Analysis
- max time kernel: 157s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:05

Static task: static1
Behavioral task: behavioral1
- Sample: Request for Quotation.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Request for Quotation.exe
- Resource: win10v2004-20220414-en
General
- Target: Request for Quotation.exe
- Size: 522KB
- MD5: 90868ea38ee67574c75f0b44bc23f240
- SHA1: 6d59b6b66e6a57cbfd4bb8211c8a988d1ab68c7f
- SHA256: 8c2e223633dad17b0830a0efc0a1a3edfd835e176c5a502d36bb0021dfdbf2dc
- SHA512: 718380e06d37cfbde6e1dde2ef0c7f5e1846c34baba1234be2cf11717d7b0e55b8ea3405a49eff43fd5728ada9468d54f10f5eb9dcc8458b2038ae4931c694d9
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: admin@slboercleaning.com
- Password: WS!jmys8
These are the exfiltration credentials embedded in the sample, not victim data: Agent Tesla logs in to this attacker-controlled mailbox (often a compromised legitimate account) over SMTP submission port 587 and mails the stolen data out. Outbound connections to this host from any process other than a mail client are the network indicator to alert on.
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer (CoreEntity) that embeds the payload as a Bitmap object and decrypts it at runtime.
Processes:
resource                                                                    yara_rule
behavioral1/memory/748-56-0x0000000000360000-0x0000000000368000-memory.dmp  coreentity
-
AgentTesla Payload 6 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/1700-63-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
behavioral1/memory/1700-64-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
behavioral1/memory/1700-68-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
behavioral1/memory/1700-65-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
behavioral1/memory/1700-70-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
behavioral1/memory/1700-66-0x000000000044B6AE-mapping.dmp                    family_agenttesla
In this report the family rule fires only on dumps of the second process (PID 1700) at 0x400000-0x450000, i.e. on the unpacked payload after injection; the dumps of the first process (PID 748) match only the packer rules. A rule scan of the on-disk file would not be expected to hit the family signature.
-
CoreCCC Packer 1 IoCs
Detects CoreCCC packer used to load .NET malware.
Processes:
resource                                                                    yara_rule
behavioral1/memory/748-54-0x00000000013C0000-0x0000000001448000-memory.dmp  coreccc
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
Processes:
resource                                                                    yara_rule
behavioral1/memory/748-57-0x0000000000B00000-0x0000000000B58000-memory.dmp  rezer0
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes: Request for Quotation.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Request for Quotation.exe
Key opened  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Request for Quotation.exe
Key opened  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Request for Quotation.exe
The three keys are the profile stores of Outlook 2013 (Office 15.0), Outlook 2016 and later (Office 16.0) and the pre-2013 Windows Messaging Subsystem location. A genuine Outlook install reads only the key for its own version; one process opening all three in a single run is a credential sweep, not client behaviour.
-
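The sweep check described above, as an added example (this is not the sandbox's own signature code): classify opened registry keys as Outlook profile stores and flag a process that touches more than one store location. The three keys are the ones listed in this report; the fourth is a constructed non-Outlook key used as a control, and the store patterns and the `user_key` helper are this example's own.

```python
"""Classify registry keys opened by a process as Outlook profile stores and
flag a process that sweeps several of them.

Added example; not the sandbox's signature code. The three report keys are
copied from the report, BENIGN_KEY is constructed as a control.
"""
import re

# Locations where Outlook keeps MAPI profiles (account settings, including
# saved passwords). Office 15.0 is Outlook 2013, 16.0 is Outlook 2016 and
# later; the Windows Messaging Subsystem path is the pre-2013 location.
PROFILE_STORES = [
    ("office_profiles",
     re.compile(r"\\Software\\Microsoft\\Office\\(?P<ver>\d+\.\d+)\\Outlook\\Profiles\\", re.I)),
    ("windows_messaging_profiles",
     re.compile(r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
                r"Windows Messaging Subsystem\\Profiles\\", re.I)),
]
HIVE_RE = re.compile(r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-\d+-\d+-\d+-\d+)\\", re.I)


def classify_key(key_path):
    """Return {'sid', 'store', 'office_version'} for an Outlook profile key, else None."""
    hive = HIVE_RE.match(key_path)
    for store, pattern in PROFILE_STORES:
        m = pattern.search(key_path)
        if m:
            return {"sid": hive.group("sid") if hive else None,
                    "store": store,
                    "office_version": m.groupdict().get("ver")}
    return None


def outlook_profile_sweep(key_paths, min_locations=2):
    """A real Outlook install reads only the profile location for its own
    version. A process that opens profile keys in two or more distinct
    locations in one run is harvesting every store it knows of, which is
    infostealer behaviour. Returns the distinct (store, version) locations
    touched, or an empty set below the threshold."""
    hits = {(c["store"], c["office_version"])
            for c in map(classify_key, key_paths) if c}
    return hits if len(hits) >= min_locations else set()


SID = "S-1-5-21-2277218442-1199762539-2004043321-1000"
ACCOUNT_SUBKEY = "9375CFF0413111d3B88A00104B2A6676"   # account subkey seen in the report


def user_key(*parts):
    """Build \\REGISTRY\\USER\\<SID>\\... from path fragments (helper of this example)."""
    return "\\".join(("\\REGISTRY\\USER", SID) + parts)


REPORT_KEYS = [
    user_key(r"Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook", ACCOUNT_SUBKEY),
    user_key(r"Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
             ACCOUNT_SUBKEY),
    user_key(r"Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook", ACCOUNT_SUBKEY),
]
BENIGN_KEY = user_key(r"Software\Microsoft\Windows\CurrentVersion\Explorer")  # constructed control

if __name__ == "__main__":
    for k in REPORT_KEYS + [BENIGN_KEY]:
        print(classify_key(k))
    print("sweep:", outlook_profile_sweep(REPORT_KEYS + [BENIGN_KEY]))
```

The threshold of two locations is the design choice: a single profile-key read is what Outlook itself does at start-up, so alerting on one would page on every mail client launch, while a legitimate client has no reason to read the profile store of a version that is not installed.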
Suspicious use of SetThreadContext 1 IoCs
Processes: Request for Quotation.exe
description                         pid  process                    target process
PID 748 set thread context of 1700  748  Request for Quotation.exe  Request for Quotation.exe
Read together with the memory writes from 748 into 1700 listed below, this is the process hollowing pattern: the first instance starts a second copy of itself, overwrites that copy's image with the unpacked payload (the family rule hits on 1700's 0x400000-0x450000 region, with the mapping dump at 0x44B6AE) and sets the thread context to the new entry point before resuming it.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour, but nothing else in this report (no file encryption, no ransom note) supports that reading; for an Agent Tesla sample, drive enumeration is more consistent with an infostealer locating user data.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. The IoC here is the schtasks.exe invocation in the process tree below: task Updates\UvAFCP, created from an XML definition dropped in the user's Temp directory.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: Request for Quotation.exe, Request for Quotation.exe
pid   process
748   Request for Quotation.exe
1700  Request for Quotation.exe
1700  Request for Quotation.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Request for Quotation.exe, Request for Quotation.exe
description               pid   process
Token: SeDebugPrivilege   748   Request for Quotation.exe
Token: SeDebugPrivilege   1700  Request for Quotation.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes: Request for Quotation.exe
description                      pid  process                    target process             count
PID 748 wrote to memory of 960   748  Request for Quotation.exe  schtasks.exe               4
PID 748 wrote to memory of 1700  748  Request for Quotation.exe  Request for Quotation.exe  9
(The original listing shows all 13 rows individually; they are collapsed by target here.)
-
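The correlation a detection engineer would want across the SetThreadContext and WriteProcessMemory signatures above, as an added example (not the sandbox's own logic): a (source, target) process pair is flagged as hollowing only when both a memory write and a thread-context change are seen. The event records are constructed from the counts in this report (4 writes into schtasks.exe, 9 writes plus one SetThreadContext into the second copy of the sample); the `ProcEvent` and `HollowingAlert` types are this example's own.

```python
"""Correlate sandbox process-interaction events into a process-hollowing alert.

Added example, not the sandbox's detection logic. SAMPLE_EVENTS is constructed
from the rows in the report above: 4 memory writes from PID 748 into
schtasks.exe (PID 960), 9 writes into a second copy of the sample (PID 1700),
and one SetThreadContext call from 748 on 1700.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    api: str            # "WriteProcessMemory" or "SetThreadContext"
    pid: int            # acting process
    image: str          # acting process image name
    target_pid: int
    target_image: str


@dataclass
class HollowingAlert:
    pid: int
    target_pid: int
    image: str
    target_image: str
    writes: int
    context_sets: int

    @property
    def self_injection(self) -> bool:
        """True when the target is a fresh copy of the injector's own image,
        the classic "launch self suspended, overwrite, resume" hollowing shape."""
        return self.image.lower() == self.target_image.lower()


def detect_hollowing(events):
    """A (pid, target_pid) pair is flagged only when BOTH a memory write and a
    thread-context change are observed. WriteProcessMemory alone is noisy: a
    parent routinely writes into a child it has just spawned (here, schtasks.exe
    receives four writes and is not hollowed)."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "image": "", "target_image": ""})
    for ev in events:
        slot = pairs[(ev.pid, ev.target_pid)]
        slot["image"], slot["target_image"] = ev.image, ev.target_image
        if ev.api == "WriteProcessMemory":
            slot["writes"] += 1
        elif ev.api == "SetThreadContext":
            slot["ctx"] += 1
    alerts = []
    for (pid, tpid), s in pairs.items():
        if s["writes"] and s["ctx"]:
            alerts.append(HollowingAlert(pid, tpid, s["image"], s["target_image"],
                                         s["writes"], s["ctx"]))
    return alerts


SAMPLE = "Request for Quotation.exe"
# Constructed from the report's signature rows; the counts match the report.
SAMPLE_EVENTS = (
    [ProcEvent("WriteProcessMemory", 748, SAMPLE, 960, "schtasks.exe")] * 4
    + [ProcEvent("WriteProcessMemory", 748, SAMPLE, 1700, SAMPLE)] * 9
    + [ProcEvent("SetThreadContext", 748, SAMPLE, 1700, SAMPLE)]
)

if __name__ == "__main__":
    for a in detect_hollowing(SAMPLE_EVENTS):
        print(f"hollowing: {a.pid} -> {a.target_pid} ({a.target_image}), "
              f"{a.writes} writes, {a.context_sets} SetThreadContext, "
              f"self-injection={a.self_injection}")
```

On a real endpoint the same join is done over Sysmon event ID 8/10 or an EDR's API telemetry keyed by source and target process; the point carried over from this report is that the thread-context change is the discriminating event, and the writes are supporting evidence.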
outlook_office_path 1 IoCs
Processes: Request for Quotation.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Request for Quotation.exe
-
outlook_win_path 1 IoCs
Processes: Request for Quotation.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Request for Quotation.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\schtasks.exe (depth 2)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UvAFCP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB4C.tmp"
    - Creates scheduled task(s)
  -
  C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe (depth 2)
    command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
The schtasks command line names System32\schtasks.exe but the image actually executed is SysWOW64\schtasks.exe: the sample is a 32-bit process, so WoW64 file-system redirection maps System32 to SysWOW64 for it. Detection rules keyed on the image path should accept either location.
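A parser for the persistence command line shown in the process tree, as an added example (not the sandbox's signature): it tokenises a Windows command line, extracts the schtasks switches and returns the reasons the invocation looks like malware persistence. The suspicious command line is the one recorded above; the benign one is constructed for contrast, the list of value-taking switches is taken from the documented schtasks.exe options, and the "Updates\" folder check is a heuristic derived from the task name in this report.

```python
"""Flag schtasks.exe invocations that create a task from an XML file in a temp directory.

Added example, not the sandbox's own signature. REPORT_CMDLINE is the command
line from the process tree above; BENIGN_CMDLINE is constructed as a control.
"""
import re

# schtasks switches that consume the following token as their value.
VALUED_SWITCHES = {"/tn", "/xml", "/tr", "/sc", "/ru", "/rp", "/st", "/sd", "/mo", "/s", "/u", "/p"}
ACTIONS = {"/create", "/delete", "/run", "/query", "/change", "/end"}
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.I)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return (image, action, options). action is the schtasks verb (/create,
    /delete, ...); options maps lower-cased switches to their value, or None
    for bare flags such as /F."""
    tokens = tokenize(cmdline)
    image, args = tokens[0], tokens[1:]
    action, opts = None, {}
    i = 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("/"):
            key = tok.lower()
            if action is None and key in ACTIONS:
                action = key
            elif key in VALUED_SWITCHES and i + 1 < len(args):
                opts[key] = args[i + 1]
                i += 1
            else:
                opts[key] = None
        i += 1
    return image, action, opts


def score_schtasks(cmdline):
    """Reasons this invocation looks like malware persistence; [] for benign."""
    _image, action, opts = parse_schtasks(cmdline)
    reasons = []
    if action != "/create":
        return reasons
    xml = opts.get("/xml")
    if xml and TEMP_DIR_RE.search(xml):
        # The task definition (trigger, action, run-as) lives in a dropped file
        # the attacker controls; the command line alone does not show what runs.
        reasons.append("task definition imported from a temp directory: " + xml)
    tn = opts.get("/tn") or ""
    if re.match(r"^Updates?\\", tn, re.I):   # heuristic from this report's task name
        reasons.append("task placed under a generic 'Updates' folder: " + tn)
    tr = opts.get("/tr") or ""
    if tr and TEMP_DIR_RE.search(tr):
        reasons.append("task action runs from a temp directory: " + tr)
    return reasons


REPORT_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UvAFCP" '
                  r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpCB4C.tmp"')
# Constructed benign control: a nightly backup task from a program directory.
BENIGN_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /SC DAILY /ST 02:00 '
                  r'/TN "Backup\Nightly" /TR "C:\Program Files\Backup\backup.exe" /F')

if __name__ == "__main__":
    for cmd in (REPORT_CMDLINE, BENIGN_CMDLINE):
        print(cmd)
        print("  ", score_schtasks(cmd) or "no findings")
```

Because the /XML form hides the task's action inside the dropped file, a rule on the command line should be paired with collection of that file (here C:\Users\Admin\AppData\Local\Temp\tmpCB4C.tmp, listed under Downloads) so the analyst can see what the task actually launches and as whom.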
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpCB4C.tmp
- Filesize: 1KB
- MD5: 20680d6067b560cd7bcb9dd0d6ac7a21
- SHA1: 2e2b2f059c86bda9bfae103eb193cab5ec1e4802
- SHA256: 25114e0dc37a0b86847a931a9ac67aec770ebd6ae568f0a0a6584d53c76321ca
- SHA512: 8013e2e0f1e23b91c6a325730cfd8930c0273e2e3535ca14252262e6f2dd7c4657088c83d3e7b816834033e2f905a1e432b2026e9d69e751484430e5ba365736
This is the scheduled-task definition passed to schtasks.exe /XML in the process tree above.

Memory dumps (behavioral1):
dump                                                             size
memory/748-54-0x00000000013C0000-0x0000000001448000-memory.dmp   544KB
memory/748-55-0x0000000075541000-0x0000000075543000-memory.dmp   8KB
memory/748-56-0x0000000000360000-0x0000000000368000-memory.dmp   32KB
memory/748-57-0x0000000000B00000-0x0000000000B58000-memory.dmp   352KB
memory/960-58-0x0000000000000000-mapping.dmp                     -
memory/1700-60-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/1700-61-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/1700-63-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/1700-64-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/1700-68-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/1700-65-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/1700-70-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
memory/1700-66-0x000000000044B6AE-mapping.dmp                    -