Analysis
- max time kernel: 148s
- max time network: 27s
- platform: windows7_x64
- resource: win7v200430
- submitted: 24-06-2020 15:08
Static task: static1

Behavioral task: behavioral1
- Sample: DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
- Resource: win7v200430

Behavioral task: behavioral2
- Sample: DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
- Resource: win10
General
- Target: DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
- Size: 1.4MB
- MD5: 5fe333e1a731213b8b761cfa114a4c24
- SHA1: c0eef045d92eac31b471e3e80abc1591088ada0b
- SHA256: b6be0879f87f35a6f4c27d1666cf8e183427e868944e6a23d035a13b6208dfb6
- SHA512: ee1dec45423c9c276add252c6f37270e356edc99bf27501b7ddaefeb78056dd5fcae5b55cdf19355b06bf19c9fba5ef33d38780a6d58933737be3f099015307a
Malware Config

Signatures

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  pid  | process
  1100 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
  1100 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
  1100 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                      | pid  | process                                  | target process
  PID 1100 wrote to memory of 1048 | 1100 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe | MSBuild.exe
  PID 1100 wrote to memory of 1048 | 1100 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe | MSBuild.exe
  PID 1100 wrote to memory of 1048 | 1100 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe | MSBuild.exe
  PID 1100 wrote to memory of 1048 | 1100 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe | MSBuild.exe
  PID 1100 wrote to memory of 1048 | 1100 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe | MSBuild.exe
  PID 1100 wrote to memory of 1048 | 1100 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe | MSBuild.exe
  PID 1048 wrote to memory of 1760 | 1048 | MSBuild.exe                              | netsh.exe
  PID 1048 wrote to memory of 1760 | 1048 | MSBuild.exe                              | netsh.exe
  PID 1048 wrote to memory of 1760 | 1048 | MSBuild.exe                              | netsh.exe
  PID 1048 wrote to memory of 1760 | 1048 | MSBuild.exe                              | netsh.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  | process
  1048 | MSBuild.exe
  1048 | MSBuild.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Modifies service (2 TTPs, 5 IoCs)
Processes:
  description | ioc                                                                            | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas                   | netsh.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs                   | netsh.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI         | netsh.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig            | netsh.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups | netsh.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  pid  | process
  1100 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
  1100 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
  1100 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          | pid  | process                                  | target process
  PID 1100 set thread context of 1048  | 1100 | DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe | MSBuild.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 1048 | MSBuild.exe
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Processes
- C:\Users\Admin\AppData\Local\Temp\DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DETALLES DE SEGUIMIENTO DE FedEx-pdf.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetThreadContext
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "netsh" wlan show profile
      - Modifies service