Analysis
-
max time kernel
148s -
max time network
44s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
07-07-2020 09:44
Static task
static1
Behavioral task
behavioral1
Sample
Scan doc.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
Scan doc.exe
Resource
win10
General
-
Target
Scan doc.exe
-
Size
776KB
-
MD5
998dc4993b24a9e7a5e3c42d140dd002
-
SHA1
34375c9f17328c6cc93cecac0a8b517c6574fb0d
-
SHA256
41649c5c44d64e2764e4753b6d458589dedca163d8a0a365f05fd50261465e38
-
SHA512
54541baf6caea77a81344dd4843e51548078624b25d0190b2314f313af7574123a767d9a0f18dd966da7819a163c8e26bbc41379d2c1d696b5dd59a1af918616
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Scan doc.exeScan doc.exepid Process 888 Scan doc.exe 1048 Scan doc.exe 1048 Scan doc.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Scan doc.exedescription pid Process procid_target PID 888 wrote to memory of 1048 888 Scan doc.exe 24 PID 888 wrote to memory of 1048 888 Scan doc.exe 24 PID 888 wrote to memory of 1048 888 Scan doc.exe 24 PID 888 wrote to memory of 1048 888 Scan doc.exe 24 -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Scan doc.exedescription pid Process procid_target PID 888 set thread context of 1048 888 Scan doc.exe 24 -
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Scan doc.exepid Process 888 Scan doc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Scan doc.exedescription pid Process Token: SeDebugPrivilege 1048 Scan doc.exe -
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
Processes:
resource yara_rule behavioral1/memory/1048-0-0x0000000000400000-0x00000000004A5000-memory.dmp upx behavioral1/memory/1048-2-0x0000000000400000-0x00000000004A5000-memory.dmp upx behavioral1/memory/1048-3-0x0000000000400000-0x00000000004A5000-memory.dmp upx -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Scan doc.exe"C:\Users\Admin\AppData\Local\Temp\Scan doc.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:888 -
C:\Users\Admin\AppData\Local\Temp\Scan doc.exe"C:\Users\Admin\AppData\Local\Temp\Scan doc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048
-