a6c0b5ffc572e8892a3a140b82a956374c5a7d0670244c0f63a7c201f050cce5

Analysis

max time kernel
0s
max time network
41s
platform
windows7_x64
resource
win7v20210408
submitted
12-07-2021 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation-Request.exe
Size

282KB
MD5

4e3cfd2f0ab3148901ba7e33a1ba8ee3
SHA1

324c353ceb28f6134333e9b794cb0b8e03e9a1e6
SHA256

a3eb95be23a44e65540fda0d8b3114f98be79d63818cb42ef9472cafaa24e472
SHA512

6f40d01c1eb1276075baf4cafcb7234992a2a4d9fa7b0b7787d8676bcd5c93736b36c9c77a145c721886fd75ccd65e862f0c3d2eba00641e9837f134ca22cef8

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

Quotation-Request.exe

pid process

660 Quotation-Request.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Quotation-Request.exe

description pid process target process

PID 660 set thread context of 1196 660 Quotation-Request.exe Quotation-Request.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Quotation-Request.exe

pid process

660 Quotation-Request.exe

pid	process
660	Quotation-Request.exe

description	pid	process	target process
PID 660 set thread context of 1196	660	Quotation-Request.exe	Quotation-Request.exe

pid	process
660	Quotation-Request.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Quotation-Request.exe

description	pid	process	target process
PID 660 wrote to memory of 1196	660	Quotation-Request.exe	Quotation-Request.exe
PID 660 wrote to memory of 1196	660	Quotation-Request.exe	Quotation-Request.exe
PID 660 wrote to memory of 1196	660	Quotation-Request.exe	Quotation-Request.exe
PID 660 wrote to memory of 1196	660	Quotation-Request.exe	Quotation-Request.exe
PID 660 wrote to memory of 1196	660	Quotation-Request.exe	Quotation-Request.exe

C:\Users\Admin\AppData\Local\Temp\Quotation-Request.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation-Request.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\Quotation-Request.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation-Request.exe"
2⤵
PID:1196

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\fpbqiqu.dll
MD5
6900210069871f6a6dc03f3146cf6549

SHA1
17d17067006d7aefb6245cf0ec99762ca6692b93

SHA256
c669c2e395b395976d3130efd161441a2b5d7fd5576aacb75773cad6297c9575

SHA512
69064ea921e651d77d181e26932871176b37c810e8dced2fa3e8dfb832c2c3009c27e07b82eac0452c70695681a3fb37f2ed31862ace6b7cdc13e302139d5407

Download Submit
memory/660-59-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/1196-61-0x00000000001C5CE2-mapping.dmp

Download