Analysis
- max time kernel: 135s
- max time network: 30s
- platform: windows7_x64
- resource: win7v200430
- submitted: 29-06-2020 18:01
Static task: static1
Behavioral task: behavioral1
- Sample: Invoice and Bill Ladin.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: Invoice and Bill Ladin.exe
- Resource: win10
General
- Target: Invoice and Bill Ladin.exe
- Size: 418KB
- MD5: 81b83084ba6d55df81e62fe534167b28
- SHA1: 88df67f18966138bc3de5dc7485daef1af006ac1
- SHA256: ef39f799a276b70651440c8b7e61b9095567fe2ab3a2b35a7f61d9bd116eca7b
- SHA512: 1381601af4cfec264446897e5355e1953214c03c55c1ed1513d176170ec718301d08c775cb3d08ce863ad0606118c30e1b3b38eae1666acc09548ec90c463b62
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Adds Run entry to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe" (process: Invoice and Bill Ladin.exe)
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description / pid / process / target pid / target process):
  - wrote to memory of: PID 1432 (Invoice and Bill Ladin.exe) -> PID 1788 (schtasks.exe), 4 entries
  - wrote to memory of: PID 1432 (Invoice and Bill Ladin.exe) -> PID 1848 (Invoice and Bill Ladin.exe), 9 entries
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target pid / target process):
  - set thread context of: PID 1432 (Invoice and Bill Ladin.exe) -> PID 1848 (Invoice and Bill Ladin.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, PID 1848 (Invoice and Bill Ladin.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - PID 1848 (Invoice and Bill Ladin.exe)
  - PID 1848 (Invoice and Bill Ladin.exe)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes (pid / process):
  - PID 1848 (Invoice and Bill Ladin.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Invoice and Bill Ladin.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice and Bill Ladin.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ejTJlXXtNCVKge" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D71.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Invoice and Bill Ladin.exe (depth 2)
    Command line: "{path}"
    - Adds Run entry to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6D71.tmp
- memory/1788-0-0x0000000000000000-mapping.dmp
- memory/1848-2-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1848-3-0x0000000000446F9E-mapping.dmp
- memory/1848-4-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1848-5-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)