Analysis
- max time kernel: 17s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231130-en
- resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2023 16:46
Static task: static1
Behavioral task: behavioral1
- Sample: ORDERN.F1676.23.exe
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: ORDERN.F1676.23.exe
- Resource: win10v2004-20231130-en
General
- Target: ORDERN.F1676.23.exe
- Size: 800KB
- MD5: 48f3c7c07b24927689c8de637ee7b567
- SHA1: 47adfbcf07c63668c020c3f0c49a35668ec65a75
- SHA256: 18823ee2c8f0eb332d3519eb7bad50124ddaab05364eaf1f4cbf26efa846f33a
- SHA512: e23fdc41a5e8ee6e3824ca7e4c338e0f9d6a336b81fc0d594d619ebae3a0a428d6d96557bcbc1e0acbd79e08934f56da836314786d7aa6beb5eafba5ef791ee4
- SSDEEP: 12288:0dKE6jD/62iNG5nF8BZlfr5Syj74fK9UrAfZRqusn9DwqoPLwbVl335kypwbfest:0dKtD/61Ic3FyrABRi9UqBDH5luGC
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.abi0expertise.com
- Port: 587
- Username: [email protected]
- Password: Najwa1949!
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (ORDERN.F1676.23.exe):
  description                     | pid  | process             | target process
  PID 2328 wrote to memory of 2964 | 2328 | ORDERN.F1676.23.exe | powershell.exe
  PID 2328 wrote to memory of 2964 | 2328 | ORDERN.F1676.23.exe | powershell.exe
  PID 2328 wrote to memory of 2964 | 2328 | ORDERN.F1676.23.exe | powershell.exe
  PID 2328 wrote to memory of 2964 | 2328 | ORDERN.F1676.23.exe | powershell.exe
  PID 2328 wrote to memory of 2592 | 2328 | ORDERN.F1676.23.exe | schtasks.exe
  PID 2328 wrote to memory of 2592 | 2328 | ORDERN.F1676.23.exe | schtasks.exe
  PID 2328 wrote to memory of 2592 | 2328 | ORDERN.F1676.23.exe | schtasks.exe
  PID 2328 wrote to memory of 2592 | 2328 | ORDERN.F1676.23.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ORDERN.F1676.23.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDERN.F1676.23.exe"
  PID: 2328
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\THfPxk.exe"
    PID: 2964
  - C:\Users\Admin\AppData\Local\Temp\ORDERN.F1676.23.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDERN.F1676.23.exe"
    PID: 2828
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\THfPxk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp52D1.tmp"
    PID: 2592
    Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: b0eaa09f855df334c2ab7150e6225a6c
  SHA1: 57dc4b15cd434db379080110ea7ef6142be13c86
  SHA256: 0a3bbb7db72bd2dcd089477c5d74d1b981e14706c8f4b7db31d7315e25b6f000
  SHA512: 3e54d65bc984093b0b0f561cd5577b568818fe8df40ae13c95b12e08fbf9fa4f0e1aa0f75688a215e00b1989b938e6353b7387cc56edc3cd97816dca405d1b13