Analysis
- max time kernel: 112s
- max time network: 120s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 13:04
Static task: static1
Behavioral task: behavioral1
  Sample: New Order.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: New Order.exe
  Resource: win10
General
- Target: New Order.exe
- Size: 389KB
- MD5: 971b524b2a3ae1adf97deb2456c8a15e
- SHA1: 355a9fae7eb5042e02680d4d9138f55681e3d203
- SHA256: d4f365f9895e6d8dc8975922386052ec3727a9f24ff147559f54d529e447c0b4
- SHA512: 63b8f28d66acef1168167a2b6788530524d79dfaa519c0de0284c8aad62b967a3b5ffc8148531d451cf2c3ee0b9668d3674bec0d86c9296719d605c586c3314a
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: New Order.exe
    description        ioc                                                              process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  New Order.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   New Order.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: New Order.exe
    description        ioc                                                          process
    Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  New Order.exe
    Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    New Order.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: New Order.exe
    pid   process
    1124  New Order.exe
    1124  New Order.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: New Order.exe
    description              pid   process
    Token: SeDebugPrivilege  1124  New Order.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: New Order.exe
    description                      pid   process        target process
    PID 1124 wrote to memory of 340  1124  New Order.exe  schtasks.exe
    PID 1124 wrote to memory of 340  1124  New Order.exe  schtasks.exe
    PID 1124 wrote to memory of 340  1124  New Order.exe  schtasks.exe
    PID 1124 wrote to memory of 340  1124  New Order.exe  schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\New Order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wRyCQByggAE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8610.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp8610.tmp
  MD5: cea23ac73b4222fef28968d51a87b28b
  SHA1: aeb6e61d21b8f95ccd988e919a9a1c0220a8883e
  SHA256: c38b3334b3297bfa9d77b5a0593a60085c3e79cf65cd113b0357f26a8fbcd87a
  SHA512: 63a333a7b3774730b2a714725368e0cae43d2bc63faa670257a665e38f7312a4b1d74e9eb44eb8d6f55837261d3f5115783ee629a18ce21110f2614906b63326
- memory/340-2-0x0000000000000000-mapping.dmp
- memory/1124-1-0x0000000000000000-0x0000000000000000-disk.dmp