Analysis
-
max time kernel
149s -
max time network
8s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
09-07-2020 13:44
Static task
static1
Behavioral task
behavioral1
Sample
Paid Invoice.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
Paid Invoice.exe
Resource
win10
General
-
Target
Paid Invoice.exe
-
Size
940KB
-
MD5
bde63b59d82e03cea80de443c6738c6f
-
SHA1
34e77df4e37a23a8c45f9b9a62a938d756add173
-
SHA256
b3bf1c568dfbb2a1af09b07eb0a7aff6e2d7addbf3c51e4c6850ebc96afd103e
-
SHA512
f1e68b492747884786996bec97214fb4a126444dc4928803cecfa7f0a716fa29c822f76eeff41d7b7ca164cde4b24a70e45aecdf8c8b9ff1d1cabd3800b6850d
Malware Config
Signatures
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Paid Invoice.exepid process 1360 Paid Invoice.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Paid Invoice.exedescription pid process Token: SeDebugPrivilege 1420 Paid Invoice.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Paid Invoice.exePaid Invoice.exepid process 1360 Paid Invoice.exe 1420 Paid Invoice.exe 1420 Paid Invoice.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Paid Invoice.exedescription pid process target process PID 1360 wrote to memory of 1420 1360 Paid Invoice.exe Paid Invoice.exe PID 1360 wrote to memory of 1420 1360 Paid Invoice.exe Paid Invoice.exe PID 1360 wrote to memory of 1420 1360 Paid Invoice.exe Paid Invoice.exe PID 1360 wrote to memory of 1420 1360 Paid Invoice.exe Paid Invoice.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Paid Invoice.exedescription pid process target process PID 1360 set thread context of 1420 1360 Paid Invoice.exe Paid Invoice.exe -
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
Processes:
resource yara_rule behavioral1/memory/1420-0-0x0000000000400000-0x00000000004A4000-memory.dmp upx behavioral1/memory/1420-2-0x0000000000400000-0x00000000004A4000-memory.dmp upx behavioral1/memory/1420-3-0x0000000000400000-0x00000000004A4000-memory.dmp upx
Processes
-
C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1360 -
C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1420