Analysis
- max time kernel: 119s
- max time network: 137s
- platform: windows10_x64
- resource: win10
- submitted: 30-06-2020 13:55
Static task: static1
Behavioral task: behavioral1 (Sample: REVISED NEW ORDER.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: REVISED NEW ORDER.exe, Resource: win10)
General
- Target: REVISED NEW ORDER.exe
- Size: 589KB
- MD5: 9b37d3dd9ff4036b3132873292a2e672
- SHA1: 79b74ebaa8da63b409eaf6d5b6e13076b25734a3
- SHA256: ac817954a4511d2a0ffca7832b48d137db1b299d7ff055709eda1d12460e81c0
- SHA512: 3d973e02189d47458355faa6018381140383219cf1783e90c6a54aa1f3d5191b1ef69d09b1d86a0c79d519575d50f0569a285bfd0c31547fd77058779d62a307
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: nednwokoro@jakartta.xyz
- Password: nwaotu65
This is the operator's mailbox that the stealer logs into to send collected data; the host, port and account are the network indicators to block and hunt for, and the credentials are what the operator loses once the config is extracted.
Signatures
-
AgentTesla
Agent Tesla is a .NET-based (Visual Basic .NET) remote access tool (RAT) and information stealer. The CLR_v2.0_32 usage log listed under Downloads shows the sample ran on the 32-bit .NET 2.0 runtime.
-
AgentTesla Payload 2 IoCs
Matched memory dumps (resource: YARA rule):
- behavioral2/memory/3848-2-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
- behavioral2/memory/3848-3-0x0000000000446E3E-mapping.dmp: family_agenttesla
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Process interactions (source PID -> target PID):
- 720 REVISED NEW ORDER.exe set thread context of 3848 REVISED NEW ORDER.exe
A parent resetting the thread context of a freshly spawned copy of itself, together with the WriteProcessMemory rows below, is the process-hollowing (RunPE) pattern: the YARA hit on the 0x400000-0x44C000 region of PID 3848 is the injected Agent Tesla image, and the parent (PID 720) is only the loader.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for an infostealer such as Agent Tesla it is better read as drive enumeration during collection, and nothing else in this report (no mass file writes, no ransom note) points to encryption.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the parent registers the task Updates\fGHYflhqCW from an XML definition staged at C:\Users\Admin\AppData\Local\Temp\tmpD1A3.tmp (see the process tree and Downloads below); a task under an "Updates" folder defined from a throwaway .tmp file in the user's Temp directory is the hunting handle.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- 3848 REVISED NEW ORDER.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- 3848 REVISED NEW ORDER.exe: Token: SeDebugPrivilege
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- 3848 REVISED NEW ORDER.exe
All three come from the hollowed child (PID 3848), not the loader. SetWindowsHookEx in an infostealer is consistent with installing a keyboard hook for keylogging, and SeDebugPrivilege is what it needs to read other processes' memory.
-
Suspicious use of WriteProcessMemory 11 IoCs
Process interactions (source PID -> target PID):
- 720 REVISED NEW ORDER.exe wrote to memory of 3844 schtasks.exe (3 writes)
- 720 REVISED NEW ORDER.exe wrote to memory of 3848 REVISED NEW ORDER.exe (8 writes)
Processes
-
C:\Users\Admin\AppData\Local\Temp\REVISED NEW ORDER.exe (PID 720)
Command line: "C:\Users\Admin\AppData\Local\Temp\REVISED NEW ORDER.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\schtasks.exe (PID 3844, child of 720)
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fGHYflhqCW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD1A3.tmp"
  - Creates scheduled task(s)
  (The image runs from SysWOW64 although the command line names System32: the parent is a 32-bit process, so WoW64 file system redirection applies.)
  -
  C:\Users\Admin\AppData\Local\Temp\REVISED NEW ORDER.exe (PID 3848, child of 720)
  Command line: "{path}"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  (The command line is the literal, unexpanded placeholder "{path}". This copy is the hollowed host the parent wrote the payload into, and it is the process that does the stealing.)
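A small triage script, added here as an example (it is not part of the sandbox report and not code from the Agent Tesla sample), that turns the signature rows and process tree above into verdicts: it pairs the WriteProcessMemory and SetThreadContext rows per (source PID, target PID) to flag the parent-to-self hollowing, parses the schtasks command line for the task name and the XML definition staged in Temp, flags the literal "{path}" command line, and checks that the YARA-matched memory region has the size the report lists. The row strings and the tree are constructed from the report's own text; the "PID <src> <action> <dst> <src> <src image> <dst image>" row layout it parses is assumed from that text.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: the signature rows and process tree from the report above,
# re-typed as strings (11 WriteProcessMemory rows, 1 SetThreadContext row).
WRITE_ROWS = (
    ["PID 720 wrote to memory of 3844 720 REVISED NEW ORDER.exe schtasks.exe"] * 3
    + ["PID 720 wrote to memory of 3848 720 REVISED NEW ORDER.exe REVISED NEW ORDER.exe"] * 8
)
CONTEXT_ROWS = ["PID 720 set thread context of 3848 720 REVISED NEW ORDER.exe REVISED NEW ORDER.exe"]
# (image path, command line) for each node of the process tree.
PROCESS_TREE = [
    (r"C:\Users\Admin\AppData\Local\Temp\REVISED NEW ORDER.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\REVISED NEW ORDER.exe"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fGHYflhqCW" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpD1A3.tmp"'),
    (r"C:\Users\Admin\AppData\Local\Temp\REVISED NEW ORDER.exe", '"{path}"'),
]

# Row layout assumed from the report: "PID <src> <action> <dst> <src> <src image> <dst image>".
ROW = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$"
)
SCHTASKS_ARG = re.compile(r'/(?P<flag>TN|XML)\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)


@dataclass
class Interaction:
    src_img: str = ""
    dst_img: str = ""
    writes: int = 0            # number of WriteProcessMemory rows
    context_set: bool = False  # any SetThreadContext row


def parse_rows(rows):
    """Group the signature rows by (source PID, target PID)."""
    table = defaultdict(Interaction)
    for row in rows:
        m = ROW.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        rec = table[(int(m["src"]), int(m["dst"]))]
        rec.src_img, rec.dst_img = m["src_img"], m["dst_img"]
        if m["action"].startswith("wrote"):
            rec.writes += 1
        else:
            rec.context_set = True
    return dict(table)


def hollowing_verdicts(table):
    """Writes plus a thread-context reset on the same target is the hollowing
    pattern; a target that is a copy of the source image is self-hollowing.
    Writes alone are also produced by an ordinary CreateProcess of a child."""
    verdicts = {}
    for key, rec in table.items():
        if rec.writes and rec.context_set:
            same = rec.src_img.lower() == rec.dst_img.lower()
            verdicts[key] = "self-hollowing" if same else "hollowing"
        else:
            verdicts[key] = "write-only" if rec.writes else "context-only"
    return verdicts


def parse_schtasks(cmdline):
    """Extract /TN and /XML from a schtasks /Create command line."""
    if "/create" not in cmdline.lower():
        return None
    args = {}
    for m in SCHTASKS_ARG.finditer(cmdline):
        args[m["flag"].upper()] = m["q"] if m["q"] is not None else m["u"]
    xml = args.get("XML", "")
    return {
        "task": args.get("TN"),
        "xml": xml,
        # Task definition staged as a throwaway .tmp under the user's Temp directory.
        "xml_in_temp": "\\appdata\\local\\temp\\" in xml.lower() and xml.lower().endswith(".tmp"),
    }


def triage_tree(tree):
    """Walk the process tree and return (finding, detail, evidence) tuples."""
    findings = []
    for image, cmdline in tree:
        if image.lower().endswith("\\schtasks.exe"):
            st = parse_schtasks(cmdline)
            if st and st["xml_in_temp"]:
                findings.append(("persistence", st["task"], st["xml"]))
        elif cmdline.strip() == '"{path}"':
            # The whole command line is the literal, unexpanded "{path}" placeholder:
            # the child was spawned from the launcher's template, not by a user.
            findings.append(("placeholder-cmdline", image, cmdline))
    return findings


def region_size_kib(start, end):
    """Size of a dumped memory region, to compare with the report's Filesize."""
    return (end - start) // 1024


if __name__ == "__main__":
    for key, verdict in hollowing_verdicts(parse_rows(WRITE_ROWS + CONTEXT_ROWS)).items():
        print(f"{key[0]} -> {key[1]}: {verdict}")
    for finding in triage_tree(PROCESS_TREE):
        print(finding)
    print("YARA-matched region:", region_size_kib(0x400000, 0x44C000), "KiB")
```

Run as-is it reports 720 -> 3844 as write-only (the schtasks child was merely started), 720 -> 3848 as self-hollowing, the Updates\fGHYflhqCW task defined from the Temp .tmp, the "{path}" child, and a 304 KiB region, which matches the 304KB Filesize recorded under Downloads for the 0x400000-0x44C000 dump.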
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\REVISED NEW ORDER.exe.log
MD5: 3753b01eddc20f64178eaf3d55b5c146
SHA1: ca50665940eb8519e1df0c1f185fb72a271c2a66
SHA256: 99096651b1d9b4a7562f56c8e42c06d1166f7f22a93816e2862317ada8154b37
SHA512: 566366e651e94fab25454fb0199508cd62a64723137b32fbd5bee531110403d9194b9a4fc053740c571a69e820c1c72e48d65fc3a5410a22b6ae9d2e55508bf3
(Usage log written by the 32-bit .NET 2.0 CLR; its presence confirms the executable is a managed assembly.)
-
C:\Users\Admin\AppData\Local\Temp\tmpD1A3.tmp
MD5: 029bc302feeaf1ff91e09356ab581a18
SHA1: ba59fe7436b5f8fa7c9d4a3c777fa16efc4cce3e
SHA256: 4055d8cb5432699da5a95fc4b74a129fa4e9b705bf4a795150f9a88bfa1e87c4
SHA512: 7259404ed1aed31dd35d1e81f2b845ee97ed179d7d7af2ac2cf749c0f9a3c57fba1cf6a1f083a057cb41eeb1e143a533c444b505cc8828791810cd2873ae6f4a
(The scheduled-task XML definition passed to schtasks /XML in the process tree above.)
-
memory/3844-0-0x0000000000000000-mapping.dmp
-
memory/3848-2-0x0000000000400000-0x000000000044C000-memory.dmp
Filesize: 304KB
(0x44C000 - 0x400000 = 0x4C000 bytes = 304 KiB, mapped at 0x400000, the default image base of a 32-bit PE; this is the unpacked Agent Tesla image the YARA rule matched.)
-
memory/3848-3-0x0000000000446E3E-mapping.dmp
(0x446E3E lies inside the region above.)