61248c209119bd790c6ad906dd9d12e7a03455c2b2f6e4b7d1432aed6ae92439

General

Target

QUOTATION 21 11 2020.exe
Size

906KB
MD5

be2f5670427369fb1d7bf50e32e60f06
SHA1

88412c7f107c686619ec61cec8662861744e455d
SHA256

61248c209119bd790c6ad906dd9d12e7a03455c2b2f6e4b7d1432aed6ae92439
SHA512

d556aebfb5e9d6225ef2d5e08e6ce7310e40895bf9b08f38df95e1a96e4cc4a01f0d087cacddbb3e067abc8b5296b11793ce6ae77dc48f4a924754bd06f71ef8

Score

7^/10

Malware Config

Signatures

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1652 schtasks.exe

pid	process
1652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

QUOTATION 21 11 2020.exe

pid	process
1680	QUOTATION 21 11 2020.exe
1680	QUOTATION 21 11 2020.exe
1680	QUOTATION 21 11 2020.exe
1680	QUOTATION 21 11 2020.exe
1680	QUOTATION 21 11 2020.exe
1680	QUOTATION 21 11 2020.exe
1680	QUOTATION 21 11 2020.exe
1680	QUOTATION 21 11 2020.exe
1680	QUOTATION 21 11 2020.exe
1680	QUOTATION 21 11 2020.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

QUOTATION 21 11 2020.exe

description pid process

Token: SeDebugPrivilege 1680 QUOTATION 21 11 2020.exe

description	pid	process
Token: SeDebugPrivilege	1680	QUOTATION 21 11 2020.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

QUOTATION 21 11 2020.exe

description	pid	process	target process
PID 1680 wrote to memory of 1652	1680	QUOTATION 21 11 2020.exe	schtasks.exe
PID 1680 wrote to memory of 1652	1680	QUOTATION 21 11 2020.exe	schtasks.exe
PID 1680 wrote to memory of 1652	1680	QUOTATION 21 11 2020.exe	schtasks.exe
PID 1680 wrote to memory of 1652	1680	QUOTATION 21 11 2020.exe	schtasks.exe
PID 1680 wrote to memory of 1080	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 1080	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 1080	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 1080	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 1200	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 1200	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 1200	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 1200	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 368	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 368	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 368	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 368	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 112	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 112	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 112	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 112	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 940	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 940	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 940	1680	QUOTATION 21 11 2020.exe	vbc.exe
PID 1680 wrote to memory of 940	1680	QUOTATION 21 11 2020.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\QUOTATION 21 11 2020.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION 21 11 2020.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgbZza" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCF7.tmp"
2⤵
- Creates scheduled task(s)
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:1200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:940

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDCF7.tmp
MD5
53fe6a009ff482afe3363de4f176d7a0

SHA1
ddf3db4b13f017d62a2654a2704df3ae4ef4288e

SHA256
05727fc5b7aad6ac334fc4b0b969ec186ece6e457607f4469bf501b7dd8634c4

SHA512
38ae6c23261db9c6db71b9b4f37055c742f95e86e013978d4546ade8a988445b781d13eebc07ff2502ad70dc0a4256ba2fae7daaa9ea9eca7fd718a49344e716

Download Submit
memory/1652-7-0x0000000000000000-mapping.dmp

Download
memory/1680-0-0x00000000741A0000-0x000000007488E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1680-3-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download
memory/1680-4-0x00000000044D0000-0x0000000004526000-memory.dmp

Filesize
344KB

Download
memory/1680-5-0x0000000000570000-0x0000000000576000-memory.dmp

Filesize
24KB

Download
memory/1680-6-0x0000000002170000-0x0000000002193000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads