Analysis
-
max time kernel
138s -
max time network
31s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
09-07-2020 12:41
Static task
static1
Behavioral task
behavioral1
Sample
Paid Invoice.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
Paid Invoice.exe
Resource
win10
General
-
Target
Paid Invoice.exe
-
Size
940KB
-
MD5
bde63b59d82e03cea80de443c6738c6f
-
SHA1
34e77df4e37a23a8c45f9b9a62a938d756add173
-
SHA256
b3bf1c568dfbb2a1af09b07eb0a7aff6e2d7addbf3c51e4c6850ebc96afd103e
-
SHA512
f1e68b492747884786996bec97214fb4a126444dc4928803cecfa7f0a716fa29c822f76eeff41d7b7ca164cde4b24a70e45aecdf8c8b9ff1d1cabd3800b6850d
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Paid Invoice.exedescription pid process target process PID 1032 wrote to memory of 1004 1032 Paid Invoice.exe Paid Invoice.exe PID 1032 wrote to memory of 1004 1032 Paid Invoice.exe Paid Invoice.exe PID 1032 wrote to memory of 1004 1032 Paid Invoice.exe Paid Invoice.exe PID 1032 wrote to memory of 1004 1032 Paid Invoice.exe Paid Invoice.exe -
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
Processes:
resource yara_rule behavioral1/memory/1004-0-0x0000000000400000-0x00000000004A4000-memory.dmp upx behavioral1/memory/1004-2-0x0000000000400000-0x00000000004A4000-memory.dmp upx behavioral1/memory/1004-3-0x0000000000400000-0x00000000004A4000-memory.dmp upx -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Paid Invoice.exePaid Invoice.exepid process 1032 Paid Invoice.exe 1004 Paid Invoice.exe 1004 Paid Invoice.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Paid Invoice.exepid process 1032 Paid Invoice.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Paid Invoice.exedescription pid process target process PID 1032 set thread context of 1004 1032 Paid Invoice.exe Paid Invoice.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Paid Invoice.exedescription pid process Token: SeDebugPrivilege 1004 Paid Invoice.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"C:\Users\Admin\AppData\Local\Temp\Paid Invoice.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1004-0-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/1004-1-0x00000000004A2760-mapping.dmp
-
memory/1004-2-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/1004-3-0x0000000000400000-0x00000000004A4000-memory.dmpFilesize
656KB
-
memory/1004-4-0x0000000001D20000-0x0000000001D6C000-memory.dmpFilesize
304KB
-
memory/1004-5-0x0000000001DE2000-0x0000000001DE3000-memory.dmpFilesize
4KB
-
memory/1004-6-0x0000000001C20000-0x0000000001C66000-memory.dmpFilesize
280KB