Analysis

max time kernel: 131s
max time network: 13s
platform: windows7_x64
resource: win7v20210410
submitted: 27-07-2021 21:02

Static task: static1

Behavioral task: behavioral1
Sample: new order 00041221.exe
Resource: win7v20210410

Behavioral task: behavioral2
Sample: new order 00041221.exe
Resource: win10v20210408
General

Target: new order 00041221.exe
Size: 729KB
MD5: ffe30c4ac40f0e43147b0ffe6ede3e3f
SHA1: bde322fd8135752b32f0301887e25295a08f2b44
SHA256: 9f34067bfd42e0ddfff753c0e045a4a1df331d738ec6946ed35531f8cf33440b
SHA512: 1e70a0a0fb23c88f49fc702127e4d826454d4406ebee05d07ef341283c57fb1e12094ce3c4fa54e328771366dadc0935bf15d20a0d585783c0afe0002c1d7b2c
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.marcer.com.tr
Port: 587
Username: muhasebe@marcer.com.tr
Password: mar1453
Signatures

AgentTesla
Agent Tesla is a .NET information stealer with remote access tool (RAT) capabilities, commonly built with Visual Basic .NET. It harvests credentials from browsers, email and FTP clients and exfiltrates them; the configuration extracted from this sample uses an SMTP account (see Malware Config).

AgentTesla Payload 3 IoCs
resource: yara_rule
behavioral1/memory/860-68-0x000000000043760E-mapping.dmp  family_agenttesla
behavioral1/memory/860-67-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
behavioral1/memory/860-69-0x0000000000400000-0x000000000043C000-memory.dmp  family_agenttesla
All three YARA hits are on memory dumps of the second instance (PID 860), not on the 729KB file on disk: the Agent Tesla payload is only unpacked in memory (a 240KB image at 0x400000-0x43C000), so file-hash matching alone will not identify it.
Drops file in Drivers directory 1 IoCs
process: new order 00041221.exe (the injected second instance, PID 860)
ioc: File opened for modification C:\Windows\system32\drivers\etc\hosts
The report records only that the hosts file was opened for modification, not what was written to it.
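Because the signature above only shows the hosts file being opened for writing, the hosts file recovered from the run has to be compared against a clean copy to learn what changed. The following is an added example (not part of the sandbox report) that parses hosts-file text, diffs it against a baseline and labels each new mapping as sinkholed (pointing at loopback/null) or redirected. Both file contents are constructed for the example; the hostnames use the reserved example.com/example.net zones and the redirect target is a TEST-NET-2 address, none of which come from this sample.

```python
"""Diff a Windows hosts file against a known-good baseline.

Added example, not part of the sandbox report. The report shows only that
C:\\Windows\\system32\\drivers\\etc\\hosts was opened for modification, so the
captured file has to be diffed against a clean one. BASELINE and CURRENT are
constructed: Windows ships a comment-only hosts file, and the two added lines
are illustrative, not what this sample wrote.
"""

BASELINE = """\
# constructed baseline: Windows ships hosts with comments only
#	127.0.0.1       localhost
#	::1             localhost
"""

CURRENT = BASELINE + """\
127.0.0.1\tupdates.example.com   # constructed: update host pointed at loopback
198.51.100.7 login.example.net        # constructed: name redirected to a TEST-NET-2 address
"""

# Addresses that make a name resolve to nothing useful (sinkholing).
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname_lower: set(ip)} from hosts-file text, ignoring comments.

    A line may carry several names for one address; '#' starts a comment
    anywhere on the line, exactly as the Windows resolver treats it.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), set()).add(ip)
    return mapping


def diff_hosts(baseline_text, current_text):
    """Names added, changed (different address set) or removed relative to baseline."""
    base, cur = parse_hosts(baseline_text), parse_hosts(current_text)
    added = {n: sorted(ips) for n, ips in cur.items() if n not in base}
    changed = {n: (sorted(base[n]), sorted(ips))
               for n, ips in cur.items() if n in base and ips != base[n]}
    removed = sorted(n for n in base if n not in cur)
    return {"added": added, "changed": changed, "removed": removed}


def classify(diff):
    """Label each added/changed name: 'sinkholed' if every address is a local sink, else 'redirected'."""
    verdict = {}
    for name, ips in diff["added"].items():
        verdict[name] = "sinkholed" if set(ips) <= LOCAL_SINKS else "redirected"
    for name, (_, ips) in diff["changed"].items():
        verdict[name] = "sinkholed" if set(ips) <= LOCAL_SINKS else "redirected"
    return verdict


if __name__ == "__main__":
    d = diff_hosts(BASELINE, CURRENT)
    for name, label in classify(d).items():
        print(f"{label:10} {name} -> {d['added'].get(name) or d['changed'][name][1]}")
```

Sinkholed entries usually target update or telemetry hosts of security products; redirected entries to an external address are the more dangerous case, since they let the operator intercept logins. Run the diff against the hosts file pulled from the sandbox VM, not against the one on the analyst workstation.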
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data (account settings, saved credentials) on disk, which infostealers often target.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
process: new order 00041221.exe
ioc: Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe"
Suspicious use of SetThreadContext 1 IoCs
process: new order 00041221.exe
ioc: PID 1084 (new order 00041221.exe) set thread context of PID 860 (new order 00041221.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description tags this as likely ransomware behaviour; for this Agent Tesla sample it is more consistent with drive enumeration by an infostealer, and no file-encryption activity is reported anywhere else in this analysis.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the first instance (PID 1084) spawns schtasks.exe (PID 672) to register a task named Updates\BtDInAbOGLzwJ from an XML definition staged at C:\Users\Admin\AppData\Local\Temp\tmp92FC.tmp (see Processes and Downloads).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
PID 1084 new order 00041221.exe
PID 860 new order 00041221.exe
PID 860 new order 00041221.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege  PID 1084 new order 00041221.exe
Token: SeDebugPrivilege  PID 860 new order 00041221.exe

Suspicious use of SetWindowsHookEx 1 IoCs
PID 860 new order 00041221.exe

Suspicious use of WriteProcessMemory 13 IoCs
PID 1084 (new order 00041221.exe) wrote to memory of PID 672 (schtasks.exe): 4 events
PID 1084 (new order 00041221.exe) wrote to memory of PID 860 (new order 00041221.exe): 9 events
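Read together, the SetThreadContext and WriteProcessMemory signatures describe process hollowing (RunPE): PID 1084 starts a second copy of its own image (PID 860), writes the unpacked payload into it and redirects its thread with SetThreadContext. The four writes into schtasks.exe (PID 672) are a different thing: a parent writes process parameters into every child it creates, so a write on its own is noise. The following is an added example (not code from the sandbox or from the report) showing the correlation a detection engineer would write over such events. The event records and their field names are constructed to mirror the PIDs and counts above; the ordering of events is an assumption.

```python
"""Flag process hollowing from per-process API events.

Added example, not part of the sandbox report. EVENTS is constructed to mirror
the report: the first instance (PID 1084) spawns a copy of itself (PID 860),
writes into it nine times and then calls SetThreadContext on it; its four
writes into schtasks.exe (PID 672) are the ordinary parameter writes that
accompany process creation and are never followed by SetThreadContext. The
Event schema is this example's own, not a real EDR or sandbox format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    api: str           # CreateProcess | WriteProcessMemory | SetThreadContext | ResumeThread
    pid: int           # acting process
    image: str         # acting process image name
    target_pid: int    # process acted upon
    target_image: str  # image name of the process acted upon


SELF = "new order 00041221.exe"

# Constructed telemetry; PIDs, images and counts follow the report, order is assumed.
EVENTS = [
    Event("CreateProcess", 1084, SELF, 672, "schtasks.exe"),
    *[Event("WriteProcessMemory", 1084, SELF, 672, "schtasks.exe")] * 4,
    Event("CreateProcess", 1084, SELF, 860, SELF),
    *[Event("WriteProcessMemory", 1084, SELF, 860, SELF)] * 9,
    Event("SetThreadContext", 1084, SELF, 860, SELF),
    Event("ResumeThread", 1084, SELF, 860, SELF),
]


def detect_hollowing(events, min_writes=1):
    """Return one finding per (source, target) pair that looks hollowed.

    A pair is reported only when the source wrote into the target at least
    `min_writes` times AND afterwards set a thread context in it. Writes alone
    must not fire: every parent writes parameters into children it creates.
    """
    writes = defaultdict(int)   # (src, dst) -> number of WriteProcessMemory calls
    created = {}                # (src, dst) -> target image from CreateProcess
    hollowed = set()
    for ev in events:
        key = (ev.pid, ev.target_pid)
        if ev.api == "CreateProcess":
            created[key] = ev.target_image
        elif ev.api == "WriteProcessMemory":
            writes[key] += 1
        elif ev.api == "SetThreadContext" and writes[key] >= min_writes:
            hollowed.add(key)

    findings = []
    for src, dst in sorted(hollowed):
        target_image = created.get((src, dst), "?")
        src_image = next(e.image for e in events if e.pid == src)
        reason = "write+SetThreadContext"
        # A child that is a copy of the parent is the classic RunPE shape.
        if src_image.lower() == target_image.lower():
            reason += ", child is a copy of the parent image"
        findings.append({"source_pid": src, "target_pid": dst,
                         "target_image": target_image,
                         "writes": writes[(src, dst)], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(EVENTS):
        print(finding)
```

On the constructed events this yields exactly one finding, 1084 -> 860, and nothing for schtasks.exe. The memory dumps listed under Downloads are what you would feed to YARA after such a finding: the payload lives in the target's 0x400000-0x43C000 region, not in the file on disk.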
Processes

C:\Users\Admin\AppData\Local\Temp\new order 00041221.exe (PID 1084)
  command line: "C:\Users\Admin\AppData\Local\Temp\new order 00041221.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 672, child of 1084)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BtDInAbOGLzwJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp92FC.tmp"
    (the System32 path on the command line resolves to SysWOW64 because the 32-bit parent is subject to file system redirection)
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\new order 00041221.exe (PID 860, child of 1084)
    command line: "{path}" (recorded literally by the sandbox)
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
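The two persistence mechanisms visible in this run, the Run key kprUEGC pointing into AppData\Roaming and the scheduled task Updates\BtDInAbOGLzwJ registered from an XML in the user's Temp directory, share the traits an analyst scores when triaging autostart entries. The following is an added example (not code from the sandbox or the report) that applies those heuristics to a small set of entries. The first two entries are taken from the report's Run key and schtasks command line; the third is a constructed benign control. The entry schema (kind/name/command/parent), the list of user-writable directories and the scoring are this example's assumptions, not a sandbox or EDR format.

```python
"""Triage autostart entries recorded in a sandbox run.

Added example, not part of the report. ENTRIES holds the report's Run key and
schtasks command line plus one constructed benign control entry; the schema,
USER_WRITABLE list and scoring are this example's own assumptions.
"""
import re

# Directories an unprivileged user can write to. Legitimate updaters live here
# too, which is why a single hit only raises the score rather than deciding it.
USER_WRITABLE = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\",
    "\\programdata\\", "\\temp\\",
)

ENTRIES = [
    {"kind": "runkey", "name": "kprUEGC",
     "command": "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe",
     "parent": "C:\\Users\\Admin\\AppData\\Local\\Temp\\new order 00041221.exe"},
    {"kind": "schtask", "name": None,
     "command": '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\BtDInAbOGLzwJ" '
                '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp92FC.tmp"',
     "parent": "C:\\Users\\Admin\\AppData\\Local\\Temp\\new order 00041221.exe"},
    # Constructed benign control: vendor updater installed under Program Files.
    {"kind": "runkey", "name": "VendorUpdater",
     "command": '"C:\\Program Files\\Vendor\\Updater.exe" /background',
     "parent": "C:\\Program Files\\Vendor\\Setup.exe"},
]


def exe_path(command):
    """First token of a command line without surrounding quotes.

    Unquoted paths containing spaces are ambiguous on Windows; this takes the
    first whitespace-delimited token, which matches how CreateProcess begins.
    """
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def path_flags(path, label):
    """Flags derived from where an executable sits and how its folder is named."""
    flags = []
    p = path.lower()
    if in_user_writable(p):
        flags.append(f"{label} runs from user-writable path")
    parts = p.split("\\")
    stem = re.sub(r"\.exe$", "", parts[-1])
    # <dir>\name\name.exe is a common self-install layout for droppers.
    if len(parts) >= 2 and stem and stem == parts[-2]:
        flags.append(f"{label} folder name mirrors executable name")
    return flags


def _switch(command, name):
    """Value of a /NAME switch from a schtasks command line, quoted or bare."""
    m = re.search(rf'/{name}\s+(?:"([^"]+)"|(\S+))', command, re.I)
    return (m.group(1) or m.group(2)) if m else None


def triage(entry):
    flags = []
    if entry["kind"] == "runkey":
        target = exe_path(entry["command"])
        flags += path_flags(target, "target")
        stem = re.sub(r"\.exe$", "", target.split("\\")[-1], flags=re.I)
        if entry["name"] and entry["name"].lower() == stem.lower():
            flags.append("Run value name mirrors executable name")
        name = entry["name"]
    else:  # schtask: the task name and XML source come from the schtasks command line
        name = _switch(entry["command"], "TN") or "?"
        xml = _switch(entry["command"], "XML")
        if xml and in_user_writable(xml):
            flags.append("task definition XML staged in user-writable path")
    if in_user_writable(entry["parent"]):
        flags.append("registered by a process running from user-writable path")
    severity = "high" if len(flags) >= 2 else "medium" if flags else "low"
    return {"kind": entry["kind"], "name": name, "flags": flags, "severity": severity}


def triage_all(entries):
    return [triage(e) for e in entries]


if __name__ == "__main__":
    for result in triage_all(ENTRIES):
        print(result["severity"], result["kind"], result["name"], result["flags"])
```

The report gives the task's name and the XML file it was built from (tmp92FC.tmp, hashed under Downloads) but not the task's action or trigger; those live inside the XML, so pull that file from the run before deciding what the task launches and how often.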
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp92FC.tmp (scheduled task XML passed to schtasks.exe /XML)
MD5: 62ac87e1997075ef393383e35249e210
SHA1: a1c2384011f53976118c893b1512a415a93d0ef2
SHA256: e9308414c674470d9a09cb3a1e8b4eea21977cf00ff1de5b2c26b8b1a5789917
SHA512: 0944459b3cd22f09ada60e8838944186312024fd0177c814915896bd963fe0fb4e9c33fea1f923b89cfe84275798f9678f84e24c4c4285532b8cb0df76da91f0

memory/672-65-0x0000000000000000-mapping.dmp
memory/860-68-0x000000000043760E-mapping.dmp
memory/860-67-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
memory/860-69-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
memory/860-71-0x0000000004790000-0x0000000004791000-memory.dmp (4KB)
memory/860-72-0x0000000004791000-0x0000000004792000-memory.dmp (4KB)
memory/1084-59-0x0000000000820000-0x0000000000821000-memory.dmp (4KB)
memory/1084-61-0x0000000004BE0000-0x0000000004BE1000-memory.dmp (4KB)
memory/1084-62-0x00000000005E0000-0x00000000005E2000-memory.dmp (8KB)
memory/1084-63-0x0000000004B10000-0x0000000004BCC000-memory.dmp (752KB)
memory/1084-64-0x0000000004F00000-0x0000000004F78000-memory.dmp (480KB)