Analysis
-
max time kernel
128s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17-09-2024 10:58
Static task
static1
Behavioral task
behavioral1
Sample
sale order.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
sale order.exe
Resource
win10v2004-20240802-en
General
-
Target
sale order.exe
-
Size
607KB
-
MD5
21401a802f9f8e99809f43fc149ef5af
-
SHA1
0ec95019dd88f12ecb11d143cc34049b04e69b8d
-
SHA256
b0f1177e33f69f0f6027cea30afd8b094efe3fe6b26e2ea3d927d4447b11626e
-
SHA512
ed86c15efb4c39eb46d7b2246ee974664a041c35e4bda5237702a7ad316ebb3fbbb756b3fee7e726802aa5ea34316ed913503564cb1a56c1de8f99f97b89d4c2
-
SSDEEP
6144:7RtFgERQ+3HwOzyUHKSJxJwSPhvw1MFHSxcmmmaNLO0PXmY2jnOusTqGPnds43wi:72ESo2sJ95cMkmNBOSWVOjqSs43V
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
sg2plcpnl0023.prod.sin2.secureserver.net - Port:
587 - Username:
[email protected] - Password:
User@40378
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 5 IoCs
resource yara_rule behavioral1/memory/2840-14-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/2840-11-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/2840-16-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/2840-10-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral1/memory/2840-18-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts sale order.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sale order.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sale order.exe Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sale order.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\NXLun = "C:\\Users\\Admin\\AppData\\Roaming\\NXLun\\NXLun.exe" sale order.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1984 set thread context of 2840 1984 sale order.exe 31 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sale order.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sale order.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1984 sale order.exe 1984 sale order.exe 1984 sale order.exe 2840 sale order.exe 2840 sale order.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1984 sale order.exe Token: SeDebugPrivilege 2840 sale order.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1984 wrote to memory of 2840 1984 sale order.exe 31 PID 1984 wrote to memory of 2840 1984 sale order.exe 31 PID 1984 wrote to memory of 2840 1984 sale order.exe 31 PID 1984 wrote to memory of 2840 1984 sale order.exe 31 PID 1984 wrote to memory of 2840 1984 sale order.exe 31 PID 1984 wrote to memory of 2840 1984 sale order.exe 31 PID 1984 wrote to memory of 2840 1984 sale order.exe 31 PID 1984 wrote to memory of 2840 1984 sale order.exe 31 PID 1984 wrote to memory of 2840 1984 sale order.exe 31 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sale order.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 sale order.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\sale order.exe"C:\Users\Admin\AppData\Local\Temp\sale order.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\sale order.exe"C:\Users\Admin\AppData\Local\Temp\sale order.exe"2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2840
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1