Analysis
- max time kernel: 17s
- max time network: 114s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-01-2021 18:12
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Quotation.exe
  Resource: win10v20201028
General
- Target: Quotation.exe
- Size: 720KB
- MD5: a71b92a0262b4067b2da39ad1f39bef5
- SHA1: 5fab5dc05795e35879eeab69f9c8172e4963431c
- SHA256: 1787f73acf804bff30fe863e077fb5bc9799b3cb39065534198f894757907e79
- SHA512: 8ca4c96e2942b8da52e5644fee5bd9c90beaa91d2cb52aeab83955dbc98d71269d280c530908ef4811b5c06833720ece2d8b3666f030b66b8e40b1e769eab7a3
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: reg.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\rthfy.exe,"
  process: reg.exe
- Executes dropped EXE (2 IoCs)
  Processes: rthfy.exe, AddInProcess32.exe
  pid / process:
  3036 rthfy.exe
  3796 AddInProcess32.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: rthfy.exe
  description / pid / process / target process:
  PID 3036 set thread context of 3796 | 3036 rthfy.exe | AddInProcess32.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes: Quotation.exe, rthfy.exe
  pid / process:
  4700 Quotation.exe (17 entries)
  3036 rthfy.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Quotation.exe, rthfy.exe
  description / pid / process:
  Token: SeDebugPrivilege | 4700 Quotation.exe
  Token: SeDebugPrivilege | 3036 rthfy.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: Quotation.exe, cmd.exe, rthfy.exe
  description / pid / process / target process:
  PID 4700 wrote to memory of 3696 | 4700 Quotation.exe | cmd.exe (3 entries)
  PID 3696 wrote to memory of 504 | 3696 cmd.exe | reg.exe (3 entries)
  PID 4700 wrote to memory of 3036 | 4700 Quotation.exe | rthfy.exe (3 entries)
  PID 3036 wrote to memory of 3796 | 3036 rthfy.exe | AddInProcess32.exe (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Quotation.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  PID: 4700
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\rthfy.exe,"
    PID: 3696
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\rthfy.exe,"
      PID: 504
      - Modifies WinLogon for persistence
  - C:\Users\Admin\rthfy.exe
    Command line: "C:\Users\Admin\rthfy.exe"
    PID: 3036
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      PID: 3796
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- C:\Users\Admin\rthfy.exe
  MD5: a71b92a0262b4067b2da39ad1f39bef5
  SHA1: 5fab5dc05795e35879eeab69f9c8172e4963431c
  SHA256: 1787f73acf804bff30fe863e077fb5bc9799b3cb39065534198f894757907e79
  SHA512: 8ca4c96e2942b8da52e5644fee5bd9c90beaa91d2cb52aeab83955dbc98d71269d280c530908ef4811b5c06833720ece2d8b3666f030b66b8e40b1e769eab7a3
- memory/504-10-0x0000000000000000-mapping.dmp
- memory/3036-21-0x00000000083B0000-0x00000000083BB000-memory.dmp (Filesize: 44KB)
- memory/3036-11-0x0000000000000000-mapping.dmp
- memory/3036-14-0x0000000073CE0000-0x00000000743CE000-memory.dmp (Filesize: 6.9MB)
- memory/3036-22-0x0000000004A70000-0x0000000004A71000-memory.dmp (Filesize: 4KB)
- memory/3696-9-0x0000000000000000-mapping.dmp
- memory/3796-24-0x0000000000401190-mapping.dmp
- memory/4700-8-0x0000000007610000-0x0000000007611000-memory.dmp (Filesize: 4KB)
- memory/4700-7-0x00000000025C0000-0x00000000025C1000-memory.dmp (Filesize: 4KB)
- memory/4700-6-0x00000000025A0000-0x00000000025BE000-memory.dmp (Filesize: 120KB)
- memory/4700-5-0x0000000004C70000-0x0000000004C71000-memory.dmp (Filesize: 4KB)
- memory/4700-2-0x0000000073CE0000-0x00000000743CE000-memory.dmp (Filesize: 6.9MB)
- memory/4700-3-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize: 4KB)