Analysis

max time kernel: 91s
max time network: 53s
platform: windows7_x64
resource: win7v200430
submitted: 30-06-2020 12:50
Static task: static1
Behavioral task: behavioral1 (sample Quotation.exe, resource win7v200430)
Behavioral task: behavioral2 (sample Quotation.exe, resource win10)
General

Target: Quotation.exe
Size: 431KB
MD5: 4e6d23f65ea014d6f39b6382a2818abf
SHA1: 15e2c5629388e45437ff60fdb1cdb958351755cc
SHA256: 2686990e01b4d89572990a34ea3ca265a5fec074276972d5fdb4543eb7357cc9
SHA512: 95941a7caa71fc0cd1f85e038b8e898451a93e2f00ea75d4828daf6f6462e08d8c0e92d50220df89fff3fb5bffd8e8f8508ad64e44d21e283f2dbaa9e1044338
Malware Config
Signatures

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  PID 1388 Quotation.exe: Token SeDebugPrivilege
  PID 1840 Quotation.exe: Token SeDebugPrivilege

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  PID 1388 Quotation.exe
  PID 1840 Quotation.exe
  PID 1840 Quotation.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1388 Quotation.exe set thread context of PID 1840 Quotation.exe
Read together with the WriteProcessMemory entries below into the same PID, this is the process-hollowing pattern: the parent starts a second copy of its own image, writes into that child's memory and then redirects the child's thread into what it wrote.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and form data.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Suspicious use of WriteProcessMemory (17 IoCs)
Processes (the writer is PID 1388 Quotation.exe in every entry):
  wrote to memory of PID 1048 schtasks.exe (4 entries)
  wrote to memory of PID 1328 Quotation.exe (4 entries)
  wrote to memory of PID 1840 Quotation.exe (9 entries)
Every spawned child receives the same 4 writes, so writes alone do not separate the children; PID 1840 is distinguished by the 5 additional writes and by being the target of the SetThreadContext call.
Processes

C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 1388)
  command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 1048)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\galygJm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF1E.tmp"
    - Creates scheduled task(s)
    The command line names System32 but the image ran from SysWOW64: the parent is a 32-bit process, so WOW64 file-system redirection resolved the path. The task definition is read from a file in the user's Temp directory; that file (tmpEF1E.tmp) is among the dropped files listed under Downloads.

  C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 1328)
    command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\Quotation.exe (PID 1840)
    command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses

PIDs are taken from the Signatures section: PID 1840 is the child that received the SetThreadContext call and the largest number of WriteProcessMemory writes, and carries the same AdjustPrivilegeToken and EnumeratesProcesses signatures listed for it there.
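As an added example, not part of the sandbox report, the following Python transcribes the Signatures and process tree above into a list of events and applies the two checks an analyst would make from them: pairing WriteProcessMemory with SetThreadContext on the same target to call the hollowing, and pulling the task name and XML path out of the schtasks /Create command line. The event tuple layout and the function names are assumptions for this example, not the sandbox's export format.

```python
"""Triage of the process chain in this report: pair WriteProcessMemory and
SetThreadContext events into a hollowing verdict, and pull the task name and
XML path out of the schtasks /Create command line.

EVENTS is transcribed from the Signatures and Processes sections of the report;
the tuple layout is an assumption for this example, not the sandbox's format.
"""
import re
from collections import Counter

# (event, pid, image, target_pid, target_image, detail)
EVENTS = [
    ("process_create", 1388, "Quotation.exe", None, None,
     r'"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"'),
    ("adjust_privilege_token", 1388, "Quotation.exe", None, None, "SeDebugPrivilege"),
    ("process_create", 1048, "schtasks.exe", None, None,
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\galygJm" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpEF1E.tmp"'),
    ("process_create", 1328, "Quotation.exe", None, None, '"{path}"'),
    ("process_create", 1840, "Quotation.exe", None, None, '"{path}"'),
    ("set_thread_context", 1388, "Quotation.exe", 1840, "Quotation.exe", ""),
    ("adjust_privilege_token", 1840, "Quotation.exe", None, None, "SeDebugPrivilege"),
]
# The report lists 17 WriteProcessMemory IoCs: 4 into schtasks (1048), 4 into
# the first child (1328) and 9 into the second child (1840).
for target_pid, target_image, count in ((1048, "schtasks.exe", 4),
                                        (1328, "Quotation.exe", 4),
                                        (1840, "Quotation.exe", 9)):
    EVENTS += [("write_process_memory", 1388, "Quotation.exe",
                target_pid, target_image, "")] * count

SCHTASKS_ARG = re.compile(r'/(TN|XML)\s+"([^"]+)"', re.IGNORECASE)
USER_TEMP = "\\appdata\\local\\temp\\"


def find_hollowing(events):
    """One finding per (writer, target) pair. Writes alone occur for every
    spawned child here (4 each), so the verdict also requires SetThreadContext."""
    writes, images = Counter(), {}
    for ev, pid, image, tpid, timage, _ in events:
        if ev == "write_process_memory":
            writes[(pid, tpid)] += 1
            images[(pid, tpid)] = (image, timage)
    ctx = {(pid, tpid) for ev, pid, _, tpid, _, _ in events
           if ev == "set_thread_context"}
    findings = []
    for (pid, tpid), n in sorted(writes.items()):
        src, dst = images[(pid, tpid)]
        hollowed = (pid, tpid) in ctx
        findings.append({
            "parent": pid, "child": tpid, "writes": n,
            "same_image": src == dst,          # self-spawned copy of the parent
            "thread_context_set": hollowed,
            "verdict": "hollowed" if hollowed else "writes_only",
        })
    return findings


def find_schtasks_persistence(events):
    """Task name and XML definition from every schtasks /Create command line,
    flagging definitions staged in the user's temp directory."""
    findings = []
    for ev, pid, image, _, _, cmdline in events:
        if ev != "process_create" or image.lower() != "schtasks.exe":
            continue
        if "/create" not in cmdline.lower():
            continue
        args = {k.upper(): v for k, v in SCHTASKS_ARG.findall(cmdline)}
        xml = args.get("XML", "")
        findings.append({
            "pid": pid,
            "task_name": args.get("TN"),
            "xml_path": xml or None,
            "xml_in_user_temp": USER_TEMP in xml.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(EVENTS):
        print(f"{f['parent']} -> {f['child']}: {f['writes']} writes, "
              f"same image={f['same_image']}, {f['verdict']}")
    for f in find_schtasks_persistence(EVENTS):
        print(f"schtasks pid {f['pid']}: task {f['task_name']!r} "
              f"from {f['xml_path']} (user temp: {f['xml_in_user_temp']})")
```

Run against the transcribed events, only the 1388 to 1840 pair comes back as "hollowed"; 1048 and 1328 come back as "writes_only", and the schtasks line yields task "Updates\galygJm" defined from an XML file in the user's Temp directory.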
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEF1E.tmp
memory/1048-2-0x0000000000000000-mapping.dmp
memory/1388-1-0x0000000000000000-0x0000000000000000-disk.dmp
memory/1840-4-0x0000000000400000-0x0000000000450000-memory.dmp (320KB)
memory/1840-5-0x000000000044B6AE-mapping.dmp
memory/1840-6-0x0000000000400000-0x0000000000450000-memory.dmp (320KB)
memory/1840-7-0x0000000000400000-0x0000000000450000-memory.dmp (320KB)
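The three 320KB dumps of PID 1840 cover 0x400000-0x450000 (0x50000 bytes), and the mapping dump for the same PID carries the address 0x44B6AE. As an added example, not from the report, the Python below shows the check an analyst runs on such a dump: parse the PE header at the start of the region, confirm the image base and SizeOfImage match the dumped range, and test whether the mapping address is the image's entry point. It assumes that the address in the mapping dump's name is where the child's thread was pointed (the report does not state this), and it constructs a minimal PE header in place of the real dump bytes, which are not on the page; build_fake_pe, parse_pe and check_dump are names chosen for this example.

```python
"""Check a dumped region against the PE header it should contain. The range and
addresses are the ones from the PID 1840 dumps (0x400000-0x450000, 320KB,
mapping address 0x44B6AE); the header bytes are constructed here because the
real dump is not on the page.
"""
import struct


def build_fake_pe(image_base=0x400000, entry_rva=0x4B6AE, size_of_image=0x50000,
                  pe32plus=False):
    """Constructed minimal PE header carrying only the fields parse_pe reads."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature at 0x40
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # Magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)               # ImageBase (8 bytes)
    else:
        struct.pack_into("<I", opt, 28, image_base)               # ImageBase (4 bytes)
    struct.pack_into("<I", opt, 56, size_of_image)                # SizeOfImage
    return bytes(dos) + coff + bytes(opt)


def parse_pe(data):
    """ImageBase, AddressOfEntryPoint and SizeOfImage from an in-memory PE32 or
    PE32+ image; None if the DOS/PE signatures or the optional-header magic are bad."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 + 60 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                          # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                           # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                         # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        return None
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    return {"image_base": image_base, "entry_rva": entry_rva,
            "size_of_image": size_of_image, "pe32plus": magic == 0x20B}


def check_dump(data, region_start, region_end, mapping_addr):
    """Relate the dump's PE header to the dumped range [region_start, region_end)
    and to the address the parent pointed the child's thread at."""
    pe = parse_pe(data)
    if pe is None:
        return {"is_pe": False}
    entry_va = pe["image_base"] + pe["entry_rva"]
    return {
        "is_pe": True,
        "image_base": pe["image_base"],
        "entry_va": entry_va,
        "base_matches_region": pe["image_base"] == region_start,
        "image_fits_region": pe["image_base"] + pe["size_of_image"] <= region_end,
        "mapping_in_region": region_start <= mapping_addr < region_end,
        "mapping_is_entry_point": mapping_addr == entry_va,
    }


if __name__ == "__main__":
    result = check_dump(build_fake_pe(), 0x400000, 0x450000, 0x44B6AE)
    for key, value in result.items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key}: {shown}")
```

On a real dump, replace build_fake_pe() with the bytes of the memory.dmp file; a region whose header does not parse, or whose ImageBase disagrees with the dumped range, was captured before the injected image was fully written or is not a PE image at all, and a mapping address that lies inside the region but is not the entry point points at a separate loader stub worth disassembling first.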