12b43ed89fe65ad92c68c63b0dffa2d821ef5d1e506762f9a1c281ca624fd964

General

Target

Quotation for RC outdoor project.exe
Size

1021KB
MD5

c1cffa07ef23947b7a8684350afe040f
SHA1

7281d1fdaee8ec77d52c4ba4dab4e005e5e4559d
SHA256

12b43ed89fe65ad92c68c63b0dffa2d821ef5d1e506762f9a1c281ca624fd964
SHA512

d48928df68b8fb8065dc4d2238266335b142ed57cc02cda423013060e0b36780e20a761434cfb9884b62fb2ce637fbeab5f11a3d0ba9b35efce1b76251ce7cfc

Score

7^/10

Malware Config

Signatures

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	Quotation for RC outdoor project.exe
Token: SeDebugPrivilege	372	Quotation for RC outdoor project.exe
Token: SeDebugPrivilege	1124	colorcpl.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 372	1448	Quotation for RC outdoor project.exe	25
PID 372 set thread context of 1312	372	Quotation for RC outdoor project.exe	20
PID 372 set thread context of 1312	372	Quotation for RC outdoor project.exe	20
PID 1124 set thread context of 1312	1124	colorcpl.exe	20

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
372	Quotation for RC outdoor project.exe
372	Quotation for RC outdoor project.exe
372	Quotation for RC outdoor project.exe
372	Quotation for RC outdoor project.exe
1124	colorcpl.exe
1124	colorcpl.exe

Deletes itself 1 IoCs

pid	Process
1528	cmd.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 756	1448	Quotation for RC outdoor project.exe	24
PID 1448 wrote to memory of 756	1448	Quotation for RC outdoor project.exe	24
PID 1448 wrote to memory of 756	1448	Quotation for RC outdoor project.exe	24
PID 1448 wrote to memory of 756	1448	Quotation for RC outdoor project.exe	24
PID 1448 wrote to memory of 372	1448	Quotation for RC outdoor project.exe	25
PID 1448 wrote to memory of 372	1448	Quotation for RC outdoor project.exe	25
PID 1448 wrote to memory of 372	1448	Quotation for RC outdoor project.exe	25
PID 1448 wrote to memory of 372	1448	Quotation for RC outdoor project.exe	25
PID 1448 wrote to memory of 372	1448	Quotation for RC outdoor project.exe	25
PID 1448 wrote to memory of 372	1448	Quotation for RC outdoor project.exe	25
PID 1448 wrote to memory of 372	1448	Quotation for RC outdoor project.exe	25
PID 1312 wrote to memory of 1124	1312	Explorer.EXE	26
PID 1312 wrote to memory of 1124	1312	Explorer.EXE	26
PID 1312 wrote to memory of 1124	1312	Explorer.EXE	26
PID 1312 wrote to memory of 1124	1312	Explorer.EXE	26
PID 1124 wrote to memory of 1528	1124	colorcpl.exe	27
PID 1124 wrote to memory of 1528	1124	colorcpl.exe	27
PID 1124 wrote to memory of 1528	1124	colorcpl.exe	27
PID 1124 wrote to memory of 1528	1124	colorcpl.exe	27

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1448	Quotation for RC outdoor project.exe
372	Quotation for RC outdoor project.exe
372	Quotation for RC outdoor project.exe
372	Quotation for RC outdoor project.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe
1124	colorcpl.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of SendNotifyMessage
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\Quotation for RC outdoor project.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation for RC outdoor project.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- - C:\Users\Admin\AppData\Local\Temp\Quotation for RC outdoor project.exe
    "{path}"
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\Quotation for RC outdoor project.exe
    "{path}"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    PID:372
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
  PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Quotation for RC outdoor project.exe"
    3⤵
    - Deletes itself
    PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1124-5-0x00000000002C0000-0x00000000002D8000-memory.dmp

Filesize
96KB

Download
memory/1124-7-0x0000000001EC0000-0x0000000001FAD000-memory.dmp

Filesize
948KB

Download

Analysis

Sharing