Overview

overview

10

Static

static

Inv.exe

windows7_x64

10

Inv.exe

windows10-2004_x64

10

New Order.exe

windows7_x64

10

New Order.exe

windows10-2004_x64

10

Quotation.exe

windows7_x64

10

Quotation.exe

windows10-2004_x64

10

pictures and logo.exe

windows7_x64

10

pictures and logo.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    171s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    08-02-2022 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation.exe

  • Size

    440KB

  • MD5

    0547c6fd5e4d632b87d2f9a3dbc88587

  • SHA1

    022d3a644567f960a1fa692ed576a4aaf5ca72a0

  • SHA256

    e25588ef7f6dc061277b4380dc1f9ad034f1eb74c254cd778fea2ab7fe1783ab

  • SHA512

    bed9caa917ff25a5168017952b401f4688f0f04c0075442bcb95d891017293b403c42a1e6f43cea4fc6ee5e2e80ae90d4c19afc293283eb4e840bc8871878129

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MARYolanmauluogwo@ever

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 45 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Quotation.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3980
    • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:320
  • C:\Windows\system32\MusNotifyIcon.exe
    %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
    1⤵
    • Checks processor information in registry
    PID:360
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:2692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation.exe.log
    MD5

    553cfcb8247e9e828eef0474e2134fac

    SHA1

    362c3f93dccc66f3bbfaf5ef681a11a0c7bc7316

    SHA256

    a753cbd5f89b034eaeeb02fa8f0924bab30e84d86d02686fdf7c0228d8a00d54

    SHA512

    18b4174286f47b41f47e964c5368b453eba4a23331958e7b982017f965a434aa80c0d3504d13521a9f0550bba4c2b7a62543553d4ddfdf6e1f0c39c6ef542dc4

    Download Submit
  • memory/320-150-0x0000000004D90000-0x0000000005334000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/320-149-0x0000000074500000-0x0000000074CB0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/320-145-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1208-131-0x0000000000600000-0x0000000000674000-memory.dmp
    Filesize

    464KB

    Download
  • memory/1208-132-0x00000000051A0000-0x00000000051B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1208-133-0x0000000005680000-0x0000000005B4C000-memory.dmp
    Filesize

    4.8MB

    Download
  • memory/1208-134-0x0000000005290000-0x0000000005322000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1208-135-0x0000000006100000-0x00000000066A4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1208-136-0x00000000054B0000-0x000000000554C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/1208-130-0x0000000074500000-0x0000000074CB0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3980-143-0x0000000007110000-0x0000000007150000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3980-144-0x0000000007780000-0x00000000077A2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3980-146-0x0000000008060000-0x00000000080C6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3980-142-0x0000000007110000-0x0000000007150000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3980-147-0x00000000080D0000-0x0000000008136000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3980-141-0x0000000074500000-0x0000000074CB0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3980-140-0x0000000007800000-0x0000000007E28000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/3980-139-0x0000000007190000-0x00000000071C6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/3980-151-0x0000000008760000-0x000000000877E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3980-152-0x0000000008CD0000-0x0000000008D66000-memory.dmp
    Filesize

    600KB

    Download
  • memory/3980-153-0x0000000008C50000-0x0000000008C6A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3980-154-0x0000000008CA0000-0x0000000008CC2000-memory.dmp
    Filesize

    136KB

    Download