Analysis
-
max time kernel
59s -
max time network
29s -
platform
windows7_x64 -
resource
win7 -
submitted
08-07-2020 11:35
Static task
static1
Behavioral task
behavioral1
Sample
Invoice approved.pdf.exe
Resource
win7
Behavioral task
behavioral2
Sample
Invoice approved.pdf.exe
Resource
win10
General
-
Target
Invoice approved.pdf.exe
-
Size
676KB
-
MD5
dec84f6b8adf05075f43025708c0ccaa
-
SHA1
d8ed043b7b4057670dfbd7d7c8039fcb0f5de792
-
SHA256
18a41b50c8885afe4978787aa8c44601134838f73f66e7edc520bad7d76bfad2
-
SHA512
aaa3becc54d34d5ee1f884a527a1f73afbd774b72fc7d46106a87c4c08397447c3e2bae16275e5bc0b841ee332efd169fd12a9e4d021dbef086c69225e431cb9
Malware Config
Signatures
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1032 Invoice approved.pdf.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1068 Invoice approved.pdf.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1032 Invoice approved.pdf.exe 1068 Invoice approved.pdf.exe 1068 Invoice approved.pdf.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1032 wrote to memory of 1068 1032 Invoice approved.pdf.exe 24 PID 1032 wrote to memory of 1068 1032 Invoice approved.pdf.exe 24 PID 1032 wrote to memory of 1068 1032 Invoice approved.pdf.exe 24 PID 1032 wrote to memory of 1068 1032 Invoice approved.pdf.exe 24 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1032 set thread context of 1068 1032 Invoice approved.pdf.exe 24 -
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
resource yara_rule behavioral1/memory/1068-0-0x0000000000400000-0x00000000004A4000-memory.dmp upx behavioral1/memory/1068-2-0x0000000000400000-0x00000000004A4000-memory.dmp upx behavioral1/memory/1068-3-0x0000000000400000-0x00000000004A4000-memory.dmp upx -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice approved.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Invoice approved.pdf.exe"1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1032 -
C:\Users\Admin\AppData\Local\Temp\Invoice approved.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Invoice approved.pdf.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1068
-