Analysis
- max time kernel: 122s
- max time network: 152s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 15:11
Static task: static1
Behavioral task: behavioral1
  Sample: TNT E-Invoice Consignment Delivey Notification_pdf.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: TNT E-Invoice Consignment Delivey Notification_pdf.exe
  Resource: win10v200722
General
- Target: TNT E-Invoice Consignment Delivey Notification_pdf.exe
- Size: 401KB
- MD5: bbebe99bf36cb3dc4c3c37a9487468ac
- SHA1: b3c4734cbc3846304647fbf6854f6cbb3c0ab635
- SHA256: 4524f74c75340e0761a5e4e0f3c070fb96a364de054fead9c96c8ee8f4f81f0a
- SHA512: 64dfec480badbb528b1cc43d90780b7a1600bdb768da047013d5db16ebdf49d003dbc01a43568104c5dba220f54ff95f7c12648ca4cbed8a2098c817e1cf2016
Malware Config
Extracted
- Protocol: smtp
- Host: mail.minioninvest.com
- Port: 587
- Username: support@minioninvest.com
- Password: uchegite08
Signatures
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: TNT E-Invoice Consignment Delivey Notification_pdf.exe, TNT E-Invoice Consignment Delivey Notification_pdf.exe
  Entries (description / pid / process / target process):
  - PID 1068 wrote to memory of 1312 / 1068 / TNT E-Invoice Consignment Delivey Notification_pdf.exe / TNT E-Invoice Consignment Delivey Notification_pdf.exe (4 entries)
  - PID 1068 wrote to memory of 316 / 1068 / TNT E-Invoice Consignment Delivey Notification_pdf.exe / TNT E-Invoice Consignment Delivey Notification_pdf.exe (9 entries)
  - PID 316 wrote to memory of 1528 / 316 / TNT E-Invoice Consignment Delivey Notification_pdf.exe / netsh.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: TNT E-Invoice Consignment Delivey Notification_pdf.exe, TNT E-Invoice Consignment Delivey Notification_pdf.exe
  Entries (description / pid / process):
  - Token: SeDebugPrivilege / 1068 / TNT E-Invoice Consignment Delivey Notification_pdf.exe
  - Token: SeDebugPrivilege / 316 / TNT E-Invoice Consignment Delivey Notification_pdf.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: TNT E-Invoice Consignment Delivey Notification_pdf.exe
  Entries (pid / process):
  - 316 / TNT E-Invoice Consignment Delivey Notification_pdf.exe
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: TNT E-Invoice Consignment Delivey Notification_pdf.exe
  Entries (description / ioc / process):
  - Set value (str) / \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TNT E-Invoice Consignment Delivey Notification_pdf.exe\"" / TNT E-Invoice Consignment Delivey Notification_pdf.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Entries (flow / ioc):
  - 3 / checkip.dyndns.org
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: TNT E-Invoice Consignment Delivey Notification_pdf.exe, TNT E-Invoice Consignment Delivey Notification_pdf.exe
  Entries (pid / process):
  - 1068 / TNT E-Invoice Consignment Delivey Notification_pdf.exe
  - 316 / TNT E-Invoice Consignment Delivey Notification_pdf.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: TNT E-Invoice Consignment Delivey Notification_pdf.exe
  Entries (description / pid / process / target process):
  - PID 1068 set thread context of 316 / 1068 / TNT E-Invoice Consignment Delivey Notification_pdf.exe / TNT E-Invoice Consignment Delivey Notification_pdf.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: TNT E-Invoice Consignment Delivey Notification_pdf.exe
  Entries (pid / process):
  - 316 / TNT E-Invoice Consignment Delivey Notification_pdf.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
- Modifies service (2 TTPs, 5 IoCs)
  Processes: netsh.exe
  Entries (description / ioc / process):
  - Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig / netsh.exe
  - Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups / netsh.exe
  - Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas / netsh.exe
  - Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs / netsh.exe
  - Key created / \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI / netsh.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
Processes
- C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Consignment Delivey Notification_pdf.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Consignment Delivey Notification_pdf.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Modifies WinLogon for persistence
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Consignment Delivey Notification_pdf.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Consignment Delivey Notification_pdf.exe"
  - C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Consignment Delivey Notification_pdf.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT E-Invoice Consignment Delivey Notification_pdf.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "netsh" wlan show profile
      Signatures:
      - Modifies service
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/316-0-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/316-1-0x000000000046E3CE-mapping.dmp
- memory/316-2-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/316-3-0x0000000000400000-0x0000000000474000-memory.dmp (Filesize: 464KB)
- memory/1528-4-0x0000000000000000-mapping.dmp