Overview

overview

10

Static

static

3

Quotation.exe

windows7-x64

10

Quotation.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    19s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231201-en
  • resource tags

    arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 17:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation.exe

  • Size

    811KB

  • MD5

    12ce994a7771f557860a1dd0a6d7fa86

  • SHA1

    02fb55374e6fcc35838a86f61be0d1777c5b0ce1

  • SHA256

    34cd5a3fe4b96b4fd09ec6ea72ee1cd3924d5a69cd1a27c894c44cc705e6b5f8

  • SHA512

    6938c6c7a02b0260fe96563e36b438729b4a0251f59c5a74e1ea0bb845773ec3e6b5c88626984288b84088084c904ffd7f717655d7244bee03449d24b36f6302

  • SSDEEP

    24576:o34/up+pJcQ52CON7+xxPBeGVWtbU5N7:o38PJyN7+xWMWtIj

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\cUdojGRmEv.exe"
      2⤵
        PID:2764
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\cUdojGRmEv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp"
        2⤵
        • Creates scheduled task(s)
        PID:2824
      • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        2⤵
          PID:2696

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp5EB3.tmp
        Filesize

        1KB

        MD5

        1869af84119fafe1e0ce75278ca82001

        SHA1

        7ee76286ce3500ae587cd0d893a36704bbb54805

        SHA256

        522f9a9c70db3b25ff96677a65f13fa1716c6c6fc3128717a89d710f28f01f32

        SHA512

        01a2ba5e3d10e3d01417f3c42e0fb312d7b999da57de197a21f980fda759c18bd37f6e2ee36035607942b5c53421cc00b977e6abdaa5ed974b231b1724aac84b

        Download Submit

      • memory/2520-27-0x0000000074BD0000-0x00000000752BE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2520-0-0x0000000000DE0000-0x0000000000EB2000-memory.dmp

        Filesize

        840KB

        Download

      • memory/2520-2-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2520-3-0x0000000000400000-0x0000000000418000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2520-4-0x00000000003E0000-0x00000000003E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2520-5-0x0000000000420000-0x000000000042A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2520-6-0x0000000005460000-0x00000000054DA000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2520-1-0x0000000074BD0000-0x00000000752BE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2696-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2696-32-0x0000000004A70000-0x0000000004AB0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2696-24-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2696-20-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2696-17-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2696-16-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2696-14-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2696-12-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2696-28-0x0000000074BD0000-0x00000000752BE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2696-36-0x0000000004A70000-0x0000000004AB0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2696-35-0x0000000074BD0000-0x00000000752BE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2696-26-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2764-33-0x0000000002060000-0x00000000020A0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2764-31-0x000000006F050000-0x000000006F5FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2764-34-0x000000006F050000-0x000000006F5FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2764-29-0x000000006F050000-0x000000006F5FB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2764-30-0x0000000002060000-0x00000000020A0000-memory.dmp

        Filesize

        256KB

        Download