Analysis
- max time kernel: 140s
- max time network: 33s
- platform: windows7_x64
- resource: win7v200430
- submitted: 08-07-2020 06:46
Static task: static1
Behavioral task: behavioral1
- Sample: Request Quotation.exe
- Resource: win7v200430, windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: Request Quotation.exe
- Resource: win10, windows10_x64
- 0 signatures
- 0 seconds
General
- Target: Request Quotation.exe
- Size: 811KB
- MD5: 14173aade597e05e15b23a697bd9e798
- SHA1: 15ecda2062500ff87ab716754e36b9f1daf6cb23
- SHA256: 878790fa825f77b1032e1ab3c7649b9e86c0ac2b848d07ed60f69f215ad5b5bb
- SHA512: 498f789b8b3d77783d08b037ac262a5caea76de8938e1c9c13cde68b7ae9d80fff742c67ac704a4a706de6b4de58ea6708ff6106d371e4479b5e4c6cabe14942
Score
1/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory 18 IoCs
  Processes: Request Quotation.exe
  description | pid | process | target process
  PID 1400 wrote to memory of 1800 | 1400 | Request Quotation.exe | schtasks.exe
  PID 1400 wrote to memory of 1800 | 1400 | Request Quotation.exe | schtasks.exe
  PID 1400 wrote to memory of 1800 | 1400 | Request Quotation.exe | schtasks.exe
  PID 1400 wrote to memory of 1764 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1764 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1764 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1760 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1760 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1760 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1748 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1748 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1748 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1756 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1756 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1756 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1740 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1740 | 1400 | Request Quotation.exe | Request Quotation.exe
  PID 1400 wrote to memory of 1740 | 1400 | Request Quotation.exe | Request Quotation.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: Request Quotation.exe
  description | pid | process
  Token: SeDebugPrivilege | 1400 | Request Quotation.exe
- Suspicious behavior: EnumeratesProcesses 5 IoCs
  Processes: Request Quotation.exe
  pid | process
  1400 | Request Quotation.exe
  1400 | Request Quotation.exe
  1400 | Request Quotation.exe
  1400 | Request Quotation.exe
  1400 | Request Quotation.exe
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
- C:\Users\Admin\AppData\Local\Temp\Request Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Request Quotation.exe"
  PID: 1400
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bYbudlV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB173.tmp"
    PID: 1800
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Request Quotation.exe
    "{path}"
    PID: 1764
  - C:\Users\Admin\AppData\Local\Temp\Request Quotation.exe
    "{path}"
    PID: 1760
  - C:\Users\Admin\AppData\Local\Temp\Request Quotation.exe
    "{path}"
    PID: 1748
  - C:\Users\Admin\AppData\Local\Temp\Request Quotation.exe
    "{path}"
    PID: 1756
  - C:\Users\Admin\AppData\Local\Temp\Request Quotation.exe
    "{path}"
    PID: 1740