Analysis
- max time kernel: 105s
- max time network: 111s
- platform: windows7_x64
- resource: win7
- submitted: 24-06-2020 15:08
Static task: static1
Behavioral task: behavioral1
- Sample: FedExi jälgimisandmed-pdf.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: FedExi jälgimisandmed-pdf.exe
- Resource: win10
General
- Target: FedExi jälgimisandmed-pdf.exe
- Size: 1.4MB
- MD5: 1150b9a59ef934775c16bdf0a3358540
- SHA1: 064a2d5aaa8481862d561019eb1aea04fdcf58cf
- SHA256: d846912135d84580a51b7304ac088a59fad4708b6193e25a8dfd6e515164976c
- SHA512: d484cd4681a57561333f5990561d67ea4aa7788cb84039714ed365bfa4d2ef217646427c0ceae52d7ed5c23fc26868c0ec2dee316a63b343cc6ba9c27293866e
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1464 set thread context of 1496 | 1464 | FedExi jälgimisandmed-pdf.exe | MSBuild.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  pid | process
  1464 | FedExi jälgimisandmed-pdf.exe
  1464 | FedExi jälgimisandmed-pdf.exe
  1464 | FedExi jälgimisandmed-pdf.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
  pid | process
  1464 | FedExi jälgimisandmed-pdf.exe
  1464 | FedExi jälgimisandmed-pdf.exe
  1464 | FedExi jälgimisandmed-pdf.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description | pid | process | target process
  PID 1464 wrote to memory of 1496 | 1464 | FedExi jälgimisandmed-pdf.exe | MSBuild.exe
  PID 1464 wrote to memory of 1496 | 1464 | FedExi jälgimisandmed-pdf.exe | MSBuild.exe
  PID 1464 wrote to memory of 1496 | 1464 | FedExi jälgimisandmed-pdf.exe | MSBuild.exe
  PID 1464 wrote to memory of 1496 | 1464 | FedExi jälgimisandmed-pdf.exe | MSBuild.exe
  PID 1464 wrote to memory of 1496 | 1464 | FedExi jälgimisandmed-pdf.exe | MSBuild.exe
  PID 1464 wrote to memory of 1496 | 1464 | FedExi jälgimisandmed-pdf.exe | MSBuild.exe
  PID 1496 wrote to memory of 1700 | 1496 | MSBuild.exe | netsh.exe
  PID 1496 wrote to memory of 1700 | 1496 | MSBuild.exe | netsh.exe
  PID 1496 wrote to memory of 1700 | 1496 | MSBuild.exe | netsh.exe
  PID 1496 wrote to memory of 1700 | 1496 | MSBuild.exe | netsh.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Modifies service (2 TTPs, 5 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas | netsh.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs | netsh.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI | netsh.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig | netsh.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups | netsh.exe
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1496 | MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1496 | MSBuild.exe
  1496 | MSBuild.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\FedExi jälgimisandmed-pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FedExi jälgimisandmed-pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
      - Modifies service