Analysis
max time kernel: 146s
max time network: 33s
platform: windows7_x64
resource: win7v200430
submitted: 24-06-2020 15:08
Static task: static1
Behavioral task: behavioral1
  Sample: payment swift copy 0992000030.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: payment swift copy 0992000030.exe
  Resource: win10
General
Target: payment swift copy 0992000030.exe
Size: 1.4MB
MD5: 2819167a7dc8fcb29a15e384a6405daf
SHA1: 0fb58427e88a08484092bde990465c9b21b83d49
SHA256: df8d53ae83fc3e3f3052436ec14a37d66474174f88c529e6a6162b4fb1be13d8
SHA512: 8d278d4bf3263f911076f3dce0a67ada8503db9752dd66a68b66b0407c98e1623f4f8c455c44fdf523db2b6e075530ba98d30f651b6a32b32bb6106168ebdbd7
Malware Config
Signatures
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: payment swift copy 0992000030.exe, MSBuild.exe
  description                         pid   process                             target process
  PID 1400 wrote to memory of 1404    1400  payment swift copy 0992000030.exe   MSBuild.exe   (6 occurrences)
  PID 1404 wrote to memory of 688     1404  MSBuild.exe                         netsh.exe     (4 occurrences)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: payment swift copy 0992000030.exe
  description                         pid   process                             target process
  PID 1400 set thread context of 1404 1400  payment swift copy 0992000030.exe   MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: MSBuild.exe
  description                 pid   process
  Token: SeDebugPrivilege     1404  MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: MSBuild.exe, payment swift copy 0992000030.exe
  pid   process
  1404  MSBuild.exe                         (2 occurrences)
  1400  payment swift copy 0992000030.exe   (14 occurrences)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: MSBuild.exe
  pid   process
  1404  MSBuild.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: payment swift copy 0992000030.exe
  pid   process
  1400  payment swift copy 0992000030.exe   (3 occurrences)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: payment swift copy 0992000030.exe
  pid   process
  1400  payment swift copy 0992000030.exe   (3 occurrences)
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Modifies service (2 TTPs, 5 IoCs)
  Processes: netsh.exe
  description   ioc                                                                          process
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups   netsh.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas                            netsh.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs                            netsh.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI                  netsh.exe
  Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig                     netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\payment swift copy 0992000030.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\payment swift copy 0992000030.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   2. (child of 1) C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      3. (child of 2) C:\Windows\SysWOW64\netsh.exe
         Command line: "netsh" wlan show profile
         - Modifies service