Analysis
- max time kernel: 139s
- max time network: 32s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 08:55
Static task: static1
Behavioral task: behavioral1 (sample: Payment Advice.exe, resource: win7v200430)
Behavioral task: behavioral2 (sample: Payment Advice.exe, resource: win10)
General
- Target: Payment Advice.exe
- Size: 418KB
- MD5: ffdaaef92b097c2edb85b1bdcf302b74
- SHA1: 5065f1b6378fa9f7d4793a93627ac3dd98a30bcd
- SHA256: 5654964b039231ce7a956b13d9c55c412ad05387b0f9b3dd800f2030eb1761d0
- SHA512: 0e17c8ee3afa0d497839d6868a46932652e3a21df3f5104b0b7cab68bf5fddf8bf2dc2bfa577bcc576b5c401ef6d7afa5e70726a47594684de159a8f06b0a7d6
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
  description                          pid   process             target process
  PID 1492 wrote to memory of 1820     1492  Payment Advice.exe  schtasks.exe
  PID 1492 wrote to memory of 1820     1492  Payment Advice.exe  schtasks.exe
  PID 1492 wrote to memory of 1820     1492  Payment Advice.exe  schtasks.exe
  PID 1492 wrote to memory of 1820     1492  Payment Advice.exe  schtasks.exe
  PID 1492 wrote to memory of 1836     1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 1836     1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 1836     1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 1836     1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 1832     1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 1832     1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 1832     1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 1832     1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 316      1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 316      1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 316      1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 316      1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 652      1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 652      1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 652      1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 652      1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 652      1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 652      1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 652      1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 652      1492  Payment Advice.exe  Payment Advice.exe
  PID 1492 wrote to memory of 652      1492  Payment Advice.exe  Payment Advice.exe
  PID 652 wrote to memory of 1776      652   Payment Advice.exe  netsh.exe
  PID 652 wrote to memory of 1776      652   Payment Advice.exe  netsh.exe
  PID 652 wrote to memory of 1776      652   Payment Advice.exe  netsh.exe
  PID 652 wrote to memory of 1776      652   Payment Advice.exe  netsh.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1492  Payment Advice.exe
  Token: SeDebugPrivilege  652   Payment Advice.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
  pid   process
  1492  Payment Advice.exe
  1492  Payment Advice.exe
  1492  Payment Advice.exe
  652   Payment Advice.exe
  652   Payment Advice.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                          pid   process             target process
  PID 1492 set thread context of 652   1492  Payment Advice.exe  Payment Advice.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid   process
  652   Payment Advice.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Modifies service 2 TTPs 5 IoCs
Processes:
  description  ioc                                                                                 process
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig                  netsh.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups netsh.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas                         netsh.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs                         netsh.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI               netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyDraNWzCWcb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD0F4.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
    command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
    command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
    command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
    command line: "{path}"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\netsh.exe
      command line: "netsh" wlan show profile
      - Modifies service
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD0F4.tmp
- memory/652-2-0x0000000000400000-0x0000000000452000-memory.dmp (filesize: 328KB)
- memory/652-3-0x000000000044C92E-mapping.dmp
- memory/652-4-0x0000000000400000-0x0000000000452000-memory.dmp (filesize: 328KB)
- memory/652-5-0x0000000000400000-0x0000000000452000-memory.dmp (filesize: 328KB)
- memory/1776-6-0x0000000000000000-mapping.dmp
- memory/1820-0-0x0000000000000000-mapping.dmp