Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
24-09-2024 14:21
Static task
static1
Behavioral task
behavioral1
Sample
Quotation_pdf.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Quotation_pdf.exe
Resource
win10v2004-20240802-en
General
-
Target
Quotation_pdf.exe
-
Size
883KB
-
MD5
571902de75705d1aeaa32be01459dc65
-
SHA1
4ccf3c9a339146008c1d8466857e13d3c7752a05
-
SHA256
8f2c4543e4bc9194d1c1a9bc946a75d49162b0eee2715df4ba626980892107b5
-
SHA512
966381cdeaf8213fefdca876052a59dcda9e2436cfc50b4516eca936ebb9e75b9421058969526fa0b46d06067a43398a51c8e7201fa72d39faa0153c4328a9d7
-
SSDEEP
24576:kBGzjcJ6NacNEyNOU+6cNuuH2SNcjmYY4Swv:kE86N1l5x8uuWSpYXS2
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2656 powershell.exe 2096 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Quotation_pdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2664 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 2344 Quotation_pdf.exe 2344 Quotation_pdf.exe 2344 Quotation_pdf.exe 2344 Quotation_pdf.exe 2344 Quotation_pdf.exe 2344 Quotation_pdf.exe 2344 Quotation_pdf.exe 2344 Quotation_pdf.exe 2344 Quotation_pdf.exe 2096 powershell.exe 2656 powershell.exe 2344 Quotation_pdf.exe 2344 Quotation_pdf.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2344 Quotation_pdf.exe Token: SeDebugPrivilege 2096 powershell.exe Token: SeDebugPrivilege 2656 powershell.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2344 wrote to memory of 2656 2344 Quotation_pdf.exe 30 PID 2344 wrote to memory of 2656 2344 Quotation_pdf.exe 30 PID 2344 wrote to memory of 2656 2344 Quotation_pdf.exe 30 PID 2344 wrote to memory of 2656 2344 Quotation_pdf.exe 30 PID 2344 wrote to memory of 2096 2344 Quotation_pdf.exe 32 PID 2344 wrote to memory of 2096 2344 Quotation_pdf.exe 32 PID 2344 wrote to memory of 2096 2344 Quotation_pdf.exe 32 PID 2344 wrote to memory of 2096 2344 Quotation_pdf.exe 32 PID 2344 wrote to memory of 2664 2344 Quotation_pdf.exe 34 PID 2344 wrote to memory of 2664 2344 Quotation_pdf.exe 34 PID 2344 wrote to memory of 2664 2344 Quotation_pdf.exe 34 PID 2344 wrote to memory of 2664 2344 Quotation_pdf.exe 34 PID 2344 wrote to memory of 2996 2344 Quotation_pdf.exe 36 PID 2344 wrote to memory of 2996 2344 Quotation_pdf.exe 36 PID 2344 wrote to memory of 2996 2344 Quotation_pdf.exe 36 PID 2344 wrote to memory of 2996 2344 Quotation_pdf.exe 36 PID 2344 wrote to memory of 1632 2344 Quotation_pdf.exe 37 PID 2344 wrote to memory of 1632 2344 Quotation_pdf.exe 37 PID 2344 wrote to memory of 1632 2344 Quotation_pdf.exe 37 PID 2344 wrote to memory of 1632 2344 Quotation_pdf.exe 37 PID 2344 wrote to memory of 3008 2344 Quotation_pdf.exe 38 PID 2344 wrote to memory of 3008 2344 Quotation_pdf.exe 38 PID 2344 wrote to memory of 3008 2344 Quotation_pdf.exe 38 PID 2344 wrote to memory of 3008 2344 Quotation_pdf.exe 38 PID 2344 wrote to memory of 560 2344 Quotation_pdf.exe 39 PID 2344 wrote to memory of 560 2344 Quotation_pdf.exe 39 PID 2344 wrote to memory of 560 2344 Quotation_pdf.exe 39 PID 2344 wrote to memory of 560 2344 Quotation_pdf.exe 39 PID 2344 wrote to memory of 300 2344 Quotation_pdf.exe 40 PID 2344 wrote to memory of 300 2344 Quotation_pdf.exe 40 PID 2344 wrote to memory of 300 2344 Quotation_pdf.exe 40 PID 2344 wrote to memory of 300 2344 Quotation_pdf.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Quotation_pdf.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Quotation_pdf.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\efsOOkOP.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\efsOOkOP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB50D.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2664
-
-
C:\Users\Admin\AppData\Local\Temp\Quotation_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Quotation_pdf.exe"2⤵PID:2996
-
-
C:\Users\Admin\AppData\Local\Temp\Quotation_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Quotation_pdf.exe"2⤵PID:1632
-
-
C:\Users\Admin\AppData\Local\Temp\Quotation_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Quotation_pdf.exe"2⤵PID:3008
-
-
C:\Users\Admin\AppData\Local\Temp\Quotation_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Quotation_pdf.exe"2⤵PID:560
-
-
C:\Users\Admin\AppData\Local\Temp\Quotation_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Quotation_pdf.exe"2⤵PID:300
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5058392715ba3218d45d65df005bd5179
SHA1e164f674af1c6974c1771cbdec811ebe85c284f6
SHA2565cd1d58c441f40187ae601ebd9bff7aca38a8e2d354d65e2e664a46766b6e8a1
SHA51228df1bec99212409ece47d9bb3173a060cb8391d505cb39ecf501d2e0b188eaf6118e8a49bed37407a7f1fc36a216d39c82c89782e7d152a1f5561f6adda6353
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD536259c9ae106a89b9808b0dfc91a8081
SHA19ff613bec920b7b828a44b8d8a8d2db11baf71f5
SHA256182dfd39928c67fbf8c055f695492b21d9e960770e42948b00ee8c01a54d3e31
SHA512d8481e6dba0b5322c841f12551d300725a6ee758474f49c4ed703320969cdbdc0f834be64ef9606996ca0cc88657a82ccee6a52030357aa61e26f10b507dd1aa