Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 24-09-2024 14:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: Ningbo - Past Due Invoices.scr
- Resource: win7-20240903-en
General
- Target: Ningbo - Past Due Invoices.scr
- Size: 657KB
- MD5: 05971e8521240cd588015e689baab4b7
- SHA1: 1911d514d8e9d3310b2876ee591553250a31f44f
- SHA256: d71f85d32dd19dd5a0c5ad3b97c3eba3277a5966035970a2c9ea7dd8e23fafa3
- SHA512: 01db290b831f6e60efaa8bfeb8bb0e1f1137c7843b29da34f024ee6e4f4b2f341ed4f8f2ed7c1a202a7a99781224bfca8bbaf7479ba23796707fc3d0d9994448
- SSDEEP: 12288:pOjsJrm2DORelTAeZjqjhazCtH42QWkn5IxQMj7RYLgXeevG3j8bQb:pWsJrm2DO0TvqH42ZLuMj7GEXze3UI
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.iaa-airferight.com
- Port: 587
- Username: classic@iaa-airferight.com
- Password: BIGNAIRA2024
- Email To: team001@iaa-airferight.com
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid / Process:
  2844 powershell.exe
  2568 powershell.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  2 api.ipify.org
  3 api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target:
  PID 2688 set thread context of 3052; 2688 Ningbo - Past Due Invoices.scr; 37
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ningbo - Past Due Invoices.scr
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  2680 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid / Process:
  2688 Ningbo - Past Due Invoices.scr
  2688 Ningbo - Past Due Invoices.scr
  2688 Ningbo - Past Due Invoices.scr
  3052 RegSvcs.exe
  3052 RegSvcs.exe
  2568 powershell.exe
  2844 powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  Token: SeDebugPrivilege 2688 Ningbo - Past Due Invoices.scr
  Token: SeDebugPrivilege 3052 RegSvcs.exe
  Token: SeDebugPrivilege 2568 powershell.exe
  Token: SeDebugPrivilege 2844 powershell.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  description / pid / Process / procid_target (identical entries grouped, with their count):
  PID 2688 wrote to memory of 2844; 2688 Ningbo - Past Due Invoices.scr; 31 (4 entries)
  PID 2688 wrote to memory of 2568; 2688 Ningbo - Past Due Invoices.scr; 33 (4 entries)
  PID 2688 wrote to memory of 2680; 2688 Ningbo - Past Due Invoices.scr; 35 (4 entries)
  PID 2688 wrote to memory of 3052; 2688 Ningbo - Past Due Invoices.scr; 37 (12 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Ningbo - Past Due Invoices.scr (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ningbo - Past Due Invoices.scr" /S
  PID: 2688
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ningbo - Past Due Invoices.scr"
    PID: 2844
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jzARpPDhrks.exe"
    PID: 2568
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jzARpPDhrks" /XML "C:\Users\Admin\AppData\Local\Temp\tmp255C.tmp"
    PID: 2680
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 3052
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
- Remote address: 8.8.8.8:53
  Request: api.ipify.org IN A
  Response:
  api.ipify.org IN A 104.26.13.205
  api.ipify.org IN A 172.67.74.152
  api.ipify.org IN A 104.26.12.205
- Remote address: 104.26.13.205:443
  Request:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Host: api.ipify.org
  Connection: Keep-Alive
  Response:
  HTTP/1.1 200 OK
  Content-Type: text/plain
  Content-Length: 13
  Connection: keep-alive
  Vary: Origin
  CF-Cache-Status: DYNAMIC
  Server: cloudflare
  CF-RAY: 8c83a1faada89483-LHR
  Flow summary (as reported): 919 B 3.8kB 10 10
  HTTP Request: GET https://api.ipify.org/
  HTTP Response: 200
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 39b84cfa544d48db2ec387486ad77a66
  SHA1: bea5f3a0b3ed4b5d9a32f425bae1fb6316c8b595
  SHA256: c7b1a0ce9e6831566e9124a691450fef649caf7f16d98c9e8a67ee07f7859bc0
  SHA512: fa5d3aa2f234a80ab8ea6749ab1266d48f8e0ef039e7f9ad3ce6718e355162d39afbc8c4e6e7ab5f5d1eb7f41f738736b77533ff0b01825dba66e79dff297020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BHBZMGBGHPIXA7AW9B73.temp
  Filesize: 7KB
  MD5: fe3f1ae5b109040b12b6d99282bf528c
  SHA1: a3dcb52eef4520a86f091d8bff07c50f3b4b2727
  SHA256: 8214d957363de0e0c325abf8a238ff91bf52ca9f7febbc62690873bbdabe67f4
  SHA512: ea56d08fddfc75f37ff1716b44f19db4c16adf837059c61fb3137baa5aa91aa3713b2f9581b047b72421be94b215d4ca24666fb584b298f8ec6270278a6df7bf