Analysis
- max time kernel: 108s
- max time network: 109s
- platform: windows10_x64
- resource: win10
- submitted: 07/07/2020, 09:52
- Static task: static1
- Behavioral task: behavioral1 (sample SPEC.exe, resource win7v200430)
- Behavioral task: behavioral2 (sample SPEC.exe, resource win10)
General
- Target: SPEC.exe
- Size: 782KB
- MD5: c2d99cdb9cf6bfeb657ecc6c07ff4883
- SHA1: 3ddf79447494930ef29b3b2c0c2387379b308a39
- SHA256: 47ecae395889d51a3835daa21b154644f1af8f53e03d2118f71850775777b87b
- SHA512: 6604f92dcf5e8f7674a58891758b8522b12b8654e3af1c6522d0a90e3e3aa426e8a33c217ed5ec4e58acfde0b7dd3a8217591211bba9f5d4a39dfc92bcd0e809
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: henry1234
Signatures

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process   procid_target
  PID 3060 set thread context of 3836  3060  SPEC.exe  67

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  3836  SPEC.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, written in Visual Basic .NET.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Suspicious behavior: EnumeratesProcesses (78 IoCs)
The report lists one row per event (all SPEC.exe); rows are collapsed here by pid.
  pid   process   rows
  3060  SPEC.exe  2
  3868  SPEC.exe  74
  3836  SPEC.exe  2

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process   procid_target
  PID 3060 wrote to memory of 3836  3060  SPEC.exe  67
  PID 3060 wrote to memory of 3836  3060  SPEC.exe  67
  PID 3060 wrote to memory of 3836  3060  SPEC.exe  67
  PID 3060 wrote to memory of 3868  3060  SPEC.exe  68
  PID 3060 wrote to memory of 3868  3060  SPEC.exe  68
  PID 3060 wrote to memory of 3868  3060  SPEC.exe  68

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   process
  3060  SPEC.exe

UPX packed file (3 IoCs)
Detects executables packed with UPX/modified UPX open source packer.
  resource                                                                     yara_rule
  behavioral2/memory/3836-0-0x0000000000400000-0x00000000004AC000-memory.dmp  upx
  behavioral2/memory/3836-3-0x0000000000400000-0x00000000004AC000-memory.dmp  upx
  behavioral2/memory/3836-4-0x0000000000400000-0x00000000004AC000-memory.dmp  upx
Processes

C:\Users\Admin\AppData\Local\Temp\SPEC.exe (PID 3060)
  command line: "C:\Users\Admin\AppData\Local\Temp\SPEC.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection

  C:\Users\Admin\AppData\Local\Temp\SPEC.exe (PID 3836, child of 3060)
    command line: "C:\Users\Admin\AppData\Local\Temp\SPEC.exe"
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\SPEC.exe (PID 3868, child of 3060)
    command line: "C:\Users\Admin\AppData\Local\Temp\SPEC.exe" 2 3836 61734
    - Suspicious behavior: EnumeratesProcesses
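The signature tables above are what an analyst actually reads this report for: the parent (PID 3060) writes into both children, but only 3836 also has its thread context replaced, only 3836's memory dumps carry the UPX hit at the default image base 0x400000, and it is 3836 that enables SeDebugPrivilege. The Python below, added here as an example and not part of the sandbox's report or tooling, parses the report's own row format and correlates it into that chain. The row strings are transcribed from the tables above; the pairing rule (memory writes plus a SetThreadContext call from the same source to the same target marks an injected target) is this example's heuristic, not the sandbox's scoring.

```python
"""Correlate process-injection IoCs from a sandbox report.

Added example: not the sandbox's own code. The row strings are transcribed
from the report's signature tables; the pairing rule (memory writes plus a
SetThreadContext call from the same source to the same target => injected
target) is this example's heuristic, not the sandbox's scoring.
"""
import re

# Transcribed rows, flattened exactly as extraction left them in the report.
WRITE_ROWS = (
    "PID 3060 wrote to memory of 3836 3060 SPEC.exe 67 "
    "PID 3060 wrote to memory of 3836 3060 SPEC.exe 67 "
    "PID 3060 wrote to memory of 3836 3060 SPEC.exe 67 "
    "PID 3060 wrote to memory of 3868 3060 SPEC.exe 68 "
    "PID 3060 wrote to memory of 3868 3060 SPEC.exe 68 "
    "PID 3060 wrote to memory of 3868 3060 SPEC.exe 68"
)
CONTEXT_ROWS = "PID 3060 set thread context of 3836 3060 SPEC.exe 67"
TOKEN_ROWS = "Token: SeDebugPrivilege 3836 SPEC.exe"
YARA_ROWS = (
    "behavioral2/memory/3836-0-0x0000000000400000-0x00000000004AC000-memory.dmp upx "
    "behavioral2/memory/3836-3-0x0000000000400000-0x00000000004AC000-memory.dmp upx "
    "behavioral2/memory/3836-4-0x0000000000400000-0x00000000004AC000-memory.dmp upx"
)

# Row layout: "PID <src> <action> <dst> <pid> <process> <procid_target>"
ROW_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\d+)"
)
TOKEN_RE = re.compile(r"Token: (\w+) (\d+) (\S+)")
# Dump names: <task>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp <rule>
YARA_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\w+)"
)


def parse_rows(text):
    """Return (source_pid, action, target_pid, process, procid_target) tuples."""
    return [(int(s), act, int(t), proc, int(pt))
            for s, act, t, proc, pt in ROW_RE.findall(text)]


def injection_chains(rows):
    """Group rows by (source, target): count writes, note thread-context changes."""
    chains = {}
    for src, action, dst, _proc, _pt in rows:
        c = chains.setdefault((src, dst), {"writes": 0, "thread_context": False})
        if action == "wrote to memory of":
            c["writes"] += 1
        elif action == "set thread context of":
            c["thread_context"] = True
    return chains


def hollowed_targets(chains):
    """Targets that got both writes and a thread-context change from one source."""
    return sorted(dst for (_src, dst), c in chains.items()
                  if c["writes"] and c["thread_context"])


def write_only_targets(chains):
    """Targets written to but never given a new thread context (not hollowed)."""
    return sorted(dst for (_src, dst), c in chains.items()
                  if c["writes"] and not c["thread_context"])


def flagged_regions(text, pid):
    """Distinct (start, end, rule) regions YARA flagged in dumps of one pid."""
    return sorted({(int(s, 16), int(e, 16), rule)
                   for p, _idx, s, e, rule in YARA_RE.findall(text) if int(p) == pid})


def enabled_privileges(text, pid):
    """Privileges a pid enabled through AdjustPrivilegeToken."""
    return sorted(priv for priv, p, _proc in TOKEN_RE.findall(text) if int(p) == pid)


def summarize():
    """One entry per hollowed target: its source, privileges and flagged memory."""
    chains = injection_chains(parse_rows(WRITE_ROWS + " " + CONTEXT_ROWS))
    out = {}
    for pid in hollowed_targets(chains):
        src = next(s for (s, d) in chains if d == pid)
        out[pid] = {
            "source": src,
            "privileges": enabled_privileges(TOKEN_ROWS, pid),
            "regions": flagged_regions(YARA_ROWS, pid),
        }
    return out


if __name__ == "__main__":
    for pid, info in summarize().items():
        regions = ", ".join(f"{r}:0x{s:X}-0x{e:X}" for s, e, r in info["regions"])
        print(f"PID {pid} injected by {info['source']}: "
              f"privileges={info['privileges']} flagged={regions}")
```

Run stand-alone it prints a single line for PID 3836. The split it produces is the point when reading this report: 3868 also appears under WriteProcessMemory, but it never has its thread context replaced and none of its dumps are flagged, so the heuristic keeps it out of the hollowed set; 3836 is written to, restarted with a new thread context, carries the UPX-flagged image at 0x400000-0x4AC000, and is the process that enables SeDebugPrivilege.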