Analysis
- max time kernel: 135s
- max time network: 138s
- platform: windows10_x64
- resource: win10
- submitted: 24-06-2020 13:33
- Static task: static1
- Behavioral task: behavioral1 (Sample: quote.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: quote.exe, Resource: win10)
General
- Target: quote.exe
- Size: 434KB
- MD5: 9b8941c3e570a947dc5e959d3723f69a
- SHA1: 93c1c545727d710d2894a08cc120d4ee8fc734cc
- SHA256: b1769fd194569d73ba865e404e0d6b08ff272397b7b479c153a2edfeac4ebd13
- SHA512: fe636602bf7603fce6efd9519f01d6f418dbb815dbd8a0d71cccfc35f370bf46e0b5db6c23ed6a364e2ece40a5298881d8e383a7f0f05778d4013f96bdbe3bec
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.ociii.net
- Port: 587
- Username: cdiaz@ociii.net
- Password: yearofblockmoney5024
Signatures
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | PID | process | target process):
  PID 720 wrote to memory of 3844 | 720 | quote.exe | schtasks.exe
  PID 720 wrote to memory of 3844 | 720 | quote.exe | schtasks.exe
  PID 720 wrote to memory of 3844 | 720 | quote.exe | schtasks.exe
  PID 720 wrote to memory of 3848 | 720 | quote.exe | quote.exe
  PID 720 wrote to memory of 3848 | 720 | quote.exe | quote.exe
  PID 720 wrote to memory of 3848 | 720 | quote.exe | quote.exe
  PID 720 wrote to memory of 3848 | 720 | quote.exe | quote.exe
  PID 720 wrote to memory of 3848 | 720 | quote.exe | quote.exe
  PID 720 wrote to memory of 3848 | 720 | quote.exe | quote.exe
  PID 720 wrote to memory of 3848 | 720 | quote.exe | quote.exe
  PID 720 wrote to memory of 3848 | 720 | quote.exe | quote.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (PID | process):
  720 | quote.exe
  3848 | quote.exe
  3848 | quote.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | PID | process | target process):
  PID 720 set thread context of 3848 | 720 | quote.exe | quote.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | PID | process):
  Token: SeDebugPrivilege | 720 | quote.exe
  Token: SeDebugPrivilege | 3848 | quote.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
Processes
- C:\Users\Admin\AppData\Local\Temp\quote.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\quote.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TjCZaCz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5FDE.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\quote.exe (depth 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\quote.exe.log
- C:\Users\Admin\AppData\Local\Temp\tmp5FDE.tmp
- memory/3844-0-0x0000000000000000-mapping.dmp
- memory/3848-2-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/3848-3-0x0000000000446B2E-mapping.dmp