Analysis

  • max time kernel
    122s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    29-05-2020 19:54

General

  • Target

    new order.exe

  • Size

    497KB

  • MD5

    d0e301c9c9892ff14f1a5fdd7b94d840

  • SHA1

    1764dfe3ff7917388032b34c378d30c2fd81fb15

  • SHA256

    0c630248507337f2835d5ff76bcadd48aca15cc50c4b334eabea3a93bac8a6cb

  • SHA512

    ed63a440aa1c7e617c0c8013b781bf1fed6b970fa0ec602b5b9522bd3d9a6f522627dd4d432c0a3382b77c8e3cef9328e36fe75766e1236455bdd2de73492662

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.tandempakistan.com
  • Port:
    587
  • Username:
    mngacct@tandempakistan.com
  • Password:
    fayyazrml
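The extracted config above gives three pivots a defender can act on without the password: the exfil mail host, the submission port, and the account name. The following hunt is an added example written for this page, not code from the sandbox or from the report's tooling. It runs over constructed, endpoint-enriched flow records (process name attached to each connection); the record layout, the process names and the MAIL_CLIENT_ALLOWLIST are assumptions for illustration.

```python
"""Flag outbound SMTP matching the extracted AgentTesla exfil config.

Added example, not part of the sandbox report. Runs over constructed,
endpoint-enriched flow records (dicts); the record fields, process names
and MAIL_CLIENT_ALLOWLIST are assumptions for illustration.
"""

# Pivots copied from the report's extracted config. The password is left
# out on purpose: it is not needed for detection and should not be spread.
C2_HOST = "mail.tandempakistan.com"
C2_PORT = 587
C2_USER = "mngacct@tandempakistan.com"

# Hypothetical: processes that legitimately submit mail on this network.
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}


def classify(flow):
    """Return the reasons a flow record looks like AgentTesla SMTP exfil."""
    reasons = []
    if flow.get("dst_host", "").lower() == C2_HOST:
        reasons.append("destination is the extracted C2 mail host")
    if C2_USER in (flow.get("auth_user"), flow.get("mail_from")):
        reasons.append("SMTP AUTH / MAIL FROM uses the extracted account")
    proc = flow.get("process", "").lower()
    if flow.get("dst_port") == C2_PORT and proc not in MAIL_CLIENT_ALLOWLIST:
        reasons.append(f"submission-port SMTP from non-mail process {proc!r}")
    return reasons


def hunt(flows):
    """Keep only flagged flows, strongest evidence (most reasons) first."""
    hits = [(f["id"], classify(f)) for f in flows]
    hits = [(i, r) for i, r in hits if r]
    return sorted(hits, key=lambda h: -len(h[1]))


SAMPLE_FLOWS = [  # constructed records, not the sandbox's network capture
    {"id": 1, "process": "new order.exe", "dst_host": "mail.tandempakistan.com",
     "dst_port": 587, "auth_user": "mngacct@tandempakistan.com"},
    {"id": 2, "process": "outlook.exe", "dst_host": "smtp.office365.com",
     "dst_port": 587, "auth_user": "alice@corp.example"},
    # STARTTLS hid the AUTH exchange; the port + process rule still fires.
    {"id": 3, "process": "powershell.exe", "dst_host": "203.0.113.10",
     "dst_port": 587},
    {"id": 4, "process": "svchost.exe", "dst_host": "update.example",
     "dst_port": 443},
]

if __name__ == "__main__":
    for flow_id, reasons in hunt(SAMPLE_FLOWS):
        print(flow_id, "; ".join(reasons))
```

Because submission on port 587 normally negotiates STARTTLS, the account name and MAIL FROM are usually only visible at the endpoint or in a sandbox, not on the wire; the destination host and the originating process are the pivots that survive encryption, which is why the third rule fires on flow 3 even without an AUTH field.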

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. It harvests saved credentials from browsers, mail clients and FTP clients and, in this sample's configuration, sends them out over SMTP. The CLR_v2.0_32 usage log the sample drops (see Downloads) is consistent with a .NET executable.

  • AgentTesla Payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
  • Looks for VMWare Tools registry key 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's generic text associates this with ransomware; for this sample, an infostealer, drive enumeration is more plausibly part of the sandbox checks (compare "Maps connected drives based on registry" above) than ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\new order.exe
    "C:\Users\Admin\AppData\Local\Temp\new order.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VuEpwRV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3435.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2128
    • C:\Users\Admin\AppData\Local\Temp\new order.exe
      "{path}"
      2⤵
      PID:2312
    • C:\Users\Admin\AppData\Local\Temp\new order.exe
      "{path}"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        3⤵
        PID:1608

  Reading the tree: PID 972 (the loader) performs the sandbox checks, registers the scheduled task from an XML file in Temp, and uses SetThreadContext and WriteProcessMemory while spawning two copies of its own image (PIDs 2312 and 2492). That parent/child shape is consistent with the payload being injected into a suspended copy of itself; PID 2492 is the instance that then carries the stealer behaviour (Run key, SetWindowsHookEx, the netsh Wi-Fi profile listing) and is the process whose memory region is dumped under Downloads.
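The behaviour chain in the tree (task registration from a Temp XML, self-spawned children from a user-writable directory, a Run key, and the netsh profile listing) maps directly onto endpoint telemetry. The hunt below is an added example written for this page, not the sandbox's own detection logic. Its events are constructed Sysmon-style records rebuilt from the process tree above; the explorer.exe parent (ppid 4400) and the Run-key path and value name are hypothetical, since the report does not give them.

```python
"""Hunt rules for the behaviour chain in the process tree above.

Added example, not part of the sandbox report. SAMPLE_EVENTS are
constructed Sysmon-style records rebuilt from the report's process tree;
the ppid 4400 parent and the Run-key path/value are hypothetical.
"""
import re

USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|Downloads)\\", re.I)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
XML_ARG = re.compile(r'/xml\s+"?([^"]+)', re.I)
WLAN_PROFILE = re.compile(r"wlan\s+show\s+profile", re.I)

LOADER = r"C:\Users\Admin\AppData\Local\Temp\new order.exe"

SAMPLE_EVENTS = [  # constructed, not raw sandbox output
    {"type": "process", "pid": 972, "ppid": 4400, "image": LOADER,
     "cmdline": f'"{LOADER}"'},
    {"type": "process", "pid": 2128, "ppid": 972,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VuEpwRV" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3435.tmp"'},
    {"type": "process", "pid": 2312, "ppid": 972, "image": LOADER,
     "cmdline": f'"{LOADER}"'},
    {"type": "process", "pid": 2492, "ppid": 972, "image": LOADER,
     "cmdline": f'"{LOADER}"'},
    # Hypothetical Run-key write; the report only says a Run key was added.
    {"type": "registry", "pid": 2492, "image": LOADER,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\hypothetical_value"},
    {"type": "process", "pid": 1608, "ppid": 2492,
     "image": r"C:\Windows\SysWOW64\netsh.exe", "cmdline": '"netsh" wlan show profile'},
]


def detect(events):
    """Return (pid, rule, detail) tuples for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        image = e["image"].lower()
        if e["type"] == "process":
            parent = by_pid.get(e["ppid"])
            cmd = e["cmdline"]
            # Persistence: schtasks /Create importing a task XML from a temp dir.
            if image.endswith("\\schtasks.exe") and "/create" in cmd.lower():
                m = XML_ARG.search(cmd)
                if m and USER_WRITABLE.search(m.group(1)):
                    findings.append((e["pid"], "schtasks_xml_from_temp", m.group(1)))
            # Collection: lists saved Wi-Fi profiles; a follow-up
            # 'show profile <name> key=clear' would reveal the passphrase.
            if image.endswith("\\netsh.exe") and WLAN_PROFILE.search(cmd):
                findings.append((e["pid"], "netsh_wlan_profile",
                                 parent["image"] if parent else None))
            # Injection: a user-dir binary spawning a copy of itself is the
            # parent/child shape seen here (972 -> 2312, 2492).
            if parent and parent["image"].lower() == image \
                    and USER_WRITABLE.search(e["image"]):
                findings.append((e["pid"], "self_spawn_from_user_dir", e["ppid"]))
        elif e["type"] == "registry":
            # Persistence: Run key written by a process living in a user dir.
            if RUN_KEY.search(e["target"]) and USER_WRITABLE.search(e["image"]):
                findings.append((e["pid"], "run_key_from_user_dir", e["target"]))
    return findings


def suspicious_pids(events):
    """PIDs worth pulling from the endpoint for triage."""
    return sorted({pid for pid, _, _ in detect(events)})


if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(pid, rule, detail)
```

Sysmon does not log SetThreadContext or the registry reads behind the BIOS and VM checks, so the injection rule keys on the process shape (same image, user-writable path) rather than on the API calls the sandbox saw; if ProcessAccess (event 10) logging is enabled, the loader opening its own child with write/set-context rights is the corroborating signal.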

      Network

      MITRE ATT&CK Matrix (ATT&CK v6)

      • Execution
        T1053 Scheduled Task (1)
      • Persistence
        T1060 Registry Run Keys / Startup Folder (1)
        T1053 Scheduled Task (1)
      • Privilege Escalation
        T1053 Scheduled Task (1)
      • Defense Evasion
        T1497 Virtualization/Sandbox Evasion (2)
        T1112 Modify Registry (1)
      • Credential Access
        T1081 Credentials in Files (3)
      • Discovery
        T1012 Query Registry (4)
        T1497 Virtualization/Sandbox Evasion (2)
        T1082 System Information Discovery (3)
        T1120 Peripheral Device Discovery (1)
      • Collection
        T1005 Data from Local System (3)

      The number in parentheses is the count of matching signatures. The IDs follow ATT&CK v6; T1060 and T1081 were retired in later versions in favour of T1547.001 (Registry Run Keys / Startup Folder) and T1552.001 (Credentials In Files).

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\new order.exe.log
        MD5

        65acc9d020cbc5cdd5a4d651573cba40

        SHA1

        4c70793f89351648ac6cf9f1bd97a7f26fe9ddb1

        SHA256

        15518826c9a08a9d53c944cb4818627e9022a838e40483756b08b0d7df3ac8e4

        SHA512

        95bc86a09c97adcc7eb1971ac4e31c62210d4bab654082b6263b401e9197a925cd82b4bb0dc994ab2aa70bac466770e0e307f1b3979b2e128a6a0701362f32cb

      • C:\Users\Admin\AppData\Local\Temp\tmp3435.tmp
        MD5

        c81c702daa8004e143d8ebab195226e9

        SHA1

        037df6b0fb3da6b382127be4f0193848d51b4a0a

        SHA256

        a468a3f6d2e04635997b47a76aae791069275d9d805f3ba07f2655f969d6cb13

        SHA512

        ae3e25eb6bb95fa0ceda90ef96186e75b4c7df636a7ce513588250045ed833f0ef6b2b3995e5f36831d29c7fcde64ed99553e9723d8a3a356227ad740a687529

      • memory/2492-4-0x0000000000400000-0x0000000000452000-memory.dmp
        Filesize

        328KB