Analysis
max time kernel: 123s
max time network: 112s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-05-2022 23:54
Static task: static1
Behavioral task: behavioral1 (Sample: Quotation Reques.exe; Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: Quotation Reques.exe; Resource: win10v2004-20220414-en)
General
Target: Quotation Reques.exe
Size: 636KB
MD5: c2dbd23d7d1429c00ac1054a2befb929
SHA1: 20c144e6919f64dad5cff37b29da1030d5044300
SHA256: ca00e2766617e6a0d743880ad74f65b035e04192914a938a6610f6fd813c6c0c
SHA512: 207753698017d2761d4b1e782d8b27fda43c71fe077989f9343c773a1ddbd49bd92a2dc57fc30d30c89e017db0b3be3de614b656137069198034aba43ee0949c
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.el-sever.com
Port: 587
Username: [email protected]
Password: admin123
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  resource: behavioral2/memory/3436-137-0x0000000000400000-0x000000000044C000-memory.dmp; yara_rule: family_agenttesla
- Drops file in Drivers directory (1 IoC)
  Processes: RegSvcs.exe
  File opened for modification: C:\Windows\system32\drivers\etc\hosts (RegSvcs.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: Quotation Reques.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (Quotation Reques.exe)
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: RegSvcs.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CJzRAE = "C:\\Users\\Admin\\AppData\\Roaming\\CJzRAE\\CJzRAE.exe" (RegSvcs.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Quotation Reques.exe
  PID 1320 set thread context of 3436; process: Quotation Reques.exe (1320); target process: RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
  pid 3436, RegSvcs.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegSvcs.exe
  Token: SeDebugPrivilege; pid 3436; process: RegSvcs.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: Quotation Reques.exe
  PID 1320 wrote to memory of 3736; process: Quotation Reques.exe (1320); target process: schtasks.exe (3 entries)
  PID 1320 wrote to memory of 3436; process: Quotation Reques.exe (1320); target process: RegSvcs.exe (8 entries)
- outlook_office_path (1 IoC)
  Processes: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- outlook_win_path (1 IoC)
  Processes: RegSvcs.exe
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Quotation Reques.exe (level 1, PID 1320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation Reques.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (level 2, PID 3736)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gQfXCdarKBRY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp560F.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 2, PID 3436)
    Command line: "{path}"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp560F.tmp (1KB)
  MD5: e4c4a88c7685d56539dd5323cd2fce01
  SHA1: f14078fcda1d4b5af20bbd9a5344970d5e042875
  SHA256: b419c5693f4aa3043ae8b08f171cb88ca29960335f3a0cb2510fa7a4a41824b8
  SHA512: 7ca6dfe6080752236dfa342d5dd7b95ce4ed2b3ae902f764b307e6c94289e177841109b18546251cc3541f702a700008ec1eb96631dc0aa9ec2b252c578bd673
- memory/1320-130-0x0000000000580000-0x0000000000624000-memory.dmp (656KB)
- memory/1320-131-0x0000000005510000-0x0000000005AB4000-memory.dmp (5.6MB)
- memory/1320-132-0x0000000005000000-0x0000000005092000-memory.dmp (584KB)
- memory/1320-133-0x00000000050A0000-0x000000000513C000-memory.dmp (624KB)
- memory/3436-136-0x0000000000000000-mapping.dmp
- memory/3436-137-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)
- memory/3436-138-0x0000000005EE0000-0x0000000005F46000-memory.dmp (408KB)
- memory/3436-139-0x00000000064D0000-0x0000000006520000-memory.dmp (320KB)
- memory/3436-140-0x00000000065D0000-0x00000000065DA000-memory.dmp (40KB)
- memory/3736-134-0x0000000000000000-mapping.dmp