Analysis
- Max time kernel: 97s
- Max time network: 96s
- Platform: windows10_x64
- Resource: win10
- Submitted: 31-07-2020 13:25
- Static task: static1
- Behavioral task: behavioral1 (sample: PURCHASE ORDER.exe, resource: win7v200722)
- Behavioral task: behavioral2 (sample: PURCHASE ORDER.exe, resource: win10)
General
- Target: PURCHASE ORDER.exe
- Size: 450KB
- MD5: 4c30879733bee6a617162ac01c72e99f
- SHA1: 72198172e29d4c0eb81888397dcae546578ed3d2
- SHA256: 5f40c09b663d4e544cd611c361ca19732f325cbb4310e0f671aa3dffb975eba4
- SHA512: c7c203d6b3f46d40da1a09011c30e8b10b2351b1d43905c5466093a132f347045e97c9f98e3e54bd4821f21f7d6577ba5270e0aac19bfca957e252a5dfb7b500
Malware Config
Extracted
- Protocol: smtp
- Host: mail.nilgirisfoods.com
- Port: 587
- Username: info@nilgirisfoods.com
- Password: Nil@GiriS1092
Signatures
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid  | process
  4048 | PURCHASE ORDER.exe
  4048 | PURCHASE ORDER.exe
  4048 | PURCHASE ORDER.exe
  4048 | PURCHASE ORDER.exe
  3924 | RegSvcs.exe
  3924 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                        | pid  | process            | target process
  PID 4048 wrote to memory of 3924   | 4048 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 4048 wrote to memory of 3924   | 4048 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 4048 wrote to memory of 3924   | 4048 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 4048 wrote to memory of 3924   | 4048 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 4048 wrote to memory of 3924   | 4048 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 4048 wrote to memory of 3924   | 4048 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 4048 wrote to memory of 3924   | 4048 | PURCHASE ORDER.exe | RegSvcs.exe
  PID 4048 wrote to memory of 3924   | 4048 | PURCHASE ORDER.exe | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                          | pid  | process            | target process
  PID 4048 set thread context of 3924  | 4048 | PURCHASE ORDER.exe | RegSvcs.exe
- Processes (YARA matches):
  resource                                                              | yara_rule
  behavioral2/memory/3924-1-0x0000000000445ECE-mapping.dmp              | agent_tesla
  behavioral2/memory/3924-0-0x0000000000400000-0x000000000044A000-memory.dmp | agent_tesla
  behavioral2/memory/3924-0-0x0000000000400000-0x000000000044A000-memory.dmp | agent_tesla
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 4048 | PURCHASE ORDER.exe
  Token: SeDebugPrivilege  | 3924 | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
  Depth: 1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    Depth: 2
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken