6718e355162d39afbc8c4e6e7ab5f5d1eb7f41f738736b77533ff0b01825dba66e79dff297020

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BHBZMGBGHPIXA7AW9B73.temp

    Filesize

    7KB

    MD5

    fe3f1ae5b109040b12b6d99282bf528c

    SHA1

    a3dcb52eef4520a86f091d8bff07c50f3b4b2727

    SHA256

    8214d957363de0e0c325abf8a238ff91bf52ca9f7febbc62690873bbdabe67f4

    SHA512

    ea56d08fddfc75f37ff1716b44f19db4c16adf837059c61fb3137baa5aa91aa3713b2f9581b047b72421be94b215d4ca24666fb584b298f8ec6270278a6df7bf

  • memory/2688-4-0x00000000004D0000-0x00000000004E2000-memory.dmp

    Filesize

    72KB

  • memory/2688-3-0x0000000074840000-0x0000000074F2E000-memory.dmp

    Filesize

    6.9MB

  • memory/2688-0-0x000000007484E000-0x000000007484F000-memory.dmp

    Filesize

    4KB

  • memory/2688-5-0x000000007484E000-0x000000007484F000-memory.dmp

    Filesize

    4KB

  • memory/2688-6-0x0000000074840000-0x0000000074F2E000-memory.dmp

    Filesize

    6.9MB

  • memory/2688-7-0x0000000005640000-0x00000000056C2000-memory.dmp

    Filesize

    520KB

  • memory/2688-2-0x0000000074840000-0x0000000074F2E000-memory.dmp

    Filesize

    6.9MB

  • memory/2688-1-0x0000000000AA0000-0x0000000000B4A000-memory.dmp

    Filesize

    680KB

  • memory/2688-32-0x0000000074840000-0x0000000074F2E000-memory.dmp

    Filesize

    6.9MB

  • memory/3052-31-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/3052-30-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/3052-29-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/3052-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/3052-26-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/3052-24-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/3052-22-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

  • memory/3052-20-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.