Analysis
-
max time kernel: 155s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 23:46
Static task: static1
-
Behavioral task: behavioral1
Sample: NEW ORDER.exe
Resource: win7-20220414-en
0 signatures, 0 seconds
-
Behavioral task: behavioral2
Sample: NEW ORDER.exe
Resource: win10v2004-20220414-en
0 signatures, 0 seconds
General
-
Target: NEW ORDER.exe
Size: 744KB
MD5: 90e57ec2ce41a356068ce22d4849b5b0
SHA1: 8b4ed2dc6506d578a037c2cb50a3562794f6fa19
SHA256: 2ef6391d206ccd92009a213f15947d713e25340ec9ad6d402e5c47beb49558c3
SHA512: a5e72c2c88e65cb83140d80924ef59fefe199480232231b10f0f292d92a914b8fa2d2084b5dff09dc310415788488ece45bb045ba6c117bcf3d50d0f7d925a32
Malware Config
-
Extracted
Family: agenttesla
Credentials:
Protocol: smtp
Host: mail.deepakengineers.co.in
Port: 587
Username: [email protected]
Password: rubina@@123*
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload (1 IoC)
Resource: behavioral2/memory/1416-136-0x0000000000400000-0x000000000045C000-memory.dmp
YARA rule: family_agenttesla
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Process: RegSvcs.exe
Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Adds Run key to start application (2 TTPs, 1 IoC)
Process: RegSvcs.exe
Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe"
-
Suspicious use of SetThreadContext (1 IoC)
PID 3068 (NEW ORDER.exe) set thread context of PID 1416 (RegSvcs.exe)
-
Suspicious behavior: EnumeratesProcesses (9 IoCs)
PID 3068 NEW ORDER.exe (7 entries)
PID 1416 RegSvcs.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, PID 3068 NEW ORDER.exe
Token: SeDebugPrivilege, PID 1416 RegSvcs.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
PID 1416 RegSvcs.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
PID 3068 (NEW ORDER.exe) wrote to memory of PID 1416 (RegSvcs.exe) (8 entries)
-
outlook_office_path (1 IoC)
Process: RegSvcs.exe
Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path (1 IoC)
Process: RegSvcs.exe
Key opened: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2, under process 1)
Command line: "{path}"
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1416-135-0x0000000000000000-mapping.dmp
-
memory/1416-136-0x0000000000400000-0x000000000045C000-memory.dmp (Filesize: 368KB)
-
memory/1416-137-0x0000000005D40000-0x0000000005DA6000-memory.dmp (Filesize: 408KB)
-
memory/1416-138-0x0000000006A30000-0x0000000006A80000-memory.dmp (Filesize: 320KB)
-
memory/3068-130-0x0000000000A20000-0x0000000000ADE000-memory.dmp (Filesize: 760KB)
-
memory/3068-131-0x0000000005D70000-0x0000000006314000-memory.dmp (Filesize: 5.6MB)
-
memory/3068-132-0x0000000005610000-0x00000000056A2000-memory.dmp (Filesize: 584KB)
-
memory/3068-133-0x00000000059B0000-0x00000000059BA000-memory.dmp (Filesize: 40KB)
-
memory/3068-134-0x000000000D8C0000-0x000000000D95C000-memory.dmp (Filesize: 624KB)