Overview

overview

10

Static

static

3

Order Conf...ns.exe

windows7-x64

10

Order Conf...ns.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    17/04/2024, 13:22

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Order Confirmations.exe

  • Size

    647KB

  • MD5

    bfd203d85d6aeb94071e2897b02739aa

  • SHA1

    6d811b83bdaa7c1b5e6dba4aab03c5bc35c4e57a

  • SHA256

    5dda5302383b5a1677891f2bcb1da4876634f20c6cbecd2ec9a5e63a24fd5cdd

  • SHA512

    ea29e969cd86b3f5e439d45b21414f3b27aaea9474a7aa7428c5352717e44318c10542079cb31261cafed4375e68d2ff267a803509c9a7e9a88935153e03c1ec

  • SSDEEP

    12288:WUHs33hhOvt5Q6BSdN9/yaqv2omAvAbOET4h2cWjoIR:Pq/Ovtcur+ojv8OEirA

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order Confirmations.exe
    "C:\Users\Admin\AppData\Local\Temp\Order Confirmations.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Order Confirmations.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FEjoSFtwHmn.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FEjoSFtwHmn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp87C6.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2488
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:2300

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmp87C6.tmp
            Filesize

            1KB

            MD5

            1730b18c75e2cfef8e49aa03d8505414

            SHA1

            f793eb4e7ebc2d338395a2f76500298287e79ded

            SHA256

            a71337d0a66619528bc91da91157d3ac9b3b0e3fb47ba44d444b65e3e674db66

            SHA512

            9e07f29203f01264abf5d2af148324b47aa51aba1ecafc6c1838074573ae8759b4ff891b559db498ad207f83af919188c96725c6ee11f6523c6abf07c10754af

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            25c5a879f306ab24d7c42ef693edb993

            SHA1

            d5ffee230a6795fd0eb445924a58138b1221c10c

            SHA256

            5a124f860454a071ed9e4e59c6cab86ffd46f46cca31177e1ab7108bd9a5d7c1

            SHA512

            12cfc21d9cebff8b1418de7ab6ecaadca26b784bcec8d70cb1ae6f73f75d03a8fdefcfabc7532fa7741e6a3d5c0c96a2b8af497763dc081f94d280e5b207b665

            Download Submit

          • memory/2300-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2300-29-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2300-27-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2300-24-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2300-21-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2520-32-0x000000006FA30000-0x000000006FFDB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2520-23-0x000000006FA30000-0x000000006FFDB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2652-20-0x000000006FA30000-0x000000006FFDB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2652-31-0x000000006FA30000-0x000000006FFDB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2652-26-0x000000006FA30000-0x000000006FFDB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3044-5-0x0000000000980000-0x0000000000994000-memory.dmp

            Filesize

            80KB

            Download

          • memory/3044-19-0x0000000074B90000-0x000000007527E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3044-6-0x000000000A1D0000-0x000000000A252000-memory.dmp

            Filesize

            520KB

            Download

          • memory/3044-28-0x0000000004F60000-0x0000000004FA0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/3044-0-0x0000000074B90000-0x000000007527E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/3044-4-0x0000000000910000-0x000000000091E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3044-3-0x0000000000960000-0x0000000000978000-memory.dmp

            Filesize

            96KB

            Download

          • memory/3044-2-0x0000000004F60000-0x0000000004FA0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/3044-1-0x0000000000AA0000-0x0000000000B48000-memory.dmp

            Filesize

            672KB

            Download