Analysis
- max time kernel: 98s
- max time network: 118s
- platform: windows10_x64
- resource: win10
- submitted: 31-07-2020 11:12
Static task: static1
Behavioral task: behavioral1 (Sample NCG207311154.exe, Resource win7)
Behavioral task: behavioral2 (Sample NCG207311154.exe, Resource win10)
General
- Target: NCG207311154.exe
- Size: 498KB
- MD5: 22fbb2bdcd1308194687c06741b7c115
- SHA1: a512ba6b3f94f4c28310166db8d29403e9d86f40
- SHA256: 9af4e7302015b6c26100e4119cc6463224adef98a668b459051615d9edc3573a
- SHA512: 44658501a7f2012270ebc0696025b812db9954012e581838fdfb8576801db9d4fa67aac62fdc941340150abf6dd5ba884ad7c9c242be908f8749958005219c53
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: house.mate@yandex.com
- Password: papa1974
These are the sample's own exfiltration credentials (the SMTP variant of Agent Tesla mails collected data through this account), not credentials taken from the victim. Port 587 is the SMTP submission port, so the session normally runs inside STARTTLS and the message body is not visible to passive capture.
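The extracted config turned into a network hunt, as an added example that is not part of the sandbox report. The indicator values are the report's Malware Config; the log records are constructed in Zeek's JSON log layout (RFC 5737 TEST-NET addresses, made-up uids and hostnames) and are not from this analysis. It shows the practical limit of the 587/STARTTLS channel: the envelope is only visible when the session is not upgraded to TLS, so the destination alone is a medium-confidence lead.

```python
"""Hunt for the report's SMTP exfiltration channel in Zeek-style logs.

Added example, not part of the sandbox report. The indicator values are the
report's Malware Config (the sample's exfiltration mailbox); the log records
are constructed in Zeek's JSON log layout with RFC 5737 TEST-NET addresses
and are not from this analysis.
"""
import json

# From the report's Malware Config.
C2 = {"host": "smtp.yandex.com", "port": 587, "username": "house.mate@yandex.com"}

# Constructed dns.log: which addresses the exfil host resolved to on this network.
DNS_LOG = """\
{"ts":1596193920.1,"id.orig_h":"10.0.0.5","query":"smtp.yandex.com","answers":["192.0.2.10","192.0.2.11"]}
{"ts":1596193921.0,"id.orig_h":"10.0.0.5","query":"example.org","answers":["198.51.100.7"]}
"""
# Constructed conn.log: two submission-port connections and one unrelated TLS flow.
CONN_LOG = """\
{"ts":1596193920.4,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10","id.resp_p":587,"proto":"tcp","service":"smtp"}
{"ts":1596193930.0,"uid":"C2","id.orig_h":"10.0.0.5","id.resp_h":"198.51.100.7","id.resp_p":443,"proto":"tcp","service":"ssl"}
{"ts":1596194000.0,"uid":"C3","id.orig_h":"10.0.0.9","id.resp_h":"192.0.2.11","id.resp_p":587,"proto":"tcp","service":"smtp"}
"""
# Constructed smtp.log: C1 negotiated STARTTLS, so no envelope was seen; C3 did not.
SMTP_LOG = """\
{"ts":1596193920.5,"uid":"C1","helo":"DESKTOP-1","tls":true}
{"ts":1596194000.2,"uid":"C3","helo":"DESKTOP-2","mailfrom":"house.mate@yandex.com","rcptto":["house.mate@yandex.com"],"tls":false}
"""


def load_jsonl(text):
    """Parse newline-delimited JSON records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def resolve_c2_ips(dns_records, host):
    """Addresses the C2 hostname resolved to, as seen in dns.log."""
    ips = set()
    for r in dns_records:
        if r.get("query", "").lower() == host.lower():
            ips.update(r.get("answers", []))
    return ips


def hunt(dns_log, conn_log, smtp_log, c2):
    """Flag connections to the exfil host on the configured port. Envelope data
    (MAIL FROM / RCPT TO equal to the config mailbox) raises confidence; on 587
    the envelope is normally sent after STARTTLS, so when it is unseen the
    destination alone is only a medium-confidence lead."""
    c2_ips = resolve_c2_ips(load_jsonl(dns_log), c2["host"])
    smtp_by_uid = {r["uid"]: r for r in load_jsonl(smtp_log)}
    hits = []
    for c in load_jsonl(conn_log):
        if c["id.resp_p"] != c2["port"] or c["id.resp_h"] not in c2_ips:
            continue
        s = smtp_by_uid.get(c["uid"], {})
        envelope = s.get("mailfrom") == c2["username"] or c2["username"] in s.get("rcptto", [])
        hits.append({
            "uid": c["uid"], "src": c["id.orig_h"], "dst": c["id.resp_h"],
            "starttls": bool(s.get("tls")), "envelope_match": envelope,
            "confidence": "high" if envelope else "medium",
        })
    return hits


if __name__ == "__main__":
    for h in hunt(DNS_LOG, CONN_LOG, SMTP_LOG, C2):
        print(h)
```

A legitimate Yandex Mail user on the same network produces the same medium-confidence hit, so treat it as a pivot: confirm with the host-side indicators in this report (the \Updates\ scheduled task, the hollowed second NCG207311154.exe instance) before acting on it.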
Signatures
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- AgentTesla
  Agent Tesla is an information stealer with remote access tool (RAT) features, written for the .NET Framework (VB.NET). The CLR_v2.0_32 usage log listed under Downloads is consistent with a 32-bit .NET assembly.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - PID 3684 NCG207311154.exe: enabled SeDebugPrivilege
  - PID 3792 NCG207311154.exe: enabled SeDebugPrivilege
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 3684 NCG207311154.exe set thread context of PID 3792 NCG207311154.exe
  Together with the WriteProcessMemory events below (eight writes from 3684 into 3792, a child started from the same image), this is the RunPE / process-hollowing sequence: the parent starts a copy of itself, overwrites it with the decoded payload and points the main thread at the new image. The agent_tesla YARA matches are in the child's memory, not the parent's.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - PID 3792 NCG207311154.exe
  The hook is installed by the injected child; the hook type is not recorded here. Agent Tesla uses a keyboard hook for keylogging, so this is the event to check in the API trace.
- YARA rule matches
  Processes:
  - behavioral2/memory/3792-2-0x0000000000400000-0x000000000044A000-memory.dmp: agent_tesla
  - behavioral2/memory/3792-3-0x0000000000445F5E-mapping.dmp: agent_tesla
- Creates scheduled task(s) (1 TTP, 1 IoC)
  schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  - PID 3684 NCG207311154.exe (4 events)
  - PID 3792 NCG207311154.exe (2 events)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 3684 NCG207311154.exe wrote to memory of PID 3836 schtasks.exe (3 events)
  - PID 3684 NCG207311154.exe wrote to memory of PID 3792 NCG207311154.exe (8 events)
  The three writes into schtasks.exe are consistent with ordinary process creation (a parent writes into every child it starts); the eight writes into the second NCG207311154.exe instance are the payload being placed in the hollowed child.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Processes
- C:\Users\Admin\AppData\Local\Temp\NCG207311154.exe (PID 3684)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NCG207311154.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 3836)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8BB0.tmp"
    - Creates scheduled task(s)
    The command line names System32 but the image that ran is the SysWOW64 copy: the parent is a 32-bit process, so WoW64 file system redirection applies. The task name keeps the literal text "&startupname&", which looks like an unsubstituted template string; hunt for exactly that task path under \Updates\ on suspect hosts. The task definition is the dropped XML file tmp8BB0.tmp.
  - C:\Users\Admin\AppData\Local\Temp\NCG207311154.exe (PID 3792)
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious behavior: EnumeratesProcesses
    Started by PID 3684 with the unsubstituted template "{path}" as its command line, then hollowed (WriteProcessMemory and SetThreadContext from the parent); this is the process holding the unpacked Agent Tesla image, which is where the memory dumps under Downloads come from.
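The signature rows and process tree above, reduced to the two findings a responder needs (the hollowing chain and the persistence task), as an added example that is not part of the sandbox report or the vendor's tooling. The event and process tuples are transcribed from this report's IoC tables (PIDs 3684, 3792, 3836); the tuple layout, regexes and function names are this script's own assumptions. It also decodes the dump names so the 296KB region size and the mapping address can be checked rather than read off the page.

```python
"""Reconstruct the process-hollowing chain and persistence from a sandbox report.

Added example, not part of the sandbox report or its vendor's tooling. The
events and process rows are transcribed from this report's IoC tables (PIDs
3684, 3792, 3836); the tuple layout and function names are this script's own.
"""
import re
from collections import Counter

# Constructed from the report's IoC rows:
# (api, source pid, source image, target pid, target image); None when no target.
EVENTS = (
    [("WriteProcessMemory", 3684, "NCG207311154.exe", 3836, "schtasks.exe")] * 3
    + [("WriteProcessMemory", 3684, "NCG207311154.exe", 3792, "NCG207311154.exe")] * 8
    + [
        ("SetThreadContext", 3684, "NCG207311154.exe", 3792, "NCG207311154.exe"),
        ("SetWindowsHookEx", 3792, "NCG207311154.exe", None, None),
        ("AdjustPrivilegeToken:SeDebugPrivilege", 3684, "NCG207311154.exe", None, None),
        ("AdjustPrivilegeToken:SeDebugPrivilege", 3792, "NCG207311154.exe", None, None),
    ]
)

# Constructed from the report's process tree: (pid, parent pid, image, command line).
PROCESSES = [
    (3684, None, "NCG207311154.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\NCG207311154.exe"'),
    (3836, 3684, "schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp8BB0.tmp"'),
    (3792, 3684, "NCG207311154.exe", '"{path}"'),
]

# Dump names the report lists for the child (both matched the agent_tesla rule).
DUMPS = [
    "behavioral2/memory/3792-2-0x0000000000400000-0x000000000044A000-memory.dmp",
    "behavioral2/memory/3792-3-0x0000000000445F5E-mapping.dmp",
]

SCHTASKS_RE = re.compile(r'/TN\s+"([^"]+)".*?/XML\s+"([^"]+)"', re.IGNORECASE)
PLACEHOLDER_RE = re.compile(r"&\w+&|\{\w+\}")  # unsubstituted template markers
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def find_hollowing(events, processes):
    """Parent wrote into a child it spawned, then replaced the child's thread
    context: the RunPE / process-hollowing sequence. A child started from the
    parent's own image with a template command line ("{path}") is the
    self-injection variant seen in this report."""
    parent_of = {pid: ppid for pid, ppid, _, _ in processes}
    cmdline_of = {pid: cmd for pid, _, _, cmd in processes}
    writes = Counter(
        (src, dst) for api, src, _, dst, _ in events
        if api == "WriteProcessMemory" and dst is not None
    )
    findings = []
    for api, src, src_img, dst, dst_img in events:
        if api == "SetThreadContext" and parent_of.get(dst) == src and writes[(src, dst)]:
            findings.append({
                "parent": src, "child": dst, "writes": writes[(src, dst)],
                "same_image": src_img == dst_img,
                "template_cmdline": bool(PLACEHOLDER_RE.search(cmdline_of.get(dst, ""))),
            })
    return findings


def find_schtasks_persistence(processes):
    """Task name and XML definition path from schtasks /Create command lines."""
    out = []
    for pid, ppid, image, cmdline in processes:
        if image.lower() == "schtasks.exe" and "/create" in cmdline.lower():
            m = SCHTASKS_RE.search(cmdline)
            if m:
                out.append({
                    "pid": pid, "parent": ppid, "task": m.group(1), "xml": m.group(2),
                    "template_name": bool(PLACEHOLDER_RE.search(m.group(1))),
                })
    return out


def parse_dump(name):
    """Decode a sandbox dump name into pid, kind and address range (size in bytes)."""
    m = DUMP_RE.search(name)
    if m:
        pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        return {"pid": pid, "kind": "memory", "start": start, "end": end, "size": end - start}
    m = MAPPING_RE.search(name)
    if m:
        return {"pid": int(m.group(1)), "kind": "mapping", "start": int(m.group(2), 16)}
    return None


def payload_regions(dumps, child_pid):
    """Regions dumped from the hollowed child, annotating each mapping address
    with whether it lies inside one of the dumped memory regions."""
    parsed = [d for d in (parse_dump(n) for n in dumps) if d and d["pid"] == child_pid]
    regions = [d for d in parsed if d["kind"] == "memory"]
    for d in parsed:
        if d["kind"] == "mapping":
            d["inside_region"] = any(r["start"] <= d["start"] < r["end"] for r in regions)
    return parsed


if __name__ == "__main__":
    for f in find_hollowing(EVENTS, PROCESSES):
        print("hollowing:", f)
    for p in find_schtasks_persistence(PROCESSES):
        print("persistence:", p)
    for d in payload_regions(DUMPS, 3792):
        print("dump:", d)
```

The hollowing rule deliberately requires all three conditions (parent-child relationship, prior WriteProcessMemory, SetThreadContext); the three writes into schtasks.exe never trigger it because no thread context was set there, which is the distinction between a normal child launch and an injection.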
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NCG207311154.exe.log
  Written by the .NET runtime when the sample ran as a 32-bit CLR 2.0 assembly (.NET Framework 2.0/3.5); it confirms the managed, 32-bit nature of the loader.
- C:\Users\Admin\AppData\Local\Temp\tmp8BB0.tmp
  The scheduled task definition passed to schtasks.exe via /XML; inspect it for the task's action (what gets run, from where) and trigger.
- memory/3792-2-0x0000000000400000-0x000000000044A000-memory.dmp (filesize 296KB)
  The 0x400000-0x44A000 region (0x4A000 bytes = 296KB) of PID 3792, the hollowed child; this is the unpacked Agent Tesla image and the source of the agent_tesla YARA match, so it is the artefact to carve and analyse rather than the packed 498KB file on disk.
- memory/3792-3-0x0000000000445F5E-mapping.dmp
  Address inside the region above.
- memory/3836-0-0x0000000000000000-mapping.dmp
  From schtasks.exe (PID 3836); no payload content.