Analysis
max time kernel: 150s
max time network: 146s
platform: windows7_x64
resource: win7v200430
submitted: 09-07-2020 06:42
Static task: static1
Behavioral task: behavioral1
  Sample: CMA-Inquiry DA39-RFQ-Urgent order-07820.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: CMA-Inquiry DA39-RFQ-Urgent order-07820.exe
  Resource: win10
General
Target: CMA-Inquiry DA39-RFQ-Urgent order-07820.exe
Size: 952KB
MD5: 7e8eedd86f24f4e63ed26ff677162e75
SHA1: e9a7b4c02a2f2916a3604a417af65260e33436a4
SHA256: bb44a88339e83bc2ecbd06edef1acf6c54e66c4c4922005a67c27f970f717075
SHA512: f16624dd72c63bb944d45c25c80a6ed6d8400e994e852db3879602b3107dd3e09dd7d1c5c893598f0d64f15bd98828bc7e67a48ee91943e833e13324d0d016c3
Malware Config
Extracted: formbook
C2 URL: http://www.mansiobok2.info/ns424/
Domains from the same config (Formbook embeds a list of decoy domains, mostly unrelated legitimate sites, alongside its real C2; only the entry above carries the C2 path, so treat the bare domains below as decoys and do not block them as C2 without independent corroboration):
loginaccount-secure.com
roadside-web.com
lovelydays.info
mariotime.com
toursmundialrusia.com
confidentbeauty.tips
duongtinhot24h.com
wcw.info
rabatte.click
xn--2nyy10g.biz
botuzm.net
galebplast.com
mahony-diet.com
3ctoken.com
mantispeed.com
withyou-cm.com
rightwebmarketing.com
pksbarandgrill.net
systemscan12.top
velinablog.com
16qdd.com
opebet668.com
sonialafountain.com
alamonda.net
fujianchangyuan.com
gorillathreads.com
productossaludnaturales.com
53sbh.com
ttwpiv.info
datenschutz-24-7.online
hawaiiwoodsource.com
yilongjiancai.com
portasolvacationrentals.com
eaglevogue.com
internetking.ink
e-golden-boy.com
zan-c.com
nmnedconsulting.com
mollybphoto.com
ybvip222.com
mijindou2019.com
abcshop.biz
promtiobooking.com
kcsmqd.com
angelalevelsup.com
lux-dl.com
edit-live.com
top10asiancasino.com
yixinpuze.com
girlbossevents.net
autohaker.com
advancedappliancerepairsva.com
costcocanadaliguor.com
donateoneeight.net
primeals.com
elementarycap.com
bakingandcookingandmore.com
maralexhealthservices.com
daniellcreation.com
bricsfintech.com
nazifsevim.com
lx-w.com
office421.com
1123ll.com
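A practical use of the list above is to hunt DNS or proxy logs for it while keeping the C2 and decoy entries apart. The script below is an added example for this report, not part of the sandbox output; the split into one C2 URL and bare decoy domains follows Formbook's known config layout described above, the extracted list is truncated to a few entries, and the DNS log lines are constructed for the demo.

```python
"""Hunt for the extracted Formbook config in DNS logs, separating C2 from decoys.

Added example; not sandbox output. Assumptions: the only config entry with a
scheme and path is the live C2 (Formbook's usual layout), and the DNS log
lines below are constructed as "<timestamp> <client> <qname>".
"""
from urllib.parse import urlsplit

# A few of the entries from the report's Malware Config section (truncated here).
EXTRACTED = [
    "http://www.mansiobok2.info/ns424/",
    "loginaccount-secure.com",
    "roadside-web.com",
    "lovelydays.info",
    "office421.com",
]

def split_config(entries):
    """Return (c2_hosts, decoy_hosts); any entry carrying a scheme is the C2."""
    c2, decoys = set(), set()
    for entry in entries:
        if "://" in entry:
            c2.add(urlsplit(entry).hostname.lower())
        else:
            decoys.add(entry.lower())
    return c2, decoys

def registrable(host):
    """Crude normalisation: lower-case, strip trailing dot and a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

# Constructed DNS log lines for the demo.
DNS_LOG = """\
2020-07-09T06:43:01Z 10.0.0.12 www.mansiobok2.info
2020-07-09T06:43:02Z 10.0.0.12 roadside-web.com
2020-07-09T06:43:05Z 10.0.0.31 update.microsoft.com
2020-07-09T06:44:10Z 10.0.0.12 office421.com
""".splitlines()

def classify_dns(lines, entries=EXTRACTED):
    """Tag each matching query as 'c2' (high confidence) or 'decoy' (low confidence)."""
    c2, decoys = split_config(entries)
    c2_r = {registrable(h) for h in c2}
    decoy_r = {registrable(h) for h in decoys}
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        r = registrable(qname)
        if r in c2_r:
            hits.append((client, qname, "c2"))
        elif r in decoy_r:
            # Decoys are legitimate sites; a lone decoy lookup proves nothing.
            hits.append((client, qname, "decoy"))
    return hits

def hosts_needing_triage(hits):
    """Only clients that resolved the live C2 warrant incident response."""
    return sorted({client for client, _, kind in hits if kind == "c2"})

if __name__ == "__main__":
    found = classify_dns(DNS_LOG)
    for client, qname, kind in found:
        print(f"{kind:5s} {client} -> {qname}")
    print("triage:", hosts_needing_triage(found))
```

Decoy matches are kept but never escalated on their own; a client that resolves the C2 host (with or without decoys) is the one to pull for forensics.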
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. In this run it is the dropped NELLYORIBIN.exe, so the sample carries two stealer families: Agent Tesla on disk and Formbook injected in memory.
-
AgentTesla Payload 4 IoCs
resource | yara_rule
\Users\Admin\Documents\NELLYORIBIN.exe | family_agenttesla
\Users\Admin\Documents\NELLYORIBIN.exe | family_agenttesla
C:\Users\Admin\Documents\NELLYORIBIN.exe | family_agenttesla
C:\Users\Admin\Documents\NELLYORIBIN.exe | family_agenttesla
-
Formbook Payload 3 IoCs
resource | yara_rule
behavioral1/memory/580-8-0x0000000000400000-0x000000000042D000-memory.dmp | formbook
behavioral1/memory/580-9-0x000000000041E300-mapping.dmp | formbook
behavioral1/memory/284-10-0x0000000000000000-mapping.dmp | formbook
-
Executes dropped EXE 1 IoCs
pid | process
1016 | NELLYORIBIN.exe
-
Deletes itself 1 IoCs
pid | process
1096 | cmd.exe
-
Loads dropped DLL 2 IoCs
pid | process
1400 | CMA-Inquiry DA39-RFQ-Urgent order-07820.exe
1400 | CMA-Inquiry DA39-RFQ-Urgent order-07820.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 3 IoCs
pid | process | target pid | target process
1400 | CMA-Inquiry DA39-RFQ-Urgent order-07820.exe | 580 | CMA-Inquiry DA39-RFQ-Urgent order-07820.exe
580 | CMA-Inquiry DA39-RFQ-Urgent order-07820.exe | 1284 | Explorer.EXE
284 | rundll32.exe | 1284 | Explorer.EXE
The first row is the dropper starting a second copy of its own image and rewriting that child's thread context (process hollowing); the next two are the hollowed child and rundll32.exe redirecting a thread in Explorer.EXE, which is how the Formbook payload ends up running under a trusted process.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox tags this as a ransomware heuristic, but no file encryption or ransom-note activity is reported for this sample; here it is consistent with a stealer enumerating drives.
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid | process | occurrences
1400 | CMA-Inquiry DA39-RFQ-Urgent order-07820.exe | 3
1016 | NELLYORIBIN.exe | 2
580 | CMA-Inquiry DA39-RFQ-Urgent order-07820.exe | 2
284 | rundll32.exe | 25
-
Suspicious behavior: MapViewOfSection 5 IoCs
pid | process | occurrences
580 | CMA-Inquiry DA39-RFQ-Urgent order-07820.exe | 3
284 | rundll32.exe | 2
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
token | pid | process
SeDebugPrivilege | 1400 | CMA-Inquiry DA39-RFQ-Urgent order-07820.exe
SeDebugPrivilege | 1016 | NELLYORIBIN.exe
SeDebugPrivilege | 580 | CMA-Inquiry DA39-RFQ-Urgent order-07820.exe
SeDebugPrivilege | 284 | rundll32.exe
-
Suspicious use of FindShellTrayWindow 5 IoCs
pid | process | occurrences
1284 | Explorer.EXE | 5
-
Suspicious use of SendNotifyMessage 4 IoCs
pid | process | occurrences
1284 | Explorer.EXE | 4
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | process
1016 | NELLYORIBIN.exe
(SetWindowsHookEx is the usual API for installing a keyboard hook; consistent with Agent Tesla's keylogging.)
-
Suspicious use of WriteProcessMemory 22 IoCs
pid | process | target pid | target process | occurrences
1400 | CMA-Inquiry DA39-RFQ-Urgent order-07820.exe | 1016 | NELLYORIBIN.exe | 4
1400 | CMA-Inquiry DA39-RFQ-Urgent order-07820.exe | 580 | CMA-Inquiry DA39-RFQ-Urgent order-07820.exe | 7
1284 | Explorer.EXE | 284 | rundll32.exe | 7
284 | rundll32.exe | 1096 | cmd.exe | 4
Processes
C:\Windows\Explorer.EXE (PID 1284)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\CMA-Inquiry DA39-RFQ-Urgent order-07820.exe (PID 1400)
    command line: "C:\Users\Admin\AppData\Local\Temp\CMA-Inquiry DA39-RFQ-Urgent order-07820.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\Documents\NELLYORIBIN.exe (PID 1016)
      command line: "C:\Users\Admin\Documents\NELLYORIBIN.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\CMA-Inquiry DA39-RFQ-Urgent order-07820.exe (PID 580)
      command line: "C:\Users\Admin\AppData\Local\Temp\CMA-Inquiry DA39-RFQ-Urgent order-07820.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\rundll32.exe (PID 284)
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1096)
      command line: cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\CMA-Inquiry DA39-RFQ-Urgent order-07820.exe"
      - Deletes itself
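Three things in this tree are detectable from process-creation telemetry alone: rundll32.exe launched by Explorer with no arguments, a process spawning a second instance of its own image (the hollowing target), and cmd.exe deleting the dropper. The script below is an added example written for this report, not part of the sandbox output; the events are constructed Sysmon-style records (field names chosen for the demo) that mirror the PIDs and command lines in the tree, plus one benign rundll32.exe launch to show the no-arguments rule does not fire on normal use.

```python
"""Detection logic for the process chain shown in this report.

Added example; not sandbox output. EVENTS are constructed process-create
records (pid, ppid, image, cmd) mirroring the Processes tree above, with one
benign rundll32.exe launch added as a negative case.
"""
import re

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\CMA-Inquiry DA39-RFQ-Urgent order-07820.exe"

EVENTS = [
    dict(pid=1284, ppid=500,  image=r"C:\Windows\Explorer.EXE", cmd=r"C:\Windows\Explorer.EXE"),
    dict(pid=1400, ppid=1284, image=DROPPER, cmd=f'"{DROPPER}"'),
    dict(pid=1016, ppid=1400, image=r"C:\Users\Admin\Documents\NELLYORIBIN.exe",
         cmd=r'"C:\Users\Admin\Documents\NELLYORIBIN.exe"'),
    dict(pid=580,  ppid=1400, image=DROPPER, cmd=f'"{DROPPER}"'),
    dict(pid=284,  ppid=1284, image=r"C:\Windows\SysWOW64\rundll32.exe",
         cmd=r'"C:\Windows\SysWOW64\rundll32.exe"'),
    dict(pid=1096, ppid=284,  image=r"C:\Windows\SysWOW64\cmd.exe",
         cmd=f'C:\\Windows\\SysWOW64\\cmd.exe /c del "{DROPPER}"'),
    # Benign negative case (constructed): rundll32 given a DLL and export, as Windows does itself.
    dict(pid=2000, ppid=1284, image=r"C:\Windows\System32\rundll32.exe",
         cmd=r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def args_after_image(cmd):
    """Drop the first (possibly quoted) token, i.e. the image, and return the remaining arguments."""
    m = re.match(r'\s*("[^"]*"|\S+)\s*(.*)$', cmd)
    return m.group(2).strip() if m else cmd.strip()

def detect(events):
    """Return (rule, pid) findings for the three patterns in the tree."""
    by_pid = {e["pid"]: e for e in events}
    images = {e["image"].lower() for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""

        # 1. rundll32.exe with an empty argument list, parented by explorer.exe.
        #    Legitimate rundll32 always names a DLL; an injected Explorer starting it bare is the Formbook hand-off.
        if name == "rundll32.exe" and parent_name == "explorer.exe" and not args_after_image(e["cmd"]):
            findings.append(("rundll32_no_args_from_explorer", e["pid"]))

        # 2. A process launching another instance of exactly its own image path: hollowing candidate.
        if parent and parent["image"].lower() == e["image"].lower() and name != "explorer.exe":
            findings.append(("self_spawn_same_image", e["pid"]))

        # 3. cmd.exe /c del <path> where <path> is an executable seen running in this tree.
        if name == "cmd.exe":
            m = re.search(r'/c\s+del\s+"?([^"]+?)"?\s*$', e["cmd"], re.IGNORECASE)
            if m and m.group(1).lower() in images:
                findings.append(("self_delete_of_dropper", e["pid"]))
    return findings

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32s} pid={pid}")
```

Rule 1 is the highest-signal of the three on a real estate; rule 2 also fires on some legitimate self-relaunching installers, so it is best used to corroborate rather than alert alone.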
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: d8fe0929e3699d59e8d8a2d677dbe863
SHA1: a253d625f69b1f537f2deefe2a51d80999686bd2
SHA256: 7cd4dc47ff59ffc6fc42ae75f2d16376a0966c4e3608d411fa2d68b6f816ab43
SHA512: 5f262d26f8733b49ab70c9139e13636583ac8254ba37e1ebeb01cf0ecc6aca4fab866e9c61ee1295073d37118e8da98ef9c394ac94471d6b81e8417d6ac9d0ab