Analysis
- max time kernel: 135s
- max time network: 33s
- platform: windows7_x64
- resource: win7v200430
- submitted: 13-07-2020 06:55
Static task: static1
Behavioral task: behavioral1 (Sample: invoice copy.pdf.exe; Resource: win7v200430)
Behavioral task: behavioral2 (Sample: invoice copy.pdf.exe; Resource: win10)
General
- Target: invoice copy.pdf.exe
- Size: 951KB
- MD5: 3e6acec29c526b5546a5cb38d16c8d04
- SHA1: 3953b813d92a30446487b02fd1ef1fe96bece8e3
- SHA256: b774c08d6cd60de0b59191fe1102105eec3cde3ffab89daeb4faa8a88747e9e5
- SHA512: a9e3d6f9cc90aee7119facec54d4fddf52e6eb9a5fe12d13f1f3d01ce6dc8803e0dff62f5f7b3a229bcf6db55cc170ce74bb856d945b9971ec78e477012b85e4
Malware Config
Signatures
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PID 1492 (invoice copy.pdf.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1492 (invoice copy.pdf.exe) set thread context of PID 744 (invoice copy.pdf.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 744 (invoice copy.pdf.exe) enabled token privilege SeDebugPrivilege
- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  Resources matching YARA rule upx (all in the memory of PID 744, image region 0x400000-0x4A4000):
    behavioral1/memory/744-0-0x0000000000400000-0x00000000004A4000-memory.dmp
    behavioral1/memory/744-2-0x0000000000400000-0x00000000004A4000-memory.dmp
    behavioral1/memory/744-3-0x0000000000400000-0x00000000004A4000-memory.dmp
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 1492 (invoice copy.pdf.exe) wrote to memory of PID 744 (invoice copy.pdf.exe), 4 times
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and infostealer written in Visual Basic (.NET).
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: PID 1492 (invoice copy.pdf.exe); PID 744 (invoice copy.pdf.exe); PID 744 (invoice copy.pdf.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe (PID 1492)
   Command line: "C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: EnumeratesProcesses
2. C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe (PID 744, second instance spawned under the first)
   Command line: "C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious behavior: EnumeratesProcesses
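The signature and process tables above are per-API observations; the security-relevant shape is the chain between them: the first instance (PID 1492) spawns a second copy of the same image (PID 744), writes into it four times and redirects a thread with SetThreadContext, after which only the child enables SeDebugPrivilege and touches browser, FTP and mail credential stores, and the UPX rule fires on the child's image region at 0x400000. The script below reconstructs that chain from the report's events. It is an added example, not part of the sandbox report or its tooling; the event records and dump names are transcribed from this page, while the Event fields, the classify_chain heuristic, the extension lists and the dump-name pattern are this example's own assumptions.

```python
"""Added example (not part of the sandbox report): rebuild the cross-process
chain from the behavioural events listed above and tie the packer evidence to
the injected child. Field names, classify_chain's heuristic and DUMP_RE are
assumptions made for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    api: str                           # API family the sandbox flagged
    pid: int                           # acting process
    image: str                         # image name of the acting process
    target: Optional[int] = None       # target pid for cross-process APIs
    target_image: Optional[str] = None


# Transcribed from the report's signature tables: PID 1492 is the first
# instance of the sample, PID 744 the second instance it spawned.
EVENTS = [
    Event("MapViewOfSection", 1492, "invoice copy.pdf.exe"),
    Event("SetThreadContext", 1492, "invoice copy.pdf.exe", 744, "invoice copy.pdf.exe"),
    *[Event("WriteProcessMemory", 1492, "invoice copy.pdf.exe", 744, "invoice copy.pdf.exe")
      for _ in range(4)],
    Event("AdjustPrivilegeToken", 744, "invoice copy.pdf.exe"),   # SeDebugPrivilege
    Event("EnumeratesProcesses", 1492, "invoice copy.pdf.exe"),
    Event("EnumeratesProcesses", 744, "invoice copy.pdf.exe"),
    Event("EnumeratesProcesses", 744, "invoice copy.pdf.exe"),
]

# Dump names that matched the upx rule, transcribed from the report.
UPX_DUMPS = [
    "memory/744-0-0x0000000000400000-0x00000000004A4000-memory.dmp",
    "memory/744-2-0x0000000000400000-0x00000000004A4000-memory.dmp",
    "memory/744-3-0x0000000000400000-0x00000000004A4000-memory.dmp",
]

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}   # assumed list
PE_EXTS = {"exe", "scr", "com", "pif"}


def double_extension_masquerade(image: str) -> bool:
    """'invoice copy.pdf.exe': a document-looking name carried by a PE."""
    parts = image.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in PE_EXTS


def injection_chains(events):
    """Group cross-process API calls by (source pid, target pid)."""
    chains = defaultdict(lambda: {"apis": set(), "writes": 0,
                                  "image": None, "target_image": None})
    for e in events:
        if e.target is None:
            continue
        c = chains[(e.pid, e.target)]
        c["apis"].add(e.api)
        if e.api == "WriteProcessMemory":
            c["writes"] += 1
        c["image"], c["target_image"] = e.image, e.target_image
    return dict(chains)


def classify_chain(chain) -> str:
    """Write plus thread-context redirect into a child running the same image is
    the classic hollowing / RunPE shape; other combinations rank lower."""
    apis = chain["apis"]
    if {"WriteProcessMemory", "SetThreadContext"} <= apis:
        if chain["image"] == chain["target_image"]:
            return "self-injection (hollowing-style)"
        return "remote injection"
    if "WriteProcessMemory" in apis:
        return "cross-process write only"
    return "no injection primitives"


# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp as listed under Downloads;
# "-mapping.dmp" entries carry no address range and yield None.
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")


def dump_region(name: str):
    """Return (pid, start, end, size_kb) for a memory-dump name, else None."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return pid, start, end, (end - start) // 1024


def analyse(events, upx_dumps=()):
    """Summarise: masquerading names, injection chains, privilege use, and whether
    the packer hits sit in the injection target's image region."""
    report = {"masquerade": set(), "chains": {}, "privileged": set(),
              "upx_in_child_image": False}
    for e in events:
        if double_extension_masquerade(e.image):
            report["masquerade"].add(e.image)
        if e.api == "AdjustPrivilegeToken":
            report["privileged"].add(e.pid)
    for key, chain in injection_chains(events).items():
        report["chains"][key] = classify_chain(chain)
    targets = {dst for (_, dst) in report["chains"]}
    for d in upx_dumps:
        r = dump_region(d)
        # 0x400000 is the default image base of a 32-bit PE; a packer rule hit in
        # that region of the injection target links the UPX evidence to the child.
        if r and r[0] in targets and r[1] == 0x400000:
            report["upx_in_child_image"] = True
    return report


if __name__ == "__main__":
    for k, v in analyse(EVENTS, UPX_DUMPS).items():
        print(f"{k}: {v}")
```

Run stand-alone it reports the double-extension name, one chain 1492 -> 744 classified as self-injection, SeDebugPrivilege held only by 744, and the UPX hits located in 744's image region (0x400000-0x4A4000, 656KB, matching the Filesize under Downloads). That combination, not any single API call, is what a detection on endpoint telemetry should key on: a fresh copy of the same image, written to and thread-redirected by its parent, followed by privilege and credential-store access in the child.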
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/744-0-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/744-1-0x00000000004A2410-mapping.dmp
- memory/744-2-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/744-3-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/744-4-0x0000000000340000-0x000000000038C000-memory.dmp (Filesize: 304KB)
- memory/744-5-0x0000000001FF2000-0x0000000001FF3000-memory.dmp (Filesize: 4KB)
- memory/744-6-0x0000000000220000-0x0000000000266000-memory.dmp (Filesize: 280KB)