Overview

overview

10

Static

static

3

Quotation ...01.exe

windows7-x64

10

Quotation ...01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation specifications draft20001.exe

  • Size

    844KB

  • MD5

    e4aaca7e0fe69ced3fc467506885a9d9

  • SHA1

    dd9554514cba10808aa3e0f32c9f5f22c37e6995

  • SHA256

    db6e594697d85074a16f8ce893649435b356c1ae31724203df7e5463bb97d1fc

  • SHA512

    8254f7c3844db4e95f98431a00c7795650b5c9720670aac178b87c2ac444c86e34bc84f53ffd59fda16781aab6fcc86fcf81850f007189ca65db2c61dfbdbbc5

  • SSDEEP

    24576:Vw4bjw4bajqV8d707FhxVROXXaeSA+oafS7:Vw4bjw4bajN0xPOCBfk

Score
10/10
agentteslaexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.bethesdakindergarten.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    kindy6014587474

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation specifications draft20001.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation specifications draft20001.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Quotation specifications draft20001.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eRkUBYSG.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2720
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eRkUBYSG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A49.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2624
    • C:\Users\Admin\AppData\Local\Temp\Quotation specifications draft20001.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation specifications draft20001.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4A49.tmp
    Filesize

    1KB

    MD5

    dadf7b766fac6a859d23c50789887216

    SHA1

    0cc0089371a0047de87efe693191fad0b5189abd

    SHA256

    cd675d75084693d85d512fe72797f302eee6961e1fe7f3daca68123e2883956b

    SHA512

    5123a94435cb8b4e78f7f463f720fed4bab4dfdebbfefd233a875e7368bbe95a3827532fa9c52362399272c49d093ba2fe31f0217fb9b988965a96777d52de7f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    7fdfda67fa23547666a70c0bffe9362f

    SHA1

    c73d4435c75d0929b21fb94418133e0180c5f8e7

    SHA256

    d4c8926658fa631693da44de0c005b7142de36b4c2224b08b3edfa27f7bd88ea

    SHA512

    0165530cde5809336d1a125eedbfb55bfc947e3821197782fdf3f9e6b4d26539b2258394c90640080acef6dc11e9169282e4e9edb29e7a6e0361d2ab599e4e70

    Download Submit

  • memory/2568-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2568-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2568-20-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2568-22-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2568-24-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2568-28-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2568-18-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2568-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/3068-2-0x0000000074560000-0x0000000074C4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3068-1-0x0000000000E70000-0x0000000000F46000-memory.dmp

    Filesize

    856KB

    Download

  • memory/3068-0-0x000000007456E000-0x000000007456F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3068-3-0x00000000002F0000-0x000000000030A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3068-5-0x0000000005530000-0x00000000055B4000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3068-4-0x0000000000270000-0x0000000000280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3068-31-0x0000000074560000-0x0000000074C4E000-memory.dmp

    Filesize

    6.9MB

    Download