Overview

overview

10

Static

static

3

New order.exe

windows7-x64

10

New order.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    146s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    29/08/2024, 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New order.exe

  • Size

    1.5MB

  • MD5

    180ad8fe3294d5cbf1508f3576c70f1c

  • SHA1

    831c8ef7b3efedae003526a87139e806c713ed24

  • SHA256

    13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e

  • SHA512

    d5a7ece40082978640d886b33729255c4b47a3bac6fac1973eb475599bf3c79795b2314dd4ae6c87685c56a0c9f9990a42a61d0ba9482be81489fae48900933c

  • SSDEEP

    24576:qIgqdRkAM4OF+PMwrSVlbmfDYkhDvGtjXtGUAF9kJ7MqudghfEuCj0hThiHHxlhg:qIeMw6kbQlYSRUT7ofIlohsgm

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New order.exe
    "C:\Users\Admin\AppData\Local\Temp\New order.exe"
    1⤵
    • Drops startup file
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 40 > nul && copy "C:\Users\Admin\AppData\Local\Temp\New order.exe" "C:\Users\Admin\AppData\Roaming\EXE.exe" && ping 127.0.0.1 -n 40 > nul && "C:\Users\Admin\AppData\Roaming\EXE.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 40
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2752
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 40
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2672
      • C:\Users\Admin\AppData\Roaming\EXE.exe
        "C:\Users\Admin\AppData\Roaming\EXE.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          4⤵
            PID:768
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            4⤵
              PID:984

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Users\Admin\AppData\Roaming\EXE.exe
        Filesize

        1.5MB

        MD5

        180ad8fe3294d5cbf1508f3576c70f1c

        SHA1

        831c8ef7b3efedae003526a87139e806c713ed24

        SHA256

        13ca93f984b156e05041ddb9d172ddfd9b14456a243e432b1efbbe5f623b722e

        SHA512

        d5a7ece40082978640d886b33729255c4b47a3bac6fac1973eb475599bf3c79795b2314dd4ae6c87685c56a0c9f9990a42a61d0ba9482be81489fae48900933c

        Download Submit

      • memory/768-16-0x0000000000090000-0x00000000000D0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/768-20-0x0000000000090000-0x00000000000D0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/768-18-0x0000000000090000-0x00000000000D0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/768-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/768-22-0x0000000000090000-0x00000000000D0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2088-0-0x00000000000A0000-0x0000000000222000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2088-1-0x0000000005290000-0x000000000532E000-memory.dmp

        Filesize

        632KB

        Download

      • memory/2696-13-0x0000000000360000-0x00000000004E2000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/2696-14-0x0000000000670000-0x000000000068A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2696-15-0x00000000006A0000-0x00000000006A6000-memory.dmp

        Filesize

        24KB

        Download