Analysis
- max time kernel: 121s
- max time network: 117s
- platform: windows10_x64
- resource: win10
- submitted: 09-07-2020 06:42
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: invoice 20SMX0701006N20SMX0701007N.exe
  Resource: win7v200430
- Behavioral task: behavioral2
  Sample: invoice 20SMX0701006N20SMX0701007N.exe
  Resource: win10
General
- Target: invoice 20SMX0701006N20SMX0701007N.exe
- Size: 738KB
- MD5: f19e6a2e94a9e8df79bba2be0f615382
- SHA1: 11392f28bb332471e769a262f7e75cdbe618e939
- SHA256: 21ae6a2cb858073f8ef1089c949f36fd890f79a9b5f2385f945b1bc7a8a4da76
- SHA512: a14bbb3ee0d4ac3f76ca500e9fadbfcd8d4eeaf18db52b8ad00143b1956e0b4f580b2e25b0ad98679d7ad4777beae21d5fd0ab1fde169d37117c975e7b9d18d7
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: chibuikelightwork1
Signatures
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        pid   process                                  target process
    PID 344 wrote to memory of 3896    344   invoice 20SMX0701006N20SMX0701007N.exe   invoice 20SMX0701006N20SMX0701007N.exe
    (this same entry is reported 8 times, one per IoC)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   process                                  target process
    PID 344 set thread context of 3896    344   invoice 20SMX0701006N20SMX0701007N.exe   invoice 20SMX0701006N20SMX0701007N.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   3896   invoice 20SMX0701006N20SMX0701007N.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid    process
    3896   invoice 20SMX0701006N20SMX0701007N.exe
    3896   invoice 20SMX0701006N20SMX0701007N.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid    process
    3896   invoice 20SMX0701006N20SMX0701007N.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\invoice 20SMX0701006N20SMX0701007N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\invoice 20SMX0701006N20SMX0701007N.exe"
  PID: 344
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\invoice 20SMX0701006N20SMX0701007N.exe (child process)
    Command line: "{path}"
    PID: 3896
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx