511ac21d17ad7b77173c3007465b034ce0a83517749f7263d27243453f6728c3

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
30/08/2023, 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QUOTATION_AUG7FIBA00541·PDF.scr.exe
Size

1.9MB
MD5

0fcb28f04c3fead1520ea0b7476b0957
SHA1

f07204100d8990931fd81ef3ed24591bb0db788c
SHA256

511ac21d17ad7b77173c3007465b034ce0a83517749f7263d27243453f6728c3
SHA512

8f0708effffbcbd45a459c437d02a9e8887bde14fc259388a12100562bc698d78b379c0c82bc262eeacbb2b58812e3716c8894e0c7e11b2172362033e72e6e0e
SSDEEP

24576:k8QUVF5iQ8Q0WuNO/JpxB0FGlAu4OmeMVqHfKP6w1mp8pncTMWanOm:k3+5iHQ6N0H4OLMQHJO+MWY

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rnrkpe = "C:\\Users\\Admin\\AppData\\Roaming\\Rnrkpe.exe"	QUOTATION_AUG7FIBA00541·PDF.scr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2552 set thread context of 2548	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2576	2548	WerFault.exe	36

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1340	ipconfig.exe
2584	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1780	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	28
PID 2552 wrote to memory of 1780	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	28
PID 2552 wrote to memory of 1780	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	28
PID 2552 wrote to memory of 1780	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	28
PID 1780 wrote to memory of 1340	1780	cmd.exe	30
PID 1780 wrote to memory of 1340	1780	cmd.exe	30
PID 1780 wrote to memory of 1340	1780	cmd.exe	30
PID 1780 wrote to memory of 1340	1780	cmd.exe	30
PID 2552 wrote to memory of 2372	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	33
PID 2552 wrote to memory of 2372	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	33
PID 2552 wrote to memory of 2372	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	33
PID 2552 wrote to memory of 2372	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	33
PID 2372 wrote to memory of 2584	2372	cmd.exe	35
PID 2372 wrote to memory of 2584	2372	cmd.exe	35
PID 2372 wrote to memory of 2584	2372	cmd.exe	35
PID 2372 wrote to memory of 2584	2372	cmd.exe	35
PID 2552 wrote to memory of 2548	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	36
PID 2552 wrote to memory of 2548	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	36
PID 2552 wrote to memory of 2548	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	36
PID 2552 wrote to memory of 2548	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	36
PID 2552 wrote to memory of 2548	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	36
PID 2552 wrote to memory of 2548	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	36
PID 2552 wrote to memory of 2548	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	36
PID 2552 wrote to memory of 2548	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	36
PID 2552 wrote to memory of 2548	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	36
PID 2552 wrote to memory of 2548	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	36
PID 2552 wrote to memory of 2548	2552	QUOTATION_AUG7FIBA00541·PDF.scr.exe	36
PID 2548 wrote to memory of 2576	2548	aspnet_compiler.exe	37
PID 2548 wrote to memory of 2576	2548	aspnet_compiler.exe	37
PID 2548 wrote to memory of 2576	2548	aspnet_compiler.exe	37
PID 2548 wrote to memory of 2576	2548	aspnet_compiler.exe	37

C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUG7FIBA00541·PDF.scr.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUG7FIBA00541·PDF.scr.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig /renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:2584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 200
    3⤵
    - Program crash
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2552-0-0x0000000000E20000-0x0000000001002000-memory.dmp

Filesize
1.9MB

Download
memory/2552-1-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-2-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/2552-3-0x00000000052B0000-0x0000000005374000-memory.dmp

Filesize
784KB

Download
memory/2552-4-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-11-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-9-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-7-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-5-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-13-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-15-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-19-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-21-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-23-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-17-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-25-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-29-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-31-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-27-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-33-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-35-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-41-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-43-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-49-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-53-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-59-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-61-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-67-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-65-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-63-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-57-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-55-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-51-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-47-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-45-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-39-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-37-0x00000000052B0000-0x000000000536F000-memory.dmp

Filesize
764KB

Download
memory/2552-978-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-1069-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/2552-1082-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2552-1083-0x0000000000B00000-0x0000000000B40000-memory.dmp

Filesize
256KB

Download
memory/2552-1084-0x0000000000BC0000-0x0000000000C0C000-memory.dmp

Filesize
304KB

Download
memory/2552-1099-0x0000000074B80000-0x000000007526E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads