Analysis
max time kernel: 19s
max time network: 120s
platform: windows7_x64
resource: win7-20231201-en
resource tags: arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2023 17:17
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation.exe
  Resource: win7-20231201-en
Behavioral task: behavioral2
  Sample: Quotation.exe
  Resource: win10v2004-20231130-en
General
Target: Quotation.exe
Size: 830KB
MD5: 985225f6ec19a166c50bd5d0e16d330f
SHA1: 9022950aa9cef1cc010c636a97b229e30d0002b0
SHA256: 82cb6a221ee2b2c0c0f43139765407c713ff6980d966544f71f351c66928a4da
SHA512: a4d5576cc36994ae0d6bfa0545961370f429bd8a4e875a65e77f6f4cf522dbf1fa82fb5491b593f26178a6a27c8c1b54214b06c29b43a6c2e09908ab4361d5a0
SSDEEP: 24576:koPOk+pJZDI7EeT/ZhOX0IAmQeY14VDjh:nyJ6ZT/Zh3IAmQ5qD
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.gimpex-imerys.com
Port: 587
Username: [email protected]
Password: h45ZVRb6(IMF
Email To: [email protected]
Signatures
AgentTesla
  Agent Tesla is a .NET remote access tool (RAT) and information stealer; this sample exfiltrates over SMTP (see Malware Config above).
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  2332  Quotation.exe
  2332  Quotation.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  2332  Quotation.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                        pid   process        target process
  PID 2332 wrote to memory of 2296   2332  Quotation.exe  powershell.exe  (4 identical entries)
  PID 2332 wrote to memory of 2316   2332  Quotation.exe  schtasks.exe    (4 identical entries)
Processes
C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 2332)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  Children:
    C:\Windows\SysWOW64\schtasks.exe (PID 2316)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vaTUux" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5293.tmp"
      Signatures: Creates scheduled task(s)
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2296)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vaTUux.exe"
    C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 2760)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

Notes: the command lines name System32, but the images that actually ran are under SysWOW64, so the sample is a 32-bit process and WOW64 file-system redirection applied. The scheduled task name (Updates\vaTUux) and the Defender exclusion path (C:\Users\Admin\AppData\Roaming\vaTUux.exe) share the same name; the task definition is imported from a temporary XML file (tmp5293.tmp) whose contents the report does not show. The sample also relaunches itself as a child (PID 2760); the report attaches no signature to that child.
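Detection logic for the two child-process behaviours in the tree above (schtasks.exe importing a task from an XML in the user's Temp directory, and powershell.exe adding a Defender exclusion for a path under AppData), written as an added example that is not part of the sandbox report. The event records are constructed from the command lines and PIDs the report shows, plus one benign control; the (pid, ppid, image, cmdline) layout mirrors a Sysmon Event ID 1 record and the root PPIDs (1000, 900) are assumptions. The technique IDs are the ATT&CK ones for Scheduled Task (T1053.005) and Disable or Modify Tools (T1562.001). Beyond the single case on the page, it correlates both findings back to a common parent, which is the signal that separates this sample from an installer that happens to do one of the two.

```python
"""Detect schtasks /Create from a user Temp XML and Add-MpPreference exclusions,
then correlate both back to the parent process.

Added example; not part of the sandbox report.  SAMPLE_EVENTS is constructed
from the report's process tree (root PPIDs are assumed) plus one benign control.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as the OS reports it (SysWOW64 for 32-bit callers)
    cmdline: str   # raw command line, quoting preserved


# Constructed from the report's process tree; PPID 1000 for the root is assumed.
SAMPLE_EVENTS = [
    ProcEvent(2332, 1000, r"C:\Users\Admin\AppData\Local\Temp\Quotation.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"'),
    ProcEvent(2316, 2332, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vaTUux" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp5293.tmp"'),
    ProcEvent(2296, 2332, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vaTUux.exe"'),
    ProcEvent(2760, 2332, r"C:\Users\Admin\AppData\Local\Temp\Quotation.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"'),
    # Benign control (constructed): a task imported from a non-user-writable path.
    ProcEvent(4100, 900, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'),
]

# Windows-style tokenizer: a double-quoted run is one argument, otherwise split on whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_USER_APPDATA = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.I)
_USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def tokenize(cmdline):
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def arg_after(tokens, flag):
    """Value following a case-insensitive flag such as /XML or -ExclusionPath, else None."""
    for i in range(len(tokens) - 1):
        if tokens[i].lower() == flag.lower():
            return tokens[i + 1]
    return None


def detect(ev):
    """Return (technique, description, artifact) findings for one process-creation event."""
    tokens = tokenize(ev.cmdline)
    image = ev.image.rsplit("\\", 1)[-1].lower()
    lowered = [t.lower() for t in tokens]
    findings = []
    if image == "schtasks.exe" and "/create" in lowered:
        xml = arg_after(tokens, "/XML")
        # A task definition imported from the user's Temp directory is the report's pattern;
        # legitimate installers import from ProgramData, Program Files or System32.
        if xml and _USER_TEMP.search(xml):
            findings.append(("T1053.005", "schtasks /Create from XML in user Temp", arg_after(tokens, "/TN")))
    elif image == "powershell.exe" and "add-mppreference" in lowered:
        path = arg_after(tokens, "-ExclusionPath")
        if path and _USER_APPDATA.search(path):
            findings.append(("T1562.001", "Defender exclusion added for user-writable path", path))
    return findings


def triage(events):
    """Run detect() over all events and attach the parent image to each finding."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for technique, desc, artifact in detect(ev):
            alerts.append({"pid": ev.pid, "parent_pid": ev.ppid,
                           "parent_image": parent.image if parent else None,
                           "technique": technique, "description": desc, "artifact": artifact})
    return alerts


def correlate(alerts, required=("T1053.005", "T1562.001")):
    """Parent PIDs whose children exhibit every required technique (PID 2332 in the report)."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["parent_pid"], set()).add(a["technique"])
    return {pid for pid, techs in seen.items() if set(required) <= techs}


if __name__ == "__main__":
    alerts = triage(SAMPLE_EVENTS)
    for a in alerts:
        print(f'{a["technique"]} pid={a["pid"]} parent={a["parent_pid"]} '
              f'({a["parent_image"]}): {a["description"]} -> {a["artifact"]}')
    print("high-confidence parents:", sorted(correlate(alerts)))
```

Run against the constructed events, the schtasks and powershell children each raise one finding, the benign control raises none, and correlate() returns only PID 2332 because both techniques trace back to it. The tokenizer deliberately matches on the argument following the flag rather than on a substring of the whole command line, so a path mentioned elsewhere in the command does not trigger the rule.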
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 6406b41d7aa867306a49c35cb9a810d6
SHA1: 55e9854b94cfa021615980cfe9aac8171d4f2cf0
SHA256: dd75a58d85d02f95e1b02cb8786d593569d7bec21022198610ffda6a16eff19a
SHA512: 813ffbcc44fe02c44cb8bf6c01f62ecf49617da1cfc69b8c3825bc371fb2c249d0e6b1dc17193918fc76f6f6de6168d1fc9c2328e2c2d424cb76c1156bb78a67