Analysis
max time kernel: 93s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 12:44
Static task: static1
Behavioral task: behavioral1
  Sample: REQUEST FOR QUOTATION.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: REQUEST FOR QUOTATION.exe
  Resource: win10v2004-20220414-en
General
Target: REQUEST FOR QUOTATION.exe
Size: 524KB
MD5: 2d02fc0bb28b135bd28dcd4b66447e3e
SHA1: eb509573abe7488ba23a02cb7326fa2f4e3d8c27
SHA256: 23f73a5c76d3f569e043322817d14f2618301b8ed17db3c52d26813b1a27b298
SHA512: a8ac57edce70b775823a2874439f89006ddf9d53de1cc901aad32ccc985d2d8f09f782bf88231cdc69c9e1df0136046012b3bbc4d8bc4a7e10a15626d356a26b
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: mullarwhite@yandex.com
Password: challenge12345@
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (1 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/4340-136-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: RegSvcs.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LKUgjc = "C:\\Users\\Admin\\AppData\\Roaming\\LKUgjc\\LKUgjc.exe" | RegSvcs.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: REQUEST FOR QUOTATION.exe
description | pid | process | target process
PID 3716 set thread context of 4340 | 3716 | REQUEST FOR QUOTATION.exe | RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: REQUEST FOR QUOTATION.exe, RegSvcs.exe
pid | process
3716 | REQUEST FOR QUOTATION.exe
3716 | REQUEST FOR QUOTATION.exe
4340 | RegSvcs.exe
4340 | RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: REQUEST FOR QUOTATION.exe, RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 3716 | REQUEST FOR QUOTATION.exe
Token: SeDebugPrivilege | 4340 | RegSvcs.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: REQUEST FOR QUOTATION.exe, RegSvcs.exe
description | pid | process | target process
PID 3716 wrote to memory of 4304 | 3716 | REQUEST FOR QUOTATION.exe | RegSvcs.exe
PID 3716 wrote to memory of 4304 | 3716 | REQUEST FOR QUOTATION.exe | RegSvcs.exe
PID 3716 wrote to memory of 4304 | 3716 | REQUEST FOR QUOTATION.exe | RegSvcs.exe
PID 3716 wrote to memory of 4340 | 3716 | REQUEST FOR QUOTATION.exe | RegSvcs.exe
PID 3716 wrote to memory of 4340 | 3716 | REQUEST FOR QUOTATION.exe | RegSvcs.exe
PID 3716 wrote to memory of 4340 | 3716 | REQUEST FOR QUOTATION.exe | RegSvcs.exe
PID 3716 wrote to memory of 4340 | 3716 | REQUEST FOR QUOTATION.exe | RegSvcs.exe
PID 3716 wrote to memory of 4340 | 3716 | REQUEST FOR QUOTATION.exe | RegSvcs.exe
PID 3716 wrote to memory of 4340 | 3716 | REQUEST FOR QUOTATION.exe | RegSvcs.exe
PID 3716 wrote to memory of 4340 | 3716 | REQUEST FOR QUOTATION.exe | RegSvcs.exe
PID 3716 wrote to memory of 4340 | 3716 | REQUEST FOR QUOTATION.exe | RegSvcs.exe
PID 4340 wrote to memory of 3200 | 4340 | RegSvcs.exe | netsh.exe
PID 4340 wrote to memory of 3200 | 4340 | RegSvcs.exe | netsh.exe
PID 4340 wrote to memory of 3200 | 4340 | RegSvcs.exe | netsh.exe
outlook_office_path (1 IoCs)
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
outlook_win_path (1 IoCs)
Processes: RegSvcs.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    command line: "{path}"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    command line: "{path}"
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    C:\Windows\SysWOW64\netsh.exe (depth 3)
      command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
memory/3200-139-0x0000000000000000-mapping.dmp
memory/3716-130-0x0000000000500000-0x000000000058A000-memory.dmp (Filesize: 552KB)
memory/3716-131-0x0000000005580000-0x0000000005B24000-memory.dmp (Filesize: 5.6MB)
memory/3716-132-0x0000000004F10000-0x0000000004FA2000-memory.dmp (Filesize: 584KB)
memory/3716-133-0x0000000005070000-0x000000000510C000-memory.dmp (Filesize: 624KB)
memory/4304-134-0x0000000000000000-mapping.dmp
memory/4340-135-0x0000000000000000-mapping.dmp
memory/4340-136-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
memory/4340-137-0x0000000005F50000-0x0000000005FB6000-memory.dmp (Filesize: 408KB)
memory/4340-138-0x0000000006B10000-0x0000000006B60000-memory.dmp (Filesize: 320KB)
memory/4340-140-0x0000000006D50000-0x0000000006D5A000-memory.dmp (Filesize: 40KB)