49042e86af4503a917b8408c4faab2759688065a429015a2c90430fa7371291f

Analysis

max time kernel
208s
max time network
281s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03/07/2024, 23:01

Target

Dropped Malware/REQUEST FOR QUOTATION_pdf.exe
Size

1.1MB
MD5

8f72ae5c3e68e643690aea36735a95bd
SHA1

ed901f56acd0fdf9acf586ee84cd22469a92c285
SHA256

e3f20d09ed34a08bc3a8c6ebf4bceb079c24229e8b7765a2e679a0ee4a6df28a
SHA512

aee44099bb33d6a628221dcd1feb11ad537aa3d9ed76643368cd915758c8bad68e533b4b3a406c0b82b72ca0ee47ffc229dab849461eb473e2176f0b30894308
SSDEEP

24576:5AHnh+eWsN3skA4RV1Hom2KXMmHaWQ7JttVeq4RqULd9DEEC/oWb5:Ah+ZkldoPK8YaWQ7J554FHao6

Score

5^/10

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4148 set thread context of 4296	4148	REQUEST FOR QUOTATION_pdf.exe	76

Suspicious behavior: EnumeratesProcesses 14 IoCs

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4148	REQUEST FOR QUOTATION_pdf.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4148	REQUEST FOR QUOTATION_pdf.exe
4148	REQUEST FOR QUOTATION_pdf.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4148	REQUEST FOR QUOTATION_pdf.exe
4148	REQUEST FOR QUOTATION_pdf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4296	4148	REQUEST FOR QUOTATION_pdf.exe	76
PID 4148 wrote to memory of 4296	4148	REQUEST FOR QUOTATION_pdf.exe	76
PID 4148 wrote to memory of 4296	4148	REQUEST FOR QUOTATION_pdf.exe	76
PID 4148 wrote to memory of 4296	4148	REQUEST FOR QUOTATION_pdf.exe	76

C:\Users\Admin\AppData\Local\Temp\Dropped Malware\REQUEST FOR QUOTATION_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Dropped Malware\REQUEST FOR QUOTATION_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Dropped Malware\REQUEST FOR QUOTATION_pdf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4296

C:\Users\Admin\AppData\Local\Temp\aut74F1.tmp

Filesize
268KB

MD5
295f6c5b65128e588d0b582be289ab6d

SHA1
fd6bd3b6d93a374b3c1806928c2979c97a5818f4

SHA256
53f3373a9c431f530f34f34dca345c7bdc5ed31693d7186bb8a1ce395d6a0302

SHA512
4a5c488e5a1ae1f53d72fb747fa406350280f6d7584d3d2698bc1cbd259b987ec429bd540b6c656e9c00037fb2d3bd680774d01a6edefd6c0c0eae5b4cf5c631

Download Submit
memory/4148-12-0x00000000013A0000-0x00000000013A4000-memory.dmp

Filesize
16KB

Download
memory/4296-13-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4296-14-0x0000000001800000-0x0000000001B56000-memory.dmp

Filesize
3.3MB

Download
memory/4296-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4296-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download