Analysis
- max time kernel: 124s
- max time network: 124s
- platform: windows10_x64
- resource: win10
- submitted: 30-06-2020 08:55
- Static task: static1
- Behavioral task: behavioral1 (Sample: Payment Advice.exe, Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: Payment Advice.exe, Resource: win10)
General
- Target: Payment Advice.exe
- Size: 418KB
- MD5: ffdaaef92b097c2edb85b1bdcf302b74
- SHA1: 5065f1b6378fa9f7d4793a93627ac3dd98a30bcd
- SHA256: 5654964b039231ce7a956b13d9c55c412ad05387b0f9b3dd800f2030eb1761d0
- SHA512: 0e17c8ee3afa0d497839d6868a46932652e3a21df3f5104b0b7cab68bf5fddf8bf2dc2bfa577bcc576b5c401ef6d7afa5e70726a47594684de159a8f06b0a7d6
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: georgemoored@yandex.com
- Password: 1989dennis
Signatures
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3392 | Payment Advice.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  3392 | Payment Advice.exe
  3392 | Payment Advice.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description | pid | process | target process
  PID 2920 wrote to memory of 3164 | 2920 | Payment Advice.exe | schtasks.exe
  PID 2920 wrote to memory of 3164 | 2920 | Payment Advice.exe | schtasks.exe
  PID 2920 wrote to memory of 3164 | 2920 | Payment Advice.exe | schtasks.exe
  PID 2920 wrote to memory of 3392 | 2920 | Payment Advice.exe | Payment Advice.exe
  PID 2920 wrote to memory of 3392 | 2920 | Payment Advice.exe | Payment Advice.exe
  PID 2920 wrote to memory of 3392 | 2920 | Payment Advice.exe | Payment Advice.exe
  PID 2920 wrote to memory of 3392 | 2920 | Payment Advice.exe | Payment Advice.exe
  PID 2920 wrote to memory of 3392 | 2920 | Payment Advice.exe | Payment Advice.exe
  PID 2920 wrote to memory of 3392 | 2920 | Payment Advice.exe | Payment Advice.exe
  PID 2920 wrote to memory of 3392 | 2920 | Payment Advice.exe | Payment Advice.exe
  PID 2920 wrote to memory of 3392 | 2920 | Payment Advice.exe | Payment Advice.exe
  PID 3392 wrote to memory of 356 | 3392 | Payment Advice.exe | netsh.exe
  PID 3392 wrote to memory of 356 | 3392 | Payment Advice.exe | netsh.exe
  PID 3392 wrote to memory of 356 | 3392 | Payment Advice.exe | netsh.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2920 set thread context of 3392 | 2920 | Payment Advice.exe | Payment Advice.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | process
  3392 | Payment Advice.exe
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xyDraNWzCWcb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF6E.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Payment Advice.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Payment Advice.exe.log
- C:\Users\Admin\AppData\Local\Temp\tmpDF6E.tmp
- memory/356-5-0x0000000000000000-mapping.dmp
- memory/3164-0-0x0000000000000000-mapping.dmp
- memory/3392-2-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/3392-3-0x000000000044C92E-mapping.dmp