Overview

overview

10

Static

static

Revised Qu...pg.exe

windows7_x64

10

Revised Qu...pg.exe

windows10_x64

7

Analysis

  • max time kernel
    111s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    27-01-2022 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Revised Quotation & COA_jpg.exe

  • Size

    551KB

  • MD5

    fce9b050476d555a64ce0522191d1f4a

  • SHA1

    4c34b842888ba0c8f80fdba42055281c18e995f3

  • SHA256

    07569721866b0b2b3d83ec0db9d400f9cd623c51ea30706aaef9e032ec64795e

  • SHA512

    c6ffe706492a009e214e6b6c256bf41406e217a93c9aa9e898b71ea66428c545bb4420f314d7781e9321e9095d678c6440fe4bb12bd8c629a9819e9effc32247

Score
7/10

Malware Config

Signatures

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Revised Quotation & COA_jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\Revised Quotation & COA_jpg.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2940
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:2736
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
          PID:680
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
            PID:988
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            2⤵
              PID:608
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              2⤵
                PID:404

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scripting

            1
            T1064

            Persistence

            Privilege Escalation

            Defense Evasion

            Scripting

            1
            T1064

            Credential Access

            Discovery

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2940-118-0x0000000000210000-0x00000000002A0000-memory.dmp
              Filesize

              576KB

              Download
            • memory/2940-119-0x0000000004EE0000-0x00000000053DE000-memory.dmp
              Filesize

              5.0MB

              Download
            • memory/2940-120-0x0000000004AD0000-0x0000000004B62000-memory.dmp
              Filesize

              584KB

              Download
            • memory/2940-121-0x0000000004C30000-0x0000000004C3A000-memory.dmp
              Filesize

              40KB

              Download
            • memory/2940-122-0x00000000049E0000-0x0000000004EDE000-memory.dmp
              Filesize

              5.0MB

              Download
            • memory/2940-123-0x0000000006E80000-0x0000000006E8C000-memory.dmp
              Filesize

              48KB

              Download
            • memory/2940-124-0x00000000071C0000-0x000000000725C000-memory.dmp
              Filesize

              624KB

              Download
            • memory/2940-125-0x0000000007370000-0x00000000073D2000-memory.dmp
              Filesize

              392KB

              Download