Analysis
- max time kernel: 150s
- max time network: 74s
- platform: windows10-1703_x64
- resource: win10-20231215-en
- resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 25-01-2024 10:44
Static task: static1
Behavioral task: behavioral1
- Sample: quantizer/quantizer.exe
- Resource: win10-20231215-en
Behavioral task: behavioral2
- Sample: quantizer/vc_redist.x86.exe
- Resource: win10-20231215-en
General
- Target: quantizer/quantizer.exe
- Size: 212KB
- MD5: 1458480cf8803569195f934d47ac7481
- SHA1: e82b5cbf643075a44049aa97ba045795da25ab55
- SHA256: 68d528f9ac891e920449188198a233b71b2860838af4fb970b9966f941ce82ca
- SHA512: 168466da32f952df6bae568e75bb683bc6e009880b67d28acc0f3b8fb6e88b186abbeeabf0a87bf9a01f47362c157f46277682d9a3e2bdab90f8f2f2775f7e04
- SSDEEP: 1536:Ra2jqHhCCjLFUkH8neWP4xqunYlFjTZgjq9qlQJ1veZ2eDg4X:RLjqHhCWcn5BYYfjTZgjq9BT2Z2eDP
Malware Config
Signatures
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (AcroRd32.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (AcroRd32.exe)
- Modifies Internet Explorer settings
  Processes:
  - Key created: \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION (AcroRd32.exe)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  - pid 3684 AcroRd32.exe (4 occurrences)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  - PID 3684 (AcroRd32.exe) wrote to memory of PID 4376 (RdrCEF.exe)
  - PID 4376 (RdrCEF.exe) wrote to memory of PID 3880 (RdrCEF.exe)
  - PID 4376 (RdrCEF.exe) wrote to memory of PID 4516 (RdrCEF.exe)
  (each source/target pair is recorded repeatedly; 64 entries in total)
Processes
- C:\Users\Admin\AppData\Local\Temp\quantizer\quantizer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\quantizer\quantizer.exe"
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
  Signatures:
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DA8054A32C3D0A6ED584710DC3BBDE39 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D92F509BA77F1B5B1E25E9E0EA841DB8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D92F509BA77F1B5B1E25E9E0EA841DB8 --renderer-client-id=2 --mojo-platform-channel-handle=1632 --allow-no-sandbox-job /prefetch:1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/1368-0-0x0000000000DF0000-0x0000000000DF1000-memory.dmp (Filesize: 4KB)