Analysis
max time kernel: 143s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 11:24
Static task: static1
Behavioral task: behavioral1
  Sample: New Order.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: New Order.exe
  Resource: win10v2004-20220414-en
General
Target: New Order.exe
Size: 458KB
MD5: 7c738d899a5d3acd90f21482a70b0db6
SHA1: 53a3c9043c87111373499800e7dffb5c67359d8d
SHA256: 28e39a753f7723de8723f5b5fe26b57b18342c869a8a8e86e138728d343d6b79
SHA512: 70e9957a87f25deb76e2948bc40540de63a1cb5d338b3036e2629a72ed75e6653f5a05f738b4e949a61655b7e89c5574d44d303aa12b13afa39a13aec7846a1b
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.ametropolis.com
  Port: 587
  Username: rpalma@ametropolis.com
  Password: Gera5956
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access trojan and information stealer (originally written in Visual Basic .NET). It harvests saved credentials from browsers, email and FTP clients and, as the extracted config above shows for this sample, exfiltrates them over SMTP using a hard-coded mailbox.

AgentTesla Payload 1 IoCs
Processes:
  resource: behavioral2/memory/4228-138-0x0000000000400000-0x0000000000450000-memory.dmp
  yara_rule: family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs

Looks for VMWare Tools registry key 2 TTPs

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  New Order.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  New Order.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
  New Order.exe  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients 2 TTPs
Email clients store user data (accounts, saved passwords) on disk, which infostealers routinely target.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  New Order.exe  Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  New Order.exe  Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  New Order.exe  Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
  New Order.exe  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
  New Order.exe  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
Suspicious use of SetThreadContext 1 IoCs
Processes:
  New Order.exe (PID 3152) set thread context of PID 4228 (New Order.exe)
Together with the WriteProcessMemory events below (3152 writing into 4228 eight times) and the family_agenttesla YARA hit on the 4228 memory dump, this is the process-hollowing (RunPE) pattern: the first instance spawns a second copy of its own image, overwrites that copy's memory with the unpacked payload and redirects its thread to the new entry point, so the payload runs under a benign-looking image path.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour; in this sample it sits alongside the BIOS, VM-tools and disk-enumeration registry checks above and is better read as environment fingerprinting than as encryption staging.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created from an XML definition dropped to %TEMP% (tmp40D2.tmp, see the Processes and Downloads sections below).
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  New Order.exe (PID 4228), 2 events

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  New Order.exe (PID 4228)  Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  New Order.exe (PID 4228)
SetWindowsHookEx is the API used to install system-wide keyboard hooks, i.e. the usual keylogging primitive.

Suspicious use of WriteProcessMemory 14 IoCs
Processes (source -> target, event count):
  New Order.exe (PID 3152) wrote to memory of schtasks.exe (PID 452), 3 events
  New Order.exe (PID 3152) wrote to memory of New Order.exe (PID 4228), 8 events
  New Order.exe (PID 4228) wrote to memory of netsh.exe (PID 2196), 3 events
outlook_office_path 1 IoCs
Processes:
  New Order.exe  Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path 1 IoCs
Processes:
  New Order.exe  Key opened  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
C:\Users\Admin\AppData\Local\Temp\New Order.exe  (PID 3152)
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\schtasks.exe  (PID 452)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IBLDlf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp40D2.tmp"
    - Creates scheduled task(s)
  C:\Users\Admin\AppData\Local\Temp\New Order.exe  (PID 4228)
    Command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    C:\Windows\SysWOW64\netsh.exe  (PID 2196)
      Command line: "netsh" wlan show profile
Notes: the PIDs are taken from the IoC tables above. The image paths resolve to SysWOW64 although the command lines name System32, so the sample is a 32-bit process subject to file-system redirection. The second New Order.exe instance is started with the literal command line "{path}" (a useful hunting string) and is the hollowed process that carries the AgentTesla payload; its child "netsh wlan show profile" enumerates the saved Wi-Fi profiles, the first step of Wi-Fi credential theft.
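As an added example (it is not part of the Triage report and not code from the sample), the following Python turns the behaviour chain recorded above into detection logic over a small event trace. The PIDs, image paths, command lines and registry keys are the report's; the event-record layout, the set of user-writable directories and the "two findings = malicious" threshold are assumptions made for this example rather than any sandbox's export format.

```python
import re
from collections import defaultdict

# Constructed event trace modelled on this report's process tree and registry IoCs.
# PIDs, image paths and command lines are the report's; the record layout ("ev" plus
# fields) is an assumption made for this example, not Triage's export format.
TRACE = [
    {"ev": "process_create", "pid": 3152, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\New Order.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\New Order.exe"'},
    {"ev": "reg_query", "pid": 3152, "key": r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"ev": "reg_query", "pid": 3152, "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"ev": "reg_query", "pid": 3152, "key": r"HKLM\SYSTEM\ControlSet001\Services\disk\Enum\0"},
    {"ev": "reg_query", "pid": 3152, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"ev": "process_create", "pid": 452, "ppid": 3152,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IBLDlf" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp40D2.tmp"'},
    {"ev": "process_create", "pid": 4228, "ppid": 3152,
     "image": r"C:\Users\Admin\AppData\Local\Temp\New Order.exe", "cmdline": '"{path}"'},
    {"ev": "write_process_memory", "pid": 3152, "target": 4228},
    {"ev": "set_thread_context", "pid": 3152, "target": 4228},
    {"ev": "process_create", "pid": 2196, "ppid": 4228,
     "image": r"C:\Windows\SysWOW64\netsh.exe", "cmdline": '"netsh" wlan show profile'},
]

# Registry values the report shows being read; all but Geo\Nation are VM/sandbox
# fingerprints, Geo\Nation is the geofence check.
FINGERPRINT_KEYS = {
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios",
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion": "bios",
    r"SYSTEM\ControlSet001\Services\disk\Enum": "disk",
    r"Control Panel\International\Geo\Nation": "geofence",
}
# Assumed list of directories an unprivileged user can write to (tmp40D2.tmp lives in %TEMP%).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def _tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments whole (quotes stripped)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _arg(toks, low, flag):
    """Value following a flag such as /TN, or None if the flag or its value is absent."""
    if flag not in low:
        return None
    i = low.index(flag) + 1
    return toks[i] if i < len(toks) else None


def _procs(trace):
    return {e["pid"]: e for e in trace if e["ev"] == "process_create"}


def find_hollowing(trace):
    """Parent spawns a copy of its own image, writes into it and resets a thread context:
    the sequence behind the SetThreadContext/WriteProcessMemory signatures."""
    procs = _procs(trace)
    wrote = {(e["pid"], e["target"]) for e in trace if e["ev"] == "write_process_memory"}
    ctx = {(e["pid"], e["target"]) for e in trace if e["ev"] == "set_thread_context"}
    hits = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if (parent and parent["image"].lower() == p["image"].lower()
                and (parent["pid"], pid) in wrote and (parent["pid"], pid) in ctx):
            hits.append((parent["pid"], pid))
    return hits


def find_task_persistence(trace):
    """schtasks /Create whose task XML is read from a user-writable directory."""
    hits = []
    for p in _procs(trace).values():
        toks = _tokens(p["cmdline"])
        low = [t.lower() for t in toks]
        if not p["image"].lower().endswith("\\schtasks.exe") or "/create" not in low:
            continue
        xml = _arg(toks, low, "/xml") or ""
        if any(d in xml.lower() for d in USER_WRITABLE):
            hits.append({"pid": p["pid"], "task": _arg(toks, low, "/tn"), "xml": xml})
    return hits


def find_wifi_profile_dump(trace):
    """netsh wlan show profile launched by a parent living outside C:\\Windows."""
    procs = _procs(trace)
    hits = []
    for p in procs.values():
        low = [t.lower() for t in _tokens(p["cmdline"])]
        if p["image"].lower().endswith("\\netsh.exe") and low[1:4] == ["wlan", "show", "profile"]:
            parent = procs.get(p["ppid"])
            if parent and not parent["image"].lower().startswith("c:\\windows\\"):
                hits.append((parent["pid"], p["pid"]))
    return hits


def find_sandbox_probing(trace, threshold=2):
    """Per PID, the distinct fingerprint classes read from the registry (>= threshold)."""
    seen = defaultdict(set)
    for e in trace:
        if e["ev"] != "reg_query":
            continue
        for suffix, cls in FINGERPRINT_KEYS.items():
            if suffix.lower() in e["key"].lower():
                seen[e["pid"]].add(cls)
    return {pid: sorted(c) for pid, c in seen.items() if len(c) >= threshold}


def triage(trace):
    """Roll the findings into one result; two or more checks firing is called malicious."""
    findings = {
        "hollowing": find_hollowing(trace),
        "task_persistence": find_task_persistence(trace),
        "wifi_profile_dump": find_wifi_profile_dump(trace),
        "sandbox_probing": find_sandbox_probing(trace),
    }
    fired = sum(1 for v in findings.values() if v)
    findings["verdict"] = "malicious" if fired >= 2 else "unknown"
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(TRACE), indent=2, default=str))
```

Run it directly to print the findings as JSON. The hollowing check demands all three conditions (same image, memory write, thread-context reset) so that ordinary parent/child launches and debuggers attached to unrelated images do not fire; the task check keys on the /XML definition sitting in a user-writable directory, which is the tmp40D2.tmp pattern seen here, and the netsh check uses the parent's image path rather than the netsh path, since netsh itself is always a system binary.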
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Dropped files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New Order.exe.log
  Filesize: 599B
  MD5: aafc627f91117039190bb80d5076e958
  SHA1: 3e2b20456921ec6c2f49d4aee04096fd915d325b
  SHA256: fcc0ab0ea241330be2583468f17f974fccb9a239214e7854e18f587d0ec3b87a
  SHA512: 5d27b432f27973691b7c7f61487d308c4b8e1c6a8b3db59e47e2de20c6d0ff12367e5b2dacaa3e6b6eb9b8192bb078b732162f803bb74ccad0391ff0d97107fb
  (The 32-bit .NET Framework 4 CLR writes this usage log the first time an assembly runs, which confirms the sample is a 32-bit .NET executable.)
C:\Users\Admin\AppData\Local\Temp\tmp40D2.tmp
  Filesize: 1KB
  MD5: 738a8b3de5336736af7aca3aa76e71a8
  SHA1: 77bc3ef5c64401fdcc4ba9bea9e83c8085b1bd59
  SHA256: 28fe89cc8c4320112625546d75d941bb6e0c14fbbd97b12d14f0bd3e5a60d321
  SHA512: 4e2c3a085ce3a4c0eda568c0976597c1dc0af30b8aad217b811bdcdba62d2dbf85000c6609adbe29e09d04ef981b10f64270eba86ab95e93889c88c3df962cfa
  (The scheduled-task XML definition passed to schtasks /Create /XML above.)
Memory dumps
memory/452-135-0x0000000000000000-mapping.dmp
memory/2196-141-0x0000000000000000-mapping.dmp
memory/3152-130-0x0000000000900000-0x0000000000978000-memory.dmp  Filesize: 480KB
memory/3152-131-0x00000000052E0000-0x0000000005372000-memory.dmp  Filesize: 584KB
memory/3152-132-0x0000000005380000-0x000000000541C000-memory.dmp  Filesize: 624KB
memory/3152-133-0x0000000006230000-0x00000000067D4000-memory.dmp  Filesize: 5.6MB
memory/3152-134-0x0000000005D40000-0x0000000005DA6000-memory.dmp  Filesize: 408KB
memory/4228-137-0x0000000000000000-mapping.dmp
memory/4228-138-0x0000000000400000-0x0000000000450000-memory.dmp  Filesize: 320KB  (matched by the family_agenttesla YARA rule: the unpacked payload at the hollowed process's default 32-bit image base)
memory/4228-140-0x0000000006D60000-0x0000000006DB0000-memory.dmp  Filesize: 320KB
memory/4228-142-0x00000000070D0000-0x00000000070DA000-memory.dmp  Filesize: 40KB
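The persistence in this run is registered from an XML task definition (tmp40D2.tmp above), so on an infected host the task definition itself is what a responder inspects. As an added example that is not part of the report, the Python below parses a Task Scheduler XML definition and lists the properties that mark it as malware persistence. The sample XML is constructed to exercise the checks: the report records only the size and hashes of tmp40D2.tmp, not its contents, so apart from the task name "Updates\IBLDlf" taken from the schtasks command line, the command path, trigger and settings are invented, as is the benign control task.

```python
import xml.etree.ElementTree as ET

# Namespace of the Windows Task Scheduler XML schema (the one schtasks /XML consumes).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed list of directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")

# Constructed task definition. It is NOT the recovered content of tmp40D2.tmp (the report
# gives only size and hashes); the task name is the one from the schtasks command line,
# the command path, trigger and settings are invented so the checks have input.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Updates\\IBLDlf</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Admin\\AppData\\Roaming\\IBLDlf.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign control case: a visible, time-triggered task running a system binary.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Example\\Cleanup</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command></Exec></Actions>
</Task>"""


def parse_task(xml_text):
    """Pull the fields a responder checks first out of a Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    triggers = root.find("t:Triggers", NS)
    return {
        "uri": text("t:RegistrationInfo/t:URI"),
        # Trigger element names (LogonTrigger, BootTrigger, TimeTrigger, ...) without namespace.
        "triggers": [c.tag.split("}")[-1] for c in triggers] if triggers is not None else [],
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
    }


def assess_task(task):
    """Reasons a parsed task looks like malware persistence; an empty list means nothing flagged."""
    reasons = []
    if any(d in task["command"].lower() for d in USER_WRITABLE):
        reasons.append("command runs from a user-writable directory")
    if task["hidden"]:
        reasons.append("task is hidden from the Task Scheduler UI")
    if any(t in ("LogonTrigger", "BootTrigger") for t in task["triggers"]):
        reasons.append("starts at logon or boot")
    if task["run_level"] == "HighestAvailable":
        reasons.append("requests the highest available privileges")
    return reasons


def check_task_xml(xml_text):
    """Parse and assess in one call; returns (parsed fields, list of reasons)."""
    task = parse_task(xml_text)
    return task, assess_task(task)


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_TASK_XML), ("benign", BENIGN_TASK_XML)):
        task, reasons = check_task_xml(xml)
        print(label, task["uri"], task["command"], reasons or "nothing flagged")
```

On a live host the same XML is obtained with "schtasks /Query /TN <name> /XML" or from C:\Windows\System32\Tasks\<name>, so the parser applies unchanged; the four checks are deliberately independent so a task that trips only one (say, a legitimate updater in %ProgramData%) is reported with a single reason rather than dropped or escalated.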