Analysis
max time kernel: 72s
max time network: 43s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 01:31
Static task: static1
Behavioral task: behavioral1
Sample: NPK 202020.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: NPK 202020.exe
Resource: win10v2004-20220414-en
General
Target: NPK 202020.exe
Size: 816KB
MD5: 94c64da42cec451a2bd9c6e30d366fa8
SHA1: ae5ad76d977bedfaa76632fa32d5678c212daa96
SHA256: 40b64f01b9da5a5fdafaeae7226eb911ec29c6ecddd24aae32465f0c3b97fac5
SHA512: 97754440f8ad88d4bc02e57f921461a62176825f615cffbc6ffd35c29404e4301a142e4e4399c835c370e47563c240205ca8985a8f1ef6de1df43dea19dcf86a
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT) that harvests saved credentials from browsers, email clients and other applications.
-
CoreEntity .NET Packer 1 IoCs
CoreEntity is a .NET packer that stores its payload as an embedded Bitmap object and decrypts it at runtime.
Processes:
resource: behavioral1/memory/684-56-0x0000000000380000-0x0000000000388000-memory.dmp
yara_rule: coreentity
-
AgentTesla Payload 1 IoCs
Processes:
resource: behavioral1/memory/684-60-0x00000000020C0000-0x000000000210E000-memory.dmp
yara_rule: family_agenttesla
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource: behavioral1/memory/684-57-0x0000000001E30000-0x0000000001E86000-memory.dmp
yara_rule: rezer0
-
Reads user/profile data of local email clients 2 TTPs
Email clients store user data (profiles, account settings, saved credentials) on disk, which infostealers commonly target.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: NPK 202020.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: NPK 202020.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: NPK 202020.exe)
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\Windows Update.exe" (process: NPK 202020.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This heuristic is commonly associated with ransomware, but infostealers also enumerate drives to profile the host; nothing else in this report points to file encryption.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- pid 684: NPK 202020.exe
- pid 684: NPK 202020.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- Token: SeDebugPrivilege (pid 684, NPK 202020.exe)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
- PID 684 wrote to memory of 1540 (NPK 202020.exe -> schtasks.exe)
- PID 684 wrote to memory of 1540 (NPK 202020.exe -> schtasks.exe)
- PID 684 wrote to memory of 1540 (NPK 202020.exe -> schtasks.exe)
- PID 684 wrote to memory of 1540 (NPK 202020.exe -> schtasks.exe)
-
outlook_office_path 1 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: NPK 202020.exe)
-
outlook_win_path 1 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: NPK 202020.exe)
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\NPK 202020.exe
command line: "C:\Users\Admin\AppData\Local\Temp\NPK 202020.exe"
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
(depth 2) C:\Windows\SysWOW64\schtasks.exe
command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YHtBDZyNICpYf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp"
Note: the image path is SysWOW64 while the command line names System32 because the 32-bit parent's reference to System32 is redirected by WoW64 file system redirection; the task definition is imported from a temporary XML file that the parent wrote shortly before.
- Creates scheduled task(s)
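The three host-side behaviours above (a Run value under a user-profile path, schtasks importing a task from %TEMP%, and a non-Office process opening Outlook profile keys) are easy to turn into detection logic. The following is an added example, not part of the sandbox report or its signature set: a small rule pass over constructed Sysmon-style events. The event schema, the OFFICE_IMAGES allow-list and every sample event are assumptions made for this example; only the registry paths and command line are modelled on the report.

```python
"""Added example (not from the sandbox report): detection rules over constructed
Sysmon-style events modelled on the behaviours in this report.

Rules:
  1. Run key whose target lives under the user profile (%APPDATA%/%LOCALAPPDATA%).
  2. schtasks.exe /Create importing a task definition (/XML) from a Temp directory.
  3. An Outlook profile key opened by a process that is not an Office binary.

The Event schema, OFFICE_IMAGES allow-list and SAMPLE_EVENTS are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Default Outlook profile key name; it appears verbatim in the report's registry IoCs.
OUTLOOK_PROFILE_GUID = "9375cff0413111d3b88a00104b2a6676"
# Assumed allow-list of binaries that legitimately read Outlook profile keys.
OFFICE_IMAGES = {"outlook.exe", "winword.exe", "excel.exe"}


@dataclass
class Event:
    kind: str          # "reg_set" | "reg_open" | "proc_create"
    image: str         # full path of the acting process
    key: str = ""      # registry key (reg_set / reg_open)
    data: str = ""     # value data (reg_set) or command line (proc_create)
    parent: str = ""   # parent image (proc_create)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)
USER_PROFILE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
# Captures the /XML argument of a /Create invocation (quoted or bare path).
SCHTASKS_XML_RE = re.compile(r'/create\b.*?/xml\s+"?([^"]+)"?', re.I)
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.I)


def rule_run_key_in_profile(ev: Event) -> Optional[str]:
    """Run value pointing into a user-writable profile directory."""
    if ev.kind != "reg_set" or not RUN_KEY_RE.search(ev.key):
        return None
    if USER_PROFILE_RE.search(ev.data):
        value_name = ev.key.rsplit("\\", 1)[-1]
        return f"run_key_in_profile: {value_name!r} -> {ev.data}"
    return None


def rule_schtasks_xml_from_temp(ev: Event) -> Optional[str]:
    """schtasks /Create that imports its task definition from a Temp directory."""
    if ev.kind != "proc_create" or basename(ev.image) != "schtasks.exe":
        return None
    m = SCHTASKS_XML_RE.search(ev.data)
    if m and TEMP_DIR_RE.search(m.group(1)):
        return f"schtasks_xml_from_temp: parent={basename(ev.parent)} xml={m.group(1)}"
    return None


def rule_outlook_profile_by_non_office(ev: Event) -> Optional[str]:
    """Outlook profile key opened by something other than an Office binary."""
    if ev.kind != "reg_open" or OUTLOOK_PROFILE_GUID not in ev.key.lower():
        return None
    if basename(ev.image) not in OFFICE_IMAGES:
        return f"outlook_profile_access: {basename(ev.image)} opened {ev.key}"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_run_key_in_profile,
    rule_schtasks_xml_from_temp,
    rule_outlook_profile_by_non_office,
]


def scan(events: List[Event]) -> List[str]:
    """Apply every rule to every event; return the alert strings in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample events: three modelled on the report, three benign look-alikes.
SAMPLE_EVENTS = [
    Event("reg_set", r"C:\Users\Admin\AppData\Local\Temp\NPK 202020.exe",
          key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update",
          data=r"C:\Users\Admin\AppData\Roaming\Windows Update\Windows Update.exe"),
    Event("reg_set", r"C:\Program Files\Vendor\setup.exe",
          key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
          data=r"C:\Program Files\Vendor\tray.exe"),
    Event("proc_create", r"C:\Windows\SysWOW64\schtasks.exe",
          data=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YHtBDZyNICpYf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp"',
          parent=r"C:\Users\Admin\AppData\Local\Temp\NPK 202020.exe"),
    Event("proc_create", r"C:\Windows\System32\schtasks.exe",
          data=r'schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"',
          parent=r"C:\Windows\System32\cmd.exe"),
    Event("reg_open", r"C:\Users\Admin\AppData\Local\Temp\NPK 202020.exe",
          key=r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    Event("reg_open", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          key=r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Each rule is deliberately keyed on the combination that separates the sample from routine activity: a Run value pointing into a user-writable directory rather than Run values in general, a task imported from Temp rather than every schtasks invocation, and the Outlook profile key opened by a non-Office image rather than any access to it. The allow-list in rule 3 is the part most likely to need tuning on a real estate (backup agents and migration tools also read those keys).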
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp1A45.tmp
Filesize: 1KB
MD5: 149c536cfb17a9f9a46bc43cf356d389
SHA1: 8847c1ce17590b599138152a0f343c82f7a90f7b
SHA256: 9d0759530472929db93279e7ee7fa80ad6089d082c88ec4644e3003198f1d7a5
SHA512: 79205c8099a7177edf54f38a9ccde6c0a6cd7ecb8c9ef8942d494b6aaecf798dba1c873d8ab7556cb832fa44a4528cfd2a1375da76f7df1d81b24e9145441375
-
memory/684-54-0x00000000104C0000-0x0000000010590000-memory.dmp
Filesize: 832KB
-
memory/684-55-0x00000000753B1000-0x00000000753B3000-memory.dmp
Filesize: 8KB
-
memory/684-56-0x0000000000380000-0x0000000000388000-memory.dmp
Filesize: 32KB
-
memory/684-57-0x0000000001E30000-0x0000000001E86000-memory.dmp
Filesize: 344KB
-
memory/684-60-0x00000000020C0000-0x000000000210E000-memory.dmp
Filesize: 312KB
-
memory/1540-58-0x0000000000000000-mapping.dmp