Analysis
-
max time kernel
123s -
max time network
112s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 23:54
General
-
Target
Quotation Reques.exe
-
Size
636KB
-
MD5
c2dbd23d7d1429c00ac1054a2befb929
-
SHA1
20c144e6919f64dad5cff37b29da1030d5044300
-
SHA256
ca00e2766617e6a0d743880ad74f65b035e04192914a938a6610f6fd813c6c0c
-
SHA512
207753698017d2761d4b1e782d8b27fda43c71fe077989f9343c773a1ddbd49bd92a2dc57fc30d30c89e017db0b3be3de614b656137069198034aba43ee0949c
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.el-sever.com - Port:
587 - Username:
[email protected] - Password:
admin123
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
UAC bypass 3 TTPs
-
AgentTesla Payload 1 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation Reques.exe"C:\Users\Admin\AppData\Local\Temp\Quotation Reques.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gQfXCdarKBRY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp560F.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp560F.tmpFilesize
1KB
MD5e4c4a88c7685d56539dd5323cd2fce01
SHA1f14078fcda1d4b5af20bbd9a5344970d5e042875
SHA256b419c5693f4aa3043ae8b08f171cb88ca29960335f3a0cb2510fa7a4a41824b8
SHA5127ca6dfe6080752236dfa342d5dd7b95ce4ed2b3ae902f764b307e6c94289e177841109b18546251cc3541f702a700008ec1eb96631dc0aa9ec2b252c578bd673
-
memory/1320-130-0x0000000000580000-0x0000000000624000-memory.dmpFilesize
656KB
-
memory/1320-131-0x0000000005510000-0x0000000005AB4000-memory.dmpFilesize
5.6MB
-
memory/1320-132-0x0000000005000000-0x0000000005092000-memory.dmpFilesize
584KB
-
memory/1320-133-0x00000000050A0000-0x000000000513C000-memory.dmpFilesize
624KB
-
memory/3436-136-0x0000000000000000-mapping.dmp
-
memory/3436-137-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/3436-138-0x0000000005EE0000-0x0000000005F46000-memory.dmpFilesize
408KB
-
memory/3436-139-0x00000000064D0000-0x0000000006520000-memory.dmpFilesize
320KB
-
memory/3436-140-0x00000000065D0000-0x00000000065DA000-memory.dmpFilesize
40KB
-
memory/3736-134-0x0000000000000000-mapping.dmp