Analysis
- max time kernel: 109s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 11:47
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Quotation.exe
  Resource: win10v2004-20220414-en
General
- Target: Quotation.exe
- Size: 858KB
- MD5: 78832f031eac50fc85ad33b10ab20c84
- SHA1: 3c33ff149fd9fdbdea22abb85bd84e6ba99e0a32
- SHA256: 8f29462204ac0f3027f813dc6203a09864d9e54c2de340dfcc2b47d9969bda5d
- SHA512: f17de17e828c7aacd7418a214bf679be9604d06ae0ee7af8a2a595dcdb3bfb8ca260b5c22cd02c8be42cadf33c978377f59ae1736b9ffadaec7c46c2c142f9f0
Malware Config
Extracted
  Protocol: smtp
  Host: mail.privateemail.com
  Port: 587
  Username: maka@wanchuangda.pw
  Password: mmm777
Extracted (agenttesla)
  Protocol: smtp
  Host: mail.privateemail.com
  Port: 587
  Username: maka@wanchuangda.pw
  Password: mmm777
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
  Processes:
    resource: behavioral2/memory/452-139-0x0000000000400000-0x000000000044C000-memory.dmp
    yara_rule: family_agenttesla
- Drops file in Drivers directory (1 IoC)
  Processes (Quotation.exe):
    description: File opened for modification
    ioc: C:\Windows\system32\drivers\etc\hosts
    process: Quotation.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (Quotation.exe):
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation
    process: Quotation.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (Quotation.exe):
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Quotation.exe

    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Quotation.exe

    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Quotation.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (Quotation.exe):
    description: PID 4528 set thread context of 452
    pid: 4528
    process: Quotation.exe
    target process: Quotation.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (Quotation.exe):
    pid: 452, process: Quotation.exe
    pid: 452, process: Quotation.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (Quotation.exe):
    description: Token: SeDebugPrivilege
    pid: 452
    process: Quotation.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (Quotation.exe):
    pid: 452, process: Quotation.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (Quotation.exe):
    description: PID 4528 wrote to memory of 4460 (3 entries)
    pid: 4528
    process: Quotation.exe
    target process: schtasks.exe

    description: PID 4528 wrote to memory of 452 (8 entries)
    pid: 4528
    process: Quotation.exe
    target process: Quotation.exe
- outlook_office_path (1 IoC)
  Processes (Quotation.exe):
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Quotation.exe
- outlook_win_path (1 IoC)
  Processes (Quotation.exe):
    description: Key opened
    ioc: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    process: Quotation.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Quotation.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QThDafzEJYx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65EE.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Quotation.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    - Drops file in Drivers directory
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp65EE.tmp
  Filesize: 1KB
  MD5: 18860cbedce3643d6e75403f1f2f22a4
  SHA1: 21fdc0f69fbeff4df8ff988ad94700e271c83538
  SHA256: c54074542376bee334c9ce02e53d53a1b216b9548f08a0e9e4ea5f2c2f8a0bdb
  SHA512: 9ef0584de0f438b8a7d8ba2e9c1514bc359b11d4b238c263bef6a625abe60c4362163149ee78869b6b877d47b7894cc4011efe57ef2fa8a6201a6a96435b9c18
- memory/452-138-0x0000000000000000-mapping.dmp
- memory/452-139-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/452-140-0x0000000005EC0000-0x0000000005F26000-memory.dmp (Filesize: 408KB)
- memory/452-141-0x0000000006650000-0x00000000066A0000-memory.dmp (Filesize: 320KB)
- memory/4460-136-0x0000000000000000-mapping.dmp
- memory/4528-130-0x0000000000A80000-0x0000000000B5C000-memory.dmp (Filesize: 880KB)
- memory/4528-131-0x0000000005530000-0x00000000055CC000-memory.dmp (Filesize: 624KB)
- memory/4528-132-0x0000000005B80000-0x0000000006124000-memory.dmp (Filesize: 5.6MB)
- memory/4528-133-0x00000000055D0000-0x0000000005662000-memory.dmp (Filesize: 584KB)
- memory/4528-134-0x00000000054E0000-0x00000000054EA000-memory.dmp (Filesize: 40KB)
- memory/4528-135-0x00000000056D0000-0x0000000005726000-memory.dmp (Filesize: 344KB)