Overview

overview

8

Static

static

1

quotation.exe

windows7-x64

8

quotation.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 20:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    quotation.exe

  • Size

    925KB

  • MD5

    45cc1bf65d887b4899f7c212b271e578

  • SHA1

    95091ef8a659d6dbde4119cf45d8bc7600be35bd

  • SHA256

    9d3e2f47c9e19eb3dd2ad6ff1b00ae5e7b429c4c997268a42b3f75c6d448090a

  • SHA512

    aaeecd5fc1c395de750be26a62eac4c993d54da38ee6210c03c113fb33ae91b8e6cd3088e5101d54fdbe2708ca4fc479cf0956979622aebfe2cc71fce22bc326

  • SSDEEP

    12288:vLdUcmDiSGP31lk463i3tINrHtkvT3Op44ZOloWvOkR:vLdeiNS4Oi9IN3p7OloWvV

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\quotation.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\quotation.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1208
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2664
    • C:\Windows\SysWOW64\iexpress.exe
      "C:\Windows\SysWOW64\iexpress.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2208

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1216-16-0x0000000003BE0000-0x0000000003CE0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2208-18-0x00000000000F0000-0x000000000012F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2208-17-0x00000000000F0000-0x000000000012F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/2664-6-0x0000000000400000-0x0000000000443000-memory.dmp
    Filesize

    268KB

    Download
  • memory/2664-11-0x0000000000400000-0x0000000000443000-memory.dmp
    Filesize

    268KB

    Download
  • memory/2664-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2664-8-0x0000000000400000-0x0000000000443000-memory.dmp
    Filesize

    268KB

    Download
  • memory/2664-15-0x0000000000400000-0x0000000000443000-memory.dmp
    Filesize

    268KB

    Download
  • memory/3016-4-0x0000000000310000-0x0000000000320000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3016-5-0x00000000053A0000-0x000000000542A000-memory.dmp
    Filesize

    552KB

    Download
  • memory/3016-0-0x000000007419E000-0x000000007419F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3016-12-0x0000000074190000-0x000000007487E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3016-3-0x0000000000330000-0x000000000034A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3016-2-0x0000000074190000-0x000000007487E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3016-1-0x0000000001370000-0x000000000145A000-memory.dmp
    Filesize

    936KB

    Download