Analysis
Max time kernel: 125s
Max time network: 133s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17-06-2024 17:14

Static task: static1
Behavioral task: behavioral1 (Sample: NEW ORDER.exe, Resource: win7-20240508-en)
Behavioral task: behavioral2 (Sample: NEW ORDER.exe, Resource: win10v2004-20240508-en)
General
Target: NEW ORDER.exe
Size: 1.2MB
MD5: 8cd947a7a778cc3ddfcf24afe58e3472
SHA1: a6f8d0b06fac90b33a9c4af8c4a32eec0b0fb713
SHA256: 81eb8aa9b2226312d76e1bf196178ffd3bf4fa20f02de820451d4f654179655c
SHA512: 59e1bc3225cd23e74b08a685ba8c7671182875fc52683a36d6b76b7a033ab3c484d0a5c83d5244b2874635696366cebc2560e13fe61ff4dc99c48d333e46205b
SSDEEP: 24576:9AHnh+eWsN3skA4RV1Hom2KXMmHabkY7tSO9jl9pgJa8q+In5:ch+ZkldoPK8YabktO9jka84
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 15: api.ipify.org
    flow 16: ip-api.com
    flow 14: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 4948 (NEW ORDER.exe) set thread context of PID 3792 (RegSvcs.exe)
- Program crash (1 IoC)
  Processes:
    PID 5036 (WerFault.exe), target PID 4948 (NEW ORDER.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    PID 3792 (RegSvcs.exe)
    PID 3792 (RegSvcs.exe)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    PID 1044 (NEW ORDER.exe)
    PID 4948 (NEW ORDER.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege, PID 3792 (RegSvcs.exe)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
    PID 1044 (NEW ORDER.exe)
    PID 1044 (NEW ORDER.exe)
    PID 4948 (NEW ORDER.exe)
    PID 4948 (NEW ORDER.exe)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
    PID 1044 (NEW ORDER.exe)
    PID 1044 (NEW ORDER.exe)
    PID 4948 (NEW ORDER.exe)
    PID 4948 (NEW ORDER.exe)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    PID 1044 (NEW ORDER.exe) wrote to memory of PID 4116 (RegSvcs.exe)
    PID 1044 (NEW ORDER.exe) wrote to memory of PID 4116 (RegSvcs.exe)
    PID 1044 (NEW ORDER.exe) wrote to memory of PID 4116 (RegSvcs.exe)
    PID 1044 (NEW ORDER.exe) wrote to memory of PID 4948 (NEW ORDER.exe)
    PID 1044 (NEW ORDER.exe) wrote to memory of PID 4948 (NEW ORDER.exe)
    PID 1044 (NEW ORDER.exe) wrote to memory of PID 4948 (NEW ORDER.exe)
    PID 4948 (NEW ORDER.exe) wrote to memory of PID 3792 (RegSvcs.exe)
    PID 4948 (NEW ORDER.exe) wrote to memory of PID 3792 (RegSvcs.exe)
    PID 4948 (NEW ORDER.exe) wrote to memory of PID 3792 (RegSvcs.exe)
    PID 4948 (NEW ORDER.exe) wrote to memory of PID 3792 (RegSvcs.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
  PID: 1044
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
    PID: 4116
  - C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
    PID: 4948
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
      PID: 3792
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 744
      PID: 5036
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4948 -ip 4948
  PID: 4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4176,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8
  PID: 5144
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 28KB
  MD5: 6a3dfef400ee0b4d9aa9b37d210c15fb
  SHA1: 39e3f081a8ffc5e419e0561f99cf473c858dae3a
  SHA256: 01fe853871c2a572efbc0e4ca8376a9479cc1d7f431517549b3cbb1485102a6d
  SHA512: c62dc1e831ed5e3ad9302fd423d068ea13e343dd45eb390dbb94a6bf24f31f501f7bf0ca53fb220043d61745ce07b881f05d8384cbbbc836dda23eb923578fbb
- Filesize: 263KB
  MD5: 05a4846c30eb2e60c5967487b4b26924
  SHA1: d4512e8c470c99bc17a4d2016175f712e723000e
  SHA256: 0c5911981123e3ae935b93612ffbe858c59ded97430337dd6ccfc9c790f44e1a
  SHA512: db1cc559093ce3ba6b1ce2439b4b6c5145b8c2d29788ddff2015809573790fe32a25cc68fb33366e7dec98b3ec354055e41144563c46c6f534da10a79f038536