Analysis

max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 20:59
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation.doc.scr
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Quotation.doc.scr
  Resource: win10v20201028
General

Target: Quotation.doc.scr
Size: 560KB
MD5: 8d09d7e0a4fe465fcc5d52594fc007f9
SHA1: d1d99b13dadcb5212b70f5ebef876a22528bbe29
SHA256: 29ee428b001089c4cb3447b6aeb0534d1fe595ce9246f5c0b52da0996f55b77e
SHA512: c5bfbd0d1329a12de1213e7e089fbd2d406cdfeeb376a2fbf55715623acdc436a6e78059d1c973f530e7506282c328371eee9bba19890a11c935b8d9be66c7f1

".doc.scr" is a double-extension lure: .scr is the screensaver extension, a screensaver is an ordinary PE executable, and Explorer hides known extensions by default, so the file shows as "Quotation.doc" yet runs as code when opened.
Malware Config
Signatures

YARA rule match: rezer0 (1 IoC)
  resource: behavioral1/memory/1688-4-0x00000000046F0000-0x0000000004740000-memory.dmp
  The rule hit a 320KB region allocated at run time inside PID 1688, not the file as submitted; what the rule recognises only exists once the sample has run.

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  PID 1688 Quotation.doc.scr set thread context of PID 1816 Quotation.doc.scr
  A parent rewriting the thread context of a second instance of its own image, after the WriteProcessMemory calls listed below, is the process-hollowing pattern: the child's original entry point is replaced by code the parent wrote in.

Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 1728 schtasks.exe
  PID 1088 schtasks.exe
  PID 1756 schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: PID 1688 Quotation.doc.scr
  Token SeDebugPrivilege: PID 1816 Quotation.doc.scr
  SeDebugPrivilege is not required to write into a child the process created itself; enabling it anyway is the usual preparation for opening arbitrary processes.

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1688 Quotation.doc.scr
  PID 1816 Quotation.doc.scr

Suspicious use of WriteProcessMemory (21 IoCs)
  PID 1688 Quotation.doc.scr wrote to memory of PID 1728 schtasks.exe  (4 calls)
  PID 1688 Quotation.doc.scr wrote to memory of PID 1088 schtasks.exe  (4 calls)
  PID 1688 Quotation.doc.scr wrote to memory of PID 1816 Quotation.doc.scr  (9 calls)
  PID 1816 Quotation.doc.scr wrote to memory of PID 1756 schtasks.exe  (4 calls)
  The four writes into each schtasks.exe child are identical for every spawn and are consistent with the writes process creation itself performs in a new child; the nine writes into the second Quotation.doc.scr instance carry the injected image (the 312KB region at 0x400000 in PID 1816 listed under Downloads) that the SetThreadContext call then executes.
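The signatures above are reported as independent per-call counters. The following added example (not code from the report or the sandbox vendor) replays those counts as an event stream and correlates them into one hollowing finding, separating the fixed start-up writes every schtasks.exe child received from the heavy writes plus SetThreadContext aimed at the second Quotation.doc.scr instance. The PIDs and counts are transcribed from the tables above; the write budget and the severity labels are assumptions.

```python
"""Correlate a sandbox's per-call API events into one process-hollowing
finding.  Added example: the event list is transcribed from this report's
signature tables; the write budget and severities are assumptions."""
from collections import Counter
from dataclasses import dataclass

# Images per PID, from the report's signature tables.
IMAGES = {1688: "Quotation.doc.scr", 1816: "Quotation.doc.scr",
          1728: "schtasks.exe", 1088: "schtasks.exe", 1756: "schtasks.exe"}

# Constructed event log (api, source_pid, target_pid): the 21 WriteProcessMemory
# calls, the single SetThreadContext call and the two SeDebugPrivilege grants
# exactly as the report counts them.
EVENTS = (
    [("WriteProcessMemory", 1688, 1728)] * 4
    + [("WriteProcessMemory", 1688, 1088)] * 4
    + [("WriteProcessMemory", 1688, 1816)] * 9
    + [("SetThreadContext", 1688, 1816)]
    + [("WriteProcessMemory", 1816, 1756)] * 4
    + [("SeDebugPrivilege", 1688, 1688), ("SeDebugPrivilege", 1816, 1816)]
)

# Assumption: process creation itself performs a handful of writes into a new
# child (the report shows exactly 4 for each schtasks.exe); anything beyond
# that, or any SetThreadContext, is treated as injection.
SPAWN_WRITE_BUDGET = 4


@dataclass
class Finding:
    source: int
    target: int
    writes: int
    thread_context: bool   # source redirected a thread in target
    self_injection: bool   # both processes run the same image
    debug_privilege: bool  # source enabled SeDebugPrivilege
    severity: str


def correlate(events, images):
    """Tally writes per (source, target) pair and attach the context-hijack
    and privilege evidence that turns raw counts into a verdict."""
    writes, ctx, debug = Counter(), set(), set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx.add((src, dst))
        elif api == "SeDebugPrivilege":
            debug.add(src)

    findings = []
    for (src, dst), n in sorted(writes.items()):
        hijack = (src, dst) in ctx
        same_image = images.get(src) == images.get(dst)
        if not hijack and n <= SPAWN_WRITE_BUDGET:
            continue  # ordinary parent-to-child start-up writes
        if hijack and same_image:
            severity = "high"    # hollowed copy of itself, the loader pattern here
        elif hijack:
            severity = "medium"  # entry redirected in an unrelated process
        else:
            severity = "low"     # heavy writes but no entry-point redirect
        findings.append(Finding(src, dst, n, hijack, same_image, src in debug, severity))
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS, IMAGES):
        print(f"{f.severity}: {f.source} ({IMAGES[f.source]}) -> {f.target} "
              f"({IMAGES[f.target]}), {f.writes} writes, "
              f"SetThreadContext={f.thread_context}, SeDebug={f.debug_privilege}")
```

Run against this report's events the detector returns a single high-severity finding for 1688 → 1816 and nothing for the three schtasks.exe children, which is the distinction a triage analyst has to make by hand when reading the 21-row table.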
Processes

C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr  [PID 1688]
  "C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr" /S
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe  [PID 1728]
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SqqQfuBVQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F0.tmp"
    - Creates scheduled task(s)

  C:\Windows\SysWOW64\schtasks.exe  [PID 1088]
    "schtasks" /create /tn "windows update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr" /rl HIGHEST /f
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr  [PID 1816]
    "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  [PID 1756]
      "schtasks" /create /tn "windows update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr" /rl HIGHEST /f
      - Creates scheduled task(s)

Notes on the tree (PIDs taken from the signature tables above; 1728 and 1088 are assigned by the order of the WriteProcessMemory events):
- /S is the switch Windows passes when a .scr file is run as a screensaver, which is also the default action when one is double-clicked; the sandbox launched the sample the way a victim would.
- The 32-bit parent asked for System32\schtasks.exe but the image that ran is SysWOW64\schtasks.exe; that is WoW64 file-system redirection, not tampering.
- The second Quotation.doc.scr instance was started with the literal command line "{path}", an unexpanded placeholder, and is the process whose thread context PID 1688 rewrote.
- The hollowed instance repeats the same "windows update" ONLOGON task with /rl HIGHEST and /f, so the persistence entry is written twice, once by the loader and once by the injected payload. The task created from tmp9F0.tmp hides its trigger and action inside the XML file, which this report does not display.
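Two of the three schtasks invocations above spell out their persistence directly on the command line, the third hides it in an XML file. The following added example (not part of the report or of any vendor tooling) parses schtasks command lines and scores them on the indicators visible here: a logon trigger, the HIGHEST run level, an action under a user-writable directory, a name that mimics Windows Update, an XML definition pulled from Temp, and forced overwrite. The two malicious lines are copied from the tree above; the benign third line, the indicator weights, the trigger list and the lure-name pattern are assumptions.

```python
"""Score schtasks.exe command lines for persistence indicators.  Added
example, not part of the report: the first two command lines are copied from
the process tree, the third is a constructed benign control, and the
indicator weights, trigger list and lure-name pattern are assumptions."""
import re
from dataclasses import dataclass, field

COMMAND_LINES = [
    # from the report
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SqqQfuBVQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F0.tmp"',
    r'"schtasks" /create /tn "windows update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr" /rl HIGHEST /f',
    # constructed benign control
    r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"',
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
PERSISTENT_TRIGGERS = {"onlogon", "onstart", "minute", "hourly"}       # assumption
USER_WRITABLE = re.compile(r"\\appdata\\|\\temp\\|\\users\\public\\|\\programdata\\", re.I)
LURE_NAME = re.compile(r"update|microsoft|windows|security", re.I)     # assumption


def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def parse_schtasks(cmd):
    """Map /switch [value] pairs to a dict; switches without a value become True."""
    toks = tokenize(cmd)
    opts, i = {}, 1                       # token 0 is the program itself
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


@dataclass
class Verdict:
    command: str
    reasons: list = field(default_factory=list)
    score: int = 0


def assess(cmd):
    """Apply the persistence heuristics to one schtasks invocation."""
    v, o = Verdict(cmd), parse_schtasks(cmd)
    if "create" not in o:
        return v

    def hit(reason, weight):
        v.reasons.append(reason)
        v.score += weight

    trigger = str(o.get("sc", "")).lower()
    if trigger in PERSISTENT_TRIGGERS:
        hit("trigger:" + trigger, 3)
    if str(o.get("rl", "")).upper() == "HIGHEST":
        hit("runlevel:highest", 2)
    if isinstance(o.get("tr"), str) and USER_WRITABLE.search(o["tr"]):
        hit("target:user-writable", 3)
    if isinstance(o.get("tn"), str) and LURE_NAME.search(o["tn"]):
        hit("name:lure", 1)
    # /XML moves trigger, action and run level into the file; without the
    # file itself only its location can be judged from the command line.
    if isinstance(o.get("xml"), str) and USER_WRITABLE.search(o["xml"]):
        hit("xml:from-user-writable", 2)
    if o.get("f") is True:
        hit("force-overwrite", 1)
    return v


if __name__ == "__main__":
    for verdict in map(assess, COMMAND_LINES):
        print(verdict.score, verdict.reasons, verdict.command[:60])
```

The XML-based task scores low by design: the command line alone cannot say what the task does, which is why a hunt over schtasks command lines has to be paired with collection of the referenced XML file (tmp9F0.tmp here) or with the resulting entry under C:\Windows\System32\Tasks.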
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9F0.tmp
  MD5: 8165eacbc5f9f29993e913d7d5b087fd
  SHA1: 663da22cb44fcbc802b6659164a705303a375ed2
  SHA256: 306254c67bc7240c6ef207e6dc622c4e175353318f17a2a9c3b386b649282f83
  SHA512: 95c637a874f8abe3b9a13cd63db34b4f2079afb434d3e200ed547e7df2990c7c27a812291875c87260bb8e0c71df5f3a03149b0cf30f15a3ea98099c6ec1b5c5
  Task definition handed to schtasks /XML for "Updates\SqqQfuBVQ" (see Processes). Its trigger, action and run level are inside this file, which the report does not display.

C:\Users\Admin\AppData\Roaming\Logs\11-11-2020
  MD5: 42d5576753ce4be3bb303d0f57584859
  SHA1: ec256a783a07b5c1f2e8bed07e21a829b87c1db0
  SHA256: 2daf8be79193cad18194c01d76377c68eea0c3dbd654298e633f3b28c6e72f08
  SHA512: cab4dcfd0998c40dacad529efc859d51af90085b8a4d97bed70c5fd9d6539f9907128fa29ade089858a58f5fd9d5cae65a4b29e4912c71b5805bf8807e96471d
  Date-named file under Roaming\Logs, written by a sample whose both instances installed a Windows hook (SetWindowsHookEx above). Its contents are not shown in the report.

memory/1088-8-0x0000000000000000-mapping.dmp
memory/1688-7-0x0000000004DF0000-0x0000000004E39000-memory.dmp  (292KB)
memory/1688-4-0x00000000046F0000-0x0000000004740000-memory.dmp  (320KB; the region that matched the rezer0 YARA rule)
memory/1688-0-0x0000000074110000-0x00000000747FE000-memory.dmp  (6.9MB)
memory/1688-3-0x0000000000290000-0x000000000029F000-memory.dmp  (60KB)
memory/1688-1-0x0000000000BA0000-0x0000000000BA1000-memory.dmp  (4KB)
memory/1728-5-0x0000000000000000-mapping.dmp
memory/1756-16-0x0000000000000000-mapping.dmp
memory/1816-9-0x0000000000400000-0x000000000044E000-memory.dmp  (312KB)
memory/1816-10-0x000000000044940E-mapping.dmp
memory/1816-11-0x0000000000400000-0x000000000044E000-memory.dmp  (312KB)
memory/1816-12-0x0000000000400000-0x000000000044E000-memory.dmp  (312KB)
memory/1816-13-0x0000000074110000-0x00000000747FE000-memory.dmp  (6.9MB)

The 0x400000-0x44E000 dumps of PID 1816 are the image region the parent (PID 1688) filled through WriteProcessMemory, and the mapping address 0x44940E lies inside it, consistent with the entry point the SetThreadContext call above set for the hollowed copy. The 320KB run-time region in PID 1688 that matched rezer0 is large enough to be the staging copy of that 312KB image. The same 6.9MB module mapping at 0x74110000 appears in both instances.