new order 00041221.exe

General
  Target: new order 00041221.exe
  Filesize: 729KB
  Completed: 27-07-2021 20:58
  Score: 10/10
  MD5: ffe30c4ac40f0e43147b0ffe6ede3e3f
  SHA1: bde322fd8135752b32f0301887e25295a08f2b44
  SHA256: 9f34067bfd42e0ddfff753c0e045a4a1df331d738ec6946ed35531f8cf33440b

Malware Config
  Extracted
  Family: agenttesla
  Credentials
    Protocol: smtp
    Host: mail.marcer.com.tr
    Port: 587
    Username: muhasebe@marcer.com.tr
    Password: mar1453

Signatures 14

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/2020-126-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral2/memory/2020-127-0x000000000043760E-mapping.dmp | family_agenttesla
  • Drops file in Drivers directory
    new order 00041221.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Windows\system32\drivers\etc\hosts | new order 00041221.exe
  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    TTPs

    Data from Local System; Credentials in Files
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Adds Run key to start application
    new order 00041221.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe" | new order 00041221.exe
  • Suspicious use of SetThreadContext
    new order 00041221.exe

    Reported IOCs

    description | pid | process | target process
    PID 3920 set thread context of 2020 | 3920 | new order 00041221.exe | new order 00041221.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    2836 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    new order 00041221.exe
    new order 00041221.exe

    Reported IOCs

    pid | process
    3920 | new order 00041221.exe
    2020 | new order 00041221.exe
    2020 | new order 00041221.exe
  • Suspicious use of AdjustPrivilegeToken
    new order 00041221.exe
    new order 00041221.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 3920 | new order 00041221.exe
    Token: SeDebugPrivilege | 2020 | new order 00041221.exe
  • Suspicious use of SetWindowsHookEx
    new order 00041221.exe

    Reported IOCs

    pid | process
    2020 | new order 00041221.exe
  • Suspicious use of WriteProcessMemory
    new order 00041221.exe

    Reported IOCs

    description | pid | process | target process
    PID 3920 wrote to memory of 2836 | 3920 | new order 00041221.exe | schtasks.exe
    PID 3920 wrote to memory of 2836 | 3920 | new order 00041221.exe | schtasks.exe
    PID 3920 wrote to memory of 2836 | 3920 | new order 00041221.exe | schtasks.exe
    PID 3920 wrote to memory of 2020 | 3920 | new order 00041221.exe | new order 00041221.exe
    PID 3920 wrote to memory of 2020 | 3920 | new order 00041221.exe | new order 00041221.exe
    PID 3920 wrote to memory of 2020 | 3920 | new order 00041221.exe | new order 00041221.exe
    PID 3920 wrote to memory of 2020 | 3920 | new order 00041221.exe | new order 00041221.exe
    PID 3920 wrote to memory of 2020 | 3920 | new order 00041221.exe | new order 00041221.exe
    PID 3920 wrote to memory of 2020 | 3920 | new order 00041221.exe | new order 00041221.exe
    PID 3920 wrote to memory of 2020 | 3920 | new order 00041221.exe | new order 00041221.exe
    PID 3920 wrote to memory of 2020 | 3920 | new order 00041221.exe | new order 00041221.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\new order 00041221.exe
    "C:\Users\Admin\AppData\Local\Temp\new order 00041221.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BtDInAbOGLzwJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE516.tmp"
      Creates scheduled task(s)
      PID:2836
    • C:\Users\Admin\AppData\Local\Temp\new order 00041221.exe
      "{path}"
      Drops file in Drivers directory
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2020
Network
MITRE ATT&CK Matrix
  Command and Control
  Credential Access
  Defense Evasion
  Execution
  Exfiltration
  Impact
  Initial Access
  Lateral Movement
  Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\new order 00041221.exe.log
    MD5: 0c2899d7c6746f42d5bbe088c777f94c
    SHA1: 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
    SHA256: 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
    SHA512: ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
  • C:\Users\Admin\AppData\Local\Temp\tmpE516.tmp
    MD5: 2a63fd1a0dd8f80fd914921447b3fea5
    SHA1: d6364786afbecf407c838601079c3844069da2ed
    SHA256: c3978d4e8ef505fbecb07176ad7d50ee5b8c0ba1b98526bf8ebb1379f822069e
    SHA512: 2f991281aa41eb3374b571ddd32c5d322ba6ff872619c894844d084f5813d29f18d86acbdad6b63ce89871577294af13d6f034b5a70ef2fe6fa50ae59b0e2762
  • memory/2020-134-0x0000000005590000-0x0000000005591000-memory.dmp
  • memory/2020-133-0x0000000002B10000-0x0000000002B11000-memory.dmp
  • memory/2020-127-0x000000000043760E-mapping.dmp
  • memory/2020-126-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/2020-135-0x0000000005C20000-0x0000000005C21000-memory.dmp
  • memory/2836-124-0x0000000000000000-mapping.dmp
  • memory/3920-123-0x0000000007620000-0x0000000007698000-memory.dmp
  • memory/3920-122-0x0000000007450000-0x000000000750C000-memory.dmp
  • memory/3920-121-0x0000000005220000-0x0000000005222000-memory.dmp
  • memory/3920-120-0x0000000007840000-0x0000000007841000-memory.dmp
  • memory/3920-119-0x0000000005140000-0x0000000005141000-memory.dmp
  • memory/3920-118-0x0000000005150000-0x0000000005151000-memory.dmp
  • memory/3920-117-0x0000000005240000-0x0000000005241000-memory.dmp
  • memory/3920-116-0x00000000056A0000-0x00000000056A1000-memory.dmp
  • memory/3920-114-0x0000000000850000-0x0000000000851000-memory.dmp