4524f74c75340e0761a5e4e0f3c070fb96a364de054fead9c96c8ee8f4f81f0a

General

Target

TNT E-Invoice Consignment Delivey Notification_pdf.exe
Size

401KB
MD5

bbebe99bf36cb3dc4c3c37a9487468ac
SHA1

b3c4734cbc3846304647fbf6854f6cbb3c0ab635
SHA256

4524f74c75340e0761a5e4e0f3c070fb96a364de054fead9c96c8ee8f4f81f0a
SHA512

64dfec480badbb528b1cc43d90780b7a1600bdb768da047013d5db16ebdf49d003dbc01a43568104c5dba220f54ff95f7c12648ca4cbed8a2098c817e1cf2016

Score

10^/10

persistence spyware

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.minioninvest.com
Port:
587
Username:
support@minioninvest.com
Password:
uchegite08

Signatures

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

TNT E-Invoice Consignment Delivey Notification_pdf.exeTNT E-Invoice Consignment Delivey Notification_pdf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

TNT E-Invoice Consignment Delivey Notification_pdf.exeTNT E-Invoice Consignment Delivey Notification_pdf.exe

description	pid	process
Token: SeDebugPrivilege	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe
Token: SeDebugPrivilege	316	TNT E-Invoice Consignment Delivey Notification_pdf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TNT E-Invoice Consignment Delivey Notification_pdf.exe

pid process

316 TNT E-Invoice Consignment Delivey Notification_pdf.exe

pid	process
316	TNT E-Invoice Consignment Delivey Notification_pdf.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

TNT E-Invoice Consignment Delivey Notification_pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TNT E-Invoice Consignment Delivey Notification_pdf.exe\""	TNT E-Invoice Consignment Delivey Notification_pdf.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 checkip.dyndns.org
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

TNT E-Invoice Consignment Delivey Notification_pdf.exeTNT E-Invoice Consignment Delivey Notification_pdf.exe

pid process

1068 TNT E-Invoice Consignment Delivey Notification_pdf.exe
316 TNT E-Invoice Consignment Delivey Notification_pdf.exe

flow	ioc
3	checkip.dyndns.org

pid	process
1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe
316	TNT E-Invoice Consignment Delivey Notification_pdf.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

TNT E-Invoice Consignment Delivey Notification_pdf.exe

description	pid	process	target process
PID 1068 set thread context of 316	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

TNT E-Invoice Consignment Delivey Notification_pdf.exe

pid process

316 TNT E-Invoice Consignment Delivey Notification_pdf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
316	TNT E-Invoice Consignment Delivey Notification_pdf.exe

Modifies service 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Consignment Delivey Notification_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Consignment Delivey Notification_pdf.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Modifies WinLogon for persistence
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
PID:1068

C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Consignment Delivey Notification_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Consignment Delivey Notification_pdf.exe"
2⤵
PID:1312

C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Consignment Delivey Notification_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Consignment Delivey Notification_pdf.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:316

C:\Windows\SysWOW64\netsh.exe
"netsh" wlan show profile
3⤵
- Modifies service
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-0-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/316-1-0x000000000046E3CE-mapping.dmp

Download
memory/316-2-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/316-3-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1528-4-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1068 wrote to memory of 1312	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe
PID 1068 wrote to memory of 1312	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe
PID 1068 wrote to memory of 1312	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe
PID 1068 wrote to memory of 1312	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe
PID 1068 wrote to memory of 316	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe
PID 1068 wrote to memory of 316	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe
PID 1068 wrote to memory of 316	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe
PID 1068 wrote to memory of 316	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe
PID 1068 wrote to memory of 316	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe
PID 1068 wrote to memory of 316	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe
PID 1068 wrote to memory of 316	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe
PID 1068 wrote to memory of 316	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe
PID 1068 wrote to memory of 316	1068	TNT E-Invoice Consignment Delivey Notification_pdf.exe	TNT E-Invoice Consignment Delivey Notification_pdf.exe
PID 316 wrote to memory of 1528	316	TNT E-Invoice Consignment Delivey Notification_pdf.exe	netsh.exe
PID 316 wrote to memory of 1528	316	TNT E-Invoice Consignment Delivey Notification_pdf.exe	netsh.exe
PID 316 wrote to memory of 1528	316	TNT E-Invoice Consignment Delivey Notification_pdf.exe	netsh.exe
PID 316 wrote to memory of 1528	316	TNT E-Invoice Consignment Delivey Notification_pdf.exe	netsh.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads