2f4acbd783db771739523c21f32489679e97ad254b51b170981ad58bcf00575c

General

Target

Quotation - TB046J12LCO2 Project Mechanical.exe
Size

1.1MB
MD5

16a009a8c64f7d483d331d27cc342f54
SHA1

e140137a852280f79e101e93276216643d1631aa
SHA256

2f4acbd783db771739523c21f32489679e97ad254b51b170981ad58bcf00575c
SHA512

0afa038e4cacec78cf5551c5f341c1342b077fef9608a51ba0b0cf39152687830d95665c9324ba3eaa5b3cb3964adc8e92964b710ac2de0da9891e3923540f4e
SSDEEP

24576:LAHnh+eWsN3skA4RV1Hom2KXMmHajd/h2cNa0yIvdFW5:mh+ZkldoPK8Yajd7lyI1O

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2668	RMActivate_ssp.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2856 set thread context of 2992	2856	Quotation - TB046J12LCO2 Project Mechanical.exe	28
PID 2992 set thread context of 1104	2992	svchost.exe	20
PID 2992 set thread context of 2668	2992	svchost.exe	29
PID 2668 set thread context of 1104	2668	RMActivate_ssp.exe	20

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1340930862-1405011213-2821322012-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	RMActivate_ssp.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2992	svchost.exe
2992	svchost.exe
2992	svchost.exe
2992	svchost.exe
2992	svchost.exe
2992	svchost.exe
2992	svchost.exe
2992	svchost.exe
2668	RMActivate_ssp.exe
2668	RMActivate_ssp.exe
2668	RMActivate_ssp.exe
2668	RMActivate_ssp.exe
2668	RMActivate_ssp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2856	Quotation - TB046J12LCO2 Project Mechanical.exe
2992	svchost.exe
1104	Explorer.EXE
1104	Explorer.EXE
2668	RMActivate_ssp.exe
2668	RMActivate_ssp.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2856	Quotation - TB046J12LCO2 Project Mechanical.exe
2856	Quotation - TB046J12LCO2 Project Mechanical.exe
1104	Explorer.EXE
1104	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2856	Quotation - TB046J12LCO2 Project Mechanical.exe
2856	Quotation - TB046J12LCO2 Project Mechanical.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2992	2856	Quotation - TB046J12LCO2 Project Mechanical.exe	28
PID 2856 wrote to memory of 2992	2856	Quotation - TB046J12LCO2 Project Mechanical.exe	28
PID 2856 wrote to memory of 2992	2856	Quotation - TB046J12LCO2 Project Mechanical.exe	28
PID 2856 wrote to memory of 2992	2856	Quotation - TB046J12LCO2 Project Mechanical.exe	28
PID 2856 wrote to memory of 2992	2856	Quotation - TB046J12LCO2 Project Mechanical.exe	28
PID 1104 wrote to memory of 2668	1104	Explorer.EXE	29
PID 1104 wrote to memory of 2668	1104	Explorer.EXE	29
PID 1104 wrote to memory of 2668	1104	Explorer.EXE	29
PID 1104 wrote to memory of 2668	1104	Explorer.EXE	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Admin\AppData\Local\Temp\Quotation - TB046J12LCO2 Project Mechanical.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation - TB046J12LCO2 Project Mechanical.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation - TB046J12LCO2 Project Mechanical.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2992
- C:\Windows\SysWOW64\RMActivate_ssp.exe
  "C:\Windows\SysWOW64\RMActivate_ssp.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\prespecialist

Filesize
264KB

MD5
1cb65f815398054b6991c24f3a24e726

SHA1
5b5649d946e2d2b10bff465b3a291eee0e0c0052

SHA256
89cf65de807d861370b51d84eac316eb68ff0b3f208c078163210ad653b5cfd8

SHA512
2ce6ed9c82185dc60dd1633d5cadb5ffcc3517bb7d40f80519467f7dc7815b4e7cafcc0fe2c0c515cf6311398d2121039e4c3b991c177b03c8278bb9572bae94

Download Submit
C:\Users\Admin\AppData\Local\Temp\snghl.zip

Filesize
474KB

MD5
af10a982a2ef91c9787106eea1a0cc4a

SHA1
00435a36f5e6059287cde2cebb2882669cdba3a5

SHA256
e028068b067e5e60fa5680b0bafa48a31287b6d614ee0b92df51cce23b974099

SHA512
73d0d3034405527798b854dc33fc608c7ccf0af1689e139af4bbb5a5324dc0748bdc2bf632468745920dc7be4eb7f0240d3cf1b5872d3f5c0c897725db78bf9f

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
904KB

MD5
5e5ba61531d74e45b11cadb79e7394a1

SHA1
677224e14aac9dd35f367d5eb1704b36e69356b8

SHA256
99e91ae250c955bd403ec1a2321d6b11fcb715bdcc7cb3f63ffb46b349afde5c

SHA512
712bfe419ba97ecf0ec8323a68743013e8c767da9d986f74ab94d2a395c3086cac2a5823048e0022d3bbcebb55281b9e1f8c87fdc9295c70cc5521b57850bf46

Download Submit
memory/1104-28-0x0000000004B60000-0x0000000004C5D000-memory.dmp

Filesize
1012KB

Download
memory/1104-68-0x0000000004B60000-0x0000000004C5D000-memory.dmp

Filesize
1012KB

Download
memory/1104-18-0x0000000003190000-0x0000000003290000-memory.dmp

Filesize
1024KB

Download
memory/1104-27-0x0000000004B60000-0x0000000004C5D000-memory.dmp

Filesize
1012KB

Download
memory/2668-66-0x0000000061E00000-0x0000000061ECE000-memory.dmp

Filesize
824KB

Download
memory/2668-65-0x0000000000170000-0x00000000001AF000-memory.dmp

Filesize
252KB

Download
memory/2668-67-0x0000000001C70000-0x0000000001D0C000-memory.dmp

Filesize
624KB

Download
memory/2668-19-0x0000000000170000-0x00000000001AF000-memory.dmp

Filesize
252KB

Download
memory/2668-20-0x0000000000170000-0x00000000001AF000-memory.dmp

Filesize
252KB

Download
memory/2668-23-0x0000000001EA0000-0x00000000021A3000-memory.dmp

Filesize
3.0MB

Download
memory/2668-24-0x0000000000170000-0x00000000001AF000-memory.dmp

Filesize
252KB

Download
memory/2668-26-0x0000000001C70000-0x0000000001D0C000-memory.dmp

Filesize
624KB

Download
memory/2856-11-0x0000000000170000-0x0000000000174000-memory.dmp

Filesize
16KB

Download
memory/2992-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2992-21-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2992-22-0x0000000000190000-0x00000000001AD000-memory.dmp

Filesize
116KB

Download
memory/2992-17-0x0000000000190000-0x00000000001AD000-memory.dmp

Filesize
116KB

Download
memory/2992-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2992-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2992-13-0x0000000000B80000-0x0000000000E83000-memory.dmp

Filesize
3.0MB

Download
memory/2992-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing