REQUEST FOR QUOTE FORM.exe

General

Target: REQUEST FOR QUOTE FORM.exe
Filesize: 685KB
Completed: 27-07-2021 18:36
Score: 10/10
MD5: 136d3ff60c17a7e1d4e1b3c755e15d89
SHA1: 88b8b2b70252e64bf5599bf0c2fcbca363c06c0a
SHA256: a0ee1d459912946e86b1695a16e4e5c288274959bdfb4d9e57cc83e473a3c10b

Malware Config

Extracted

Family: agenttesla
Credentials
  Protocol: smtp
  Host: mail.privateemail.com
  Port: 587
  Username: chamara.kuruppu@organigram-ca.icu
  Password: Neways@123

Signatures 8

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1068-68-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
    behavioral1/memory/1068-69-0x000000000043747E-mapping.dmp | family_agenttesla
    behavioral1/memory/1068-70-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
  • Suspicious use of SetThreadContext
    REQUEST FOR QUOTE FORM.exe

    Reported IOCs

    description | pid | process | target process
    PID 2008 set thread context of 1068 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    560 | schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    REQUEST FOR QUOTE FORM.exeREQUEST FOR QUOTE FORM.exe

    Reported IOCs

    pid | process
    2008 | REQUEST FOR QUOTE FORM.exe
    2008 | REQUEST FOR QUOTE FORM.exe
    1068 | REQUEST FOR QUOTE FORM.exe
    1068 | REQUEST FOR QUOTE FORM.exe
  • Suspicious use of AdjustPrivilegeToken
    REQUEST FOR QUOTE FORM.exeREQUEST FOR QUOTE FORM.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 2008 | REQUEST FOR QUOTE FORM.exe
    Token: SeDebugPrivilege | 1068 | REQUEST FOR QUOTE FORM.exe
  • Suspicious use of WriteProcessMemory
    REQUEST FOR QUOTE FORM.exe

    Reported IOCs

    description | pid | process | target process
    PID 2008 wrote to memory of 560 | 2008 | REQUEST FOR QUOTE FORM.exe | schtasks.exe
    PID 2008 wrote to memory of 560 | 2008 | REQUEST FOR QUOTE FORM.exe | schtasks.exe
    PID 2008 wrote to memory of 560 | 2008 | REQUEST FOR QUOTE FORM.exe | schtasks.exe
    PID 2008 wrote to memory of 560 | 2008 | REQUEST FOR QUOTE FORM.exe | schtasks.exe
    PID 2008 wrote to memory of 1956 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
    PID 2008 wrote to memory of 1956 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
    PID 2008 wrote to memory of 1956 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
    PID 2008 wrote to memory of 1956 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
    PID 2008 wrote to memory of 1068 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
    PID 2008 wrote to memory of 1068 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
    PID 2008 wrote to memory of 1068 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
    PID 2008 wrote to memory of 1068 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
    PID 2008 wrote to memory of 1068 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
    PID 2008 wrote to memory of 1068 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
    PID 2008 wrote to memory of 1068 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
    PID 2008 wrote to memory of 1068 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
    PID 2008 wrote to memory of 1068 | 2008 | REQUEST FOR QUOTE FORM.exe | REQUEST FOR QUOTE FORM.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe
    "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe"
    Suspicious use of SetThreadContext
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wfrelrS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9203.tmp"
      Creates scheduled task(s)
      PID:560
    • C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe
      "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe"
      PID:1956
    • C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe
      "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe"
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1068
Network
MITRE ATT&CK Matrix

Tactic columns shown in the matrix: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmp9203.tmp
    MD5: ee08dc3d7a06e8ea93d1fc95eb19cad4
    SHA1: addee981a5a9418dc3f329393efae9b17a57ebc9
    SHA256: 5a5dcc9582e2e2a9f7b18bfd9d03c0e7e73652b8cd856acc637965b77e3ef202
    SHA512: 13c9e58ae9232c18b858e40abae7d8eb034834e44503d1293e90edec5fea02a607770e40a4a28ede66f05f6fa8a98437be689320aecb92ab1e27d6ac84da6627
  • memory/560-66-0x0000000000000000-mapping.dmp
  • memory/1068-68-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1068-69-0x000000000043747E-mapping.dmp
  • memory/1068-70-0x0000000000400000-0x000000000043C000-memory.dmp
  • memory/1068-72-0x00000000048B0000-0x00000000048B1000-memory.dmp
  • memory/2008-60-0x0000000000300000-0x0000000000301000-memory.dmp
  • memory/2008-62-0x0000000004E50000-0x0000000004E51000-memory.dmp
  • memory/2008-63-0x00000000002E0000-0x00000000002FB000-memory.dmp
  • memory/2008-64-0x00000000056E0000-0x000000000575C000-memory.dmp
  • memory/2008-65-0x0000000000660000-0x000000000069C000-memory.dmp