Analysis
max time kernel: 19s
max time network: 120s
platform: windows7_x64
resource: win7-20231201-en
resource tags: arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system
submitted: 05-12-2023 17:21
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation.exe
  Resource: win7-20231201-en
Behavioral task: behavioral2
  Sample: Quotation.exe
  Resource: win10v2004-20231130-en
General
Target: Quotation.exe
Size: 811KB
MD5: 12ce994a7771f557860a1dd0a6d7fa86
SHA1: 02fb55374e6fcc35838a86f61be0d1777c5b0ce1
SHA256: 34cd5a3fe4b96b4fd09ec6ea72ee1cd3924d5a69cd1a27c894c44cc705e6b5f8
SHA512: 6938c6c7a02b0260fe96563e36b438729b4a0251f59c5a74e1ea0bb845773ec3e6b5c88626984288b84088084c904ffd7f717655d7244bee03449d24b36f6302
SSDEEP: 24576:o34/up+pJcQ52CON7+xxPBeGVWtbU5N7:o38PJyN7+xWMWtIj
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.gimpex-imerys.com
Port: 587
Username: [email protected]
Password: h45ZVRb6(IMF
Email To: [email protected]

These are the SMTP account details the sample uses to mail out harvested data; the username and recipient addresses are shown as rendered in the report. For hunting, look for SMTP sessions to mail.gimpex-imerys.com on port 587 from processes that are not mail clients, and confirm the host is not used legitimately in the environment before blocking it outright.
Signatures

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests saved credentials, keystrokes and clipboard contents and exfiltrates them over SMTP, FTP or HTTP; the SMTP settings under Malware Config above are its exfiltration channel.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks.exe is often used by malware for persistence or to perform post-infection execution. Here it registers the task "Updates\cUdojGRmEv" from an XML definition written to the user's Temp directory (see Processes below).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 2520  Quotation.exe
  pid 2520  Quotation.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 2520  Quotation.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (8 IoCs)
  source pid 2520 (Quotation.exe) wrote to memory of pid 2764 (powershell.exe): 4 events
  source pid 2520 (Quotation.exe) wrote to memory of pid 2824 (schtasks.exe): 4 events

Both children show the same four-write pattern immediately after being launched, and both run to completion as ordinary helper processes, so treat these entries as the memory writes that accompany process creation from a 32-bit parent rather than as evidence of code injection into powershell.exe or schtasks.exe. No write into the second Quotation.exe (pid 2696) is recorded.
Processes

C:\Users\Admin\AppData\Local\Temp\Quotation.exe  (PID 2520)
  command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2764)
  |     command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cUdojGRmEv.exe"
  |
  +-- C:\Windows\SysWOW64\schtasks.exe  (PID 2824)
  |     command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cUdojGRmEv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp"
  |     signatures: Creates scheduled task(s)
  |
  +-- C:\Users\Admin\AppData\Local\Temp\Quotation.exe  (PID 2696)
        command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"

Each child's command line names System32 while its logged image path is under SysWOW64: the parent is a 32-bit process on x64 Windows, so file-system redirection maps its System32 references to SysWOW64. The two helpers are the usual AgentTesla installer chain: first a Defender path exclusion for the copy the sample intends to keep at %APPDATA%\cUdojGRmEv.exe, then a scheduled task in the "Updates" task folder with the same random name, defined by an XML file dropped in %TEMP%. The matching name across the exclusion path and the task is the indicator to hunt for on other hosts. The sample finally starts a second copy of itself (PID 2696), for which the report records no further activity.
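The chain in the process tree above (a Defender exclusion, a scheduled task built from an XML file in a user-writable directory, and a self-spawn from %TEMP%) is a better detection key than the file hash, which changes with every build. The following Python is an added example, not part of the sandbox report: it runs three such rules over constructed process-creation events modelled on the tree above and only flags a parent whose children trip two or more of them. The event list, the extra PIDs (1000, 3100, 3150, 3200) and the two benign control events are assumptions.

```python
"""Detection logic for the installer chain in the process tree above, run over
constructed process-creation events (Sysmon event ID 1 style). Added example;
not part of the sandbox report. SAMPLE_EVENTS is modelled on the report's
process list and is constructed, not captured telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the created process
    cmdline: str    # command line as logged


# Directories any unprivileged user can write to; staging and persistence
# from here is the common denominator of the three rules below.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)
# PowerShell adding a Defender path exclusion; capture the excluded path.
ADD_EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+\"?([^\"\s]+)", re.I)
# schtasks creating a task from an XML definition; capture the XML path.
SCHTASKS_XML = re.compile(r"/Create\b.*?/XML\s+\"?([^\"]+)", re.I)


def detect(events):
    """Return (findings, chains). findings: (pid, rule, detail) per hit.
    chains: parent pid -> set of rules its direct children triggered."""
    by_pid = {e.pid: e for e in events}
    findings = []
    chains = defaultdict(set)
    for e in events:
        image = e.image.lower()
        parent = by_pid.get(e.ppid)
        hits = []
        if image.endswith("powershell.exe"):
            m = ADD_EXCLUSION.search(e.cmdline)
            if m:
                hits.append(("defender_exclusion", m.group(1)))
        if image.endswith("schtasks.exe"):
            m = SCHTASKS_XML.search(e.cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                hits.append(("schtasks_xml_from_user_dir", m.group(1)))
        # A parent launching its own image out of a user-writable directory.
        if parent and parent.image.lower() == image and USER_WRITABLE.search(image):
            hits.append(("self_spawn_from_user_dir", e.image))
        for rule, detail in hits:
            findings.append((e.pid, rule, detail))
            chains[e.ppid].add(rule)
    return findings, dict(chains)


def suspicious_parents(events, min_rules=2):
    """Parent PIDs whose children tripped at least min_rules distinct rules;
    a single rule (an admin adding an exclusion) is too noisy to alert on."""
    _, chains = detect(events)
    return sorted(p for p, rules in chains.items() if len(rules) >= min_rules)


# Constructed events: the four processes from the report plus two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(2520, 1000, r"C:\Users\Admin\AppData\Local\Temp\Quotation.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"'),
    ProcEvent(2764, 2520, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\cUdojGRmEv.exe"'),
    ProcEvent(2824, 2520, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cUdojGRmEv" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp"'),
    ProcEvent(2696, 2520, r"C:\Users\Admin\AppData\Local\Temp\Quotation.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"'),
    # benign control (assumed): an admin querying Defender settings
    ProcEvent(3100, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'),
    # benign control (assumed): an installer registering a task from a vendor XML under ProgramData
    ProcEvent(3200, 3150, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" '
              r'/XML "C:\ProgramData\Vendor\updater.xml"'),
]

if __name__ == "__main__":
    hits, _ = detect(SAMPLE_EVENTS)
    for pid, rule, detail in hits:
        print(f"pid {pid}: {rule} -> {detail}")
    print("suspicious parents:", suspicious_parents(SAMPLE_EVENTS))
```

Matching is done on the logged image path rather than on the command line's System32 string, so the SysWOW64 redirection seen in the report does not matter, and the schtasks rule fires only when the XML source sits in a user-writable directory, which keeps legitimate installers out of the alert. Feeding real telemetry means mapping your EDR's process-creation fields onto ProcEvent; nothing else changes.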
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 1869af84119fafe1e0ce75278ca82001
SHA1: 7ee76286ce3500ae587cd0d893a36704bbb54805
SHA256: 522f9a9c70db3b25ff96677a65f13fa1716c6c6fc3128717a89d710f28f01f32
SHA512: 01a2ba5e3d10e3d01417f3c42e0fb312d7b999da57de197a21f980fda759c18bd37f6e2ee36035607942b5c53421cc00b977e6abdaa5ed974b231b1724aac84b