Analysis
- max time kernel: 131s
- max time network: 169s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 22-07-2021 11:58
Static task
- static1

Behavioral task
- behavioral1
  Sample: Released Order.exe
  Resource: win7v20210410 (windows7_x64)
  0 signatures
  0 seconds

Behavioral task
- behavioral2
  Sample: Released Order.exe
  Resource: win10v20210408 (windows10_x64)
  0 signatures
  0 seconds
General
- Target: Released Order.exe
- Size: 894KB
- MD5: 99d846bbf242277134ba3b6cb92ab2eb
- SHA1: 96dcb922a1213c55bce5edeada748112b760d9db
- SHA256: 1988aecd504c91c63584f0ee4aa3d1a9d6f0f879763e7fc695230ec2703cb07b
- SHA512: 2adddeb4c73b6591c1659a5d0e22b7cf57468ff85e58f1332609b7b9fd62a9da1be4218e76168804a99a1386959cc23222b3a2a7a1575a2e4210a8c534d5df13
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: mail.saitools.com
  - Port: 587
  - Username: [email protected]
  - Password: ecotanksystems$0912
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/876-66-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  behavioral1/memory/876-67-0x000000000043761E-mapping.dmp | family_agenttesla
  behavioral1/memory/876-68-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
- Drops file in Drivers directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe" | RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2020 set thread context of 876 | 2020 | Released Order.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  876 | RegSvcs.exe
  876 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2020 | Released Order.exe
  Token: SeDebugPrivilege | 876 | RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  876 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | process | target process
  PID 2020 wrote to memory of 876 | 2020 | Released Order.exe | RegSvcs.exe
  (the same entry is recorded 12 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Released Order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Released Order.exe"
  PID: 2020
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 2020)
    Command line: "{path}"
    PID: 876
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/876-66-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/876-67-0x000000000043761E-mapping.dmp
- memory/876-68-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/876-70-0x0000000000A60000-0x0000000000A61000-memory.dmp (4KB)
- memory/876-71-0x0000000000A61000-0x0000000000A62000-memory.dmp (4KB)
- memory/2020-59-0x0000000000270000-0x0000000000271000-memory.dmp (4KB)
- memory/2020-61-0x0000000004160000-0x00000000041B9000-memory.dmp (356KB)
- memory/2020-62-0x00000000049C0000-0x00000000049C1000-memory.dmp (4KB)
- memory/2020-63-0x0000000000390000-0x0000000000392000-memory.dmp (8KB)
- memory/2020-64-0x0000000005E80000-0x0000000005EFA000-memory.dmp (488KB)
- memory/2020-65-0x0000000000BE0000-0x0000000000C18000-memory.dmp (224KB)