Analysis
-
max time kernel
141s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31/10/2024, 10:03
Static task
static1
Behavioral task
behavioral1
Sample
Proforma Invoice.scr.exe
Resource
win7-20241010-en
General
-
Target
Proforma Invoice.scr.exe
-
Size
13KB
-
MD5
3efcf6123cc2697d54be8e8d17f70eb6
-
SHA1
194d4304e6fbea7bcc5203d9f5dd7c0883277fb1
-
SHA256
a05acadb64d5923e931a42aecca755b6a160b39f96ec1bff8611cd5116b4c926
-
SHA512
73ac5727e012611904ca6be764a92db67cbea082cdaca37017e1b6db04fee6bae884aaf82dcf4eb36094012463dcfd0b5beecfc36048d87db01f17dafe7c32a9
-
SSDEEP
192:Z6F7KvWISi8OXTjyr4mikpAfQZz/IJCKVxmy:ZZNSEDjyHikpAIZz/In
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7245016847:AAHTGgEGytVrrQCnyNC6RGvqcnPdZoR0H5U/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 1176 created 3432 1176 Proforma Invoice.scr.exe 56 -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EncoderFallback.vbs Proforma Invoice.scr.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 29 api.ipify.org 30 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1176 set thread context of 2308 1176 Proforma Invoice.scr.exe 100 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Proforma Invoice.scr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InstallUtil.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1176 Proforma Invoice.scr.exe 2308 InstallUtil.exe 2308 InstallUtil.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 1176 Proforma Invoice.scr.exe Token: SeDebugPrivilege 1176 Proforma Invoice.scr.exe Token: SeDebugPrivilege 2308 InstallUtil.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2308 InstallUtil.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1176 wrote to memory of 2308 1176 Proforma Invoice.scr.exe 100 PID 1176 wrote to memory of 2308 1176 Proforma Invoice.scr.exe 100 PID 1176 wrote to memory of 2308 1176 Proforma Invoice.scr.exe 100 PID 1176 wrote to memory of 2308 1176 Proforma Invoice.scr.exe 100 PID 1176 wrote to memory of 2308 1176 Proforma Invoice.scr.exe 100 PID 1176 wrote to memory of 2308 1176 Proforma Invoice.scr.exe 100 PID 1176 wrote to memory of 2308 1176 Proforma Invoice.scr.exe 100 PID 1176 wrote to memory of 2308 1176 Proforma Invoice.scr.exe 100
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.scr.exe"C:\Users\Admin\AppData\Local\Temp\Proforma Invoice.scr.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2308
-