Analysis
max time kernel: 105s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/07/2024, 15:23
Static task: static1
Behavioral task: behavioral1
Sample: NEW ORDER.exe
Resource: win7-20240708-en
General
Target: NEW ORDER.exe
Size: 740KB
MD5: 161eb73b1e04a20bad1b9f47716abe8d
SHA1: 0fc916438fb79d83b1232a9c6913a599ffa5c641
SHA256: 5ae71498e3b1d2707c84bcd6f43566b8834f310dccafd64ef81e54cbe7ac4b01
SHA512: 1b27317105bf51911ad5e355bea51278dbf49d72365171eba914bfd612a40839490d073be4bd9974a9d51330c869b8aa18b88c860e19869249a533df18498d50
SSDEEP: 12288:ADX3jNNQniCpB5A+W6nRHDWcVYuhi1xaDjuY+wuzaLWUrm9Osd:ADnjNNwrAU5DWcVZPDjuY+fznjH
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.fakly-cambodia.com
Port: 587
Username: [email protected]
Password: Mmhh#2014
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload (1 IoCs)
  resource: behavioral2/memory/4388-18-0x0000000000400000-0x000000000043C000-memory.dmp
  yara_rule: family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
  description: Key opened
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions
  process: NEW ORDER.exe
- Looks for VMWare Tools registry key (2 TTPs, 1 IoCs)
  description: Key opened
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools
  process: NEW ORDER.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  process: NEW ORDER.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  process: NEW ORDER.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation
  process: NEW ORDER.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  process: NEW ORDER.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0
  process: NEW ORDER.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 4252 set thread context of 4388
  pid: 4252
  process: NEW ORDER.exe
  procid_target: 90
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 5104
  process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 4388, process: NEW ORDER.exe
  pid: 4388, process: NEW ORDER.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege
  pid: 4388
  process: NEW ORDER.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description: PID 4252 wrote to memory of 5104; pid: 4252; process: NEW ORDER.exe; procid_target: 88 (3 occurrences)
  description: PID 4252 wrote to memory of 4388; pid: 4252; process: NEW ORDER.exe; procid_target: 90 (8 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
  PID: 4252
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ACopspA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp826A.tmp"
    PID: 5104
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
    PID: 4388
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 5200da2e50f24d5d543c3f10674acdcb
  SHA1: b574a3336839882d799c0a7f635ea238efb934ee
  SHA256: d2d81c1c9d35bc66149beaa77029bee68664d8512fc1efe373180bab77d61026
  SHA512: 24722a7de3250a6027a411c8b79d0720554c4efd59553f54b94ab77dc21efbf3191e0912901db475f08a6e9c1855d9e9594504d80d27300097418f4384a9d9cb
- Filesize: 1KB
  MD5: 30a6be11e461713897c58abbafaf788a
  SHA1: e03116eecaecd5089de2d7952a5d717391a64700
  SHA256: 2cda5abc5f736c943acc744a98d3d52014962ccd989af192325c99ab9919b42e
  SHA512: 4a35343c6d40fd7dd4d821fc08916849779dc49874b4cbac234649ad32eae5998394631da305bb014e28dc5572feff24e2519f60149dc0fd215e3ef43eecaef0