Analysis
-
max time kernel
92s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
07-03-2023 12:29
Static task
static1
Behavioral task
behavioral1
Sample
QUOTATION.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
QUOTATION.exe
Resource
win10v2004-20230220-en
General
-
Target
QUOTATION.exe
-
Size
268KB
-
MD5
1b71cb032f4f8a2ca0004c0d57553974
-
SHA1
5738e00ef9f37a76c1416cec3af4427e28d07ff3
-
SHA256
89a0e99ef4a97ea1ad4212d7f539c9e851b97108f93a6ff64bbb0b5a5e8997d7
-
SHA512
ea6aa1d7dd80d0b85bc6a66ef66d3d6280c53fb2cf9aa167019d4df609bb697a325959b9a5bef46484fd62c01d1833cac8bca87fa5d79e8e95c612e82052e543
-
SSDEEP
6144:/Ya6tqbIlkemg8GoGhG+D8KwTKMU4vOzriVFzZ2EaRhcM576kf0:/YXoN2oHzKwDKrWFzoRhC
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 2 IoCs
pid Process 796 nnjqndae.exe 4632 nnjqndae.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 nnjqndae.exe Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 nnjqndae.exe Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 nnjqndae.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xtdirnwfbkgpyu = "C:\\Users\\Admin\\AppData\\Roaming\\nsbwgpluq\\ajfo.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\nnjqndae.exe\" C:\\Users\\Admin\\AppData\\Local\\Te" nnjqndae.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 796 set thread context of 4632 796 nnjqndae.exe 84 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 796 nnjqndae.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4632 nnjqndae.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2676 wrote to memory of 796 2676 QUOTATION.exe 83 PID 2676 wrote to memory of 796 2676 QUOTATION.exe 83 PID 2676 wrote to memory of 796 2676 QUOTATION.exe 83 PID 796 wrote to memory of 4632 796 nnjqndae.exe 84 PID 796 wrote to memory of 4632 796 nnjqndae.exe 84 PID 796 wrote to memory of 4632 796 nnjqndae.exe 84 PID 796 wrote to memory of 4632 796 nnjqndae.exe 84 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 nnjqndae.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 nnjqndae.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"C:\Users\Admin\AppData\Local\Temp\QUOTATION.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\nnjqndae.exe"C:\Users\Admin\AppData\Local\Temp\nnjqndae.exe" C:\Users\Admin\AppData\Local\Temp\pktckj.lr2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Users\Admin\AppData\Local\Temp\nnjqndae.exe"C:\Users\Admin\AppData\Local\Temp\nnjqndae.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4632
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD5345c29e106f71d9a547e28aa64980db2
SHA1d74cc8147902b5ae1d798f04710afd3ccc3a2cfe
SHA25651d95acae4522f3a8df0810c490be9f21fb25d7177928bb97800c2e27a9c2057
SHA512c16654b694062271c90873b611c7b4692d106a11e24cec3ee6c4ef7baf56159895fd24dd9011b77f3194a5ad0aaa04fc53977a0d8f9cb1b236dd88a3c24f96c4
-
Filesize
6KB
MD5345c29e106f71d9a547e28aa64980db2
SHA1d74cc8147902b5ae1d798f04710afd3ccc3a2cfe
SHA25651d95acae4522f3a8df0810c490be9f21fb25d7177928bb97800c2e27a9c2057
SHA512c16654b694062271c90873b611c7b4692d106a11e24cec3ee6c4ef7baf56159895fd24dd9011b77f3194a5ad0aaa04fc53977a0d8f9cb1b236dd88a3c24f96c4
-
Filesize
6KB
MD5345c29e106f71d9a547e28aa64980db2
SHA1d74cc8147902b5ae1d798f04710afd3ccc3a2cfe
SHA25651d95acae4522f3a8df0810c490be9f21fb25d7177928bb97800c2e27a9c2057
SHA512c16654b694062271c90873b611c7b4692d106a11e24cec3ee6c4ef7baf56159895fd24dd9011b77f3194a5ad0aaa04fc53977a0d8f9cb1b236dd88a3c24f96c4
-
Filesize
7KB
MD5c3d8350137528d72c70bf2f3b2dc59ac
SHA1b49be064996f833a861b040d312cebbabafd7a1d
SHA2560f8c2b669f897b90a4f385722edcc61a257a1bc32f22a5141c11933fbcb13212
SHA5121ad904a858362d20514501e9d0e950d10f1e287836a5ee2c2d0fbe761aeb10a1460f00baf70bde984472c348a57d76aa513b905b928c3316fc8beae69941dbea
-
Filesize
262KB
MD55afc372dc8fa1a9a43b8cc725770b25e
SHA1d20db3899a01c683b0bf2458c9cdd9f611a3bab6
SHA25682ac6118dc28a8b54ae0ac47442bd8b205635a88ca1a1d0136d4f014bd32df0d
SHA512863838d739417e91e6a7815f54342bfd151da00b9a67c4d7a34c216d77f571d3f22cf180fbd9ddcee0e2e3db7b0a3a361c8e3793dcc39c469e1c4443f831a84e