d6cc3ac995484b99ed790b6f8ceb145492794eb5d01ec4a71123b9975e9bfd20

Analysis

max time kernel
90s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2022, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quotefile.ps1
Size

1.9MB
MD5

739eaf406607fa3efddb9c6c97cdba76
SHA1

bdb0575775a3447391b9d719e6d69c0e44549fd2
SHA256

d6cc3ac995484b99ed790b6f8ceb145492794eb5d01ec4a71123b9975e9bfd20
SHA512

80ccebc7f4ff3597031899973817acdb4c1638788aa37b536fcafb6cd03b2f6113d40527b2e7a7f49d4794f021c815f8dc85ac4fd372d40cde59da6db2769384
SSDEEP

24576:AzrIw+80AssR3D6UN6hzwbSVsi5MW94d5upIAMoIKAdqQb16:AwwahXsvWK1dj6

Score

9^/10

evasion

Malware Config

Signatures

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	powershell.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	powershell.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	powershell.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	powershell.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Wine	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
5072	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5072	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1540	5072	powershell.exe	84
PID 5072 wrote to memory of 1540	5072	powershell.exe	84
PID 1540 wrote to memory of 2648	1540	csc.exe	85
PID 1540 wrote to memory of 2648	1540	csc.exe	85
PID 5072 wrote to memory of 3732	5072	powershell.exe	86
PID 5072 wrote to memory of 3732	5072	powershell.exe	86
PID 3732 wrote to memory of 1664	3732	csc.exe	87
PID 3732 wrote to memory of 1664	3732	csc.exe	87

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\quotefile.ps1
1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wdavrlny\wdavrlny.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC529.tmp" "c:\Users\Admin\AppData\Local\Temp\wdavrlny\CSCD958797063244F188C4193FEA8187FF5.TMP"
    3⤵
    PID:2648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\quohvina\quohvina.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF67A.tmp" "c:\Users\Admin\AppData\Local\Temp\quohvina\CSC5AFC7DBFC157477AB14115DEC65DF7E.TMP"
    3⤵
    PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC529.tmp

Filesize
1KB

MD5
656982afa0fe27511a88cb6db6947657

SHA1
66d042ca35e11662b8d4819ed7ef6677a0085ca6

SHA256
0ba5a28c4fafd865c1e8a9601aaa4b301299eb91d45061b077940c1030d669ed

SHA512
dc19ffdfbf0cebda43308fc00ee3fe65cb38357ec8cf7d3cf8df51b611ad6ab686c7b8694cc1b5a646909bec363bd2d05f7d9627eeea1c0f9c27ffd26de54f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF67A.tmp

Filesize
1KB

MD5
82c4ea95c8daca637d72d28ba81d9749

SHA1
84a16b9444bf3e94e3674494845dbdb5f7995388

SHA256
eab672a83b7dbc3b7c4945b0cb3bd96e5c264a3cf09873b877263bd5fdda9a5a

SHA512
d102055565a9d856d213ca22ae4347a9f409f79a9328177af2e20be11bc35eefd8e8f55a6fc30aed2a915e6645246a398582dc86ff687d9de5d5c376f0e62954

Download Submit
C:\Users\Admin\AppData\Local\Temp\quohvina\quohvina.dll

Filesize
3KB

MD5
b58d112ef3a7f7d6482cc210748a903c

SHA1
b4605be6ed46b96d70f58954e037d82e755cd899

SHA256
f25ff15d6141128996d2d9e695118c936013d5d12cc09817cc0ee57bce4c198e

SHA512
4cf49431807e7b30c8b9e4fdffff166fd5c23e32d8e6b0f20a480841a2d85d09c25f7ad9567586232f5c792fc79a41a41d24ef69ccfe09a593d800356c440028

