a6c0b5ffc572e8892a3a140b82a956374c5a7d0670244c0f63a7c201f050cce5

Analysis

Target

Quotation-Request.exe
Size

282KB
MD5

4e3cfd2f0ab3148901ba7e33a1ba8ee3
SHA1

324c353ceb28f6134333e9b794cb0b8e03e9a1e6
SHA256

a3eb95be23a44e65540fda0d8b3114f98be79d63818cb42ef9472cafaa24e472
SHA512

6f40d01c1eb1276075baf4cafcb7234992a2a4d9fa7b0b7787d8676bcd5c93736b36c9c77a145c721886fd75ccd65e862f0c3d2eba00641e9837f134ca22cef8

Score

7^/10

Loads dropped DLL 1 IoCs

Processes:

Quotation-Request.exe

pid process

660 Quotation-Request.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Quotation-Request.exe

description pid process target process

PID 660 set thread context of 1196 660 Quotation-Request.exe Quotation-Request.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Quotation-Request.exe

pid process

660 Quotation-Request.exe

pid	process
660	Quotation-Request.exe

description	pid	process	target process
PID 660 set thread context of 1196	660	Quotation-Request.exe	Quotation-Request.exe

pid	process
660	Quotation-Request.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Quotation-Request.exe

description	pid	process	target process
PID 660 wrote to memory of 1196	660	Quotation-Request.exe	Quotation-Request.exe
PID 660 wrote to memory of 1196	660	Quotation-Request.exe	Quotation-Request.exe
PID 660 wrote to memory of 1196	660	Quotation-Request.exe	Quotation-Request.exe
PID 660 wrote to memory of 1196	660	Quotation-Request.exe	Quotation-Request.exe
PID 660 wrote to memory of 1196	660	Quotation-Request.exe	Quotation-Request.exe

C:\Users\Admin\AppData\Local\Temp\Quotation-Request.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation-Request.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:660
- C:\Users\Admin\AppData\Local\Temp\Quotation-Request.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation-Request.exe"
  2⤵
  PID:1196

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

\Users\Admin\AppData\Local\Temp\fpbqiqu.dll

MD5
6900210069871f6a6dc03f3146cf6549

SHA1
17d17067006d7aefb6245cf0ec99762ca6692b93

SHA256
c669c2e395b395976d3130efd161441a2b5d7fd5576aacb75773cad6297c9575

SHA512
69064ea921e651d77d181e26932871176b37c810e8dced2fa3e8dfb832c2c3009c27e07b82eac0452c70695681a3fb37f2ed31862ace6b7cdc13e302139d5407

Download Submit
memory/660-59-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/1196-61-0x00000000001C5CE2-mapping.dmp

Download