Analysis
- max time kernel: 150s
- max time network: 55s
- platform: windows7_x64
- resource: win7
- submitted: 24-06-2020 14:54

Static task: static1
Behavioral task: behavioral1
  Sample: new_order_#5422_pdf_file.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: new_order_#5422_pdf_file.exe
  Resource: win10
General
- Target: new_order_#5422_pdf_file.exe
- Size: 1.4MB
- MD5: 5e346887d828f39b480f316159ee79b7
- SHA1: be7441a3d826d83e545865986dde7abc6a522eec
- SHA256: b01594842e3d5d79f262899e0eb357ea538a3f96145b77f102b4ea0ae531c3c6
- SHA512: 0f7dc8d0b19b6a6bfbff5f769864692175c1e436c2c2e7e225d8d099c75005af55087c7b9ce16de525655dcd64b82cdc1fb2868d00c9fe9572c634b8187caf12
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes (pid / process):
    1484 | MSBuild.exe (2 hits)
    1456 | new_order_#5422_pdf_file.exe (14 hits)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer written in Visual Basic (.NET); the credential-reading signatures in this report are its characteristic behaviour.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other account information.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 1456 set thread context of 1484 | 1456 | new_order_#5422_pdf_file.exe | MSBuild.exe
  Together with the WriteProcessMemory hits below (same source and target PIDs), this is the process-hollowing pattern: the sample starts MSBuild.exe as a child, overwrites its memory, and redirects a thread into the injected code.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege | 1484 | MSBuild.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 1456 wrote to memory of 1484 | 1456 | new_order_#5422_pdf_file.exe | MSBuild.exe (6 hits)
- Drops startup file (1 IoC)
  Processes (description / ioc / process):
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\easinvoker.url | new_order_#5422_pdf_file.exe
  A .url shortcut in the per-user Startup folder is launched at every logon, so this gives the sample file-based persistence without a registry Run key.
- Drops file in Drivers directory (1 IoC)
  Processes (description / ioc / process):
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | MSBuild.exe
  Because MSBuild.exe is the injection target above, attribute this hosts-file write to the sample's injected code rather than to MSBuild itself.
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid / process):
    1456 | new_order_#5422_pdf_file.exe (3 hits)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid / process):
    1456 | new_order_#5422_pdf_file.exe (3 hits)
Processes
- C:\Users\Admin\AppData\Local\Temp\new_order_#5422_pdf_file.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\new_order_#5422_pdf_file.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Drops startup file
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (depth 2, child of new_order_#5422_pdf_file.exe)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Drivers directory
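As an added example (not part of the sandbox report and not the sandbox's own detection code), the Python below correlates an event stream modelled on the report's signature tables into the findings a responder would actually raise: the WriteProcessMemory + SetThreadContext pair from PID 1456 into PID 1484 collapsed into one process-hollowing finding, the Startup-folder .url drop and hosts-file write as persistence findings, and the hosts write re-attributed to the injecting process. The event records, their field names and the list of commonly hollowed .NET host binaries are constructed assumptions of the example, built from the PIDs and paths in the report rather than exported from any tool.

```python
"""Correlate process/file events into the behaviours this report records:
hollowing of MSBuild.exe (WriteProcessMemory + SetThreadContext from one
parent into one child), a Startup-folder .url drop, and a hosts-file write
attributed back to the injecting process.  Added example; the EVENTS list is
constructed from the report's PIDs and paths, not a real sandbox/EDR export."""
from collections import defaultdict
from typing import Dict, List

SAMPLE = "new_order_#5422_pdf_file.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HOSTS = r"C:\Windows\system32\drivers\etc\hosts"

# Microsoft-signed .NET hosts that commodity loaders commonly hollow.  This is
# a heuristic list assumed by the example, not something the report states.
DOTNET_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "aspnet_compiler.exe"}


def _ev(op: str, pid: int, image: str, **extra) -> Dict:
    """Build one event record in the example's (assumed) schema."""
    return {"op": op, "pid": pid, "image": image, **extra}


# Constructed event stream mirroring the report's signature tables.
EVENTS: List[Dict] = [
    _ev("ProcessCreate", 1456, SAMPLE, target_pid=1484, target_image=MSBUILD),
    *[_ev("WriteProcessMemory", 1456, SAMPLE, target_pid=1484, target_image=MSBUILD)
      for _ in range(6)],
    _ev("SetThreadContext", 1456, SAMPLE, target_pid=1484, target_image=MSBUILD),
    _ev("FileModify", 1456, SAMPLE, path=STARTUP + r"\easinvoker.url"),
    _ev("AdjustPrivilegeToken", 1484, MSBUILD, privilege="SeDebugPrivilege"),
    _ev("FileModify", 1484, MSBUILD, path=HOSTS),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_hollowing(events: List[Dict], min_writes: int = 1) -> List[Dict]:
    """One finding per (parent, child) PID pair showing BOTH memory writes and
    a SetThreadContext.  Either API alone is noisy (debuggers, installers,
    some AV hooks); both on the same PID pair is the hollowing sequence:
    overwrite the child's image, then point a thread at the injected code."""
    writes = defaultdict(int)
    ctx_pairs = set()
    images = {}
    for e in events:
        if e["op"] not in ("WriteProcessMemory", "SetThreadContext"):
            continue
        key = (e["pid"], e["target_pid"])
        images[key] = (e["image"], e["target_image"])
        if e["op"] == "WriteProcessMemory":
            writes[key] += 1
        else:
            ctx_pairs.add(key)
    findings = []
    for key in sorted(ctx_pairs):
        if writes[key] < min_writes:
            continue
        src, dst = images[key]
        findings.append({"rule": "process_hollowing", "source_pid": key[0],
                         "source": src, "target_pid": key[1], "target": dst,
                         "writes": writes[key],
                         "dotnet_host_target": _basename(dst) in DOTNET_HOSTS})
    return findings


def detect_persistence(events: List[Dict]) -> List[Dict]:
    """Startup-folder drops (any extension: a .url shortcut runs its target at
    logon just as an .exe or .lnk would) and hosts-file modification."""
    findings = []
    for e in events:
        if e["op"] != "FileModify":
            continue
        low = e["path"].lower()
        if "\\start menu\\programs\\startup\\" in low:
            findings.append({"rule": "startup_folder_drop", "pid": e["pid"],
                             "image": e["image"], "path": e["path"],
                             "ext": low.rsplit(".", 1)[-1]})
        elif low.endswith("\\drivers\\etc\\hosts"):
            findings.append({"rule": "hosts_file_modify", "pid": e["pid"],
                             "image": e["image"], "path": e["path"]})
    return findings


def analyze(events: List[Dict]) -> List[Dict]:
    """Run both detectors and re-attribute anything a hollowed child did to
    the process that injected it: after SetThreadContext the code running in
    MSBuild.exe is the sample's, so the hosts write belongs to PID 1456 even
    though the sandbox records it under PID 1484."""
    hollow = detect_hollowing(events)
    injector_of = {f["target_pid"]: f["source_pid"] for f in hollow}
    out = list(hollow)
    for f in detect_persistence(events):
        out.append(dict(f, attributed_to=injector_of.get(f["pid"], f["pid"])))
    return out


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The correlation key is the (source PID, target PID) pair, not the API name: that is what turns two medium-confidence "suspicious use of" hits into one high-confidence injection finding, and it is the same join a SIEM rule would make over Sysmon or ETW process-access events. The `attributed_to` field matters for scoping: any network or file activity logged under the hollowed MSBuild.exe should be treated as the sample's own.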