Analysis
-
max time kernel
149s -
max time network
8s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
09-07-2020 13:44
General
-
Target
Paid Invoice.exe
-
Size
940KB
-
MD5
bde63b59d82e03cea80de443c6738c6f
-
SHA1
34e77df4e37a23a8c45f9b9a62a938d756add173
-
SHA256
b3bf1c568dfbb2a1af09b07eb0a7aff6e2d7addbf3c51e4c6850ebc96afd103e
-
SHA512
f1e68b492747884786996bec97214fb4a126444dc4928803cecfa7f0a716fa29c822f76eeff41d7b7ca164cde4b24a70e45aecdf8c8b9ff1d1cabd3800b6850d
Score
10/10
Malware Config
Signatures
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
656KB
-
-
Filesize
656KB
-
Filesize
656KB
-
Filesize
304KB
-
Filesize
4KB
-
Filesize
280KB