Analysis
- max time kernel: 113s
- max time network: 118s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 10:01

Static task: static1
Behavioral task: behavioral1
- Sample: newanyiorigin.exe
- Resource: win7
General
- Target: newanyiorigin.exe
- Size: 465KB
- MD5: 93993f994aa01d44877418064b35a6bd
- SHA1: 12892d6641fd748331d7aede80b660701e0d45a1
- SHA256: 82cc4887e303142d81ec7d606de24bfe9d14d3fd2d867759b4c150f502d456ed
- SHA512: b6b701e8ff658c86937fc696f04aff41cc6d3fef7346b2e62a6465dbcb37e52f693173d45265925b81a5811b651288f632018619c487e3ce03e3adcb63e2f861
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes (resource | yara_rule):
    behavioral1/memory/1416-4-0x0000000000000000-mapping.dmp | family_agenttesla
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    844 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
    844 | rundll32.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid | process):
    844 | rundll32.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes (description | pid | process | target process):
    PID 1164 wrote to memory of 844  | 1164 | newanyiorigin.exe | rundll32.exe (7 events)
    PID 844 wrote to memory of 1416  | 844  | rundll32.exe      | MSBuild.exe  (28 events)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\newanyiorigin.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\newanyiorigin.exe"
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
        command line: C:\Windows\system32\rundll32.exe BicornGasohol,Sunhats
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\BicornGasohol.DLL
  MD5: ea2f9af237cf9f119f68498727701ae0
  SHA1: 2e714699ef5e6e766aa91d3b74a254e28c0af48b
  SHA256: a743db5c06b9b3bb9a9183d9ef9c7fbf14f3938c3e6785a7bae943c14579b830
  SHA512: 14c5e2935fc1ab68b4b99656c74fb374017514fab5a7248b958f0990c404d230efd9dcd5bb7eed2351a766d2fbfb078e00adaaa9484c61c37319d87b5c97c4e0
- C:\Users\Admin\AppData\Local\Temp\Dynast
  MD5: eebb7cc18e6f3f58c587c132e3086850
  SHA1: 62bcf6e0012e9a70d0e38b74f39a64bf543a3bf7
  SHA256: 1e48956974b342a00658ea5c3e0a66f3fe458e2fa54f2231d728a0f1d446a9c0
  SHA512: 35f0d3987c56c63c6dda7eab198a6f8324d1b34a98729fe66ea98b432be045d8699c3f105912d76ac4fa5a3c123bc318d40767b837e7f38db1db0c98e1179eb7
- \Users\Admin\AppData\Local\Temp\BicornGasohol.dll
  MD5: ea2f9af237cf9f119f68498727701ae0
  SHA1: 2e714699ef5e6e766aa91d3b74a254e28c0af48b
  SHA256: a743db5c06b9b3bb9a9183d9ef9c7fbf14f3938c3e6785a7bae943c14579b830
  SHA512: 14c5e2935fc1ab68b4b99656c74fb374017514fab5a7248b958f0990c404d230efd9dcd5bb7eed2351a766d2fbfb078e00adaaa9484c61c37319d87b5c97c4e0
- memory/844-0-0x0000000000000000-mapping.dmp
- memory/1416-4-0x0000000000000000-mapping.dmp