Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:59

Static task: static1
Behavioral task: behavioral1
- Sample: Quotation.doc.scr
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Quotation.doc.scr
- Resource: win10v20201028
General
- Target: Quotation.doc.scr
- Size: 560KB
- MD5: 8d09d7e0a4fe465fcc5d52594fc007f9
- SHA1: d1d99b13dadcb5212b70f5ebef876a22528bbe29
- SHA256: 29ee428b001089c4cb3447b6aeb0534d1fe595ce9246f5c0b52da0996f55b77e
- SHA512: c5bfbd0d1329a12de1213e7e089fbd2d406cdfeeb376a2fbf55715623acdc436a6e78059d1c973f530e7506282c328371eee9bba19890a11c935b8d9be66c7f1
Malware Config
Signatures
- (signature name not captured)
  Processes:
  resource | yara_rule
  behavioral2/memory/4772-6-0x0000000005310000-0x0000000005360000-memory.dmp | rezer0
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  16 | ip-api.com
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4772 | Quotation.doc.scr
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  4772 | Quotation.doc.scr
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 4772 wrote to memory of 584 | 4772 | Quotation.doc.scr | schtasks.exe
  PID 4772 wrote to memory of 584 | 4772 | Quotation.doc.scr | schtasks.exe
  PID 4772 wrote to memory of 584 | 4772 | Quotation.doc.scr | schtasks.exe
  PID 4772 wrote to memory of 1180 | 4772 | Quotation.doc.scr | schtasks.exe
  PID 4772 wrote to memory of 1180 | 4772 | Quotation.doc.scr | schtasks.exe
  PID 4772 wrote to memory of 1180 | 4772 | Quotation.doc.scr | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr" /S
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SqqQfuBVQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC98.tmp"
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "schtasks" /create /tn "windows update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Quotation.doc.scr" /rl HIGHEST /f
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpEC98.tmp
  MD5: 8d7ae8072e3325acfdae0cff121d05b7
  SHA1: 0b00e60d9c64a04adce0b51f40b9571a8f52b99a
  SHA256: a25129ecca4051611a48a52732613e5748affefb4f0ed26f2947c0f75f8de2ec
  SHA512: a789f2d21445d04f2b329486744d367b9def167177cc49b97c45bc3ee57bc08e5abe937945c799e34d568794176b10b1abdc388770fd8734f5273b753ea66a25
- memory/584-8-0x0000000000000000-mapping.dmp
- memory/1180-14-0x0000000000000000-mapping.dmp
- memory/4772-7-0x0000000005980000-0x0000000005981000-memory.dmp (Filesize: 4KB)
- memory/4772-5-0x0000000004FE0000-0x0000000004FE1000-memory.dmp (Filesize: 4KB)
- memory/4772-6-0x0000000005310000-0x0000000005360000-memory.dmp (Filesize: 320KB)
- memory/4772-0-0x0000000073150000-0x000000007383E000-memory.dmp (Filesize: 6.9MB)
- memory/4772-4-0x0000000004BE0000-0x0000000004BEF000-memory.dmp (Filesize: 60KB)
- memory/4772-3-0x0000000004C10000-0x0000000004C11000-memory.dmp (Filesize: 4KB)
- memory/4772-10-0x00000000055C0000-0x0000000005609000-memory.dmp (Filesize: 292KB)
- memory/4772-11-0x0000000006630000-0x0000000006631000-memory.dmp (Filesize: 4KB)
- memory/4772-12-0x00000000056B0000-0x00000000056B1000-memory.dmp (Filesize: 4KB)
- memory/4772-13-0x0000000006960000-0x0000000006961000-memory.dmp (Filesize: 4KB)
- memory/4772-1-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize: 4KB)
- memory/4772-15-0x0000000006950000-0x0000000006951000-memory.dmp (Filesize: 4KB)