Overview

overview

10

Static

static

Quotation.exe

windows7_x64

10

Quotation.exe

windows10_x64

10

Analysis

  • max time kernel
    17s
  • max time network
    114s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    06-01-2021 18:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation.exe

  • Size

    720KB

  • MD5

    a71b92a0262b4067b2da39ad1f39bef5

  • SHA1

    5fab5dc05795e35879eeab69f9c8172e4963431c

  • SHA256

    1787f73acf804bff30fe863e077fb5bc9799b3cb39065534198f894757907e79

  • SHA512

    8ca4c96e2942b8da52e5644fee5bd9c90beaa91d2cb52aeab83955dbc98d71269d280c530908ef4811b5c06833720ece2d8b3666f030b66b8e40b1e769eab7a3

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\rthfy.exe,"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\rthfy.exe,"
        3⤵
        • Modifies WinLogon for persistence
        PID:504
    • C:\Users\Admin\rthfy.exe
      "C:\Users\Admin\rthfy.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
        "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
        3⤵
        • Executes dropped EXE
        PID:3796

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
    MD5

    6a673bfc3b67ae9782cb31af2f234c68

    SHA1

    7544e89566d91e84e3cd437b9a073e5f6b56566e

    SHA256

    978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

    SHA512

    72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

    Download Submit
  • C:\Users\Admin\rthfy.exe
    MD5

    a71b92a0262b4067b2da39ad1f39bef5

    SHA1

    5fab5dc05795e35879eeab69f9c8172e4963431c

    SHA256

    1787f73acf804bff30fe863e077fb5bc9799b3cb39065534198f894757907e79

    SHA512

    8ca4c96e2942b8da52e5644fee5bd9c90beaa91d2cb52aeab83955dbc98d71269d280c530908ef4811b5c06833720ece2d8b3666f030b66b8e40b1e769eab7a3

    Download Submit
  • C:\Users\Admin\rthfy.exe
    MD5

    a71b92a0262b4067b2da39ad1f39bef5

    SHA1

    5fab5dc05795e35879eeab69f9c8172e4963431c

    SHA256

    1787f73acf804bff30fe863e077fb5bc9799b3cb39065534198f894757907e79

    SHA512

    8ca4c96e2942b8da52e5644fee5bd9c90beaa91d2cb52aeab83955dbc98d71269d280c530908ef4811b5c06833720ece2d8b3666f030b66b8e40b1e769eab7a3

    Download Submit
  • memory/504-10-0x0000000000000000-mapping.dmp
    Download
  • memory/3036-21-0x00000000083B0000-0x00000000083BB000-memory.dmp
    Filesize

    44KB

    Download
  • memory/3036-11-0x0000000000000000-mapping.dmp
    Download
  • memory/3036-14-0x0000000073CE0000-0x00000000743CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3036-22-0x0000000004A70000-0x0000000004A71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3696-9-0x0000000000000000-mapping.dmp
    Download
  • memory/3796-24-0x0000000000401190-mapping.dmp
    Download
  • memory/4700-8-0x0000000007610000-0x0000000007611000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4700-7-0x00000000025C0000-0x00000000025C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4700-6-0x00000000025A0000-0x00000000025BE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4700-5-0x0000000004C70000-0x0000000004C71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4700-2-0x0000000073CE0000-0x00000000743CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4700-3-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

    Download