Analysis

- max time kernel: 88s
- max time network: 116s
- platform: windows10_x64
- resource: win10
- submitted: 29-06-2020 18:01
- Static task: static1
- Behavioral task: behavioral1 (Sample: Invoice and Bill Ladin.exe; Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: Invoice and Bill Ladin.exe; Resource: win10)
General

- Target: Invoice and Bill Ladin.exe
- Size: 418KB
- MD5: 81b83084ba6d55df81e62fe534167b28
- SHA1: 88df67f18966138bc3de5dc7485daef1af006ac1
- SHA256: ef39f799a276b70651440c8b7e61b9095567fe2ab3a2b35a7f61d9bd116eca7b
- SHA512: 1381601af4cfec264446897e5355e1953214c03c55c1ed1513d176170ec718301d08c775cb3d08ce863ad0606118c30e1b3b38eae1666acc09548ec90c463b62
Malware Config

Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: muhasebe@adanateknikkimya.com
- Password: atk9202
Signatures

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description | pid | process | target process
  PID 3588 wrote to memory of 3932 | 3588 | Invoice and Bill Ladin.exe | schtasks.exe
  PID 3588 wrote to memory of 3932 | 3588 | Invoice and Bill Ladin.exe | schtasks.exe
  PID 3588 wrote to memory of 3932 | 3588 | Invoice and Bill Ladin.exe | schtasks.exe
  PID 3588 wrote to memory of 3872 | 3588 | Invoice and Bill Ladin.exe | Invoice and Bill Ladin.exe
  PID 3588 wrote to memory of 3872 | 3588 | Invoice and Bill Ladin.exe | Invoice and Bill Ladin.exe
  PID 3588 wrote to memory of 3872 | 3588 | Invoice and Bill Ladin.exe | Invoice and Bill Ladin.exe
  PID 3588 wrote to memory of 3872 | 3588 | Invoice and Bill Ladin.exe | Invoice and Bill Ladin.exe
  PID 3588 wrote to memory of 3872 | 3588 | Invoice and Bill Ladin.exe | Invoice and Bill Ladin.exe
  PID 3588 wrote to memory of 3872 | 3588 | Invoice and Bill Ladin.exe | Invoice and Bill Ladin.exe
  PID 3588 wrote to memory of 3872 | 3588 | Invoice and Bill Ladin.exe | Invoice and Bill Ladin.exe
  PID 3588 wrote to memory of 3872 | 3588 | Invoice and Bill Ladin.exe | Invoice and Bill Ladin.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 3588 set thread context of 3872 | 3588 | Invoice and Bill Ladin.exe | Invoice and Bill Ladin.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3872 | Invoice and Bill Ladin.exe

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  3872 | Invoice and Bill Ladin.exe
  3872 | Invoice and Bill Ladin.exe

- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
  pid | process
  3872 | Invoice and Bill Ladin.exe

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Adds Run entry to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe" | Invoice and Bill Ladin.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Processes

- C:\Users\Admin\AppData\Local\Temp\Invoice and Bill Ladin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice and Bill Ladin.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext

  - C:\Windows\SysWOW64\schtasks.exe (child)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ejTJlXXtNCVKge" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C3F.tmp"
    - Creates scheduled task(s)

  - C:\Users\Admin\AppData\Local\Temp\Invoice and Bill Ladin.exe (child)
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: RenamesItself
    - Adds Run entry to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Invoice and Bill Ladin.exe.log
- C:\Users\Admin\AppData\Local\Temp\tmp7C3F.tmp
- memory/3872-2-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/3872-3-0x0000000000446F9E-mapping.dmp
- memory/3932-0-0x0000000000000000-mapping.dmp