Download Submit
C:\Users\Admin\AppData\Local\Temp\wdavrlny\wdavrlny.dll

Filesize
3KB

MD5
bdee03a5c556cf04624392b9828b6ada

SHA1
0aaaaaa078637555cbc696ad6398f02a56a4cf53

SHA256
14327f8b2fab025cba06f877ba5089e9c03a3e004bead0ad8ae25f00662e131f

SHA512
4938cc891c439d747e29fcd1acc3172acc8917217d1c9ba5b2d0b345b58335ff7b80e3c282bd0547a5038ee83fb45548765e3283aa3d857cbab099eaebffca37

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\quohvina\CSC5AFC7DBFC157477AB14115DEC65DF7E.TMP

Filesize
652B

MD5
93e23eac35ff34fd5672d4e84ccfc5f8

SHA1
e55220c27411a742860f5a1becbddaf30e6ac19e

SHA256
426f998de3195cd14241090791df419e85bda49d03b94e66cf29e1f9e97c2e26

SHA512
d4c074eee9926979831c1f4d1952b16e52b0416020d001df748e934a5d680b3efabb57d69d97e1f31636d02fedae95abc205c6e04f5985ad4c4ca2fc655b5f16

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\quohvina\quohvina.0.cs

Filesize
591B

MD5
9b5ca5987d03f2fda2d89b3225bb527b

SHA1
2fca70ccb8428eda41cb29785458155942e24da3

SHA256
e47533d0cbe442ac6b5bd50e507c9dae2c9f19ee4c0ffbc2273375f0721efaa8

SHA512
8e2c4ae7b952998cb6efaeaee6f274efb879f3c1bf657d83391ddf7ea291b4927204e5c2d67877b820a35a67d39dfe857b9f4725085062cae75bc871d657a7bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\quohvina\quohvina.cmdline

Filesize
369B

MD5
f9adf7b61e8ef3b4ac28d7f4def2dbd6

SHA1
1ad58285eb4b7a00147dadcd8e2ff5d52d335fb3

SHA256
59bb5118547a0ac61ffa22688452ab25019c484bf76ac96767e72d54106671d4

SHA512
0807d1a562498e63fded4499cca5cf59284767e544a8418e3c234b4a9cd172d6210f340e9577330ef564c3a9b6c8dd4d91b78c3b3b00577cac19073c90b92a24

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wdavrlny\CSCD958797063244F188C4193FEA8187FF5.TMP

Filesize
652B

MD5
b56a097e90987fe6bd1625bcc2c3313d

SHA1
2cf994f3408d22fade22fba71a7012c49cdd6be8

SHA256
99842e6bc178ed47f9e09da2f70d001e500fb1cee6481637f0d9191cf5423e8e

SHA512
4a67f34594430affffc59a673fc9b2a0bb7c83cc487e51512c9f1a549781800a57d7b2a74de67d6b76b7e2164940321bf0f060f8cedf6f839ad6efe722c88bdb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wdavrlny\wdavrlny.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wdavrlny\wdavrlny.cmdline

Filesize
369B

MD5
42175ff110fb5ffa6781ea482fdc329c

SHA1
4413bf6903f7d8c1fc22d7fa28bb6b5bd65b01c5

SHA256
bbb29372ee3f965b017775eebfd673d4a8eb93721b3a0747734269d452f6c8a8

SHA512
f0cd107f108de6052c6dede82d34c356fdd5d9fdc177a348792f8d54afe3027d0d59b1a3dabe344bf6eaa950ababbc84a1401b9c0f38e24c5978857b80834d6f

Download Submit
memory/5072-141-0x00007FFC2DE50000-0x00007FFC2E911000-memory.dmp

Filesize
10.8MB

Download
memory/5072-132-0x0000018FDD030000-0x0000018FDD052000-memory.dmp

Filesize
136KB

Download
memory/5072-133-0x00007FFC2DE50000-0x00007FFC2E911000-memory.dmp

Filesize
10.8MB

Download
memory/5072-149-0x00007FFC2DE50000-0x00007FFC2E911000-memory.dmp

Filesize
10.8MB

Download