Overview

overview

8

Static

static

3

Quotation ...17.exe

windows7-x64

8

Quotation ...17.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    16s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    17/05/2024, 08:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation No Q240419617.exe

  • Size

    692KB

  • MD5

    9869cf5ff4bf02dcc23e4b20b26dc6f6

  • SHA1

    05755dabf2e7290ea00429852de5b572de762da0

  • SHA256

    ba531af97daeb195d2b21cfc4db12c782d2b99d2cc1bc5c2000eb04a24b402e5

  • SHA512

    7d880fa37baf002b73d73f78355e172669da287454786c4a54867dc8970bc5ad28e7523cdbbf3d40da387517075b868d6fd8a7148439ee351da182fe646529a9

  • SSDEEP

    12288:mLUHDGW4SBSwsmSsxzLY+VzkDfq+TK0WjXJGuWYaNWx533ryQ5sT:HV4SUQSH+Vz6fq+TVKkumWxJ3r/6

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation No Q240419617.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation No Q240419617.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Quotation No Q240419617.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3048
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ncClrGU.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ncClrGU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4FC5.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2732
    • C:\Users\Admin\AppData\Local\Temp\Quotation No Q240419617.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation No Q240419617.exe"
      2⤵
        PID:2456

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp4FC5.tmp
      Filesize

      1KB

      MD5

      5894098f3129fb79c6c7e64b6fd7c052

      SHA1

      1ab1e7f3515b5e1f279230d1d5fdb0575688ec95

      SHA256

      4853592c10e58d510d3cd3ea9988ab0733cb280a14b88b0599d161f5a3ec3f98

      SHA512

      1f4faa2071fee17c0756f59c4a54b93aaafc15f44f33ff83e03abdb757a0235b3fe68a1ed5ac7f55534a25ce7d6bf2bcd774055682b9517582475fc433146b9d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      6be0b47e8c61b4cfde11ef81193c3979

      SHA1

      922a7930c6bb867b8c384980cea64bc5a4c61f6b

      SHA256

      b4a08638460ca76cb93b9dbc57819010f4dfde6cf90cd249ca865efc8491f43d

      SHA512

      b0b821c064660c81ddbc522b22fad58ea1ce98808765be811ab3f6b9c0fcd1aa13b1a00123e4f7a01e9c262ec366b833e4cfcdc457bcc2ce073ed22d20866cd0

      Download Submit

    • memory/308-0-0x000007FEF5B03000-0x000007FEF5B04000-memory.dmp

      Filesize

      4KB

      Download

    • memory/308-1-0x00000000011C0000-0x0000000001274000-memory.dmp

      Filesize

      720KB

      Download

    • memory/308-2-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/308-3-0x00000000007A0000-0x00000000007BC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/308-4-0x0000000000760000-0x0000000000774000-memory.dmp

      Filesize

      80KB

      Download

    • memory/308-5-0x0000000002760000-0x00000000027E0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/308-23-0x000007FEF5B00000-0x000007FEF64EC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2456-22-0x000007FFFFFDE000-0x000007FFFFFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3048-14-0x000000001B580000-0x000000001B862000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/3048-15-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

      Filesize

      32KB

      Download