Overview

overview

8

Static

static

3

Quotations...nt.exe

windows7-x64

8

Quotations...nt.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2023 14:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotations for client.exe

  • Size

    392KB

  • MD5

    559030db8c9ff37791ea1e3c62baa4a2

  • SHA1

    825adb32a085b98f41b070bea1b9b664aa5f31ea

  • SHA256

    1d9953bcc362548bbefbe63345d3b6058f26a875191a5e08fec4f106dc93c22c

  • SHA512

    a2c5f7196ddb9214ae7d168675dc8dd6f01d47fc57cb5efa4880ac7544c8a1fa00a339759b09a1457693c87b960b2f3f10e79c955a7579d476220014ae70ad20

  • SSDEEP

    12288:BnPdwGAEXy7g8MzQp2sZ58eB4S6jvtHEX/Yd:9PdwGA99F79B4X1HEvYd

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3196
    • C:\Users\Admin\AppData\Local\Temp\Quotations for client.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotations for client.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Users\Admin\AppData\Local\Temp\qibybbe.exe
        "C:\Users\Admin\AppData\Local\Temp\qibybbe.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Users\Admin\AppData\Local\Temp\qibybbe.exe
          "C:\Users\Admin\AppData\Local\Temp\qibybbe.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3688
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:3892

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\abnumnhcg.va
      Filesize

      249KB

      MD5

      086eb519ffd61f2d03b0cbf9366a3994

      SHA1

      f93dfc2ce3cb91c91b826963ee6b08faa5406f01

      SHA256

      22ed68305025f631c73eb7ad81db95083ddd17612d9b0eb62a127228053f0981

      SHA512

      8c8eed5d5ae6616dff5b5b0be4c3dc8fbc0e4d65bd7c708cf506a6720eefbbc2c717a9be45bb224477b8a0f67e042d2667892acd81be666e77d91e2271c0170d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\qibybbe.exe
      Filesize

      227KB

      MD5

      ed7f318f5234df99d0f3093d9693e40c

      SHA1

      46b8d433ba988edd2aab86e266d3e92fc288d4b5

      SHA256

      61e3c81e114829b3a88543c2d5a3d88bf6a2e049a5104f19dfe8ffc5dd516c89

      SHA512

      16783ee5b110471415f1f6966bcee324ef78372cb7c3b12a77e3915714835a543edcea1f282373766b2384e92b8f81a9d8205d0bf17349763517e1b8694635cd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\qibybbe.exe
      Filesize

      227KB

      MD5

      ed7f318f5234df99d0f3093d9693e40c

      SHA1

      46b8d433ba988edd2aab86e266d3e92fc288d4b5

      SHA256

      61e3c81e114829b3a88543c2d5a3d88bf6a2e049a5104f19dfe8ffc5dd516c89

      SHA512

      16783ee5b110471415f1f6966bcee324ef78372cb7c3b12a77e3915714835a543edcea1f282373766b2384e92b8f81a9d8205d0bf17349763517e1b8694635cd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\qibybbe.exe
      Filesize

      227KB

      MD5

      ed7f318f5234df99d0f3093d9693e40c

      SHA1

      46b8d433ba988edd2aab86e266d3e92fc288d4b5

      SHA256

      61e3c81e114829b3a88543c2d5a3d88bf6a2e049a5104f19dfe8ffc5dd516c89

      SHA512

      16783ee5b110471415f1f6966bcee324ef78372cb7c3b12a77e3915714835a543edcea1f282373766b2384e92b8f81a9d8205d0bf17349763517e1b8694635cd

      Download Submit

    • memory/2420-5-0x0000000000F70000-0x0000000000F72000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3196-15-0x000000000C190000-0x000000000D824000-memory.dmp

      Filesize

      22.6MB

      Download

    • memory/3196-29-0x0000000008590000-0x0000000008696000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3196-25-0x0000000008590000-0x0000000008696000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3196-24-0x0000000008590000-0x0000000008696000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3196-22-0x000000000C190000-0x000000000D824000-memory.dmp

      Filesize

      22.6MB

      Download

    • memory/3688-10-0x0000000001730000-0x0000000001A7A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3688-13-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/3688-7-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/3688-11-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/3688-18-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/3688-19-0x00000000016D0000-0x00000000016F4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/3688-14-0x00000000016D0000-0x00000000016F4000-memory.dmp

      Filesize

      144KB

      Download

    • memory/3688-12-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4392-21-0x0000000001480000-0x00000000014B6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4392-23-0x00000000032D0000-0x0000000003373000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4392-20-0x0000000003490000-0x00000000037DA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4392-17-0x0000000001480000-0x00000000014B6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4392-26-0x0000000001480000-0x00000000014B6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4392-27-0x00000000032D0000-0x0000000003373000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4392-16-0x0000000001480000-0x00000000014B6000-memory.dmp

      Filesize

      216KB

      Download