Analysis

Max time kernel: 154s
Max time network: 160s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-05-2022 10:36

Static task: static1

Behavioral task: behavioral1
Sample: Quote.exe
Resource: win7-20220414-en
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: Quote.exe
Resource: win10v2004-20220414-en
0 signatures, 0 seconds
General

Target: Quote.exe
Size: 1.5MB
MD5: ad8a5b35629e4b23a1f1a52e491ec6be
SHA1: fde1e20b6dfe29a364cb24a257d71f2f80f5179e
SHA256: 2f64c5edddb9b9bf16ff026a1ecd5a06fd5f3cc324434364944b4349130abb37
SHA512: ce13a9741abb7c1e704c6be374068b5aa9675697f750fe165c9be0e6e95baab4adc821fbcdfc1f7ee5d1aaa522a2292bfb5cd4473d08b3fb3596019a96f72eee
Malware Config

Extracted
Family: agenttesla
Credentials
Protocol: smtp
Host: mail.dubaisafariplus.com
Port: 587
Username: [email protected]
Password: GtgZF07gXQbX
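Turning the extracted configuration into network-side checks, as an added example rather than anything from the sandbox report: flag outbound connections to the configured mail server or to an SMTP port from a process that is not a mail client, and match an SMTP AUTH PLAIN exchange against the recovered username and password. The connection records and SMTP commands below are constructed, the mail-client allowlist is an assumption to tune per environment, and the username is used exactly as it appears (redacted) on this page. AUTH matching only works where a sensor sees the command in clear text, i.e. before STARTTLS or behind TLS inspection.

```python
"""Turn an extracted Agent Tesla SMTP config into network-side checks.

Added example, not part of the sandbox report. Connection records and SMTP
commands below are constructed; the mail-client allowlist is an assumption.
"""
import base64

# Configuration as extracted in the report (username is redacted on the page).
AGENTTESLA_SMTP = {
    "protocol": "smtp",
    "host": "mail.dubaisafariplus.com",
    "port": 587,
    "username": "[email protected]",
    "password": "GtgZF07gXQbX",
}

SMTP_PORTS = {25, 465, 587}
# Assumption: processes that may legitimately speak SMTP; tune per estate.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed outbound-connection records (assumed simplified schema).
CONNECTIONS = [
    {"pid": 3040, "image": "MSBuild.exe", "dst_host": "mail.dubaisafariplus.com", "dst_port": 587},
    {"pid": 4100, "image": "outlook.exe", "dst_host": "smtp.office365.com", "dst_port": 587},
    {"pid": 3040, "image": "MSBuild.exe", "dst_host": "api.ipify.org", "dst_port": 80},
    {"pid": 3040, "image": "MSBuild.exe", "dst_host": "203.0.113.10", "dst_port": 587},
]

# Constructed SMTP commands as an SMTP-aware sensor might record them in clear text.
SMTP_COMMANDS = [
    ("mail.dubaisafariplus.com",
     "AUTH PLAIN " + base64.b64encode(b"\x00[email protected]\x00GtgZF07gXQbX").decode()),
    ("smtp.office365.com", "AUTH LOGIN"),
]


def match_connection(conn, cfg):
    """Reason the connection looks like the configured exfil channel, or None."""
    if conn["dst_host"].lower() == cfg["host"].lower():
        return "destination is the extracted C2 mail server"
    if conn["dst_port"] in SMTP_PORTS and conn["image"].lower() not in MAIL_CLIENTS:
        return f"SMTP from non-mail-client process {conn['image']}"
    return None


def parse_auth_plain(cmd):
    """Decode 'AUTH PLAIN <b64>' (RFC 4616: [authzid] NUL authcid NUL passwd)."""
    parts = cmd.split()
    if len(parts) != 3 or parts[0].upper() != "AUTH" or parts[1].upper() != "PLAIN":
        return None
    try:
        raw = base64.b64decode(parts[2], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    fields = raw.split(b"\x00")
    if len(fields) != 3:
        return None
    return fields[1].decode("utf-8", "replace"), fields[2].decode("utf-8", "replace")


def match_auth(cmd, cfg):
    """True if an AUTH PLAIN command carries the extracted username and password."""
    return parse_auth_plain(cmd) == (cfg["username"], cfg["password"])


def scan(connections, smtp_commands, cfg):
    """Collect hits from connection metadata and from observed SMTP commands."""
    hits = []
    for c in connections:
        why = match_connection(c, cfg)
        if why:
            hits.append({"kind": "conn", "pid": c["pid"], "where": c["dst_host"], "why": why})
    for host, cmd in smtp_commands:
        if match_auth(cmd, cfg):
            hits.append({"kind": "auth", "pid": None, "where": host,
                         "why": "extracted SMTP credential used"})
    return hits


if __name__ == "__main__":
    for h in scan(CONNECTIONS, SMTP_COMMANDS, AGENTTESLA_SMTP):
        print(f"[{h['kind']}] {h['where']}: {h['why']}")
```

The host match is the high-confidence rule; the port-based rule is a heuristic that will need an allowlist of every legitimate mail sender in the estate, and the credential match is the one check that survives the attacker rotating the mail server but reusing the mailbox.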
Signatures

AgentTesla
Agent Tesla is an information stealer and remote access tool (RAT) written in .NET (originally Visual Basic .NET).

AgentTesla Payload (1 IoC)
resource: behavioral2/memory/3040-133-0x0000000000740000-0x0000000000792000-memory.dmp
yara_rule: family_agenttesla

Drops startup file (1 IoC)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FaceFodUninstaller.url (Quote.exe)

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)
Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)

Suspicious use of SetThreadContext (1 IoC)
PID 2952 (Quote.exe) set thread context of PID 3040 (MSBuild.exe)

Suspicious behavior: EnumeratesProcesses (28 IoCs)
PID 3040 (MSBuild.exe): 2 events
PID 2952 (Quote.exe): 26 events

Suspicious use of AdjustPrivilegeToken (1 IoC)
Token: SeDebugPrivilege, PID 3040 (MSBuild.exe)

Suspicious use of FindShellTrayWindow (3 IoCs)
PID 2952 (Quote.exe): 3 events

Suspicious use of SendNotifyMessage (3 IoCs)
PID 2952 (Quote.exe): 3 events

Suspicious use of WriteProcessMemory (8 IoCs)
PID 2952 (Quote.exe) wrote to memory of PID 3040 (MSBuild.exe): 5 events
PID 3040 (MSBuild.exe) wrote to memory of PID 3712 (netsh.exe): 3 events

outlook_office_path (1 IoC)
Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)

outlook_win_path (1 IoC)
Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\Quote.exe (PID 2952)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quote.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 3040)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    C:\Windows\SysWOW64\netsh.exe (PID 3712)
      Command line: "netsh" wlan show profile
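Detection logic for the chain the report shows, written as an added example that is not part of the sandbox output: a write into the per-user Startup folder, a parent that calls WriteProcessMemory and SetThreadContext on a child it spawned when that child is MSBuild.exe launched with no project file (the process-hollowing pattern behind the payload found in MSBuild.exe's memory), and netsh wlan show profile launched by something other than an interactive shell. The event records are constructed to mirror the PIDs, paths and API calls in this report; the field names are an assumed, simplified Sysmon-style schema, and the host list and shell allowlist are assumptions to tune.

```python
"""Detect the Quote.exe -> MSBuild.exe -> netsh.exe behaviour chain.

Added example, not part of the sandbox report. EVENTS mirrors the PIDs,
paths and API calls the report lists; the field names are an assumed
Sysmon-style schema, not the sandbox's export format.
"""
from collections import defaultdict

# Constructed events modelled on the report (not a real sandbox export).
EVENTS = [
    {"type": "process_create", "pid": 2952, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Quote.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Quote.exe"'},
    {"type": "file_write", "pid": 2952,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FaceFodUninstaller.url"},
    {"type": "process_create", "pid": 3040, "ppid": 2952,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"'},
    {"type": "api", "pid": 2952, "target_pid": 3040, "api": "WriteProcessMemory"},
    {"type": "api", "pid": 2952, "target_pid": 3040, "api": "SetThreadContext"},
    {"type": "process_create", "pid": 3712, "ppid": 3040,
     "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": '"netsh" wlan show profile'},
]

STARTUP_DIR = "\\start menu\\programs\\startup\\"
HOLLOW_APIS = {"WriteProcessMemory", "SetThreadContext"}
# Hollowing host seen in this report; other signed .NET binaries can be added.
HOLLOW_HOSTS = {"msbuild.exe"}
# Assumed allowlist: parents from which an admin might legitimately run netsh.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def chain_root(procs, pid):
    """Walk parent links to the topmost process we have a record for."""
    seen = set()
    while pid in procs and procs[pid]["ppid"] in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
    return pid


def detect(events):
    """Return findings for persistence, hollowing and Wi-Fi profile dumping."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []

    # 1. Persistence: anything written into the per-user Startup folder.
    for e in events:
        if e["type"] == "file_write" and STARTUP_DIR in e["path"].lower():
            findings.append({"rule": "startup_persistence", "pid": e["pid"],
                             "detail": e["path"]})

    # 2. Hollowing: parent writes the memory of a child it spawned and then
    #    resets the child's thread context, and the child is a .NET LOLBin.
    apis = defaultdict(set)
    for e in events:
        if e["type"] == "api":
            apis[(e["pid"], e["target_pid"])].add(e["api"])
    for (src, dst), calls in apis.items():
        child = procs.get(dst)
        if (child and child["ppid"] == src and HOLLOW_APIS <= calls
                and basename(child["image"]) in HOLLOW_HOSTS):
            findings.append({"rule": "process_hollowing", "pid": src,
                             "detail": f"target {dst} {basename(child['image'])}"})

    # 3. Wi-Fi credential harvesting: netsh wlan show profile from a
    #    non-interactive parent.
    for p in procs.values():
        cl = p["cmdline"].lower()
        if basename(p["image"]) == "netsh.exe" and "wlan" in cl and "show profile" in cl:
            parent = procs.get(p["ppid"])
            pname = basename(parent["image"]) if parent else "unknown"
            if pname not in INTERACTIVE_SHELLS:
                findings.append({"rule": "wifi_profile_dump", "pid": p["pid"],
                                 "detail": f"parent {pname}"})

    for f in findings:                     # tie every hit back to the dropper
        f["root"] = chain_root(procs, f["pid"])
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['rule']}] pid {f['pid']} (root {f['root']}): {f['detail']}")
```

Each finding carries the root of its process chain, so the three separate behaviours (Startup persistence by Quote.exe, hollowing of MSBuild.exe, and the netsh child of the hollowed process) all roll up to PID 2952, which is the alert you actually want: one dropper, not three unrelated hits.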
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/2952-130-0x0000000004AC0000-0x0000000004B57000-memory.dmp (604KB)
memory/2952-131-0x0000000004B60000-0x0000000004BF7000-memory.dmp (604KB)
memory/3040-132-0x0000000000000000-mapping.dmp
memory/3040-133-0x0000000000740000-0x0000000000792000-memory.dmp (328KB)
memory/3040-138-0x0000000073AE0000-0x0000000074091000-memory.dmp (5.7MB)
memory/3712-139-0x0000000000000000-mapping.dmp