Overview

overview

9

Static

static

3

QUOTATION_...DF.scr

windows7-x64

9

QUOTATION_...DF.scr

windows10-2004-x64

9

Resubmissions

26/10/2023, 10:36

231026-mndk3sbd84 10

17/07/2023, 13:35

230717-qvv1gscc27 9

Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    17/07/2023, 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QUOTATION_JUL7FIBA00541·PDF.scr

  • Size

    77KB

  • MD5

    cbda8cb8fd16a2172972e8fa81cc11a8

  • SHA1

    9fbe855f5a322c4848ed6f0d02a0b7e7be3d52dd

  • SHA256

    7cadda6850c04813046afddaea278ff58b38dc49bc8e10f121560580c9eae27a

  • SHA512

    3b53a255c67e8edcd1f73d84adb7c4c7c6f13e0f9387655cc4806ca493e0c87f07b32520e89692050f1aefcb79f79252e095cc532b8fd5e7e20b5c004a8fbff7

  • SSDEEP

    1536:N5wInQOcC+rhr+KoYlU88VGzm2v9cbpAQlTlBcUu1Vm1fR4:PwRrA88VGl9YpAQlTlBAC1fR4

Score
9/10
evasionpersistence

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\QUOTATION_JUL7FIBA00541·PDF.scr
    "C:\Users\Admin\AppData\Local\Temp\QUOTATION_JUL7FIBA00541·PDF.scr" /S
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:2740
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DCE.tmp.bat""
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:2728
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious use of AdjustPrivilegeToken
        PID:2868

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8DCE.tmp.bat
    Filesize

    151B

    MD5

    5ddc9c4d82b91ca8a6de9a5f5d091d45

    SHA1

    4b4bac837095bb58791fbd1f3320f7d7f192e7af

    SHA256

    b78fde84411e273e3a7907a8999151badd473e12915c015c53153319ff963ae4

    SHA512

    198803e0d974b8911683b2e8800cc9256f79031981ef69bc827b66350dba909964a733a9904e28d3572d0b43384d17a40a59141908bf5d1c7c080cdf97acdd54

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp8DCE.tmp.bat
    Filesize

    151B

    MD5

    5ddc9c4d82b91ca8a6de9a5f5d091d45

    SHA1

    4b4bac837095bb58791fbd1f3320f7d7f192e7af

    SHA256

    b78fde84411e273e3a7907a8999151badd473e12915c015c53153319ff963ae4

    SHA512

    198803e0d974b8911683b2e8800cc9256f79031981ef69bc827b66350dba909964a733a9904e28d3572d0b43384d17a40a59141908bf5d1c7c080cdf97acdd54

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    77KB

    MD5

    cbda8cb8fd16a2172972e8fa81cc11a8

    SHA1

    9fbe855f5a322c4848ed6f0d02a0b7e7be3d52dd

    SHA256

    7cadda6850c04813046afddaea278ff58b38dc49bc8e10f121560580c9eae27a

    SHA512

    3b53a255c67e8edcd1f73d84adb7c4c7c6f13e0f9387655cc4806ca493e0c87f07b32520e89692050f1aefcb79f79252e095cc532b8fd5e7e20b5c004a8fbff7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    77KB

    MD5

    cbda8cb8fd16a2172972e8fa81cc11a8

    SHA1

    9fbe855f5a322c4848ed6f0d02a0b7e7be3d52dd

    SHA256

    7cadda6850c04813046afddaea278ff58b38dc49bc8e10f121560580c9eae27a

    SHA512

    3b53a255c67e8edcd1f73d84adb7c4c7c6f13e0f9387655cc4806ca493e0c87f07b32520e89692050f1aefcb79f79252e095cc532b8fd5e7e20b5c004a8fbff7

    Download Submit

  • \Users\Admin\AppData\Roaming\svchost.exe
    Filesize

    77KB

    MD5

    cbda8cb8fd16a2172972e8fa81cc11a8

    SHA1

    9fbe855f5a322c4848ed6f0d02a0b7e7be3d52dd

    SHA256

    7cadda6850c04813046afddaea278ff58b38dc49bc8e10f121560580c9eae27a

    SHA512

    3b53a255c67e8edcd1f73d84adb7c4c7c6f13e0f9387655cc4806ca493e0c87f07b32520e89692050f1aefcb79f79252e095cc532b8fd5e7e20b5c004a8fbff7

    Download Submit

  • memory/1332-57-0x0000000000670000-0x00000000006E8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/1332-67-0x000007FEF55C0000-0x000007FEF5FAC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1332-54-0x0000000000DF0000-0x0000000000E08000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1332-56-0x000000001B510000-0x000000001B590000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1332-55-0x000007FEF55C0000-0x000007FEF5FAC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2868-72-0x0000000000AF0000-0x0000000000B08000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2868-73-0x000007FEF4BD0000-0x000007FEF55BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2868-74-0x000000001B190000-0x000000001B210000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2868-76-0x000007FEF4BD0000-0x000007FEF55BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2868-77-0x000000001B190000-0x000000001B210000-memory.dmp

    Filesize

    512KB

    Download