Analysis
- max time kernel: 131s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-07-2021 17:51
Static task: static1
Behavioral task: behavioral1
- Sample: Order 4110043899.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Order 4110043899.exe
- Resource: win10v20210408 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Order 4110043899.exe
- Size: 900KB
- MD5: 825cbb275c093bf072f2aad913868ef8
- SHA1: 4b2416183753e26090d043620894264fdf26f95d
- SHA256: d67d60c7f4d8fb4d67571d372fc1e6ebd9cf1a12e7c4223b8bb4eb16d4c96e0c
- SHA512: dd000ff1e7b68a90a058c7fe889bc2a79585d86972eff5a7d5dc6bff0197c662c2f1e2e85fd98ebc68d0ec5983e26d7083c5d6203669137d52d7583deb769e06
Malware Config
Extracted
- Family: agenttesla
- Credentials:
  - Protocol: smtp
  - Host: mail.ndn.edu.lb
  - Port: 587
  - Username: chefcomptable@ndn.edu.lb
  - Password: Lebanon-Achrafieh-39
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  YARA rule family_agenttesla matched these resources:
  - behavioral2/memory/1324-125-0x0000000000400000-0x000000000043C000-memory.dmp
  - behavioral2/memory/1324-126-0x000000000043762E-mapping.dmp
  - behavioral2/memory/1324-131-0x0000000005620000-0x0000000005B1E000-memory.dmp
  - behavioral2/memory/1324-136-0x0000000005620000-0x0000000005B1E000-memory.dmp
- Drops file in Drivers directory (1 IoC)
  - RegSvcs.exe: file opened for modification, C:\Windows\system32\drivers\etc\hosts
- Adds Run key to start application (2 TTPs, 1 IoC)
  - RegSvcs.exe: set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\NXLun = "C:\\Users\\Admin\\AppData\\Roaming\\NXLun\\NXLun.exe"
- Suspicious use of SetThreadContext (1 IoC)
  - PID 3008 (Order 4110043899.exe) set thread context of PID 1324 (RegSvcs.exe)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  - PID 3008 Order 4110043899.exe (7 events)
  - PID 1324 RegSvcs.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 3008 Order 4110043899.exe
  - Token: SeDebugPrivilege, PID 1324 RegSvcs.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 3008 (Order 4110043899.exe) wrote to the memory of these RegSvcs.exe processes:
  - PID 1528 (3 events)
  - PID 3576 (3 events)
  - PID 1176 (3 events)
  - PID 1324 (8 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Order 4110043899.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order 4110043899.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    (no signatures listed)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    (no signatures listed)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    (no signatures listed)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
    Signatures:
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1324-125-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1324-136-0x0000000005620000-0x0000000005B1E000-memory.dmp (5.0MB)
- memory/1324-133-0x00000000061C0000-0x00000000061C1000-memory.dmp (4KB)
- memory/1324-132-0x0000000006120000-0x0000000006121000-memory.dmp (4KB)
- memory/1324-131-0x0000000005620000-0x0000000005B1E000-memory.dmp (5.0MB)
- memory/1324-126-0x000000000043762E-mapping.dmp
- memory/3008-119-0x0000000005770000-0x0000000005771000-memory.dmp (4KB)
- memory/3008-122-0x0000000007CA0000-0x0000000007CA1000-memory.dmp (4KB)
- memory/3008-123-0x0000000005FB0000-0x000000000602B000-memory.dmp (492KB)
- memory/3008-124-0x0000000005F40000-0x0000000005F78000-memory.dmp (224KB)
- memory/3008-121-0x0000000005BC0000-0x0000000005BC2000-memory.dmp (8KB)
- memory/3008-120-0x0000000005780000-0x0000000005781000-memory.dmp (4KB)
- memory/3008-114-0x0000000000E50000-0x0000000000E51000-memory.dmp (4KB)
- memory/3008-118-0x00000000059C0000-0x00000000059C1000-memory.dmp (4KB)
- memory/3008-117-0x000000000A1A0000-0x000000000A1A1000-memory.dmp (4KB)
- memory/3008-116-0x00000000056E0000-0x000000000573A000-memory.dmp (360KB)