Analysis
-
max time kernel
132s -
max time network
122s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-07-2021 18:33
Static task
static1
Behavioral task
behavioral1
Sample
REQUEST FOR QUOTE FORM.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
REQUEST FOR QUOTE FORM.exe
Resource
win10v20210410
General
-
Target
REQUEST FOR QUOTE FORM.exe
-
Size
685KB
-
MD5
136d3ff60c17a7e1d4e1b3c755e15d89
-
SHA1
88b8b2b70252e64bf5599bf0c2fcbca363c06c0a
-
SHA256
a0ee1d459912946e86b1695a16e4e5c288274959bdfb4d9e57cc83e473a3c10b
-
SHA512
86ab7db4097b895ab890b9b471ec22aca1eee701d9dd711873e9790a3453bcc6d5c9a1cdbd7415620c1df732e07760bf0abf96874c450d5ba6f7f6508b7551be
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
chamara.kuruppu@organigram-ca.icu - Password:
Neways@123
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/2452-127-0x0000000000400000-0x000000000043C000-memory.dmp family_agenttesla behavioral2/memory/2452-128-0x000000000043747E-mapping.dmp family_agenttesla behavioral2/memory/2452-134-0x0000000005790000-0x0000000005C8E000-memory.dmp family_agenttesla -
Suspicious use of SetThreadContext 1 IoCs
Processes:
REQUEST FOR QUOTE FORM.exedescription pid process target process PID 3164 set thread context of 2452 3164 REQUEST FOR QUOTE FORM.exe REQUEST FOR QUOTE FORM.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
REQUEST FOR QUOTE FORM.exeREQUEST FOR QUOTE FORM.exepid process 3164 REQUEST FOR QUOTE FORM.exe 2452 REQUEST FOR QUOTE FORM.exe 2452 REQUEST FOR QUOTE FORM.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
REQUEST FOR QUOTE FORM.exeREQUEST FOR QUOTE FORM.exedescription pid process Token: SeDebugPrivilege 3164 REQUEST FOR QUOTE FORM.exe Token: SeDebugPrivilege 2452 REQUEST FOR QUOTE FORM.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
REQUEST FOR QUOTE FORM.exedescription pid process target process PID 3164 wrote to memory of 808 3164 REQUEST FOR QUOTE FORM.exe schtasks.exe PID 3164 wrote to memory of 808 3164 REQUEST FOR QUOTE FORM.exe schtasks.exe PID 3164 wrote to memory of 808 3164 REQUEST FOR QUOTE FORM.exe schtasks.exe PID 3164 wrote to memory of 2452 3164 REQUEST FOR QUOTE FORM.exe REQUEST FOR QUOTE FORM.exe PID 3164 wrote to memory of 2452 3164 REQUEST FOR QUOTE FORM.exe REQUEST FOR QUOTE FORM.exe PID 3164 wrote to memory of 2452 3164 REQUEST FOR QUOTE FORM.exe REQUEST FOR QUOTE FORM.exe PID 3164 wrote to memory of 2452 3164 REQUEST FOR QUOTE FORM.exe REQUEST FOR QUOTE FORM.exe PID 3164 wrote to memory of 2452 3164 REQUEST FOR QUOTE FORM.exe REQUEST FOR QUOTE FORM.exe PID 3164 wrote to memory of 2452 3164 REQUEST FOR QUOTE FORM.exe REQUEST FOR QUOTE FORM.exe PID 3164 wrote to memory of 2452 3164 REQUEST FOR QUOTE FORM.exe REQUEST FOR QUOTE FORM.exe PID 3164 wrote to memory of 2452 3164 REQUEST FOR QUOTE FORM.exe REQUEST FOR QUOTE FORM.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe"C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wfrelrS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5777.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe"C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTE FORM.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\REQUEST FOR QUOTE FORM.exe.logMD5
90acfd72f14a512712b1a7380c0faf60
SHA140ba4accb8faa75887e84fb8e38d598dc8cf0f12
SHA25620806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86
SHA51229dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9
-
C:\Users\Admin\AppData\Local\Temp\tmp5777.tmpMD5
b1bc41a0e96aad184b4adad30f12c632
SHA17995f3972265ce0d55b777288ecde61c92a8a71a
SHA256a09de950ad127c38ebd160fa6eccde425eab1786376d06ae3351ca22764d62ff
SHA51268cc3e4626ffb41830d75fa5d9e5447c317bf0446e24c453f46b793b66775b77a72a8e4bf5682f6558ebb364023482dd0a26acf89701f189fede5a67d38ba4d4
-
memory/808-125-0x0000000000000000-mapping.dmp
-
memory/2452-136-0x00000000064F0000-0x00000000064F1000-memory.dmpFilesize
4KB
-
memory/2452-135-0x0000000005C40000-0x0000000005C41000-memory.dmpFilesize
4KB
-
memory/2452-134-0x0000000005790000-0x0000000005C8E000-memory.dmpFilesize
5.0MB
-
memory/2452-128-0x000000000043747E-mapping.dmp
-
memory/2452-127-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/3164-119-0x00000000050D0000-0x00000000050D1000-memory.dmpFilesize
4KB
-
memory/3164-124-0x00000000076C0000-0x00000000076FC000-memory.dmpFilesize
240KB
-
memory/3164-123-0x0000000007640000-0x00000000076BC000-memory.dmpFilesize
496KB
-
memory/3164-122-0x00000000053A0000-0x00000000053BB000-memory.dmpFilesize
108KB
-
memory/3164-121-0x0000000005090000-0x000000000558E000-memory.dmpFilesize
5.0MB
-
memory/3164-120-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/3164-114-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/3164-118-0x0000000005130000-0x0000000005131000-memory.dmpFilesize
4KB
-
memory/3164-117-0x0000000005590000-0x0000000005591000-memory.dmpFilesize
4KB
-
memory/3164-116-0x0000000004FF0000-0x0000000004FF1000-memory.dmpFilesize
4KB