Analysis Overview
SHA256: 44cd4f6ebd5c40c71b72c4c9ae46838d778637eb70db082592bb7ccbeca4f47f
Threat Level: Known bad
The file QUOTATIONAUGQTRA071244PDF.scr.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
VIPKeylogger
Credentials from Password Stores: Credentials from Web Browsers
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Unsigned PE
Browser Information Discovery
outlook_office_path
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-30 13:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-30 13:09
Reported: 2024-08-30 13:11
Platform: win7-20240705-en
Max time kernel: 119s
Max time network: 120s
Command Line: (empty)
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2992 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | C:\Windows\system32\WerFault.exe |
| PID 2992 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | C:\Windows\system32\WerFault.exe |
| PID 2992 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | C:\Windows\system32\WerFault.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | "C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe" |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 2992 -s 872 |
Note: WerFault.exe -u -p 2992 -s 872 is Windows Error Reporting invoked for the sample process (PID 2992), i.e. the sample crashed on this Windows 7 image. The writes from PID 2992 into WerFault.exe are consistent with that crash handshake rather than with injection, and this run records no process creation, credential access or IP lookup. The Windows 10 run (behavioral2) is the one that shows the payload's behaviour.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 172.67.200.96:80 | filetransfer.io | tcp |
| US | 172.67.200.96:443 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | s24.filetransfer.io | udp |
| US | 188.114.97.0:443 | s24.filetransfer.io | tcp |
Files
memory/2992-0-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp
memory/2992-1-0x0000000000140000-0x00000000001A0000-memory.dmp
memory/2992-2-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp
memory/2992-3-0x000000001BFA0000-0x000000001C0C4000-memory.dmp
memory/2992-4-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-17-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-23-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-5-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-37-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-7-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-55-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-65-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-9-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-13-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-15-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-21-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-27-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-39-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-41-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-35-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-33-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-31-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-29-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-25-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-19-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-11-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-43-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-45-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-47-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-67-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-63-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-61-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-59-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-57-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-53-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-51-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-49-0x000000001BFA0000-0x000000001C0BD000-memory.dmp
memory/2992-1078-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp
memory/2992-1079-0x000000001AE80000-0x000000001AF1E000-memory.dmp
memory/2992-1080-0x0000000002450000-0x000000000249C000-memory.dmp
memory/2992-1081-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp
memory/2992-1082-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp
memory/2992-1085-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp
memory/2992-1084-0x000000001BCF0000-0x000000001BD44000-memory.dmp
memory/2992-1086-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-30 13:09
Reported: 2024-08-30 13:11
Platform: win10v2004-20240802-en
Max time kernel: 138s
Max time network: 127s
Command Line: (empty)
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2096 created 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | C:\Windows\Explorer.EXE |
VIPKeylogger
Credentials from Password Stores: Credentials from Web Browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2096 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 2096 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
| PID 2096 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe | "C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe" |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" |
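The signature rows above describe one chain: the sample (PID 2096) starts aspnet_compiler.exe (PID 4848) with Explorer.EXE (PID 3444) recorded as its parent, writes into it three times, and the hollowed aspnet_compiler.exe then opens the Outlook profile keys. The following Python is an added example, not part of the report or of any sandbox product: it replays that chain as constructed telemetry records built from the report's own PIDs, paths and registry keys, and scores each process on four heuristics (creator/parent mismatch, a .NET utility launched with an empty argument list, foreign memory writes, Outlook profile key access by a non-Outlook process). The record shapes, the parent assigned to Explorer.EXE, and the .NET utilities listed besides aspnet_compiler.exe are the editor's assumptions.

```python
"""Replay of the behavioral2 process chain as a detection heuristic.

Added example, not code from the sandbox or the report. Records are
constructed from the report's rows; shapes and extra binaries are assumptions.
"""
from dataclasses import dataclass, field

# Assumption: .NET Framework utilities that build tooling always passes
# arguments to, so a bare invocation is suspicious. aspnet_compiler.exe is
# the one the report shows; the others are the editor's generalization.
DOTNET_HOLLOWING_HOSTS = {
    "aspnet_compiler.exe", "regasm.exe", "regsvcs.exe",
    "installutil.exe", "msbuild.exe",
}
# Outlook profile key GUID that appears in the report's registry rows.
OUTLOOK_PROFILE_GUID = "9375CFF0413111d3B88A00104B2A6676"


@dataclass
class ProcessStart:
    pid: int
    image: str
    command_line: str
    parent_pid: int   # parent recorded on the process object (spoofable)
    creator_pid: int  # process that actually issued the create call


@dataclass
class MemoryWrite:
    source_pid: int
    target_pid: int


@dataclass
class RegistryOpen:
    pid: int
    key: str


@dataclass
class Finding:
    pid: int
    image: str
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(starts, writes, reg_opens):
    by_pid = {p.pid: p for p in starts}

    def name(pid):
        return basename(by_pid[pid].image) if pid in by_pid else "?"

    findings = []
    for p in starts:
        f = Finding(p.pid, basename(p.image))
        # 1. Creator and recorded parent disagree: parent PID spoofing.
        if p.creator_pid != p.parent_pid:
            f.reasons.append(f"parent spoofed to {p.parent_pid} ({name(p.parent_pid)}); "
                             f"real creator {p.creator_pid} ({name(p.creator_pid)})")
        # 2. A .NET utility started with no arguments is not a build step.
        bare = p.command_line.strip().strip('"').lower() == p.image.lower()
        if f.image in DOTNET_HOLLOWING_HOSTS and bare:
            f.reasons.append("dotnet utility launched with an empty argument list")
        # 3. Another process wrote into this one: hollowing/injection.
        for src in sorted({w.source_pid for w in writes if w.target_pid == p.pid}):
            f.reasons.append(f"memory written by {src} ({name(src)})")
        # 4. A non-Outlook process reading Outlook profile keys: credential access.
        if f.image != "outlook.exe" and any(
                r.pid == p.pid and OUTLOOK_PROFILE_GUID.lower() in r.key.lower()
                for r in reg_opens):
            f.reasons.append("opened Outlook profile registry key")
        if f.reasons:
            findings.append(f)
    return findings


# Constructed telemetry mirroring the behavioral2 Processes and Signatures tables.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
SID = "S-1-5-21-4182098368-2521458979-3782681353-1000"
OUTLOOK_KEY = ("\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Office\\16.0"
               "\\Outlook\\Profiles\\Outlook\\" + OUTLOOK_PROFILE_GUID)

STARTS = [
    # Parent 1000 for Explorer is an assumption; the report does not show it.
    ProcessStart(3444, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", 1000, 1000),
    ProcessStart(2096, SAMPLE, f'"{SAMPLE}"', 3444, 3444),
    # "PID 2096 created 3444": aspnet_compiler.exe made to look like Explorer's child.
    ProcessStart(4848, HOST, f'"{HOST}"', 3444, 2096),
]
WRITES = [MemoryWrite(2096, 4848)] * 3  # three WriteProcessMemory rows in the report
REG_OPENS = [RegistryOpen(4848, OUTLOOK_KEY)]

if __name__ == "__main__":
    for f in analyze(STARTS, WRITES, REG_OPENS):
        print(f"PID {f.pid} {f.image}")
        for r in f.reasons:
            print("  -", r)
```

Only PID 4848 is flagged, with all four reasons; the sample itself (PID 2096) trips none of them, which is why this chain is best hunted from the hollowed host process rather than from the dropper's own events.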
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 104.21.13.139:80 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 104.21.13.139:443 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | s24.filetransfer.io | udp |
| US | 104.21.13.139:443 | s24.filetransfer.io | tcp |
| US | 8.8.8.8:53 | 139.13.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 169.8.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 188.114.97.0:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
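The Network table mixes the sandbox resolver (8.8.8.8:53), reverse (in-addr.arpa) lookups and Windows background traffic with the sample's own connections. The following Python is an added example, not part of the report, that reduces such a table to unique domain/endpoint pairs suitable for blocking or hunting. The table text inside it is a constructed copy of a subset of the rows above; the noise filters, and every role label except the one for checkip.dyndns.org (which the report's own "Looks up external IP address via web service" signature attributes), are the editor's assumptions and are marked as such in the code.

```python
"""Normalize a sandbox network table into hunt-ready IOCs.

Added example, not part of the report. NETWORK_TABLE is a constructed copy of
some behavioral2 rows; noise filters and most role labels are assumptions.
"""
from collections import defaultdict

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | filetransfer.io | udp |
| US | 104.21.13.139:80 | filetransfer.io | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 104.21.13.139:443 | filetransfer.io | tcp |
| US | 104.21.13.139:443 | s24.filetransfer.io | tcp |
| JP | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| US | 188.114.97.0:443 | reallyfreegeoip.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
"""

RESOLVER = "8.8.8.8:53"              # the sandbox's DNS server, never an IOC
BACKGROUND = {"tse1.mm.bing.net"}    # assumption: Windows/Bing background traffic
ROLES = {
    "checkip.dyndns.org": "external IP lookup (report signature)",
    "reallyfreegeoip.org": "geolocation lookup (assumed)",
    "api.telegram.org": "possible exfiltration channel (assumed, not asserted by report)",
    "filetransfer.io": "file hosting contacted by the sample (assumed stage source)",
}


def parse_rows(text):
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        rows.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return rows


def is_noise(row):
    d = row["domain"]
    return row["dest"] == RESOLVER or d.endswith(".in-addr.arpa") or d in BACKGROUND


def extract_iocs(text):
    """Return {domain: {"endpoints": [ip:port/proto, ...], "role": str}}."""
    by_domain = defaultdict(set)
    for row in parse_rows(text):
        if is_noise(row):
            continue
        by_domain[row["domain"]].add((row["dest"], row["proto"]))
    return {
        dom: {"endpoints": sorted(f"{ep}/{proto}" for ep, proto in eps),
              "role": ROLES.get(dom, "unclassified")}
        for dom, eps in sorted(by_domain.items())
    }


def unique_ips(iocs):
    """Distinct remote IPv4 addresses across all surviving endpoints."""
    return sorted({ep.split(":")[0] for e in iocs.values() for ep in e["endpoints"]})


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_TABLE)
    for dom, entry in iocs.items():
        print(f"{dom:24} {entry['role']}")
        for ep in entry["endpoints"]:
            print(f"{'':24} {ep}")
    print("IPs:", ", ".join(unique_ips(iocs)))
```

Shared Cloudflare-fronted addresses (filetransfer.io and s24.filetransfer.io both resolve to 104.21.13.139 here, and 188.114.97.0 served different names in the two runs) are a reason to hunt on the domain names rather than on the IPs alone.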
Files
memory/2096-0-0x00007FFC5B3A3000-0x00007FFC5B3A5000-memory.dmp
memory/2096-1-0x000002C3B18A0000-0x000002C3B1900000-memory.dmp
memory/2096-2-0x00007FFC5B3A0000-0x00007FFC5BE61000-memory.dmp
memory/2096-3-0x000002C3CC000000-0x000002C3CC124000-memory.dmp
memory/2096-23-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-21-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-63-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-67-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-65-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-59-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-61-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-57-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-55-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-53-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-51-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-49-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-47-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-45-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-41-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-39-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-37-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-33-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-31-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-29-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-27-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-25-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-19-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-17-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-15-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-13-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-11-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-9-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-7-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-5-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-43-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-35-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-4-0x000002C3CC000000-0x000002C3CC11D000-memory.dmp
memory/2096-1078-0x00007FFC5B3A0000-0x00007FFC5BE61000-memory.dmp
memory/2096-1079-0x000002C3CC190000-0x000002C3CC22E000-memory.dmp
memory/2096-1080-0x000002C3B1D90000-0x000002C3B1DDC000-memory.dmp
memory/2096-1084-0x00007FFC5B3A0000-0x00007FFC5BE61000-memory.dmp
memory/2096-1085-0x00007FFC5B3A0000-0x00007FFC5BE61000-memory.dmp
memory/2096-1086-0x00007FFC5B3A0000-0x00007FFC5BE61000-memory.dmp
memory/2096-1087-0x00007FFC5B3A3000-0x00007FFC5B3A5000-memory.dmp
memory/2096-1088-0x00007FFC5B3A0000-0x00007FFC5BE61000-memory.dmp
memory/2096-1090-0x000002C3CD4E0000-0x000002C3CD534000-memory.dmp
memory/4848-1094-0x00007FFC5B3A3000-0x00007FFC5B3A5000-memory.dmp
memory/4848-1095-0x0000025955410000-0x0000025955456000-memory.dmp
memory/4848-1097-0x00007FFC5B3A0000-0x00007FFC5BE61000-memory.dmp
memory/4848-1096-0x00007FFC5B3A0000-0x00007FFC5BE61000-memory.dmp
memory/2096-1092-0x00007FFC5B3A0000-0x00007FFC5BE61000-memory.dmp
memory/4848-1093-0x0000025953890000-0x00000259538DB000-memory.dmp
memory/4848-1098-0x00007FFC5B3A0000-0x00007FFC5BE61000-memory.dmp
memory/4848-1099-0x00007FFC5B3A0000-0x00007FFC5BE61000-memory.dmp
memory/4848-1100-0x00007FFC5B3A0000-0x00007FFC5BE61000-memory.dmp
memory/4848-1101-0x000002596F260000-0x000002596F422000-memory.dmp
memory/4848-1102-0x0000025955540000-0x0000025955590000-memory.dmp