Analysis

- Max time kernel: 143s
- Max time network: 110s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 28-01-2021 06:24

Tasks
- Static task: static1
- Behavioral task behavioral1: sample Delivery Order.gz.exe, resource win7v20201028
- Behavioral task behavioral2: sample Delivery Order.gz.exe, resource win10v20201028

The signatures, process tree and dumps below are from behavioral2 (the windows10_x64 run); the memory dump resources are prefixed behavioral2/ accordingly.
General

- Target: Delivery Order.gz.exe
- Size: 947KB
- MD5: f74303c9d68e259794bff9aa16accc6c
- SHA1: 86278bc1da358e23bc309f1f0856bb5dcaa4498c
- SHA256: 38328233c3257c33f13ed27c11ac0ce699433901e4cfdc5c5eb78fb823e85c7a
- SHA512: 965bd616cf68a9374efc9b91b66978c00961aaa4476274bbc0abf8ee930852c1a9ec327102343fbf70f428024d9790d62e2bcc98e4b8ead6277753c1d49bca4d
Malware Config

Extracted family: agenttesla
- Protocol: smtp
- Host: mail.omfoods.in
- Port: 587
- Username: [email protected] (address obscured in the source page)
- Password: Om@food11D

These are the operator's exfiltration settings: AgentTesla sends the harvested credentials and keystrokes as e-mail through this account over SMTP submission (port 587), so the host and account above are the actionable network indicators, and outbound SMTP to mail.omfoods.in from an endpoint is what to alert on.
Signatures

- AgentTesla
  Agent Tesla is an information-stealing remote access tool (RAT) built on the .NET Framework (its early versions were written in Visual Basic .NET). The CLR usage log dropped under CLR_v4.0_32 (Downloads, below) is consistent with this sample running as a 32-bit .NET 4.x process.
- AgentTesla Payload (2 IoCs)
  Processes:
  resource behavioral2/memory/3236-15-0x0000000000400000-0x000000000043C000-memory.dmp, yara_rule family_agenttesla
  resource behavioral2/memory/3236-16-0x00000000004377FE-mapping.dmp, yara_rule family_agenttesla
  The family rule matches only in the memory of PID 3236, the child the parent (PID 4048) injects into (see SetThreadContext and WriteProcessMemory below); the unpacked payload is visible only there, not in the file on disk.
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments: on a virtual machine the SystemBiosVersion and VideoBiosVersion strings typically contain the hypervisor vendor's name. On its own this read is not suspicious (hardware inventory and licensing code does the same); the signal is that the same sample combines it with the two hypervisor-specific key lookups above and the Disk\Enum query below.
  Processes:
  Delivery Order.gz.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Delivery Order.gz.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  These three credential-theft signatures are the stealer's actual objective; the report lists no per-file IoCs for them.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  Delivery Order.gz.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\nAhOJe = "C:\\Users\\Admin\\AppData\\Roaming\\nAhOJe\\nAhOJe.exe"
  This is the logged-on user's HKCU Run key, so persistence needs no elevation. The value name, the folder under %AppData%\Roaming and the executable all share the same generated name nAhOJe; that executable does not appear in the Downloads list of this report. Per the process tree below the value is written by the injected child, not by the original parent.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments: the values under Services\Disk\Enum are device instance paths that embed the disk's vendor and model strings, which on a virtual machine identify the hypervisor.
  Processes:
  Delivery Order.gz.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Delivery Order.gz.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
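Detection logic for the registry behaviours in this report (the BIOS and Disk\Enum probes, the VirtualBox and VMware key lookups, and the Run value), as an added example that is not part of the sandbox's output. The events are constructed from the IoC rows above in a generic pid/image/op/path/data shape; the exact VirtualBox and VMware key paths are not printed in the report and are assumed here; the category names, the two-category threshold and the user-writable directory list are this example's own choices. One practical caveat: Sysmon does not record registry reads, so the probe categories need sandbox or EDR API-level telemetry, whereas the Run value write does appear as a Sysmon Event ID 13.

```python
import re
from collections import defaultdict

# Registry locations this sample touches, from the signatures above. The two
# hypervisor keys are the well-known paths the "VirtualBox Guest Additions" and
# "VMWare Tools" signatures look for; the report does not print them, so they
# are an assumption of this example.
PROBE_PATTERNS = {
    "bios_version":   re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    "disk_enum":      re.compile(r"\\SYSTEM\\ControlSet\d+\\Services\\Disk\\Enum(\\\d+)?$", re.I),
    "vbox_additions": re.compile(r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I),
    "vmware_tools":   re.compile(r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools", re.I),
}
RUN_VALUE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

# Constructed events in a generic shape. The first five are the IoC rows from
# this report; the last two are benign controls that must not be flagged.
EVENTS = [
    {"pid": 4048, "image": "Delivery Order.gz.exe", "op": "query",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 4048, "image": "Delivery Order.gz.exe", "op": "query",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 4048, "image": "Delivery Order.gz.exe", "op": "open",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"},
    {"pid": 4048, "image": "Delivery Order.gz.exe", "op": "query",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0"},
    {"pid": 3236, "image": "Delivery Order.gz.exe", "op": "set",
     "path": r"\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000"
             r"\Software\Microsoft\Windows\CurrentVersion\Run\nAhOJe",
     "data": r"C:\Users\Admin\AppData\Roaming\nAhOJe\nAhOJe.exe"},
    # benign: an inventory tool reading one BIOS value, an installer's Run value in Program Files
    {"pid": 812, "image": "inventory.exe", "op": "query",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 900, "image": "setup.exe", "op": "set",
     "path": r"\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000"
             r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Program Files\Vendor\updater.exe"},
]


def classify(event):
    """Map one registry event to ('probe', category), ('persist', value_name) or None."""
    path = event["path"]
    for category, pattern in PROBE_PATTERNS.items():
        if pattern.search(path):
            return ("probe", category)
    m = RUN_VALUE.search(path)
    if m and event["op"] == "set":
        return ("persist", m.group("name"))
    return None


def triage(events, min_probe_categories=2):
    """Aggregate per PID. One BIOS read is normal; two or more distinct probe
    categories from a single process, or a Run value pointing into a
    user-writable directory, is what gets flagged."""
    per_pid = defaultdict(lambda: {"image": None, "probes": set(), "run_values": []})
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        kind, detail = hit
        if kind == "probe":
            rec["probes"].add(detail)
        else:
            target = ev.get("data", "")
            rec["run_values"].append({
                "name": detail,
                "target": target,
                "user_writable": any(d in target.lower() for d in USER_WRITABLE),
            })
    findings = {}
    for pid, rec in per_pid.items():
        flags = []
        if len(rec["probes"]) >= min_probe_categories:
            flags.append("vm_evasion")
        if any(v["user_writable"] for v in rec["run_values"]):
            flags.append("run_key_user_writable")
        if flags:
            findings[pid] = {"image": rec["image"], "flags": flags,
                             "probes": sorted(rec["probes"]), "run_values": rec["run_values"]}
    return findings


if __name__ == "__main__":
    for pid, f in triage(EVENTS).items():
        print(pid, f["image"], f["flags"], f["probes"], [v["target"] for v in f["run_values"]])
```

Run against the constructed events, PID 4048 is flagged for vm_evasion (bios_version plus disk_enum) and PID 3236 for the Run value in %AppData%\Roaming; the inventory tool that reads one BIOS value and the installer whose Run value points into Program Files are not reported. The threshold is the knob to tune against your own baseline of legitimate BIOS readers.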
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  PID 4048 Delivery Order.gz.exe set thread context of PID 3236 Delivery Order.gz.exe
  Read together with the WriteProcessMemory rows below, this is process hollowing: the parent starts a second copy of its own image, writes the unpacked payload into it, then redirects the child's thread to the new code with SetThreadContext. The mapping dump memory/3236-16-0x00000000004377FE (Downloads) is taken at an address inside the 0x00400000-0x0043C000 region that the family YARA rule matched.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note calls this likely ransomware behaviour, but nothing else in this report (no mass file writes, no ransom note) supports that; for this stealer it sits alongside the Disk\Enum sandbox check above.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. The command line is in the process tree below: schtasks.exe /Create /TN "Updates\DQuHmmSWD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDAB6.tmp". The task definition tmpDAB6.tmp is listed under Downloads; the task under an "Updates" folder is a second persistence path next to the Run value.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: PID 4048 Delivery Order.gz.exe (5 rows), PID 3236 Delivery Order.gz.exe (2 rows)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  PID 4048 Delivery Order.gz.exe: Token: SeDebugPrivilege
  PID 3236 Delivery Order.gz.exe: Token: SeDebugPrivilege
  Both the loader and the injected child enable SeDebugPrivilege, which is what lets them open other processes.
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: PID 3236 Delivery Order.gz.exe
  SetWindowsHookEx is the usual way a user-mode keylogger installs a keyboard hook; it is called only by the injected child.
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (source is PID 4048 Delivery Order.gz.exe in every row):
  wrote to memory of PID 1332 schtasks.exe (3 rows)
  wrote to memory of PID 2876 Delivery Order.gz.exe (3 rows)
  wrote to memory of PID 3132 Delivery Order.gz.exe (3 rows)
  wrote to memory of PID 3236 Delivery Order.gz.exe (8 rows)
  PIDs 2876 and 3132 receive writes but no thread-context change and carry no further signatures; only PID 3236 gets the eight writes, the SetThreadContext above and the family YARA match, so that is the process whose memory to dump.
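The WriteProcessMemory and SetThreadContext rows above, taken together, are the hollowing chain. The following is an added example (not the sandbox's code) that parses those rows in the report's flattened `PID <src> <verb> <dst> <src> <src image> <dst image>` format, counts writes and thread-context changes per target, and names the hollowed payload process. The row text is copied from this report; the verdict labels are this example's own, and image names are assumed to end in .exe, which is how the two space-containing names are told apart.

```python
import re

# Rows from the WriteProcessMemory (17) and SetThreadContext (1) signatures
# above, in the sandbox's flattened format.
REPORT_ROWS = (
    "PID 4048 wrote to memory of 1332 4048 Delivery Order.gz.exe schtasks.exe " * 3
    + "PID 4048 wrote to memory of 2876 4048 Delivery Order.gz.exe Delivery Order.gz.exe " * 3
    + "PID 4048 wrote to memory of 3132 4048 Delivery Order.gz.exe Delivery Order.gz.exe " * 3
    + "PID 4048 wrote to memory of 3236 4048 Delivery Order.gz.exe Delivery Order.gz.exe " * 8
    + "PID 4048 set thread context of 3236 4048 Delivery Order.gz.exe Delivery Order.gz.exe"
)

# Image names contain spaces, so the two names are split on the assumed ".exe"
# suffix; the repeated source PID is matched with a backreference.
ROW = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)"
)


def parse_rows(text):
    """Turn the flattened signature text into a list of event dicts."""
    return [
        {"src": int(m["src"]), "dst": int(m["dst"]), "verb": m["verb"],
         "src_img": m["src_img"], "dst_img": m["dst_img"]}
        for m in ROW.finditer(text)
    ]


def injection_chain(events):
    """Per target PID: writes received, whether its thread context was changed,
    and a verdict. A target that gets both a write and a thread-context change
    is the hollowed process; one that only gets writes (the schtasks child
    here, and the two siblings) is not the payload."""
    targets = {}
    for ev in events:
        t = targets.setdefault(ev["dst"], {
            "source": ev["src"], "source_image": ev["src_img"], "image": ev["dst_img"],
            "writes": 0, "set_thread_context": False,
        })
        if ev["verb"].startswith("wrote"):
            t["writes"] += 1
        else:
            t["set_thread_context"] = True
    for t in targets.values():
        same_image = t["image"].lower() == t["source_image"].lower()
        if t["set_thread_context"] and t["writes"]:
            t["verdict"] = "hollowed_self_image" if same_image else "hollowed"
        elif t["writes"]:
            t["verdict"] = "written_no_context"
        else:
            t["verdict"] = "context_only"
    return targets


def payload_pids(targets):
    """PIDs whose memory should be dumped and scanned (the YARA hit above is on 3236)."""
    return sorted(pid for pid, t in targets.items() if t["verdict"].startswith("hollowed"))


if __name__ == "__main__":
    chain = injection_chain(parse_rows(REPORT_ROWS))
    for pid, t in sorted(chain.items()):
        print(pid, t["image"], t["writes"], t["set_thread_context"], t["verdict"])
    print("payload:", payload_pids(chain))
```

On this report the parser yields four targets; 3236 is the only one with both writes and a thread-context change and so the only hollowed_self_image verdict, which agrees with the family YARA hit being confined to that PID's memory.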
Processes

C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DQuHmmSWD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDAB6.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe (depth 2)
    command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe (depth 2)
    command line: "{path}"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe (depth 2)
    command line: "{path}"

Two details worth carrying into detection. The parent asked for C:\Windows\System32\schtasks.exe but the image that ran is C:\Windows\SysWOW64\schtasks.exe: that is WOW64 file-system redirection, so the parent is a 32-bit process, consistent with the CLR_v4.0_32 usage log under Downloads. The three same-image children are launched with the literal command line "{path}" as shown, which is itself searchable in command-line telemetry; the child carrying the Run key and SetWindowsHookEx signatures is the hollowed PID 3236 from the signatures above.
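The process tree as printed carries the whole picture: the image that actually ran versus the image named in the command line, the task creation from a Temp XML, and the same-image children with the "{path}" command line. As an added example (not the sandbox's code), the following parses these lines in the page's `<image>"<command line>"<depth>⤵` layout, rebuilds parent/child links from the depth marker, and flags the indicators a detection engineer would carry over into command-line telemetry. The lines are copied from this report; the flag names and the Temp, System32 and SysWOW64 path checks are this example's own.

```python
import re

# The five process lines from this report, verbatim, in the page's
# <image>"<command line>"<depth>⤵ layout.
TREE_LINES = [
    r'C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe"C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe"1⤵',
    r'C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DQuHmmSWD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDAB6.tmp"2⤵',
    r'C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe"{path}"2⤵',
    r'C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe"{path}"2⤵',
    r'C:\Users\Admin\AppData\Local\Temp\Delivery Order.gz.exe"{path}"2⤵',
]

LINE = re.compile(r'^(?P<image>[^"]+)(?P<cmd>".*")(?P<depth>\d+)⤵$')
TN = re.compile(r'/TN\s+"([^"]+)"', re.I)
XML = re.compile(r'/XML\s+"([^"]+)"', re.I)
TEMP = "\\appdata\\local\\temp\\"
SYSWOW64 = "c:\\windows\\syswow64\\"
SYSTEM32 = "c:\\windows\\system32\\"


def parse_tree(lines):
    """Rebuild parent links: a node's parent is the most recent node one level up."""
    nodes, last_at_depth = [], {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            raise ValueError("unrecognised process line: " + line)
        depth = int(m["depth"])
        node = {"image": m["image"], "cmdline": m["cmd"], "depth": depth,
                "parent": last_at_depth.get(depth - 1)}
        last_at_depth[depth] = len(nodes)
        nodes.append(node)
    return nodes


def parse_schtasks(cmdline):
    """Task name and XML path from a 'schtasks /Create ... /XML ...' command line."""
    if "/create" not in cmdline.lower():
        return None
    tn, xml = TN.search(cmdline), XML.search(cmdline)
    return {"name": tn.group(1) if tn else None, "xml": xml.group(1) if xml else None}


def analyse(nodes):
    """Attach flags to every node; the parent index lets child/parent image comparison work."""
    out = []
    for node in nodes:
        image, cmd = node["image"], node["cmdline"]
        exe_in_cmd = cmd.split('"')[1]  # the quoted executable at the start of the command line
        flags = []
        # a 32-bit process asked for System32 and WOW64 redirected it to SysWOW64
        if image.lower().startswith(SYSWOW64) and exe_in_cmd.lower().startswith(SYSTEM32):
            flags.append("wow64_redirected")
        if TEMP in image.lower():
            flags.append("runs_from_temp")
        if cmd == '"{path}"':  # unreplaced placeholder, searchable as-is in command-line logs
            flags.append("placeholder_cmdline")
        parent = nodes[node["parent"]] if node["parent"] is not None else None
        if parent is not None and parent["image"].lower() == image.lower():
            flags.append("same_image_child")
        task = parse_schtasks(cmd) if image.lower().endswith("\\schtasks.exe") else None
        if task and task["xml"] and TEMP in task["xml"].lower():
            flags.append("schtasks_xml_from_temp")
        out.append({**node, "flags": flags, "task": task})
    return out


if __name__ == "__main__":
    for n in analyse(parse_tree(TREE_LINES)):
        print("  " * (n["depth"] - 1) + n["image"], n["flags"], n["task"] or "")
```

The schtasks node comes out with wow64_redirected and schtasks_xml_from_temp plus the parsed task name Updates\DQuHmmSWD, and each of the three same-image children with runs_from_temp, placeholder_cmdline and same_image_child; the combination of a Temp-resident parent spawning a same-image child with the "{path}" command line is the pattern to hunt for, independent of the random names.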
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Delivery Order.gz.exe.log
  MD5: ca0f5a97e99b64cce46421d178db03d0
  SHA1: dc14bbb3304f311a8970fd16d7fd45b11fa9075f
  SHA256: 335bca3539bd41893cecddf8d4f5a6bf10b276687267e46fc1801a73e1170866
  SHA512: db07fd19802353811e1c0da40233e8fe10abdbb7904beb69fe44106fe2822d98b571f5cf6e8c3a8e61dcca1b10048c5e102de478da47301b4f75fe6dcf434900
  CLR usage log written by the .NET runtime; the CLR_v4.0_32 path component shows the sample ran as a 32-bit .NET 4.x process.
- C:\Users\Admin\AppData\Local\Temp\tmpDAB6.tmp
  MD5: f85c88c776736ee084685c7b86686a3c
  SHA1: 4d7ff66954a365e8cd0eec04ffc0467f088d1f01
  SHA256: cfa50ad40b9c8f0d456eb6200772203c2ab3f5fd8efc6a30797b933e1a4bf0a3
  SHA512: 3028021b7fd3fa2deeaf01e8dd3d3ad3232350d7e0c88848452d64231a1463968583a3f91b0b7ef13d6bc01c12959b16139dbae2fcf3e44650a65620655d8b43
  The task definition passed to schtasks /XML in the process tree.

Memory dumps
- memory/1332-13-0x0000000000000000-mapping.dmp
- memory/3236-24-0x0000000005540000-0x0000000005541000-memory.dmp, 4KB
- memory/3236-23-0x0000000005120000-0x0000000005121000-memory.dmp, 4KB
- memory/3236-18-0x0000000073820000-0x0000000073F0E000-memory.dmp, 6.9MB
- memory/3236-16-0x00000000004377FE-mapping.dmp
- memory/3236-15-0x0000000000400000-0x000000000043C000-memory.dmp, 240KB
- memory/4048-7-0x0000000005350000-0x0000000005351000-memory.dmp, 4KB
- memory/4048-12-0x0000000009BF0000-0x0000000009BF1000-memory.dmp, 4KB
- memory/4048-11-0x0000000009C60000-0x0000000009C61000-memory.dmp, 4KB
- memory/4048-10-0x0000000009650000-0x00000000096AE000-memory.dmp, 376KB
- memory/4048-9-0x0000000007CC0000-0x0000000007CC4000-memory.dmp, 16KB
- memory/4048-8-0x0000000005390000-0x0000000005391000-memory.dmp, 4KB
- memory/4048-2-0x0000000073820000-0x0000000073F0E000-memory.dmp, 6.9MB
- memory/4048-6-0x0000000007830000-0x0000000007831000-memory.dmp, 4KB
- memory/4048-5-0x0000000007D30000-0x0000000007D31000-memory.dmp, 4KB
- memory/4048-3-0x0000000000A10000-0x0000000000A11000-memory.dmp, 4KB

The 240KB region at 0x00400000-0x0043C000 in PID 3236 is the one the family_agenttesla YARA rule matched and is the dump to carve for the unpacked payload; the same 6.9MB mapping at 0x73820000-0x73F0E000 appears in both the parent (4048) and the injected child (3236).