Analysis
- Max time kernel: 122s
- Max time network: 124s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 21-11-2020 07:51

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: QUOTATION 21 11 2020.exe
  - Resource: win7v20201028
General
- Target: QUOTATION 21 11 2020.exe
- Size: 906KB
- MD5: be2f5670427369fb1d7bf50e32e60f06
- SHA1: 88412c7f107c686619ec61cec8662861744e455d
- SHA256: 61248c209119bd790c6ad906dd9d12e7a03455c2b2f6e4b7d1432aed6ae92439
- SHA512: d556aebfb5e9d6225ef2d5e08e6ce7310e40895bf9b08f38df95e1a96e4cc4a01f0d087cacddbb3e067abc8b5296b11793ce6ae77dc48f4a924754bd06f71ef8
Malware Config

Signatures
- Uses the VBS compiler for execution (1 TTP)
  vbc.exe is the Visual Basic .NET compiler shipped with the .NET Framework. In this run the parent launches it five times with no arguments (see the process tree below), which is not how a compiler is legitimately used; the pattern is consistent with vbc.exe being used as a signed, Microsoft-trusted host process for injected code rather than to compile anything.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created from an XML definition dropped in the user's Temp directory: schtasks.exe /Create /TN "Updates\jgbZza" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCF7.tmp". The task name imitates an update job; the XML file is listed under Downloads and holds the task's trigger and action.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Process: QUOTATION 21 11 2020.exe, PID 1680 (10 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: QUOTATION 21 11 2020.exe, PID 1680, enabled token privilege SeDebugPrivilege
- Suspicious use of WriteProcessMemory (24 IoCs)
  Source process: QUOTATION 21 11 2020.exe, PID 1680. Writes by target process:
  - PID 1652, schtasks.exe: 4 writes
  - PID 1080, vbc.exe: 4 writes
  - PID 1200, vbc.exe: 4 writes
  - PID 368, vbc.exe: 4 writes
  - PID 112, vbc.exe: 4 writes
  - PID 940, vbc.exe: 4 writes
  Note that schtasks.exe, a plainly legitimate child, receives the same four writes as each vbc.exe instance, so the write count alone does not separate process-creation writes from injection here; the distinctive signal is the repeated argument-less vbc.exe launch.
Processes
- C:\Users\Admin\AppData\Local\Temp\QUOTATION 21 11 2020.exe (PID 1680, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\QUOTATION 21 11 2020.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1652, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgbZza" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDCF7.tmp"
    - Creates scheduled task(s)
    The command line names System32 but the image actually loaded is the SysWOW64 copy: file system redirection applied because the 32-bit parent requested a System32 path on 64-bit Windows, which also tells you the sample itself is a 32-bit process.
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (level 2), five instances (PIDs 1080, 1200, 368, 112 and 940 per the WriteProcessMemory table), each with an identical argument-less command line:
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpDCF7.tmp (the scheduled-task XML passed to schtasks.exe /XML above)
  - MD5: 53fe6a009ff482afe3363de4f176d7a0
  - SHA1: ddf3db4b13f017d62a2654a2704df3ae4ef4288e
  - SHA256: 05727fc5b7aad6ac334fc4b0b969ec186ece6e457607f4469bf501b7dd8634c4
  - SHA512: 38ae6c23261db9c6db71b9b4f37055c742f95e86e013978d4546ade8a988445b781d13eebc07ff2502ad70dc0a4256ba2fae7daaa9ea9eca7fd718a49344e716

Memory dumps
- memory/1652-7-0x0000000000000000-mapping.dmp (PID 1652, schtasks.exe, mapping)
- memory/1680-0-0x00000000741A0000-0x000000007488E000-memory.dmp (PID 1680), 6.9MB
- memory/1680-1-0x0000000000240000-0x0000000000241000-memory.dmp (PID 1680), 4KB
- memory/1680-3-0x0000000000210000-0x0000000000224000-memory.dmp (PID 1680), 80KB
- memory/1680-4-0x00000000044D0000-0x0000000004526000-memory.dmp (PID 1680), 344KB
- memory/1680-5-0x0000000000570000-0x0000000000576000-memory.dmp (PID 1680), 24KB
- memory/1680-6-0x0000000002170000-0x0000000002193000-memory.dmp (PID 1680), 140KB