Analysis
- max time kernel: 142s
- max time network: 35s
- platform: windows7_x64
- resource: win7
- submitted: 24-06-2020 14:58
Static task: static1
Behavioral task: behavioral1 (Sample: QUOTATION.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: QUOTATION.exe, Resource: win10v200430)
General
- Target: QUOTATION.exe
- Size: 1.3MB
- MD5: 6c2e11f32932cc245e2c4707a07bd292
- SHA1: cd4bfad529114d8e9a5dbc9b4f6fd0d43ee52965
- SHA256: f773cd5390003e190f79f0ce0f26b95513f2f4d78d4e5f6334515c44631e0a07
- SHA512: 33f67b77ab04a5dc26ef58ab18e602f5f44f4125417006fb0b0335b2067b934e00f8a118be0de06c57f0ab29f93e4abb62da3b14f11004b0350bf1ff451a8547
Malware Config
Signatures
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid, process):
    1088  QUOTATION.exe
    1088  QUOTATION.exe
    1088  QUOTATION.exe
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Drops startup file (1 IoC)
  Processes (description, ioc, process):
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdbinst.url  QUOTATION.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes (pid, process):
    1088  QUOTATION.exe  (14 entries)
    1144  MSBuild.exe    (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  1144  MSBuild.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid, process):
    1088  QUOTATION.exe
    1088  QUOTATION.exe
    1088  QUOTATION.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 1088 wrote to memory of 1144  1088  QUOTATION.exe  MSBuild.exe  (6 entries)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 1088 set thread context of 1144  1088  QUOTATION.exe  MSBuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"
  - Suspicious use of SendNotifyMessage
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (depth 2, child of QUOTATION.exe)
    Command line: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken