new order 00041221.exe

General

Target: new order 00041221.exe
Filesize: 729KB
Completed: 27-07-2021 20:58
Score: 10/10
MD5: ffe30c4ac40f0e43147b0ffe6ede3e3f
SHA1: bde322fd8135752b32f0301887e25295a08f2b44
SHA256: 9f34067bfd42e0ddfff753c0e045a4a1df331d738ec6946ed35531f8cf33440b

Malware Config

Extracted

Family: agenttesla

Credentials

Protocol: smtp
Host: mail.marcer.com.tr
Port: 587
Username: muhasebe@marcer.com.tr
Password: mar1453

Signatures 14

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1112-68-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral1/memory/1112-69-0x000000000043760E-mapping.dmp | family_agenttesla
    behavioral1/memory/1112-70-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  • Drops file in Drivers directory
    new order 00041221.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | new order 00041221.exe
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Adds Run key to start application
    new order 00041221.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe" | new order 00041221.exe
  • Suspicious use of SetThreadContext
    new order 00041221.exe

    Reported IOCs

    description | pid | process | target process
    PID 1200 set thread context of 1112 | 1200 | new order 00041221.exe | new order 00041221.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    904 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    new order 00041221.exe

    Reported IOCs

    pid | process
    1112 | new order 00041221.exe
    1112 | new order 00041221.exe
  • Suspicious use of AdjustPrivilegeToken
    new order 00041221.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1112 | new order 00041221.exe
  • Suspicious use of SetWindowsHookEx
    new order 00041221.exe

    Reported IOCs

    pid | process
    1112 | new order 00041221.exe
  • Suspicious use of WriteProcessMemory
    new order 00041221.exe

    Reported IOCs

    description | pid | process | target process
    PID 1200 wrote to memory of 904 | 1200 | new order 00041221.exe | schtasks.exe
    PID 1200 wrote to memory of 904 | 1200 | new order 00041221.exe | schtasks.exe
    PID 1200 wrote to memory of 904 | 1200 | new order 00041221.exe | schtasks.exe
    PID 1200 wrote to memory of 904 | 1200 | new order 00041221.exe | schtasks.exe
    PID 1200 wrote to memory of 1112 | 1200 | new order 00041221.exe | new order 00041221.exe
    PID 1200 wrote to memory of 1112 | 1200 | new order 00041221.exe | new order 00041221.exe
    PID 1200 wrote to memory of 1112 | 1200 | new order 00041221.exe | new order 00041221.exe
    PID 1200 wrote to memory of 1112 | 1200 | new order 00041221.exe | new order 00041221.exe
    PID 1200 wrote to memory of 1112 | 1200 | new order 00041221.exe | new order 00041221.exe
    PID 1200 wrote to memory of 1112 | 1200 | new order 00041221.exe | new order 00041221.exe
    PID 1200 wrote to memory of 1112 | 1200 | new order 00041221.exe | new order 00041221.exe
    PID 1200 wrote to memory of 1112 | 1200 | new order 00041221.exe | new order 00041221.exe
    PID 1200 wrote to memory of 1112 | 1200 | new order 00041221.exe | new order 00041221.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\new order 00041221.exe
    "C:\Users\Admin\AppData\Local\Temp\new order 00041221.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BtDInAbOGLzwJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C77.tmp"
      Creates scheduled task(s)
      PID:904
    • C:\Users\Admin\AppData\Local\Temp\new order 00041221.exe
      "{path}"
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1112
Network

MITRE ATT&CK Matrix

Tactics: Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8C77.tmp
    MD5: 62ac87e1997075ef393383e35249e210
    SHA1: a1c2384011f53976118c893b1512a415a93d0ef2
    SHA256: e9308414c674470d9a09cb3a1e8b4eea21977cf00ff1de5b2c26b8b1a5789917
    SHA512: 0944459b3cd22f09ada60e8838944186312024fd0177c814915896bd963fe0fb4e9c33fea1f923b89cfe84275798f9678f84e24c4c4285532b8cb0df76da91f0
  • memory/904-66-0x0000000000000000-mapping.dmp
  • memory/1112-68-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1112-69-0x000000000043760E-mapping.dmp
  • memory/1112-70-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1112-72-0x0000000004950000-0x0000000004951000-memory.dmp
  • memory/1112-73-0x0000000004951000-0x0000000004952000-memory.dmp
  • memory/1200-60-0x00000000013A0000-0x00000000013A1000-memory.dmp
  • memory/1200-62-0x00000000012C0000-0x00000000012C1000-memory.dmp
  • memory/1200-63-0x0000000000960000-0x0000000000962000-memory.dmp
  • memory/1200-64-0x0000000005730000-0x00000000057EC000-memory.dmp
  • memory/1200-65-0x0000000005300000-0x0000000005378000-memory.dmp