1df6109d033a42d97b34133e69afc0da679586b85b6614b034ebfd9343062d20

General

Target

Request for Quotation.exe
Size

500KB
MD5

1d9fd84bc6eaa80b160bd313750f6ff5
SHA1

011e1975d6cb6a567ad3fed83d59310728bd9227
SHA256

1df6109d033a42d97b34133e69afc0da679586b85b6614b034ebfd9343062d20
SHA512

d66d0a83284f6f21e711c3d62bcd280042d6a50125dc410b4c79d6f6dba7be5b6bd628fb21e6491b2bb291770f6d1c3951257e948dcbbb587e397fc75296a8da

Score

9^/10

Malware Config

Signatures

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/2004-6-0x0000000004AE0000-0x0000000004B3E000-memory.dmp	beds_protector

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Request for Quotation.exe

pid	process
2004	Request for Quotation.exe
2004	Request for Quotation.exe
2004	Request for Quotation.exe
2004	Request for Quotation.exe
2004	Request for Quotation.exe
2004	Request for Quotation.exe
2004	Request for Quotation.exe
2004	Request for Quotation.exe
2004	Request for Quotation.exe
2004	Request for Quotation.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Request for Quotation.exe

description pid process

Token: SeDebugPrivilege 2004 Request for Quotation.exe

description	pid	process
Token: SeDebugPrivilege	2004	Request for Quotation.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Request for Quotation.exe

description	pid	process	target process
PID 2004 wrote to memory of 1604	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 1604	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 1604	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 1604	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 484	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 484	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 484	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 484	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 1096	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 1096	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 1096	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 1096	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 752	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 752	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 752	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 752	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 340	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 340	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 340	2004	Request for Quotation.exe	Request for Quotation.exe
PID 2004 wrote to memory of 340	2004	Request for Quotation.exe	Request for Quotation.exe

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
2⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
2⤵
PID:484

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
2⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
2⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
2⤵
PID:340

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2004-2-0x0000000073AF0000-0x00000000741DE000-memory.dmp

Filesize
6.9MB

Download
memory/2004-3-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2004-5-0x0000000075EA1000-0x0000000075EA3000-memory.dmp

Filesize
8KB

Download
memory/2004-6-0x0000000004AE0000-0x0000000004B3E000-memory.dmp

Filesize
376KB

Download
memory/2004-7-0x00000000002A0000-0x00000000002AF000-memory.dmp

Filesize
60KB

Download
memory/2004-8-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads