7d13ce311fc118285f4da0173fe22b65fe28f88438ac4d8ca4de542ecc0075d5

General

Target

Quote 2.exe
Size

602KB
MD5

72fe37dccaaae429b207e041e7b63f47
SHA1

f02610d1f9b9b88fe913199da0c94cea0efd6389
SHA256

dea162d39606424263d7694403e0d3207dbf1bcc5ad8abaa0efc5cd42f9afcd0
SHA512

6d4ab8b31127f48a8ddf1c1a7d77146cf34ca9ffcd4b013c06ae19efc6ee928fc5b33660bcb04a7e4be5acbe30d197ce7e6b98e13fc8078ecf31e184350d471b

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

996 schtasks.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Quote 2.exe

pid process

2036 Quote 2.exe
2036 Quote 2.exe
2036 Quote 2.exe
2036 Quote 2.exe
2036 Quote 2.exe
2036 Quote 2.exe
2036 Quote 2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Quote 2.exe

description pid process

Token: SeDebugPrivilege 2036 Quote 2.exe

pid	process
996	schtasks.exe

pid	process
2036	Quote 2.exe
2036	Quote 2.exe
2036	Quote 2.exe
2036	Quote 2.exe
2036	Quote 2.exe
2036	Quote 2.exe
2036	Quote 2.exe

description	pid	process
Token: SeDebugPrivilege	2036	Quote 2.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Quote 2.exe

description	pid	process	target process
PID 2036 wrote to memory of 996	2036	Quote 2.exe	schtasks.exe
PID 2036 wrote to memory of 996	2036	Quote 2.exe	schtasks.exe
PID 2036 wrote to memory of 996	2036	Quote 2.exe	schtasks.exe
PID 2036 wrote to memory of 996	2036	Quote 2.exe	schtasks.exe
PID 2036 wrote to memory of 1584	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1584	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1584	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1584	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1452	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1452	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1452	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1452	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1508	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1508	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1508	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1508	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1596	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1596	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1596	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1596	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1608	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1608	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1608	2036	Quote 2.exe	Quote 2.exe
PID 2036 wrote to memory of 1608	2036	Quote 2.exe	Quote 2.exe

C:\Users\Admin\AppData\Local\Temp\Quote 2.exe
"C:\Users\Admin\AppData\Local\Temp\Quote 2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF73B.tmp"
2⤵
- Creates scheduled task(s)
PID:996

C:\Users\Admin\AppData\Local\Temp\Quote 2.exe
"{path}"
2⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\Quote 2.exe
"{path}"
2⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\Quote 2.exe
"{path}"
2⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\Quote 2.exe
"{path}"
2⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\Quote 2.exe
"{path}"
2⤵
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF73B.tmp

Filesize
1KB

MD5
d9b3fb55144055bf53049ae44e24a2b4

SHA1
e01d7cbee7c35cac28b467f84e92b7a48d32d61e

SHA256
7b950a718804352c3350d97782b2db4cd0e4fa78d1fded8b7f56edfa9df4a437

SHA512
001c56ee85bf76eb22969026c4ddd0f784052c37144642d8124b4fe0db1893bba55b2f5c4739a5a8cb54cdab5b1ea37ad830b34c429fdac0b8f93a4d5acc052c

Download Submit
memory/996-56-0x0000000000000000-mapping.dmp

Download
memory/2036-54-0x0000000075C01000-0x0000000075C03000-memory.dmp

Filesize
8KB

Download
memory/2036-55-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads