Analysis
- max time kernel: 43s
- max time network: 52s
- platform: windows7_x64
- resource: win7v200430
- submitted: 13-07-2020 11:17
Static task: static1
Behavioral task behavioral1: Sample: New Order.exe; Resource: win7v200430
Behavioral task behavioral2: Sample: New Order.exe; Resource: win10
General
- Target: New Order.exe
- Size: 950KB
- MD5: f6322a4b7fd5bc7a3ba41034f69e84b3
- SHA1: fc18e16938986b31d12c5ed51ed48f2764cf181c
- SHA256: f49917c2ce68563710e7d801c8a5793a592cc03a7cf803740195acf55ea11ae6
- SHA512: 97964d1e7faf0ecdf4f4ccc6893d130898ad6d3f05d51518116e6d9a45084acde3648763aca1e8990cd6338eec7a9b67fb8f8ce1f8fab43719433c1848237926
Malware Config
Signatures
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid, process):
    1388  New Order.exe
    1444  New Order.exe
    1444  New Order.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
    1388  New Order.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  1444  New Order.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Modifies service (2 TTPs, 5 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI  netsh.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig  netsh.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups  netsh.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas  netsh.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs  netsh.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 1388 wrote to memory of 1444  1388  New Order.exe  New Order.exe
    PID 1388 wrote to memory of 1444  1388  New Order.exe  New Order.exe
    PID 1388 wrote to memory of 1444  1388  New Order.exe  New Order.exe
    PID 1388 wrote to memory of 1444  1388  New Order.exe  New Order.exe
    PID 1444 wrote to memory of 1656  1444  New Order.exe  netsh.exe
    PID 1444 wrote to memory of 1656  1444  New Order.exe  netsh.exe
    PID 1444 wrote to memory of 1656  1444  New Order.exe  netsh.exe
    PID 1444 wrote to memory of 1656  1444  New Order.exe  netsh.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 1388 set thread context of 1444  1388  New Order.exe  New Order.exe
- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  Processes (resource, yara_rule):
    behavioral1/memory/1444-0-0x0000000000400000-0x00000000004B0000-memory.dmp  upx
    behavioral1/memory/1444-2-0x0000000000400000-0x00000000004B0000-memory.dmp  upx
    behavioral1/memory/1444-3-0x0000000000400000-0x00000000004B0000-memory.dmp  upx
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes (process tree; depth shown in parentheses)
- C:\Users\Admin\AppData\Local\Temp\New Order.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\New Order.exe (2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (3)
      Command line: "netsh" wlan show profile
      - Modifies service
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1444-0-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/1444-1-0x00000000004AEE50-mapping.dmp
- memory/1444-2-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/1444-3-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/1444-4-0x0000000000390000-0x00000000003E2000-memory.dmp (Filesize: 328KB)
- memory/1444-5-0x0000000000382000-0x0000000000383000-memory.dmp (Filesize: 4KB)
- memory/1444-6-0x0000000000230000-0x000000000027B000-memory.dmp (Filesize: 300KB)
- memory/1656-8-0x0000000000000000-mapping.dmp