Analysis
- max time kernel: 135s
- max time network: 27s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 12:16
- Static task: static1
- Behavioral task: behavioral1 (Sample: AWB RECEIPT.exe, Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: AWB RECEIPT.exe, Resource: win10)
General
- Target: AWB RECEIPT.exe
- Size: 414KB
- MD5: e6376ce6fe0b01359cb87e8685243a85
- SHA1: 11c69fbfe899c0b0117f8461f755047cc9cc8686
- SHA256: b06e7c2b4c5fb87404178047bc54c303463808ac0b5586d31dd2537d35e61ecf
- SHA512: c11e5073d83da48b186cdc49fb49ec0a5d413dd4720847cd6855dedb651345392aad893e2d8ca3c7e31731107de6b8322cbccff69f9c628aa269ac04285859f4
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description | pid | process | target process):
  - PID 1428 wrote to memory of 1764 | 1428 | AWB RECEIPT.exe | schtasks.exe (4 entries)
  - PID 1428 wrote to memory of 524 | 1428 | AWB RECEIPT.exe | AWB RECEIPT.exe (4 entries)
  - PID 1428 wrote to memory of 660 | 1428 | AWB RECEIPT.exe | AWB RECEIPT.exe (9 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 1428 | AWB RECEIPT.exe
  - Token: SeDebugPrivilege | 660 | AWB RECEIPT.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process):
  - 1428 | AWB RECEIPT.exe
  - 660 | AWB RECEIPT.exe
  - 660 | AWB RECEIPT.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - PID 1428 set thread context of 660 | 1428 | AWB RECEIPT.exe | AWB RECEIPT.exe
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\AWB RECEIPT.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AWB RECEIPT.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wDxsIGgSvmElt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58E8.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\AWB RECEIPT.exe (depth 2)
    Command line: "{path}"
  - C:\Users\Admin\AppData\Local\Temp\AWB RECEIPT.exe (depth 2)
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp58E8.tmp
- memory/660-2-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/660-3-0x00000000004471FE-mapping.dmp
- memory/660-4-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/660-5-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1764-0-0x0000000000000000-mapping.dmp