Overview

overview

10

Static

static

Quotation ...er.exe

windows7_x64

3

Quotation ...er.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    14-07-2021 02:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation for named specification new order.exe

  • Size

    786KB

  • MD5

    b8f0f94f760baa38503ac7da4faab222

  • SHA1

    2775a004ef8bfdb79ed2fae45066b49d740b1afc

  • SHA256

    d3147c430d999a7e8337cfb4120dff3079eef4bf51abc0c979f424eff86f1845

  • SHA512

    1c789c724bd67ea1b5a0ee365b8bb40768e87cef7f861f76bdfa9ec7bf99be507d3233b8450722e63378eaa3f841deb94a643925747ad6bb491401b26b5715ec

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LGAkOTDdgeJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3063.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1752
    • C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe"
      2⤵
        PID:744
      • C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe"
        2⤵
          PID:1052
        • C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe
          "C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe"
          2⤵
            PID:1848
          • C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe
            "C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe"
            2⤵
              PID:1296
            • C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe
              "C:\Users\Admin\AppData\Local\Temp\Quotation for named specification new order.exe"
              2⤵
                PID:1744

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp3063.tmp
              MD5

              33b5fc0dc0063a793e8cde3009e73453

              SHA1

              5575931b2c724df95b367207e66a57b58f4182c4

              SHA256

              d8fe24087518e468b573936cba8bd207b1ff70d9e26b26cd14f9757f261b8106

              SHA512

              4289b025d4d5bcda722d4753d8815265021a374b56e4d89ed8b7526a68b203002b9b00d040ace403aa08b3c4c15dfc2a479c82cf99672c64506e4c5efa47c090

              Download Submit
            • memory/816-59-0x0000000000280000-0x0000000000281000-memory.dmp
              Filesize

              4KB

              Download
            • memory/816-61-0x0000000004DE0000-0x0000000004DE1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/816-62-0x00000000003A0000-0x00000000003B0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/816-63-0x0000000004D00000-0x0000000004D87000-memory.dmp
              Filesize

              540KB

              Download
            • memory/816-64-0x00000000021A0000-0x00000000021E3000-memory.dmp
              Filesize

              268KB

              Download
            • memory/1752-65-0x0000000000000000-mapping.dmp
              Download