Overview

overview

10

Static

static

Quotation_...DF.exe

windows7_x64

10

Quotation_...DF.exe

windows10-2004_x64

7

Analysis

  • max time kernel
    97s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 12:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation_Sheet_PO_including FOB_MOQ.PDF.exe

  • Size

    756KB

  • MD5

    a59a17e0750535499b455d7e2bf4b4ff

  • SHA1

    d659c6f80171c2142aa0b9f0352205ae6a79ca4d

  • SHA256

    c2be817a60ed0f80dc7f6e3e5eafc3db7a7a170e1df0015e2189cd9daecec6c8

  • SHA512

    83bab7d199df6dadc8ca1d8c3cb38bc8cf466309d25ee92b3579ea30eac012154b20c9193367f09441619c0e08a0134123cf89d97972a43aaac42a9bff212354

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OtuxuaaSs" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD064.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1232
    • C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3888
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation_Sheet_PO_including FOB_MOQ.PDF.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpD064.tmp
    Filesize

    1KB

    MD5

    0e59743bc297af4a34486c6590bf9f0f

    SHA1

    40a67703e9cd938b53ba61502710bbbf81cb2e5a

    SHA256

    a47764d5ce31f553b2033f23c557847b932fb57454f4bbbe64ad910dbd77a55c

    SHA512

    056f20db9c89b6d85d0a24640962a2c2b6245f10f35b8c05091754292fd35af55c65eb2e15a99fa2b08652a938f66ec567ed673c9399e5fa6e45691c9ccdc276

    Download Submit
  • memory/1232-135-0x0000000000000000-mapping.dmp
    Download
  • memory/1512-183-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-145-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-185-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-143-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-187-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-147-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-149-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-151-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-153-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-155-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-157-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-159-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-161-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-163-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-165-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-189-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-169-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-171-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-173-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-175-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-177-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-179-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-181-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-137-0x0000000000000000-mapping.dmp
    Download
  • memory/1512-141-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-138-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-167-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-191-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-195-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-193-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-197-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-199-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-201-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1512-646-0x0000000005840000-0x00000000058A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1904-652-0x00000000055F0000-0x0000000005656000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1904-649-0x0000000004F70000-0x0000000004FA6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1904-657-0x0000000006B80000-0x0000000006BA2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1904-650-0x00000000056E0000-0x0000000005D08000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1904-656-0x00000000077C0000-0x0000000007856000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1904-655-0x00000000069A0000-0x00000000069BA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1904-651-0x0000000005550000-0x0000000005572000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1904-654-0x0000000007E40000-0x00000000084BA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1904-653-0x00000000052A0000-0x00000000052BE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1904-648-0x0000000000000000-mapping.dmp
    Download
  • memory/2704-134-0x0000000009370000-0x000000000940C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2704-133-0x0000000005860000-0x000000000586A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2704-131-0x0000000005E50000-0x00000000063F4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2704-130-0x0000000000E00000-0x0000000000EC4000-memory.dmp
    Filesize

    784KB

    Download
  • memory/2704-132-0x0000000005940000-0x00000000059D2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3888-647-0x0000000000000000-mapping.dmp
    Download