Overview

overview

10

Static

static

Quote 2.exe

windows7_x64

3

Quote 2.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    53s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quote 2.exe

  • Size

    602KB

  • MD5

    72fe37dccaaae429b207e041e7b63f47

  • SHA1

    f02610d1f9b9b88fe913199da0c94cea0efd6389

  • SHA256

    dea162d39606424263d7694403e0d3207dbf1bcc5ad8abaa0efc5cd42f9afcd0

  • SHA512

    6d4ab8b31127f48a8ddf1c1a7d77146cf34ca9ffcd4b013c06ae19efc6ee928fc5b33660bcb04a7e4be5acbe30d197ce7e6b98e13fc8078ecf31e184350d471b

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quote 2.exe
    "C:\Users\Admin\AppData\Local\Temp\Quote 2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF73B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:996
    • C:\Users\Admin\AppData\Local\Temp\Quote 2.exe
      "{path}"
      2⤵
        PID:1584
      • C:\Users\Admin\AppData\Local\Temp\Quote 2.exe
        "{path}"
        2⤵
          PID:1452
        • C:\Users\Admin\AppData\Local\Temp\Quote 2.exe
          "{path}"
          2⤵
            PID:1508
          • C:\Users\Admin\AppData\Local\Temp\Quote 2.exe
            "{path}"
            2⤵
              PID:1596
            • C:\Users\Admin\AppData\Local\Temp\Quote 2.exe
              "{path}"
              2⤵
                PID:1608

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpF73B.tmp
              Filesize

              1KB

              MD5

              d9b3fb55144055bf53049ae44e24a2b4

              SHA1

              e01d7cbee7c35cac28b467f84e92b7a48d32d61e

              SHA256

              7b950a718804352c3350d97782b2db4cd0e4fa78d1fded8b7f56edfa9df4a437

              SHA512

              001c56ee85bf76eb22969026c4ddd0f784052c37144642d8124b4fe0db1893bba55b2f5c4739a5a8cb54cdab5b1ea37ad830b34c429fdac0b8f93a4d5acc052c

              Download Submit
            • memory/996-56-0x0000000000000000-mapping.dmp
              Download
            • memory/2036-54-0x0000000075C01000-0x0000000075C03000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2036-55-0x00000000748A0000-0x0000000074E4B000-memory.dmp
              Filesize

              5.7MB

              Download