9d3e2f47c9e19eb3dd2ad6ff1b00ae5e7b429c4c997268a42b3f75c6d448090a

General

Target

quotation.exe
Size

925KB
MD5

45cc1bf65d887b4899f7c212b271e578
SHA1

95091ef8a659d6dbde4119cf45d8bc7600be35bd
SHA256

9d3e2f47c9e19eb3dd2ad6ff1b00ae5e7b429c4c997268a42b3f75c6d448090a
SHA512

aaeecd5fc1c395de750be26a62eac4c993d54da38ee6210c03c113fb33ae91b8e6cd3088e5101d54fdbe2708ca4fc479cf0956979622aebfe2cc71fce22bc326
SSDEEP

12288:vLdUcmDiSGP31lk463i3tINrHtkvT3Op44ZOloWvOkR:vLdeiNS4Oi9IN3p7OloWvV

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2684 powershell.exe

pid	process
2684	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

quotation.exeRegSvcs.exeiexpress.exe

description	pid	process	target process
PID 2188 set thread context of 2700	2188	quotation.exe	RegSvcs.exe
PID 2700 set thread context of 1192	2700	RegSvcs.exe	Explorer.EXE
PID 2700 set thread context of 2152	2700	RegSvcs.exe	iexpress.exe
PID 2152 set thread context of 1192	2152	iexpress.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

quotation.exepowershell.exeRegSvcs.exeiexpress.exe

pid	process
2188	quotation.exe
2188	quotation.exe
2684	powershell.exe
2700	RegSvcs.exe
2700	RegSvcs.exe
2700	RegSvcs.exe
2700	RegSvcs.exe
2700	RegSvcs.exe
2700	RegSvcs.exe
2700	RegSvcs.exe
2700	RegSvcs.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe
2152	iexpress.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exeExplorer.EXEiexpress.exe

pid process

2700 RegSvcs.exe
1192 Explorer.EXE
1192 Explorer.EXE
2152 iexpress.exe
2152 iexpress.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

quotation.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2188 quotation.exe
Token: SeDebugPrivilege 2684 powershell.exe

pid	process
2700	RegSvcs.exe
1192	Explorer.EXE
1192	Explorer.EXE
2152	iexpress.exe
2152	iexpress.exe

description	pid	process
Token: SeDebugPrivilege	2188	quotation.exe
Token: SeDebugPrivilege	2684	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

quotation.exeExplorer.EXE

description	pid	process	target process
PID 2188 wrote to memory of 2684	2188	quotation.exe	powershell.exe
PID 2188 wrote to memory of 2684	2188	quotation.exe	powershell.exe
PID 2188 wrote to memory of 2684	2188	quotation.exe	powershell.exe
PID 2188 wrote to memory of 2684	2188	quotation.exe	powershell.exe
PID 2188 wrote to memory of 2700	2188	quotation.exe	RegSvcs.exe
PID 2188 wrote to memory of 2700	2188	quotation.exe	RegSvcs.exe
PID 2188 wrote to memory of 2700	2188	quotation.exe	RegSvcs.exe
PID 2188 wrote to memory of 2700	2188	quotation.exe	RegSvcs.exe
PID 2188 wrote to memory of 2700	2188	quotation.exe	RegSvcs.exe
PID 2188 wrote to memory of 2700	2188	quotation.exe	RegSvcs.exe
PID 2188 wrote to memory of 2700	2188	quotation.exe	RegSvcs.exe
PID 2188 wrote to memory of 2700	2188	quotation.exe	RegSvcs.exe
PID 2188 wrote to memory of 2700	2188	quotation.exe	RegSvcs.exe
PID 2188 wrote to memory of 2700	2188	quotation.exe	RegSvcs.exe
PID 1192 wrote to memory of 2152	1192	Explorer.EXE	iexpress.exe
PID 1192 wrote to memory of 2152	1192	Explorer.EXE	iexpress.exe
PID 1192 wrote to memory of 2152	1192	Explorer.EXE	iexpress.exe
PID 1192 wrote to memory of 2152	1192	Explorer.EXE	iexpress.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\quotation.exe
"C:\Users\Admin\AppData\Local\Temp\quotation.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\quotation.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2700

C:\Windows\SysWOW64\iexpress.exe
"C:\Windows\SysWOW64\iexpress.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-16-0x00000000030F0000-0x00000000031F0000-memory.dmp

Filesize
1024KB

Download
memory/2152-18-0x0000000000140000-0x000000000017F000-memory.dmp

Filesize
252KB

Download
memory/2152-17-0x0000000000140000-0x000000000017F000-memory.dmp

Filesize
252KB

Download
memory/2188-12-0x00000000742F0000-0x00000000749DE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-1-0x0000000000090000-0x000000000017A000-memory.dmp

Filesize
936KB

Download
memory/2188-2-0x00000000742F0000-0x00000000749DE000-memory.dmp

Filesize
6.9MB

Download
memory/2188-3-0x0000000000550000-0x000000000056A000-memory.dmp

Filesize
104KB

Download
memory/2188-4-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2188-5-0x0000000004F00000-0x0000000004F8A000-memory.dmp

Filesize
552KB

Download
memory/2188-0-0x00000000742FE000-0x00000000742FF000-memory.dmp

Filesize
4KB

Download
memory/2700-11-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-6-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2700-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads