Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-09-2024 02:21
Static task: static1
Behavioral task: behavioral1
  Sample: Request For Quote document.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Request For Quote document.exe
  Resource: win10v2004-20240802-en
General
Target: Request For Quote document.exe
Size: 294KB
MD5: 9fe3c4fe210d4dbcbcd600a0f3bafa8e
SHA1: 0abb32cb963fdf10289f5a5c308a1be7eeb6bfcb
SHA256: 22d69380285b3ae54c3ab153d36152c70a1d40e5e860ccb962ac564c86a6cdb4
SHA512: 26d6b9b7f3dfc3c3d1741748234d1e155a424bd8dbfa6d40c658637c95a8c4646e9002c230f8fe04c26fb19fa3803bd9b00f36a7a1666b8007abe955b496f797
SSDEEP: 6144:giISBtWm7kQgIjRs6HcKBlVMrfuQK7Rq9e1+fnIE3mfHbHI5Cj604zhMBr1:gctWm7kQgIjRs6HcKBlarfuQK7Rq9u+m
Malware Config
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\bookq = "C:\\Users\\Admin\\AppData\\Roaming\\bookq.exe"
  Process: Request For Quote document.exe
Program crash (1 IoC)
  pid: 5716
  pid_target: 1792
  Process: WerFault.exe
  procid_target: 29
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: Request For Quote document.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 1792
  Process: Request For Quote document.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs, identical entries)
  description: Token: SeDebugPrivilege
  pid: 1792
  Process: Request For Quote document.exe
Suspicious use of WriteProcessMemory (4 IoCs, identical entries)
  description: PID 1792 wrote to memory of 5716
  pid: 1792
  Process: Request For Quote document.exe
  procid_target: 30
Processes
C:\Users\Admin\AppData\Local\Temp\Request For Quote document.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Request For Quote document.exe"
  PID: 1792
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 1068
    PID: 5716
    - Program crash