Analysis
- max time kernel: 89s
- max time network: 52s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 11:12
Static task: static1
Behavioral task: behavioral1 (Sample: NCG207311154.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: NCG207311154.exe, Resource: win10)
General
- Target: NCG207311154.exe
- Size: 498KB
- MD5: 22fbb2bdcd1308194687c06741b7c115
- SHA1: a512ba6b3f94f4c28310166db8d29403e9d86f40
- SHA256: 9af4e7302015b6c26100e4119cc6463224adef98a668b459051615d9edc3573a
- SHA512: 44658501a7f2012270ebc0696025b812db9954012e581838fdfb8576801db9d4fa67aac62fdc941340150abf6dd5ba884ad7c9c242be908f8749958005219c53
Malware Config
Signatures
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
- description | pid | process | target process
- PID 1100 wrote to memory of 1604 | 1100 | NCG207311154.exe | schtasks.exe (4 events)
- PID 1100 wrote to memory of 1048 | 1100 | NCG207311154.exe | NCG207311154.exe (9 events)
Suspicious use of SetThreadContext 1 IoCs
Processes:
- description | pid | process | target process
- PID 1100 set thread context of 1048 | 1100 | NCG207311154.exe | NCG207311154.exe
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers will often target it.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- description | pid | process
- Token: SeDebugPrivilege | 1100 | NCG207311154.exe
- Token: SeDebugPrivilege | 1048 | NCG207311154.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
- pid | process
- 1100 | NCG207311154.exe (3 events)
- 1048 | NCG207311154.exe (2 events)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- pid | process
- 1048 | NCG207311154.exe
Processes:
- resource | yara_rule
- behavioral1/memory/1048-4-0x0000000000400000-0x000000000044A000-memory.dmp | agent_tesla (2 matches)
- behavioral1/memory/1048-5-0x0000000000445F5E-mapping.dmp | agent_tesla
- behavioral1/memory/1048-6-0x0000000000400000-0x000000000044A000-memory.dmp | agent_tesla (2 matches)
- behavioral1/memory/1048-7-0x0000000000400000-0x000000000044A000-memory.dmp | agent_tesla (2 matches)
Processes
- C:\Users\Admin\AppData\Local\Temp\NCG207311154.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NCG207311154.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\schtasks.exe (child process)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD3C2.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\NCG207311154.exe (child process)
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD3C2.tmp
- memory/1048-4-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/1048-5-0x0000000000445F5E-mapping.dmp
- memory/1048-6-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/1048-7-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
- memory/1100-2-0x0000000008B20000-0x0000000008B22000-memory.dmp (Filesize: 8KB)
- memory/1604-0-0x0000000000000000-mapping.dmp