48ce0e9cc96cb8d9ebe92bd7c1982e84d48baffdbada44d5949370a58ebae901

General

Target

KSP QUOTE_2.exe
Size

527KB
MD5

187a269d103856e0d922e71e26046ac4
SHA1

3b9c201ceff06148739d6c59e3a20c2048e8a9fe
SHA256

48ce0e9cc96cb8d9ebe92bd7c1982e84d48baffdbada44d5949370a58ebae901
SHA512

9bedef76d5de703b32123c130aa27f0efd5850e395c2601ab030162872b5c06f68e1439282d9cef9a7133416ee23ed657f2da8f3d9e39ab5db39ad6c8c1ad66b

Score

7^/10

evasion trojan

Malware Config

Signatures

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

KSP QUOTE_2.exeKSP QUOTE_2.execolorcpl.exe

description	pid	process	target process
PID 240 wrote to memory of 844	240	KSP QUOTE_2.exe	schtasks.exe
PID 240 wrote to memory of 844	240	KSP QUOTE_2.exe	schtasks.exe
PID 240 wrote to memory of 844	240	KSP QUOTE_2.exe	schtasks.exe
PID 240 wrote to memory of 844	240	KSP QUOTE_2.exe	schtasks.exe
PID 240 wrote to memory of 1532	240	KSP QUOTE_2.exe	KSP QUOTE_2.exe
PID 240 wrote to memory of 1532	240	KSP QUOTE_2.exe	KSP QUOTE_2.exe
PID 240 wrote to memory of 1532	240	KSP QUOTE_2.exe	KSP QUOTE_2.exe
PID 240 wrote to memory of 1532	240	KSP QUOTE_2.exe	KSP QUOTE_2.exe
PID 240 wrote to memory of 1532	240	KSP QUOTE_2.exe	KSP QUOTE_2.exe
PID 240 wrote to memory of 1532	240	KSP QUOTE_2.exe	KSP QUOTE_2.exe
PID 240 wrote to memory of 1532	240	KSP QUOTE_2.exe	KSP QUOTE_2.exe
PID 1532 wrote to memory of 1764	1532	KSP QUOTE_2.exe	colorcpl.exe
PID 1532 wrote to memory of 1764	1532	KSP QUOTE_2.exe	colorcpl.exe
PID 1532 wrote to memory of 1764	1532	KSP QUOTE_2.exe	colorcpl.exe
PID 1532 wrote to memory of 1764	1532	KSP QUOTE_2.exe	colorcpl.exe
PID 1764 wrote to memory of 1396	1764	colorcpl.exe	cmd.exe
PID 1764 wrote to memory of 1396	1764	colorcpl.exe	cmd.exe
PID 1764 wrote to memory of 1396	1764	colorcpl.exe	cmd.exe
PID 1764 wrote to memory of 1396	1764	colorcpl.exe	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

KSP QUOTE_2.exeKSP QUOTE_2.execolorcpl.exe

description	pid	process	target process
PID 240 set thread context of 1532	240	KSP QUOTE_2.exe	KSP QUOTE_2.exe
PID 1532 set thread context of 1208	1532	KSP QUOTE_2.exe	Explorer.EXE
PID 1532 set thread context of 1208	1532	KSP QUOTE_2.exe	Explorer.EXE
PID 1764 set thread context of 1208	1764	colorcpl.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

KSP QUOTE_2.execolorcpl.exe

pid	process
1532	KSP QUOTE_2.exe
1532	KSP QUOTE_2.exe
1532	KSP QUOTE_2.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe
1764	colorcpl.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

KSP QUOTE_2.execolorcpl.exe

pid process

1532 KSP QUOTE_2.exe
1532 KSP QUOTE_2.exe
1532 KSP QUOTE_2.exe
1532 KSP QUOTE_2.exe
1764 colorcpl.exe
1764 colorcpl.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

KSP QUOTE_2.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 1532 KSP QUOTE_2.exe
Token: SeDebugPrivilege 1764 colorcpl.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1396 cmd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

844 schtasks.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1532	KSP QUOTE_2.exe
Token: SeDebugPrivilege	1764	colorcpl.exe

pid	process
1396	cmd.exe

pid	process
844	schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Checks whether UAC is enabled
PID:1208

C:\Users\Admin\AppData\Local\Temp\KSP QUOTE_2.exe
"C:\Users\Admin\AppData\Local\Temp\KSP QUOTE_2.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:240

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OraVYaLSUiRqmq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA13D.tmp"
3⤵
- Creates scheduled task(s)
PID:844

C:\Users\Admin\AppData\Local\Temp\KSP QUOTE_2.exe
"{path}"
3⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
4⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\KSP QUOTE_2.exe"
5⤵
- Deletes itself
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA13D.tmp

Download Submit
memory/844-0-0x0000000000000000-mapping.dmp

Download
memory/1396-6-0x0000000000000000-mapping.dmp

Download
memory/1532-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1532-3-0x000000000041E330-mapping.dmp

Download
memory/1764-4-0x0000000000000000-mapping.dmp

Download
memory/1764-5-0x0000000000EF0000-0x0000000000F08000-memory.dmp

Filesize
96KB

Download
memory/1764-7-0x0000000000A50000-0x0000000000B05000-memory.dmp

Filesize
724KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads