Analysis
- max time kernel: 140s
- max time network: 143s
- platform: windows10_x64
- resource: win10
- submitted: 13-07-2020 06:55
Static task: static1
Behavioral task: behavioral1
- Sample: invoice copy.pdf.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: invoice copy.pdf.exe
- Resource: win10
General
- Target: invoice copy.pdf.exe
- Size: 951KB
- MD5: 3e6acec29c526b5546a5cb38d16c8d04
- SHA1: 3953b813d92a30446487b02fd1ef1fe96bece8e3
- SHA256: b774c08d6cd60de0b59191fe1102105eec3cde3ffab89daeb4faa8a88747e9e5
- SHA512: a9e3d6f9cc90aee7119facec54d4fddf52e6eb9a5fe12d13f1f3d01ce6dc8803e0dff62f5f7b3a229bcf6db55cc170ce74bb856d945b9971ec78e477012b85e4
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: chibuikelightwork1
Signatures
- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  Processes (resource: yara_rule):
  - behavioral2/memory/3884-0-0x0000000000400000-0x00000000004A4000-memory.dmp: upx
  - behavioral2/memory/3884-2-0x0000000000400000-0x00000000004A4000-memory.dmp: upx
  - behavioral2/memory/3884-3-0x0000000000400000-0x00000000004A4000-memory.dmp: upx
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description; pid; process; target process):
  - PID 976 wrote to memory of 3884; 976; invoice copy.pdf.exe; invoice copy.pdf.exe
  - PID 976 wrote to memory of 3884; 976; invoice copy.pdf.exe; invoice copy.pdf.exe
  - PID 976 wrote to memory of 3884; 976; invoice copy.pdf.exe; invoice copy.pdf.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid; process):
  - 976; invoice copy.pdf.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; pid; process; target process):
  - PID 976 set thread context of 3884; 976; invoice copy.pdf.exe; invoice copy.pdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description; pid; process):
  - Token: SeDebugPrivilege; 3884; invoice copy.pdf.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid; process):
  - 976; invoice copy.pdf.exe
  - 976; invoice copy.pdf.exe
  - 3884; invoice copy.pdf.exe
  - 3884; invoice copy.pdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe "C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe" (1)
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe "C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe" (2)
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3884-0-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/3884-1-0x00000000004A2410-mapping.dmp
- memory/3884-2-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/3884-3-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/3884-4-0x00000000009B0000-0x00000000009FC000-memory.dmp (Filesize: 304KB)
- memory/3884-5-0x0000000002322000-0x0000000002323000-memory.dmp (Filesize: 4KB)