Analysis
Max time kernel: 16s
Max time network: 117s
Platform: windows7_x64
Resource: win7-20231130-en
Resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
Submitted: 05-12-2023 17:14
Static task: static1
Behavioral task: behavioral1
  Sample: quote.exe
  Resource: win7-20231130-en
Behavioral task: behavioral2
  Sample: quote.exe
  Resource: win10v2004-20231130-en
General
Target: quote.exe
Size: 740KB
MD5: b8544d8facfb793edab9d38921933728
SHA1: 5ab5b9c19dd1cf189b49be90233e32dacd32e9e6
SHA256: a81e919be20c26807dc7d775ccdc026d4a9daf0116661dff5e3fbdaf29effe19
SHA512: f59aee69180a55f43c35ee32cb0a3a4b58994fd25a195d7557719a0f7b6c482fe561fd13a239772e32a04512391ffaed520ab85399eb0dbff75356585e88ac6f
SSDEEP: 12288:DWVretW8G34/uK45+po2ys7l/yOKRXDGz5aTbFQG1uJ073ZCeg/:4x34/up+pJyoaOMTGz5atQZJ0r
Malware Config
Extracted
agenttesla
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: [email protected]
  Password: kV$bSqJ1 daniel
  Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    2     api.ipify.org
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    3060  quote.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3060  quote.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid   process    target process
    PID 3060 wrote to memory of 2076  3060  quote.exe  powershell.exe
    PID 3060 wrote to memory of 2076  3060  quote.exe  powershell.exe
    PID 3060 wrote to memory of 2076  3060  quote.exe  powershell.exe
    PID 3060 wrote to memory of 2076  3060  quote.exe  powershell.exe
    PID 3060 wrote to memory of 3032  3060  quote.exe  schtasks.exe
    PID 3060 wrote to memory of 3032  3060  quote.exe  schtasks.exe
    PID 3060 wrote to memory of 3032  3060  quote.exe  schtasks.exe
    PID 3060 wrote to memory of 3032  3060  quote.exe  schtasks.exe
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\quote.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\quote.exe"
  PID: 3060
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - Image: C:\Users\Admin\AppData\Local\Temp\quote.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\quote.exe"
    PID: 2664
  - Image: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WLJIUp" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B72.tmp"
    PID: 3032
    - Creates scheduled task(s)
  - Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WLJIUp.exe"
    PID: 2076
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 80ad8e486132866f5d3145a9ab1baa39
  SHA1: 9c6439d4f2436d068ea932464b91be3f5bd96c61
  SHA256: ee2ebc415fbee31dfc7706006b734e2550e8e02371f36cc1be400e925a09416d
  SHA512: 289268d0a496b9b8ef37d5d0bc3c981a49a685568dc7d9bdadec7ca7da556a0444f692d0786188d0f8212dffd9bbbed0e37cea920d05eaf0cbaee9c111b4cf87