Analysis
- max time kernel: 134s
- max time network: 12s
- platform: windows7_x64
- resource: win7v200722
- submitted: 31-07-2020 13:25
- Static task: static1
- Behavioral task: behavioral1
  Sample: PURCHASE ORDER.exe
  Resource: win7v200722
- Behavioral task: behavioral2
  Sample: PURCHASE ORDER.exe
  Resource: win10
General
- Target: PURCHASE ORDER.exe
- Size: 450KB
- MD5: 4c30879733bee6a617162ac01c72e99f
- SHA1: 72198172e29d4c0eb81888397dcae546578ed3d2
- SHA256: 5f40c09b663d4e544cd611c361ca19732f325cbb4310e0f671aa3dffb975eba4
- SHA512: c7c203d6b3f46d40da1a09011c30e8b10b2351b1d43905c5466093a132f347045e97c9f98e3e54bd4821f21f7d6577ba5270e0aac19bfca957e252a5dfb7b500
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid | process):
  108 | PURCHASE ORDER.exe
  108 | PURCHASE ORDER.exe
  108 | PURCHASE ORDER.exe
  1844 | RegSvcs.exe
  1844 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process), the same row recorded 12 times:
  PID 108 wrote to memory of 1844 | 108 | PURCHASE ORDER.exe | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 108 set thread context of 1844 | 108 | PURCHASE ORDER.exe | RegSvcs.exe
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  Processes (resource | yara_rule):
  behavioral1/memory/1844-3-0x0000000000400000-0x000000000044A000-memory.dmp | agent_tesla
  behavioral1/memory/1844-3-0x0000000000400000-0x000000000044A000-memory.dmp | agent_tesla
  behavioral1/memory/1844-4-0x0000000000445ECE-mapping.dmp | agent_tesla
  behavioral1/memory/1844-5-0x0000000000400000-0x000000000044A000-memory.dmp | agent_tesla
  behavioral1/memory/1844-5-0x0000000000400000-0x000000000044A000-memory.dmp | agent_tesla
  behavioral1/memory/1844-6-0x0000000000400000-0x000000000044A000-memory.dmp | agent_tesla
  behavioral1/memory/1844-6-0x0000000000400000-0x000000000044A000-memory.dmp | agent_tesla
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 108 | PURCHASE ORDER.exe
  Token: SeDebugPrivilege | 1844 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1844-3-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/1844-4-0x0000000000445ECE-mapping.dmp
- memory/1844-5-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/1844-6-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)