Analysis
- max time kernel: 74s
- max time network: 77s
- platform: windows7_x64
- resource: win7
- submitted: 24-06-2020 13:33
Static task
- static1
Behavioral task
- behavioral1: Sample quote.exe, Resource win7
- behavioral2: Sample quote.exe, Resource win10
General
- Target: quote.exe
- Size: 434KB
- MD5: 9b8941c3e570a947dc5e959d3723f69a
- SHA1: 93c1c545727d710d2894a08cc120d4ee8fc734cc
- SHA256: b1769fd194569d73ba865e404e0d6b08ff272397b7b479c153a2edfeac4ebd13
- SHA512: fe636602bf7603fce6efd9519f01d6f418dbb815dbd8a0d71cccfc35f370bf46e0b5db6c23ed6a364e2ece40a5298881d8e383a7f0f05778d4013f96bdbe3bec
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes (description / pid / process / target process):
- PID 1124 wrote to memory of 1468 / 1124 / quote.exe / schtasks.exe (4 events)
- PID 1124 wrote to memory of 536 / 1124 / quote.exe / quote.exe (9 events)
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
- PID 1124 set thread context of 536 / 1124 / quote.exe / quote.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1124 / quote.exe
- Token: SeDebugPrivilege / 536 / quote.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid / process):
- 1124 / quote.exe
- 536 / quote.exe
- 536 / quote.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Processes
- C:\Users\Admin\AppData\Local\Temp\quote.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\quote.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TjCZaCz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp84C8.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\quote.exe
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp84C8.tmp
- memory/536-2-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/536-3-0x0000000000446B2E-mapping.dmp
- memory/536-4-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/536-5-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize 304KB)
- memory/1468-0-0x0000000000000000-mapping.dmp