Analysis
max time kernel: 148s
max time network: 107s
platform: windows7_x64
resource: win7v200430
submitted: 13-07-2020 14:18
Static task: static1
Behavioral task: behavioral1
  Sample: rectified quote.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: rectified quote.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: rectified quote.exe
Size: 400KB
MD5: 0c6982e8d622d6550a6a170f1c0b9c49
SHA1: 489f667a831be85ffd37288ca187d0517fc5d649
SHA256: 714e525a436fc97ce8b8e31b63c79e8f13cc0577c80f613f825cafdf7fddeb1f
SHA512: c1b81fdc18fe5ab49b005a2e5847f6007c95baa8a04bd0b3140fc3e8295f05e141f5db2b07478798fcf5293be3f8415ae4d97daee7c926b69e8338c47898cadc
Malware Config
Signatures

Drops startup file (1 IoCs)
Processes: rectified quote.exe
  description   ioc                                                                                        process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe  rectified quote.exe

Checks whether UAC is enabled (1 IoCs)
Processes: Explorer.EXE
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Explorer.EXE
Suspicious use of WriteProcessMemory (16 IoCs)
Processes: rectified quote.exe, Explorer.EXE, cmmon32.exe
  description                       pid   process              target process  occurrences
  PID 1356 wrote to memory of 1460  1356  rectified quote.exe  RegAsm.exe      8
  PID 1324 wrote to memory of 1548  1324  Explorer.EXE         cmmon32.exe     4
  PID 1548 wrote to memory of 1000  1548  cmmon32.exe          cmd.exe         4
Suspicious use of SetThreadContext (4 IoCs)
Processes: rectified quote.exe, RegAsm.exe, cmmon32.exe
  description                           pid   process              target process  occurrences
  PID 1356 set thread context of 1460   1356  rectified quote.exe  RegAsm.exe      1
  PID 1460 set thread context of 1324   1460  RegAsm.exe           Explorer.EXE    2
  PID 1548 set thread context of 1324   1548  cmmon32.exe          Explorer.EXE    1
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: RegAsm.exe, cmmon32.exe
  description              pid   process
  Token: SeDebugPrivilege  1460  RegAsm.exe
  Token: SeDebugPrivilege  1548  cmmon32.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes: Explorer.EXE
  pid   process       occurrences
  1324  Explorer.EXE  5
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: rectified quote.exe, RegAsm.exe, cmmon32.exe
  pid   process              occurrences
  1356  rectified quote.exe  1
  1460  RegAsm.exe           4
  1548  cmmon32.exe          2
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes: RegAsm.exe, cmmon32.exe
  pid   process      occurrences
  1460  RegAsm.exe   3
  1548  cmmon32.exe  27
Suspicious use of SendNotifyMessage (4 IoCs)
Processes: Explorer.EXE
  pid   process       occurrences
  1324  Explorer.EXE  4
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1324

  C:\Users\Admin\AppData\Local\Temp\rectified quote.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\rectified quote.exe"
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID: 1356

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: EnumeratesProcesses
      PID: 1460

  C:\Windows\SysWOW64\autoconv.exe
    command line: "C:\Windows\SysWOW64\autoconv.exe"
    PID: 480

  C:\Windows\SysWOW64\cmmon32.exe
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    PID: 1548

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 1000