Analysis
max time kernel: 142s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-04-2024 01:56
Static task: static1
Behavioral task: behavioral1 (sample: New Order.exe, resource: win7-20240221-en)
Behavioral task: behavioral2 (sample: New Order.exe, resource: win10v2004-20240412-en)
General
Target: New Order.exe
Size: 1015KB
MD5: 2e8fb6768bcfd81ea4c43700ea9089b7
SHA1: e093846a0e33b3c2ecc7a0da79c0c7d542547193
SHA256: b39896b2b0106b93025d19dbb891f17f9931548406e3702a431991c4beb8b53f
SHA512: c50ddfb34b14b7d97b3c6819aa5a67db02aaec197dd8f3a14257107cb1774a73017cfb5d240c83336496b58556bb7fa6a9cb0049a1d8877d25d499cf534e4bd9
SSDEEP: 24576:tAHnh+eWsN3skA4RV1Hom2KXMmHaJ4EEsPZR5:Mh+ZkldoPK8YaJOsPp
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.italiacanda-it.com
Port: 587
Username: [email protected]
Password: dsrociz1
Email To: [email protected]
The stealer exfiltrates over authenticated SMTP submission (TCP 587) using the embedded credentials; the SMTP host name is the network indicator to block or hunt for, since the recipient addresses are not visible in this extraction.
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer written in .NET (Visual Basic).
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 25: api.ipify.org
flow 26: api.ipify.org
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
PID 2684 (New Order.exe) set thread context of PID 2796 (RegSvcs.exe)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
PID 2796 RegSvcs.exe (x2)
-
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
PID 2684 New Order.exe (x2)
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
PID 2796 RegSvcs.exe: Token: SeDebugPrivilege
-
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
PID 2684 New Order.exe (x2)
-
Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
PID 2684 New Order.exe (x2)
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
PID 2684 (New Order.exe) wrote to memory of PID 2796 (RegSvcs.exe) (x4)
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Order.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2684
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2, child of PID 2684)
Command line: "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2796
Note the mismatch in the child: its image is the .NET framework utility RegSvcs.exe, but its command line is the dropper's own path. Together with the WriteProcessMemory, MapViewOfSection and SetThreadContext signatures attributed to PID 2684, this is the process-hollowing pattern: the loader starts RegSvcs.exe, replaces its memory with the Agent Tesla payload and resumes it, so the stealer behaviour (SeDebugPrivilege, process enumeration, the api.ipify.org lookup) is observed in PID 2796 rather than in the dropper.
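The image/command-line mismatch and the parent's access to the child are what an endpoint detection can key on outside a sandbox. The following is an added example, not part of the sandbox report or of any vendor's tooling: it reconstructs the pattern from Sysmon-style ProcessCreate (1), ProcessAccess (10) and DnsQuery (22) events. The events are constructed to mirror the report's PIDs and paths; the GrantedAccess mask, the hollowing-target list beyond RegSvcs.exe and the IP-lookup host list are assumptions, and Sysmon does not see SetThreadContext directly, so the access rights requested on the child stand in for it.

```python
"""Hunt for the process-hollowing pattern in this report (a loader in %TEMP%
injecting into the .NET utility RegSvcs.exe) over Sysmon-style events.
Added example: not from the sandbox report or any vendor tooling.
Field names follow Sysmon's schema; the events are constructed."""
import ntpath
import re
from collections import defaultdict

# Windows process access rights (winnt.h); PROCESS_ALL_ACCESS is 0x1FFFFF on Vista+.
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800

# .NET utilities commonly used as hollowing targets. RegSvcs.exe is the one
# in this report; the others are an assumed extension of the list.
HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# External-IP lookup hosts; the report shows api.ipify.org, extend as needed.
IP_LOOKUP_HOSTS = {"api.ipify.org"}
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|users\\public|programdata)\\", re.I)

# Constructed events mirroring the report's PIDs and paths.
EVENTS = [
    {"EventID": 1, "ProcessId": 2684, "ParentProcessId": 1234,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\New Order.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\New Order.exe"'},
    {"EventID": 1, "ProcessId": 2796, "ParentProcessId": 2684,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\New Order.exe"'},
    # Assumed: the loader opened the child with full access before writing to it.
    {"EventID": 10, "SourceProcessId": 2684, "TargetProcessId": 2796,
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 22, "ProcessId": 2796, "QueryName": "api.ipify.org"},
    # Benign control: a shell whose command line names its own image.
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 1234,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c dir"},
]


def cmdline_exe(cmdline):
    """Return the file name of the executable the command line claims to run."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', cmdline or "")
    if not m:
        return ""
    return ntpath.basename(m.group(1) or m.group(2))


def analyze(events):
    """Return one finding per process whose command line names a different
    executable than its image and that shows at least one more hollowing sign."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    access = defaultdict(int)   # (source pid, target pid) -> OR of granted masks
    dns = defaultdict(set)      # pid -> queried names
    for e in events:
        if e["EventID"] == 10:
            key = (e["SourceProcessId"], e["TargetProcessId"])
            access[key] |= int(e["GrantedAccess"], 16)
        elif e["EventID"] == 22:
            dns[e["ProcessId"]].add(e["QueryName"].lower())

    findings = []
    for pid, p in procs.items():
        image = ntpath.basename(p["Image"]).lower()
        claimed = cmdline_exe(p["CommandLine"]).lower()
        mismatch = bool(claimed) and claimed != image
        reasons = []
        if mismatch:
            reasons.append(f"command line names {claimed} but image is {image}")
        if image in HOLLOW_TARGETS:
            reasons.append(f"{image} is a common hollowing target")
        parent = procs.get(p["ParentProcessId"])
        if parent and USER_WRITABLE.search(parent["Image"]):
            reasons.append("parent runs from a user-writable directory")
        mask = access.get((p["ParentProcessId"], pid), 0)
        if mask & PROCESS_VM_WRITE and mask & PROCESS_SUSPEND_RESUME:
            reasons.append("parent opened it with VM_WRITE|SUSPEND_RESUME")
        if dns[pid] & IP_LOOKUP_HOSTS:
            reasons.append("queried an external-IP lookup service")
        if mismatch and len(reasons) >= 2:
            findings.append({"pid": pid, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"PID {f['pid']} ({f['image']}):")
        for r in f["reasons"]:
            print("  -", r)
```

The mismatch alone is kept as a hard requirement because legitimate processes launched through a different image (service hosts, some installers) do exist; requiring a second sign such as a hollowing-prone target image or a parent in a user-writable directory keeps the rule usable on real telemetry while still firing on the ProcessCreate events alone, before any ProcessAccess or DNS event arrives.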
Network
MITRE ATT&CK Matrix
Downloads
- memory/2684-10-0x00000000044B0000-0x00000000044B4000-memory.dmp (16KB)
- memory/2796-11-0x0000000000740000-0x0000000000780000-memory.dmp (256KB)
- memory/2796-12-0x00000000753B0000-0x0000000075B60000-memory.dmp (7.7MB)
- memory/2796-13-0x0000000005290000-0x0000000005834000-memory.dmp (5.6MB)
- memory/2796-14-0x0000000004D40000-0x0000000004D50000-memory.dmp (64KB)
- memory/2796-15-0x0000000004EC0000-0x0000000004F26000-memory.dmp (408KB)
- memory/2796-16-0x0000000006300000-0x0000000006350000-memory.dmp (320KB)
- memory/2796-17-0x00000000063F0000-0x0000000006482000-memory.dmp (584KB)
- memory/2796-18-0x0000000006370000-0x000000000637A000-memory.dmp (40KB)
- memory/2796-19-0x00000000753B0000-0x0000000075B60000-memory.dmp (7.7MB)
- memory/2796-20-0x0000000004D40000-0x0000000004D50000-memory.dmp (64KB)