Analysis
-
max time kernel
122s -
max time network
146s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
29-05-2020 19:54
Static task
static1
Behavioral task
behavioral1
Sample
new order.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
new order.exe
Resource
win10v200430
General
-
Target
new order.exe
-
Size
497KB
-
MD5
d0e301c9c9892ff14f1a5fdd7b94d840
-
SHA1
1764dfe3ff7917388032b34c378d30c2fd81fb15
-
SHA256
0c630248507337f2835d5ff76bcadd48aca15cc50c4b334eabea3a93bac8a6cb
-
SHA512
ed63a440aa1c7e617c0c8013b781bf1fed6b970fa0ec602b5b9522bd3d9a6f522627dd4d432c0a3382b77c8e3cef9328e36fe75766e1236455bdd2de73492662
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.tandempakistan.com - Port:
587 - Username:
mngacct@tandempakistan.com - Password:
fayyazrml
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2492-4-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
new order.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion new order.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion new order.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
new order.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\zQalIQ = "C:\\Users\\Admin\\AppData\\Roaming\\zQalIQ\\zQalIQ.exe" new order.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
new order.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum new order.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 new order.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
new order.exedescription pid process target process PID 972 set thread context of 2492 972 new order.exe new order.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
new order.exenew order.exepid process 972 new order.exe 972 new order.exe 2492 new order.exe 2492 new order.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
new order.exenew order.exedescription pid process Token: SeDebugPrivilege 972 new order.exe Token: SeDebugPrivilege 2492 new order.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
new order.exepid process 2492 new order.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
new order.exenew order.exedescription pid process target process PID 972 wrote to memory of 2128 972 new order.exe schtasks.exe PID 972 wrote to memory of 2128 972 new order.exe schtasks.exe PID 972 wrote to memory of 2128 972 new order.exe schtasks.exe PID 972 wrote to memory of 2312 972 new order.exe new order.exe PID 972 wrote to memory of 2312 972 new order.exe new order.exe PID 972 wrote to memory of 2312 972 new order.exe new order.exe PID 972 wrote to memory of 2492 972 new order.exe new order.exe PID 972 wrote to memory of 2492 972 new order.exe new order.exe PID 972 wrote to memory of 2492 972 new order.exe new order.exe PID 972 wrote to memory of 2492 972 new order.exe new order.exe PID 972 wrote to memory of 2492 972 new order.exe new order.exe PID 972 wrote to memory of 2492 972 new order.exe new order.exe PID 972 wrote to memory of 2492 972 new order.exe new order.exe PID 972 wrote to memory of 2492 972 new order.exe new order.exe PID 2492 wrote to memory of 1608 2492 new order.exe netsh.exe PID 2492 wrote to memory of 1608 2492 new order.exe netsh.exe PID 2492 wrote to memory of 1608 2492 new order.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\new order.exe"C:\Users\Admin\AppData\Local\Temp\new order.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VuEpwRV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3435.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\new order.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\new order.exe"{path}"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\new order.exe.logMD5
65acc9d020cbc5cdd5a4d651573cba40
SHA14c70793f89351648ac6cf9f1bd97a7f26fe9ddb1
SHA25615518826c9a08a9d53c944cb4818627e9022a838e40483756b08b0d7df3ac8e4
SHA51295bc86a09c97adcc7eb1971ac4e31c62210d4bab654082b6263b401e9197a925cd82b4bb0dc994ab2aa70bac466770e0e307f1b3979b2e128a6a0701362f32cb
-
C:\Users\Admin\AppData\Local\Temp\tmp3435.tmpMD5
c81c702daa8004e143d8ebab195226e9
SHA1037df6b0fb3da6b382127be4f0193848d51b4a0a
SHA256a468a3f6d2e04635997b47a76aae791069275d9d805f3ba07f2655f969d6cb13
SHA512ae3e25eb6bb95fa0ceda90ef96186e75b4c7df636a7ce513588250045ed833f0ef6b2b3995e5f36831d29c7fcde64ed99553e9723d8a3a356227ad740a687529
-
memory/2492-4-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB