Analysis
max time kernel: 95s
max time network: 75s
platform: windows7_x64
resource: win7
submitted: 07-07-2020 12:54
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation 98878.Scan.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: Quotation 98878.Scan.exe
  Resource: win10v200430
General
Target: Quotation 98878.Scan.exe
Size: 634KB
MD5: 883f310e3695dd1c848ff1fd53d3cd3d
SHA1: a870f3ae9d2bc9c5863604f5b714d3421b1b4fce
SHA256: 6b35aa643ec1006130a3ad1cdebb98e94e7f2f51ba75603e6e5887d4d487fd5a
SHA512: 38c7d4a7bb0adea89cbbb08d01a986bcb517e2925146fe515ee46f9479d2c2cc73b00ae88ca8a83cd6a1829f2d2d495b752121fe239a3d70a8100c94ddf9d3b8
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid   process
  304   Quotation 98878.Scan.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1124  Quotation 98878.Scan.exe
  Token: SeDebugPrivilege  304   Quotation 98878.Scan.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid   process
  1124  Quotation 98878.Scan.exe
  304   Quotation 98878.Scan.exe
  304   Quotation 98878.Scan.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                         pid   process                   target process
  PID 1124 set thread context of 304  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  description                      pid   process                   target process
  PID 1124 wrote to memory of 316  1124  Quotation 98878.Scan.exe  schtasks.exe
  PID 1124 wrote to memory of 316  1124  Quotation 98878.Scan.exe  schtasks.exe
  PID 1124 wrote to memory of 316  1124  Quotation 98878.Scan.exe  schtasks.exe
  PID 1124 wrote to memory of 316  1124  Quotation 98878.Scan.exe  schtasks.exe
  PID 1124 wrote to memory of 900  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
  PID 1124 wrote to memory of 900  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
  PID 1124 wrote to memory of 900  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
  PID 1124 wrote to memory of 900  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
  PID 1124 wrote to memory of 304  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
  PID 1124 wrote to memory of 304  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
  PID 1124 wrote to memory of 304  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
  PID 1124 wrote to memory of 304  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
  PID 1124 wrote to memory of 304  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
  PID 1124 wrote to memory of 304  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
  PID 1124 wrote to memory of 304  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
  PID 1124 wrote to memory of 304  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
  PID 1124 wrote to memory of 304  1124  Quotation 98878.Scan.exe  Quotation 98878.Scan.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Quotation 98878.Scan.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation 98878.Scan.exe"
  PID: 1124
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BbcxaIWtqd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA38E.tmp"
    PID: 316
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Quotation 98878.Scan.exe
    Command line: "{path}"
    PID: 900
  - C:\Users\Admin\AppData\Local\Temp\Quotation 98878.Scan.exe
    Command line: "{path}"
    PID: 304
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses