Analysis
- max time kernel: 122s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 04-12-2023 09:26
Static task: static1
Behavioral task: behavioral1
- Sample: New Order.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: New Order.exe
- Resource: win10v2004-20231127-en
General
- Target: New Order.exe
- Size: 640KB
- MD5: bca932f9df0a984231fd9855747b4dfb
- SHA1: fa0b4ce1a7e659e397566da2325229a5203953fd
- SHA256: 9cadda8241bb7393ed10e4e3e58b0cafddb31b01334afe38ebb3f94e73190c2c
- SHA512: 7b989799f329b5c779792cdd6197b8a64c379b1d6c79afc68d70666026b68ede9e91f374dde0c7e33c418072f5bb4035268768ad5c1b50e4c6157a7c4d6f68c5
- SSDEEP: 12288:3uPm4WVKFOVclXp0pd/EUC/fzbxha6MOnvVYQazzq4Cp158SA:im1VKX50X/EUa7apYdEzVSYS
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: zqamcx.com
- Port: 587
- Username: [email protected]
- Password: Anambraeast@2023
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 2568 set thread context of 2416 | 2568 | New Order.exe | New Order.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
  pid | process
  2568 | New Order.exe (12 entries)
  2416 | New Order.exe (2 entries)
  2648 | powershell.exe
  2756 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2568 | New Order.exe
  Token: SeDebugPrivilege | 2416 | New Order.exe
  Token: SeDebugPrivilege | 2648 | powershell.exe
  Token: SeDebugPrivilege | 2756 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  2416 | New Order.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
  description | pid | process | target process
  PID 2568 wrote to memory of 2756 | 2568 | New Order.exe | powershell.exe (4 entries)
  PID 2568 wrote to memory of 2648 | 2568 | New Order.exe | powershell.exe (4 entries)
  PID 2568 wrote to memory of 2880 | 2568 | New Order.exe | schtasks.exe (4 entries)
  PID 2568 wrote to memory of 2416 | 2568 | New Order.exe | New Order.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\New Order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
  PID: 2568
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
    PID: 2756
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jXjQOf.exe"
    PID: 2648
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jXjQOf" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE753.tmp"
    PID: 2880
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\New Order.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
    PID: 2416
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- (file path not shown)
  Filesize: 1KB
  MD5: 11648fb29bf2486cab7034fc89227106
  SHA1: f3e6b6d090b02e72d575095c1808b172467caa35
  SHA256: 55ab41941d25d886bf5a7d7344691a8657b0c1f22f554fb535de917321d6d168
  SHA512: c3c5e3c83dd70fa2b11b12d2f7bfe6416356ec0cf10f68e2d6759f4fbc3c9287e0f1eae987333d5bce642b572b281c12bfc333fac63272b96d5886091360d8b6
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QE5BIBE1AUBLHQWSOJAO.temp
  Filesize: 7KB
  MD5: 65743e8a6916478b93c8ccfe3c64fd24
  SHA1: 93da50728d2c46449bd372b8796da89657488116
  SHA256: c46915cc256b243e418f7af0793f24287e90e5453d7104c0207aff5881075268
  SHA512: 786fd82cce70c1406b173d83ddacb21c47b1808a8149f23fe751f49c971318f953f09deb6f1d7c03d5fe50fc2adf4161211278056a2a214eb8324ecc3e963e11
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 65743e8a6916478b93c8ccfe3c64fd24
  SHA1: 93da50728d2c46449bd372b8796da89657488116
  SHA256: c46915cc256b243e418f7af0793f24287e90e5453d7104c0207aff5881075268
  SHA512: 786fd82cce70c1406b173d83ddacb21c47b1808a8149f23fe751f49c971318f953f09deb6f1d7c03d5fe50fc2adf4161211278056a2a214eb8324ecc3e963e11