Analysis Overview
SHA256
9fc616629b68b08d072474a412496c172b8235e30e8868d00e2ecc53d35e7651
Threat Level: Known bad
The file QUOTATION_AUGQTRA071244PDF.scr.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
VIPKeylogger
Credentials from Password Stores: Credentials from Web Browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Browser Information Discovery
Unsigned PE
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-29 05:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-29 05:59
Reported
2024-08-29 06:01
Platform
win7-20240708-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2876 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | C:\Windows\system32\WerFault.exe |
| PID 2876 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | C:\Windows\system32\WerFault.exe |
| PID 2876 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2876 -s 1120
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 172.67.200.96:80 | filetransfer.io | tcp |
| US | 172.67.200.96:443 | filetransfer.io | tcp |
| US | 172.67.200.96:443 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | s23.filetransfer.io | udp |
| US | 104.21.13.139:443 | s23.filetransfer.io | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-29 05:59
Reported
2024-08-29 06:01
Platform
win10v2004-20240802-en
Max time kernel
133s
Max time network
148s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 344 created 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | C:\Windows\Explorer.EXE |
VIPKeylogger
Credentials from Password Stores: Credentials from Web Browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.dyndns.org | N/A | N/A |
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 344 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 344 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 344 wrote to memory of 4552 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
outlook_office_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe
"C:\Users\Admin\AppData\Local\Temp\QUOTATION_AUGQTRA071244PDF.scr.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 172.67.200.96:80 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.200.67.172.in-addr.arpa | udp |
| US | 172.67.200.96:443 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | s23.filetransfer.io | udp |
| US | 104.21.13.139:443 | s23.filetransfer.io | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.13.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 0.130.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files