Analysis
-
max time kernel
114s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 02:28
Static task
static1
Behavioral task
behavioral1
Sample
Quotation.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Quotation.exe
Resource
win10v2004-20220414-en
General
-
Target
Quotation.exe
-
Size
774KB
-
MD5
6dd7542b5145cc3367062c8de480350c
-
SHA1
d04897139836b9492a3c5036eacac7fc41160dcf
-
SHA256
10167fec5a00f7ee3805a502684ca59887be73bc350946a0f7989080e06859d8
-
SHA512
c6c05d1be62e093ef8e5c61e034752e863b322fd546331081769809e5d24c23aa2984960ae48cd6a1f68749535063553ca57606fb27d43a28d28b3af5921e35f
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.pengteh.com - Port:
587 - Username:
[email protected] - Password:
am%pjs@8
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4908-139-0x0000000000400000-0x000000000045A000-memory.dmp family_agenttesla -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Quotation.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation Quotation.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Quotation.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotation.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotation.exe Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotation.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Quotation.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JcoGam = "C:\\Users\\Admin\\AppData\\Roaming\\JcoGam\\JcoGam.exe" Quotation.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Quotation.exedescription pid process target process PID 4628 set thread context of 4908 4628 Quotation.exe Quotation.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Quotation.exeQuotation.exepid process 4628 Quotation.exe 4908 Quotation.exe 4908 Quotation.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Quotation.exeQuotation.exedescription pid process Token: SeDebugPrivilege 4628 Quotation.exe Token: SeDebugPrivilege 4908 Quotation.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
Quotation.exedescription pid process target process PID 4628 wrote to memory of 4820 4628 Quotation.exe schtasks.exe PID 4628 wrote to memory of 4820 4628 Quotation.exe schtasks.exe PID 4628 wrote to memory of 4820 4628 Quotation.exe schtasks.exe PID 4628 wrote to memory of 4908 4628 Quotation.exe Quotation.exe PID 4628 wrote to memory of 4908 4628 Quotation.exe Quotation.exe PID 4628 wrote to memory of 4908 4628 Quotation.exe Quotation.exe PID 4628 wrote to memory of 4908 4628 Quotation.exe Quotation.exe PID 4628 wrote to memory of 4908 4628 Quotation.exe Quotation.exe PID 4628 wrote to memory of 4908 4628 Quotation.exe Quotation.exe PID 4628 wrote to memory of 4908 4628 Quotation.exe Quotation.exe PID 4628 wrote to memory of 4908 4628 Quotation.exe Quotation.exe -
outlook_office_path 1 IoCs
Processes:
Quotation.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotation.exe -
outlook_win_path 1 IoCs
Processes:
Quotation.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Quotation.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation.exe"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DqsjlyXdLYiYQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8C42.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Quotation.exe"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation.exe.logFilesize
1KB
MD517573558c4e714f606f997e5157afaac
SHA113e16e9415ceef429aaf124139671ebeca09ed23
SHA256c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
-
C:\Users\Admin\AppData\Local\Temp\tmp8C42.tmpFilesize
1KB
MD5af64c7c713db67ff320a97d9103eac32
SHA1c70ad840b9026eb599cfd39611a5d152216f1bd2
SHA2561f5ee5ec2932521ace6e2672188b7b3078c9e23905e11953d529b51b0ea24400
SHA512ed8832ce342ac6e808f2b33cba7c367e7c5c5d057118dbff30d5ca6f76b3abe83aca7a6e26c15e8b099a09fa8cadb01668c9c680af8711bc36972514ddd67c1e
-
memory/4628-131-0x0000000007550000-0x00000000075EC000-memory.dmpFilesize
624KB
-
memory/4628-132-0x0000000007BA0000-0x0000000008144000-memory.dmpFilesize
5.6MB
-
memory/4628-133-0x0000000007690000-0x0000000007722000-memory.dmpFilesize
584KB
-
memory/4628-134-0x00000000075F0000-0x00000000075FA000-memory.dmpFilesize
40KB
-
memory/4628-135-0x0000000007730000-0x0000000007786000-memory.dmpFilesize
344KB
-
memory/4628-130-0x0000000000610000-0x00000000006D8000-memory.dmpFilesize
800KB
-
memory/4820-136-0x0000000000000000-mapping.dmp
-
memory/4908-139-0x0000000000400000-0x000000000045A000-memory.dmpFilesize
360KB
-
memory/4908-138-0x0000000000000000-mapping.dmp
-
memory/4908-141-0x0000000005E00000-0x0000000005E66000-memory.dmpFilesize
408KB
-
memory/4908-142-0x0000000006610000-0x0000000006660000-memory.dmpFilesize
320KB