Analysis

  • max time kernel
    148s
  • max time network
    107s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    13-07-2020 14:18

General

  • Target

    rectified quote.exe

  • Size

    400KB

  • MD5

    0c6982e8d622d6550a6a170f1c0b9c49

  • SHA1

    489f667a831be85ffd37288ca187d0517fc5d649

  • SHA256

    714e525a436fc97ce8b8e31b63c79e8f13cc0577c80f613f825cafdf7fddeb1f

  • SHA512

    c1b81fdc18fe5ab49b005a2e5847f6007c95baa8a04bd0b3140fc3e8295f05e141f5db2b07478798fcf5293be3f8415ae4d97daee7c926b69e8338c47898cadc

Score
7/10

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1324
    • C:\Users\Admin\AppData\Local\Temp\rectified quote.exe
      "C:\Users\Admin\AppData\Local\Temp\rectified quote.exe"
      2⤵
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:1356
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: MapViewOfSection
        • Suspicious behavior: EnumeratesProcesses
        PID:1460
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:480
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: MapViewOfSection
      • Suspicious behavior: EnumeratesProcesses
      PID:1548
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        PID:1000

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1000-4-0x0000000000000000-mapping.dmp

  • memory/1460-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize
    180KB

  • memory/1460-1-0x000000000041E380-mapping.dmp

  • memory/1548-2-0x0000000000000000-mapping.dmp

  • memory/1548-3-0x0000000000FF0000-0x0000000000FFD000-memory.dmp

    Filesize
    52KB

  • memory/1548-5-0x0000000000940000-0x0000000000A67000-memory.dmp

    Filesize
    1.2MB