4f292f3a32f19fbb2b43bb9defa01b89d010712ca518f2ab0e7d0fa76760aa01

General

Target

Quotation.exe
Size

687KB
MD5

df9d06efd44cacfd15067deb44fb7d91
SHA1

85dcefdefe1b612eb3d053721c3d475bc248787e
SHA256

eb4900d71cfd218e3eb1eb920e96d4466796772830d964424ae42878ef9b2f8d
SHA512

7f8bf4196e319da4415ae9c37ad1f3bab53ecff6255e80986d954468e460b889540aa3084506df30c037a4363ae4e5edfc0ea5adbe21e477e2bac10e7f9c47e7

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1488 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Quotation.exe

pid process

1960 Quotation.exe
1960 Quotation.exe
1960 Quotation.exe
1960 Quotation.exe
1960 Quotation.exe
1960 Quotation.exe
1960 Quotation.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Quotation.exe

description pid process

Token: SeDebugPrivilege 1960 Quotation.exe

pid	process
1488	schtasks.exe

pid	process
1960	Quotation.exe
1960	Quotation.exe
1960	Quotation.exe
1960	Quotation.exe
1960	Quotation.exe
1960	Quotation.exe
1960	Quotation.exe

description	pid	process
Token: SeDebugPrivilege	1960	Quotation.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Quotation.exe

description	pid	process	target process
PID 1960 wrote to memory of 1488	1960	Quotation.exe	schtasks.exe
PID 1960 wrote to memory of 1488	1960	Quotation.exe	schtasks.exe
PID 1960 wrote to memory of 1488	1960	Quotation.exe	schtasks.exe
PID 1960 wrote to memory of 1488	1960	Quotation.exe	schtasks.exe
PID 1960 wrote to memory of 1080	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1080	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1080	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1080	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1132	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1132	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1132	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1132	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1356	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1356	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1356	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1356	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1472	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1472	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1472	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 1472	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 864	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 864	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 864	1960	Quotation.exe	Quotation.exe
PID 1960 wrote to memory of 864	1960	Quotation.exe	Quotation.exe

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zcCILgqNJi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp143D.tmp"
2⤵
- Creates scheduled task(s)
PID:1488

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"{path}"
2⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"{path}"
2⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"{path}"
2⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"{path}"
2⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"{path}"
2⤵
PID:864

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp143D.tmp
Filesize
1KB

MD5
0f6407a80605e9d003b9ad9fa1618d03

SHA1
5677d7500c4b4817bdb46e352e6c2218fbf9ac28

SHA256
96a584cc40b91f358fe8cfae1990b7dd7844fd54aa6a6bb4fcc442dbcc460d25

SHA512
c88968640a52cf712e11ee32c6d30315c7d823a9d6851a5e8b0edf629263d3dc40ceb38074e294b4f7a07a996d4f3cda447f599d855a26a0492f4bf70c371fa4

Download Submit
memory/1488-59-0x0000000000000000-mapping.dmp

Download
memory/1960-54-0x0000000000250000-0x0000000000302000-memory.dmp

Filesize
712KB

Download
memory/1960-55-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/1960-56-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/1960-57-0x0000000007F20000-0x0000000007FC0000-memory.dmp

Filesize
640KB

Download
memory/1960-58-0x0000000005C10000-0x0000000005C98000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads