Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 08:13
Static task: static1
Behavioral task: behavioral1
- Sample: Quotation specifications draft20001.exe
- Resource: win7-20240508-en
General
- Target: Quotation specifications draft20001.exe
- Size: 844KB
- MD5: e4aaca7e0fe69ced3fc467506885a9d9
- SHA1: dd9554514cba10808aa3e0f32c9f5f22c37e6995
- SHA256: db6e594697d85074a16f8ce893649435b356c1ae31724203df7e5463bb97d1fc
- SHA512: 8254f7c3844db4e95f98431a00c7795650b5c9720670aac178b87c2ac444c86e34bc84f53ffd59fda16781aab6fcc86fcf81850f007189ca65db2c61dfbdbbc5
- SSDEEP: 24576:Vw4bjw4bajqV8d707FhxVROXXaeSA+oafS7:Vw4bjw4bajN0xPOCBfk
Malware Config
Extracted (family: agenttesla; the same SMTP configuration was extracted twice)
- Protocol: smtp
- Host: mail.bethesdakindergarten.com
- Port: 587
- Username: [email protected]
- Password: kindy6014587474
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes:
    pid 2668  powershell.exe
    pid 2720  powershell.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; pid process -> target process):
    PID 3068 set thread context of 2568; 3068 Quotation specifications draft20001.exe -> Quotation specifications draft20001.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid process):
    3068  Quotation specifications draft20001.exe (2 events)
    2568  Quotation specifications draft20001.exe (2 events)
    2668  powershell.exe
    2720  powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description; pid process):
    Token: SeDebugPrivilege; 3068 Quotation specifications draft20001.exe
    Token: SeDebugPrivilege; 2568 Quotation specifications draft20001.exe
    Token: SeDebugPrivilege; 2668 powershell.exe
    Token: SeDebugPrivilege; 2720 powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description; pid process -> target process):
    PID 3068 wrote to memory of 2668; 3068 Quotation specifications draft20001.exe -> powershell.exe (4 events)
    PID 3068 wrote to memory of 2720; 3068 Quotation specifications draft20001.exe -> powershell.exe (4 events)
    PID 3068 wrote to memory of 2624; 3068 Quotation specifications draft20001.exe -> schtasks.exe (4 events)
    PID 3068 wrote to memory of 2568; 3068 Quotation specifications draft20001.exe -> Quotation specifications draft20001.exe (9 events)
Processes
- PID 3068: C:\Users\Admin\AppData\Local\Temp\Quotation specifications draft20001.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Quotation specifications draft20001.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  children:
  - PID 2668: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Quotation specifications draft20001.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - PID 2720: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eRkUBYSG.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - PID 2624: C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eRkUBYSG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A49.tmp"
    - Creates scheduled task(s)
  - PID 2568: C:\Users\Admin\AppData\Local\Temp\Quotation specifications draft20001.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Quotation specifications draft20001.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- (unnamed file)
  Filesize: 1KB
  MD5: dadf7b766fac6a859d23c50789887216
  SHA1: 0cc0089371a0047de87efe693191fad0b5189abd
  SHA256: cd675d75084693d85d512fe72797f302eee6961e1fe7f3daca68123e2883956b
  SHA512: 5123a94435cb8b4e78f7f463f720fed4bab4dfdebbfefd233a875e7368bbe95a3827532fa9c52362399272c49d093ba2fe31f0217fb9b988965a96777d52de7f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 7fdfda67fa23547666a70c0bffe9362f
  SHA1: c73d4435c75d0929b21fb94418133e0180c5f8e7
  SHA256: d4c8926658fa631693da44de0c005b7142de36b4c2224b08b3edfa27f7bd88ea
  SHA512: 0165530cde5809336d1a125eedbfb55bfc947e3821197782fdf3f9e6b4d26539b2258394c90640080acef6dc11e9169282e4e9edb29e7a6e0361d2ab599e4e70