07e783f93cb4f77e53bf07300e46e2fd096641d609d23f13b6903c87ff20dd66

General

Target

Urgent Quotation Notification_PDF/6N0eSKFgiTb66IA.exe
Size

656KB
MD5

dbc854edb4f43fcf32712a328f80e83c
SHA1

b1be36b4c9a08f488dd6ac224ba5d83262d8d8ad
SHA256

30ad47744445964405bb651788caf7f7b7d7ad8e9c7d06a9dd7057af586343a3
SHA512

fd45d95a0bb1ebab2f0defb892f679334d8524e5b6f0be6906dc9b6b5bd4274e6dc3ce860e32657ba7ec6dead4554f94ff17c75e7d5e89fbf3cf3907356b3a08
SSDEEP

12288:fqiGcJ+ruYgzGVqHW3x9imV88TsKVjddB8neTul+GGaT4XyC2j2apwJwtN:fqi8AaMYvVvTpVjKCVa0CCG

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 4136	4028	6N0eSKFgiTb66IA.exe	101
PID 4136 set thread context of 3316	4136	6N0eSKFgiTb66IA.exe	57
PID 4136 set thread context of 4764	4136	6N0eSKFgiTb66IA.exe	102
PID 4764 set thread context of 3316	4764	chkntfs.exe	57
PID 4764 set thread context of 3796	4764	chkntfs.exe	103

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkntfs.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkntfs.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4028	6N0eSKFgiTb66IA.exe
4028	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4136	6N0eSKFgiTb66IA.exe
4136	6N0eSKFgiTb66IA.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe
4764	chkntfs.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	6N0eSKFgiTb66IA.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 4424	4028	6N0eSKFgiTb66IA.exe	100
PID 4028 wrote to memory of 4424	4028	6N0eSKFgiTb66IA.exe	100
PID 4028 wrote to memory of 4424	4028	6N0eSKFgiTb66IA.exe	100
PID 4028 wrote to memory of 4136	4028	6N0eSKFgiTb66IA.exe	101
PID 4028 wrote to memory of 4136	4028	6N0eSKFgiTb66IA.exe	101
PID 4028 wrote to memory of 4136	4028	6N0eSKFgiTb66IA.exe	101
PID 4028 wrote to memory of 4136	4028	6N0eSKFgiTb66IA.exe	101
PID 4028 wrote to memory of 4136	4028	6N0eSKFgiTb66IA.exe	101
PID 4028 wrote to memory of 4136	4028	6N0eSKFgiTb66IA.exe	101
PID 4136 wrote to memory of 4764	4136	6N0eSKFgiTb66IA.exe	102
PID 4136 wrote to memory of 4764	4136	6N0eSKFgiTb66IA.exe	102
PID 4136 wrote to memory of 4764	4136	6N0eSKFgiTb66IA.exe	102
PID 4764 wrote to memory of 3796	4764	chkntfs.exe	103
PID 4764 wrote to memory of 3796	4764	chkntfs.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3316
- C:\Users\Admin\AppData\Local\Temp\Urgent Quotation Notification_PDF\6N0eSKFgiTb66IA.exe
  "C:\Users\Admin\AppData\Local\Temp\Urgent Quotation Notification_PDF\6N0eSKFgiTb66IA.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Users\Admin\AppData\Local\Temp\Urgent Quotation Notification_PDF\6N0eSKFgiTb66IA.exe
    "C:\Users\Admin\AppData\Local\Temp\Urgent Quotation Notification_PDF\6N0eSKFgiTb66IA.exe"
    3⤵
    PID:4424
- - C:\Users\Admin\AppData\Local\Temp\Urgent Quotation Notification_PDF\6N0eSKFgiTb66IA.exe
    "C:\Users\Admin\AppData\Local\Temp\Urgent Quotation Notification_PDF\6N0eSKFgiTb66IA.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\chkntfs.exe
      "C:\Windows\SysWOW64\chkntfs.exe"
      4⤵
      Suspicious use of SetThreadContext
      Enumerates system info in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4764
    - - C:\Program Files\Mozilla Firefox\Firefox.exe
        
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        5⤵
        
        PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2384 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3316-19-0x000000000E4F0000-0x000000000FBCE000-memory.dmp

Filesize
22.9MB

Download
memory/3316-27-0x00000000031D0000-0x00000000032B9000-memory.dmp

Filesize
932KB

Download
memory/3316-36-0x00000000031D0000-0x00000000032B9000-memory.dmp

Filesize
932KB

Download
memory/3796-34-0x000001511CE60000-0x000001511CF69000-memory.dmp

Filesize
1.0MB

Download
memory/4028-8-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/4028-5-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4028-6-0x0000000004F30000-0x0000000004F3A000-memory.dmp

Filesize
40KB

Download
memory/4028-7-0x00000000051E0000-0x000000000527C000-memory.dmp

Filesize
624KB

Download
memory/4028-4-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/4028-9-0x0000000008B40000-0x0000000008B4C000-memory.dmp

Filesize
48KB

Download
memory/4028-10-0x0000000008B90000-0x0000000008C1A000-memory.dmp

Filesize
552KB

Download
memory/4028-3-0x0000000004E80000-0x0000000004F12000-memory.dmp

Filesize
584KB

Download
memory/4028-13-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4028-2-0x0000000005530000-0x0000000005AD4000-memory.dmp

Filesize
5.6MB

Download
memory/4028-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/4028-1-0x00000000003F0000-0x000000000049A000-memory.dmp

Filesize
680KB

Download
memory/4136-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4136-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4136-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4136-11-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4136-18-0x0000000003110000-0x0000000003135000-memory.dmp

Filesize
148KB

Download
memory/4136-23-0x0000000003110000-0x0000000003135000-memory.dmp

Filesize
148KB

Download
memory/4136-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4136-14-0x0000000001640000-0x000000000198A000-memory.dmp

Filesize
3.3MB

Download
memory/4764-21-0x00000000006D0000-0x000000000070F000-memory.dmp

Filesize
252KB

Download
memory/4764-26-0x00000000025F0000-0x0000000002694000-memory.dmp

Filesize
656KB

Download
memory/4764-25-0x00000000006D0000-0x000000000070F000-memory.dmp

Filesize
252KB

Download
memory/4764-29-0x00000000006D0000-0x000000000070F000-memory.dmp

Filesize
252KB

Download
memory/4764-24-0x00000000027F0000-0x0000000002B3A000-memory.dmp

Filesize
3.3MB

Download
memory/4764-35-0x00000000025F0000-0x0000000002694000-memory.dmp

Filesize
656KB

Download
memory/4764-20-0x00000000006D0000-0x000000000070F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing